Author Topic: Pfsense <-> solaredge  (Read 1726 times)

Offline The cosmic gate

Pfsense <-> solaredge
« on: September 19, 2017, 12:14:22 pm »
At the moment I'm running the latest pfSense together with pfBlockerNG.
And 2 weeks ago we also got the complete installation of the solar panel inverter from SolarEdge.
As the people from SE asked, I forwarded ports 22221 - 22222.
But every time, after approximately 3 days, the communication between the WiFi inverter and the SE panel stops.
When I reboot pfSense everything runs fine again for those 3 days.
What could possibly fix this problem?
Or where can I have a look, or must there be a rule or something to keep this working?

Offline stephenw10

Re: Pfsense <-> solaredge
« Reply #1 on: September 20, 2017, 03:25:54 pm »
I assume the SE remote management has to poll the inverter directly if they need a port forwarded. However, the inverter may also require outbound traffic separately that may be failing.

Check the firewall logs for blocked traffic on those ports when it fails.

Check the state table for states to/from the inverter IP.

Things spontaneously stopping are usually caused by an update to something that updates by itself, like pfBlocker or Snort. Check the alerts/blocks log for those.

Steve
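
An added example for the log check suggested above, not code from the thread or from pfSense: it parses pfSense filterlog lines (constructed samples, with an assumed inverter address of 192.168.1.50) and lists the blocked flows that touch the inverter on TCP 22222 in either direction, so the outbound "call home" and the inbound port forward can be checked separately.

```python
# Added example, not from the thread or from pfSense/SolarEdge: scan pfSense
# filterlog lines for blocked traffic that involves the inverter on TCP 22222.
# Field layout is the pfSense filterlog CSV format (rule, sub-rule, anchor,
# tracker, interface, reason, action, direction, ip-version, then the IPv4
# and TCP/UDP fields). The inverter IP and the log lines are constructed.
import csv

INVERTER_IP = "192.168.1.50"   # constructed: the inverter's LAN address
SOLAREDGE_PORT = "22222"       # TCP port named in the SolarEdge guide

# Constructed lines in the shape pfSense writes to filter.log: an outbound
# block on LAN, a pass, an inbound block on WAN, and a blocked DNS query.
SAMPLE_LOG = """\
Sep 22 10:00:01 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,1,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,50001,22222,0,S,1,,1024,,mss
Sep 22 10:05:01 pfSense filterlog: 9,,,1000000105,em0,match,pass,in,4,0x0,,64,2,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,50002,443,0,S,2,,1024,,mss
Sep 22 10:05:05 pfSense filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,54,3,0,none,6,tcp,60,198.51.100.7,192.168.1.50,4444,22222,0,S,3,,1024,,mss
Sep 22 10:10:01 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,4,0,DF,17,udp,62,192.168.1.50,8.8.8.8,40000,53,42
"""

def parse_filterlog_line(line):
    """Return a dict for one IPv4 TCP/UDP filterlog line, or None for anything else."""
    prefix, sep, rest = line.partition("filterlog: ")
    if not sep:
        return None
    fields = next(csv.reader([rest]))
    if len(fields) < 22 or fields[8] != "4" or fields[16] not in ("tcp", "udp"):
        return None                       # only IPv4 TCP/UDP records are handled
    return {
        "time": prefix.strip().rsplit(" ", 1)[0],   # drop the hostname
        "iface": fields[4], "action": fields[6], "dir": fields[7],
        "proto": fields[16], "src": fields[18], "dst": fields[19],
        "sport": fields[20], "dport": fields[21],
    }

def blocked_inverter_flows(log_text, inverter_ip=INVERTER_IP, port=SOLAREDGE_PORT):
    """Blocked flows with the inverter as source or destination on the given port."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_filterlog_line(line)
        if (rec and rec["action"] == "block"
                and inverter_ip in (rec["src"], rec["dst"])
                and port in (rec["sport"], rec["dport"])):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in blocked_inverter_flows(SAMPLE_LOG):
        print(f'{h["time"]} {h["iface"]} {h["dir"]} {h["proto"]} '
              f'{h["src"]}:{h["sport"]} -> {h["dst"]}:{h["dport"]}')
```

Running it with `port="53"` instead shows whether the inverter's own DNS queries are being blocked, which matters once DNSBL is in the picture.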

Offline Gertjan

Re: Pfsense <-> solaredge
« Reply #2 on: September 20, 2017, 05:02:26 pm »
Installed a Solar Edge several weeks ago, a "900" series (5 kW if I remember well).
https://photos.app.goo.gl/jr3C5Vi6n6EPT4P43

No ports needed to be opened. We activated the WiFi connection (it was an option we took) and the cable connection.
The Solar Edge logic "calls home", like a normal device connected on your LAN, and connects to a server from SE on the net.
The solar company does not connect from the outside (from the Internet) to your Solar Edge installation.

I have all the manuals here (user, installation, etc.) and nothing is said about opening firewall ports.

What is your Solar Edge type / version?

edit : https://www.solaredge.com/sites/default/files/se-inverter-installation-guide.pdf page 53
Code:
NOTE
If your network has a firewall, you may need to configure it to enable the connection to the
following address:
• Destination Address: prod.solaredge.com
• TCP Port: 22222 (for incoming and outgoing data)

Your Solar Edge device will contact "prod.solaredge.com" every 5 minutes or so to send over production data.
We never opened up port "22222" (NATted to the Solar Edge device).

The app on our smartphones uses the data coming from "solaredge.com" that your converter put there.

I frankly believe that "incoming" data is misleading. A home device that needs ports to be open to the Internet, that period should be over now. Too error-prone, too dangerous and completely NOT needed for basic operation.

I guess they mention the "firewall port 22222 and prod.solaredge.com" because there are people that actually block all OUTGOING traffic on their LAN too, except destination ports 80, 25, 143, 443, 993, 995, 53, 21, 22 ..... but this is very rare, and those people know what to do in this case :)


re-edit : just called my brother.
He is still using the WiFi connection after 4 months. He removed the RJ45 cable. The access point (Ubiquiti UniFi device) is just 8 feet away. He never had the notion of a WiFi connection loss - all the stats are 100% present ever since. Their (SE) WiFi card/antenna seems pretty stable to us.
« Last Edit: September 20, 2017, 05:27:14 pm by Gertjan »

Offline stephenw10

Re: Pfsense <-> solaredge
« Reply #3 on: September 20, 2017, 05:17:53 pm »
That ^ seems like a much more likely approach.  ;)

Also, nice install.  :)

Steve

Offline The cosmic gate

Re: Pfsense <-> solaredge
« Reply #4 on: September 30, 2017, 03:09:28 am »
We were on holiday for a few weeks, but now that I have disabled DNSBL it has been running stable for 5 days.
So there's something within this pfBlockerNG option that needs to be changed or whitelisted.

Offline stephenw10

Re: Pfsense <-> solaredge
« Reply #5 on: October 01, 2017, 06:29:10 pm »
That seems likely. You may see it in the alerts section of pfBlocker, though it depends how you have it set up.
Adding that domain to a custom list and setting it to enable will probably solve it.

Steve

Offline The cosmic gate

Re: Pfsense <-> solaredge
« Reply #6 on: October 04, 2017, 01:36:40 pm »
Quote from: stephenw10 on October 01, 2017, 06:29:10 pm
That seems likely. You may see it in the alerts section of pfBlocker, though it depends how you have it set up.
Adding that domain to a custom list and setting it to enable will probably solve it.

Steve

I re-enabled DNSBL, and hope to find the alert.
But where / how do I whitelist?

Offline stephenw10

Re: Pfsense <-> solaredge
« Reply #7 on: October 04, 2017, 04:04:20 pm »
In the DNSBL main tab in pfBlocker there's a section that is collapsed by default, "Custom Domain Whitelist".

Expand that and add the domains you need to not block.

Steve

Offline The cosmic gate

Re: Pfsense <-> solaredge
« Reply #8 on: October 09, 2017, 09:34:11 am »
As above, I entered the custom solaredge URL, but again after a few (probably 3) days monitoring stops ;(

Offline mtarbox

Re: Pfsense <-> solaredge
« Reply #9 on: October 09, 2017, 12:57:20 pm »
We have two systems installed by Vivint.
On one, panels -> wifi expander -> wifi router -> modem -> Vivint.
On the other, panels -> wireless bridge -> wifi router -> modem -> Vivint.
Vivint supplied the wifi expanders, wireless bridges and wifi router.
Nothing goes through my pfSense box.

Offline The cosmic gate

Re: Pfsense <-> solaredge
« Reply #10 on: October 09, 2017, 01:13:54 pm »
Quote from: mtarbox on October 09, 2017, 12:57:20 pm
We have two systems installed by Vivint.
On one, panels -> wifi expander -> wifi router -> modem -> Vivint.
On the other, panels -> wireless bridge -> wifi router -> modem -> Vivint.
Vivint supplied the wifi expanders, wireless bridges and wifi router.
Nothing goes through my pfSense box.

Uhhm, wrong topic?

Offline mtarbox

Re: Pfsense <-> solaredge
« Reply #11 on: October 09, 2017, 01:35:03 pm »
Quote from: The cosmic gate on October 09, 2017, 01:13:54 pm
Quote from: mtarbox on October 09, 2017, 12:57:20 pm
We have two systems installed by Vivint.
On one, panels -> wifi expander -> wifi router -> modem -> Vivint.
On the other, panels -> wireless bridge -> wifi router -> modem -> Vivint.
Vivint supplied the wifi expanders, wireless bridges and wifi router.
Nothing goes through my pfSense box.

Uhhm, wrong topic?

I was just telling you how my system was configured, and wondering why SolarEdge did not do something similar.

Offline The cosmic gate

Re: Pfsense <-> solaredge
« Reply #12 on: October 13, 2017, 05:25:30 am »
At the moment I configured the whitelist:
and
but still, when I enable DNSBL, after 3 days the connection to the solaredge portal is not okay.

Offline stephenw10

Re: Pfsense <-> solaredge
« Reply #13 on: October 17, 2017, 06:07:15 pm »
Hmm, weird that it happens after 3 days... Like maybe it's cached something and only has to re-resolve it then.

How about a different approach? Can you hardcode the DNS servers the SolarEdge is using?

If not, try adding a port forward on the LAN for DNS traffic from the SolarEdge to some other DNS server. Maybe 8.8.8.8, or even run DNSmasq on another port and forward to that.

Steve

Offline The cosmic gate

Re: Pfsense <-> solaredge
« Reply #14 on: October 19, 2017, 05:10:30 am »
Quote from: stephenw10 on October 17, 2017, 06:07:15 pm
Hmm, weird that it happens after 3 days... Like maybe it's cached something and only has to re-resolve it then.

How about a different approach? Can you hardcode the DNS servers the SolarEdge is using?

If not, try adding a port forward on the LAN for DNS traffic from the SolarEdge to some other DNS server. Maybe 8.8.8.8, or even run DNSmasq on another port and forward to that.

Steve

I should have a look, but I think it's possible to enter the DNS in the SolarEdge inverter; I'll give the Google DNS a try then and hope that solves this problem.