Firewall Friendly

Hi,

I have a firewall at home that is generally sold in the mid-market and also to schools. This firewall, like many in the market, supports a feature called Deep Packet Inspection which allows the firewall to inspect encrypted traffic such as TLS.

This doesn’t work well with the Farmbot web infrastructure. I can never communicate to the message broker. The logical thing is to put in an exception to skip this deep packet inspection for Farmbot traffic. I’m still playing with it but I think this works.

What I would like to request, however, is that Farmbot publish not only the ports required for RabbitMQ, etc., but also the URLs.

I know many schools use the same firewall and I wanted to suggest this as a best practice to make it easier for the Farmbot to work in these environments.

Thanks
Jack

That’s odd... DPI per se shouldn’t be a problem. The firewall logs should describe what needs fixing :confused: (e.g. a policy, perhaps)

I still have to look at the logs to be sure. Typically, if DPI doesn’t work, the logs simply show the inspection taking place but the app or site itself will have a problem in which case you put in an inspection for that particular URL. Once I have my repeater in place, I’ll double check with DPI back on.

Thanks
Jack

Interesting. If I don’t bypass DPI for *.rmq.cloudamqp.com then I can’t connect to the cloud broker.

When I do bypass it, things work. In this case, I’m still running an HTTPS proxy but not doing DPI.

I can create a recording if that helps. I’m still cleaning up policies. I got thrown off because my WiFi repeater was doing strange things with DHCP. Now that I’m wired, I want to go through everything again but maybe not until this weekend. The test against *.rmq.cloudamqp.com was on wired connection, however.

request … that Farmbot publish not only the ports required for RabbitMQ, etc., but also the URLs

@jrwaters Have you seen this document already? If there are some URLs or ports missing, I would be happy to update the document. As far as I know, it is still up to date. Please let me know if you have found any discrepancies.


Hi @RickCarlino

I had not seen that document and it is just what I was looking for. The good news is that the configuration for my WatchGuard Firebox wasn’t too bad - even using an HTTPS proxy and deep packet inspection. The biggest issue (as I alluded to before) was a WiFi repeater. In that instance I believe I had marginal RSSI and the repeater was disassociating me. I got everything working with a looooonnnng Ethernet cable and then disabled the Asus Roaming Assistant and WiFi appears to be stable now.

For reference, if anyone else is using a WatchGuard Firebox, the default policies allow outbound traffic (though security services such as AV, IPS, Geolocation, etc. are still applied). So I didn’t have to explicitly open any ports. In the end, I only had to configure one DPI exception for *.rmq.cloudamqp.com.

Great document and I definitely consider this request closed.

Best
Jack

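A small diagnostic for the situation described in this thread, added here as an example and not code from FarmBot or WatchGuard: it opens a TLS connection to the broker endpoint and reports whether the certificate presented was issued by the expected public CA or re-signed by a DPI proxy, which is what a missing DPI exception looks like from the client side. The host, port and expected issuer names are assumptions to be replaced with the values from the FarmBot ports document and your own environment.

```python
# Added example: detect DPI re-signing of the broker's TLS certificate.
# Not part of the FarmBot project; host/port/issuer names below are assumptions.
import socket
import ssl


def _names(name_tuples):
    """Flatten the ((('commonName', 'x'),), ...) structure of ssl.getpeercert()."""
    return {k: v for rdn in name_tuples for k, v in rdn}


def classify_cert(cert, expected_issuer_orgs):
    """Return 'direct', 'intercepted' or 'unknown' for a getpeercert()-style dict.

    A DPI firewall terminates TLS and re-signs the server certificate with its
    own CA, so the issuer organization no longer matches the public CA that the
    real broker uses. Comparing the issuer is enough to tell the two apart."""
    issuer = _names(cert.get("issuer", ()))
    org = issuer.get("organizationName", "")
    if org in expected_issuer_orgs:
        return "direct"
    if org:
        return "intercepted"
    return "unknown"


def probe(host, port=5671, expected_issuer_orgs=frozenset(), timeout=5.0):
    """Connect with TLS, fetch the peer certificate and classify it.

    Certificate verification stays enabled on purpose: if the firewall's CA is
    not trusted on this machine, the handshake fails here the same way the
    FarmBot client's connection to the broker fails behind DPI."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "untrusted", {"error": str(exc)}
    return classify_cert(cert, expected_issuer_orgs), _names(cert.get("issuer", ()))


if __name__ == "__main__":
    import sys
    # Placeholder broker name and port (AMQPS assumed); take the real values
    # from the FarmBot ports document. Expected CA name is also a placeholder.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.rmq.cloudamqp.com"
    verdict, issuer = probe(target, expected_issuer_orgs={"Example Public CA"})
    print(f"{target}: {verdict} issuer={issuer}")
```

A verdict of `intercepted` means the firewall's CA is trusted locally but the DPI exception for the broker host is not in effect; `untrusted` means the re-signed (or otherwise broken) chain is rejected outright, which is what the FarmBot device itself sees.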