Access Node Red from two subnets

I have two subnets, 192.168.100.x and 192.168.200.x behind a commercial firewall. Node Red is running on the first subnet on a Pi with static IP 192.168.100.100. I can connect to Node Red without any problems from any device on the first subnet. However, when I try to browse to Node Red at 192.168.100.100:1880/ui from any device on the second subnet the connection times out. The commercial firewall is configured to provide routing between the two subnets and I have an "allow all" rule installed on the firewall for traffic between the two subnets. I can "ping" from devices on the 192.168.200.x subnet to the Node Red Pi at 192.168.100.100 and I can also "ping" from the Node Red Pi to devices on the 192.168.200.x subnet. Is there something I have to do to configure Node Red to support the second subnet? Thanks!

Possibly the router is not forwarding port 1880.

What is the point of having separate subnets and a commercial firewall if you then just allow-all between them?

2 Likes

It's set to forward all ports...

The "allow all" is for testing. Normally the two subnets are isolated.

Well if ping works but not 1880 then something is blocking it. I think it must be either a firewall on the client or server, or the router.
Use network monitor software to work out which.

When you say allow all - have you put that as part of a stateful filter ?

When someone says to me FORWARD rather than ALLOW that says to me that you are doing some form of NAT between the subnets - for that to work you will have to ensure that Stateful packet filtering is enabled for traversal.

What firewall is it ?

Craig

In my simple world :slight_smile: no two private subnets should be able to access each other - that's the point of having separate subnets :slight_smile:

All things are usually possible of course, but any solution is going to be a security nightmare

Like I say - I live in a simple world :slight_smile:

1 Like

Well one of the purposes of private subnets is separation of concerns.

I would always expect to see a firewall between two subnets - even though these days, that might be a virtualised firewall (for example, at work, we have some ÂŁ1/4m Fortigate enterprise firewall appliances that support a number of ways of presenting virtual firewalls).

But it is common to need to provide restricted connections between subnets. In the industrial IoT world for example, it is common to have the IoT devices (which often have limited security features available) on their own subnet but to have the central sevices like MQTT on a more secure subnet. Kind of like an internal DMZ. Similarly, in regulated industries such as finance, it is common to use segregated subnets with connecting firewalls to keep things like customer web services separate from card processing and both separate from core banking.

1 Like

You live and learn :slight_smile:

1 Like

That's why we geeks enjoy IT so much :rofl:

1 Like

The firewall is a Sonicwall TZ400. No nat-ing between the subnets.

To eliminate possible issues with the firewall or network infrastructure, I set up two SD cards each with a 'clean' copy of the Raspberry O/S. I then installed NodeRed on one using the command:

bash <(curl -sL https://raw.githubusercontent.com/node-red/linux-installers/master/deb/update-nodejs-and-nodered)

On the other I did a basic installation of the NGINX web server and configured it to use port 1880. The OS copies on both SD cards are configured for the same IP address.

When I boot the Pi using the SD card that has NodeRed, I have the same problem as before -- I can connect to it from devices on the same subnet but not from devices on the second subnet. Asbefore, pings from either subnet to the PI with NodeRed on it are successful.

When I boot the Pi using the SD card that has NGINX, I can connect from any device on either subnet.

So, same Pi, same IP, same Port but NGINX works while NodeRed fails. Does NodeRed install some type of software firewall that would block traffic from a 'foreign' subnet? Or ???

Also ... the reason I am using two subnets is because I live in an area where my WiFi signal is accessible from adjacent properties. I have my WiFi on one subnet and have the computers that have personal data on a second, wired, subnet. That way if an outsider manages to hack into my WiFi network, they would still need to get through the firewall to get to my personal stuff. The firewall allows both subnets to access the internet while isolating the WiFi connections from the wired connections.

No.

Not sure what is happening, you may need to trawl through the firewall logs.

A workaround would be to use NGINX as a reverse proxy for Node-RED, see if that works, not too hard to set up, you should be able to find the instructions online.

Do you have access to Wireshark and can you do port mirroring either on your switch or through the sonicwall ?

Hav you tried to disable the software firewall on the Pi ? I imagine the install of NGINX would punch some holes in the software firewall on Debian - whereas NR might not.

Having said that i have 4 subnets/vlans here and other than making sure the default route was set correctly i have done nothing with the software firewalls on any of them - two of them host RPis with NR on them

Traffic between the subnets goes through my OpnSense internal firewall and is pretty restricted.

Craig

Hi, Craig;

Thanks for the suggestions. The only firewall that I am aware of on the Pi is "iptables". When I query it the response is the same on both the NGINX and NR configurations:

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

As far as I can see, that means there are no rules defined and 'anything goes'. I have found nothing to suggest that the NodeRed installation also installs a different firewall.

My SonicWall has a built-in packet packet monitoring feature and it shows traffic directed to NodeRed arriving from the second subnet and being delivered to the subnet containing NodeRed, but no traffic in the other direction. So, the problem appears to be in the interface between the Pi and the WiFi network. However, I don't know whether NodeRed is not receiving the inbound traffic for some reason or if its response is being blocked from exiting the Pi. Do you know if there is a NodeRed log file that would show the IP's of queries it is receiving?

BTW .when I boot the Pi with the NGINX image, the Sonicwall shows traffic going both directions as expected.

For testing purposes I have disabled the "Allow All" rule between the two subnets and replaced it with an "Allow all addresses and ports inbound from subnet 2 to NodeRed's IP" rule and an "Allow all ports outbound to all addresses on subnet 2 from NodeRed's IP" rule. As expected, when those rules are disabled NGINX is inaccessible and when they are enabled it works. Changing the rules didn't affect the behavior of the NodeRed installation.

It is helpful to know that the Pi's running NodeRed on your subnets communicate as expected. That suggests that there is no inherent restriction in NodeRed that would cause subnetting to fail.

At least I am learning more about how NodeRed works!

Does the Pi's network interface (wifi?) have the correct default router defined? If the SonicWall is acting as the router, the Pi should point to that as the default router I believe.

ip route | grep default

Yes, the default route for each of the subnets points to the router’s address on that subnet. That is confirmed by successful pings in both directions.

You dont have both a network cable and the wireless connected do you ?

Craig

Can you show us the full startup log from starting node red in a terminal please? I don't know what might show but we are looking for something unusual here.
Apologies if you have already posted it, I am on my phone and the thread is getting long.
How did you install node red?