FingBox disrupting Raspberry Pi’s

niknick
niknick Member, Beta Tester Posts: 18
edited June 4, 2021 in Fingbox #1

A strange and frustrating situation keeps occurring when the following happens.

If a device enters my wifi network which had previously been connected successfully and therefore still has valid wifi credentials, Fingbox of course correctly still blocks the device because I had removed it thinking it would not be connecting again.

In my router logs I can see a long list of DHCP declines, again as I imagine expected behaviour.

I have 3 raspberry pi’s, 2 of which are responsible for network wide DNS via Pi-hole and unbound.

Now when the above situation occurs, all 3 raspberry pi’s suddenly become inaccessible via their Ethernet connections. One of the pi’s also has a wifi connection with which I can still obtain access to it and can see that eth0 has been taken offline.

This brings down my whole network and the only fix is to power off and on the Pi’s assuming of course the reintroduced device is no longer attempting to connect to my network.

It seems to be an effect created by my Fingbox but my question would be why does it only affect the Ethernet connections on the Pi’s?

This is probably an unexpected side effect of normal functionality of the Fingbox but it would be great to understand how it is affecting the Pi’s and what could be done to mitigate this situation.

Thanks for your assistance.

Answers

  • Marc
    Marc Moderator, Beta Tester Posts: 2,652
    Hi @niknick...  I moved this to the Fingbox area for relevance and am tagging @Robin from Fing to see if he can help with the behavior you are observing....
    Thats Daphnee, she's a good dog...
  • niknick

    Great. Thanks Marc

  • niknick
    Hi @Marc @Robin

    Just wondering if you had any thoughts regarding my post. Do you have any ideas as to where I should be looking to identify this issue further? 

    Is this something that needs amending within Fing?

    Thanks
    Nick
  • Marc
    Do you have Fingbox automatically set to block new connections?
  • niknick
    Yes I do. 
  • Marc
    Turn off that feature and see if the problem clears up.  I'm offering it as a troubleshooting step only at this point.
  • Robin_from_Fing
    Robin_from_Fing Administrator, Fing Team Posts: 4,727
    Thanks @Marc
    @niknick
    Apologies for the delay in responding. As you mentioned, when one of your old devices makes the connection again, all 3 Raspberry Pis lose connection, is that right? Have you checked if you have set the correct network size in the Fing app settings?
    Also, instead of removing the unknown device, can you block it in the Fing app and then check if the issue persists? Also, check if there is any firmware pending on your router.
    Robin (Admin at Fing)
    Getting Started? Please refer to Community guidelines & Community User Guides. HAPPY POSTING!!!
  • niknick

    Hi @Robin

    Thank you for your reply.

    That is correct, a previously joined device which knows my wifi credentials but one I have removed from Fing is the cause of the problem.

    I set the network size to /24 since my initial install however I have recently added an additional subnet due to having a HomeKit Router which handles all my Apple HomeKit devices. So now you mention this I guess I should change this setting to /23?

    All firmware on my devices is up to date, I’m pretty fastidious on that.

    If I were to block the device then yes the problem does not present itself. The only reason I haven’t is because I thought that device would not be in my network again. For example a workman doing something in my home who needed temporary wifi at the time.

    I will also try @Marc’s suggestion to turn off auto block and see what happens but I imagine all will be fine as auto block would seem to be the feature inadvertently causing the issue.

    So I wonder if it’s down to network size as you mentioned. I will make that change and observe, thanks for the suggestion.

    I will feedback on how I get on, thank you both for your help thus far.

    Kind regards

    Nick

  • Robin_from_Fing
    @niknick
    Removing a device only ignores the device and deletes it from the Fing App. It means that you do not want to monitor that particular device, but when you rescan the network, if the device is still connected to that network, it will appear again on the network. Removing a device does not delete the device from the network.
  • niknick

    @Robin

    Indeed and that’s exactly my intention as once a temporary user or an old device is no longer on my network I don’t want it listed in my Fing app.

    In the case of a temporary user I don’t have the ability to have them forget my network credentials and of course if they were to return then the issue presents itself immediately.

    Unfortunately there have been quite a few scenarios recently in which this has happened.

    Do you think changing to /23 will be effective or perhaps further investigation is required?

    Thanks again

  • Robin_from_Fing
    @niknick
    Changing the network size could help resolve the issue. If the issue persists, try to assign a static IP address to Fingbox from the router settings and then we can investigate further.
  • niknick

    Thanks @Robin

    I have made the change to network size and will let you know what happens.

    The Fingbox and the Raspberry Pi’s all have static IP addresses from the router. The Pi’s are also set to static mode themselves now too as I thought that might help prevent the problem but it seems this issue can override that too.

  • niknick
    Hi @Robin

    Just following up on this issue. The change made to the network size did not solve the issue unfortunately and I had already issued static IP addresses to my Fingbox and the Pi’s however this problem seems to override those.

    What are the next steps in diagnosing this?

    Thanks
    Nick
  • Robin_from_Fing
    @niknick
    Can you remove Fingbox from the network for 24 hours and then check if the issue persists with Pi's or not? This will help to further isolate the issue.
  • niknick
    @Robin
    I’ve had Fingbox off for a week now and there have not been any occurrences of the issue.
  • Robin_from_Fing
    niknick said:
    @Robin
    I’ve had Fingbox off for a week now and there have not been any occurrences of the issue.
    It seems like both the Raspberry Pi and Fingbox are sharing some ports, which might be causing the issue. You need to have ports 80, 443, 4443, 5671 open so the Fingbox can connect to the Fing Software servers.

    (If you are going to run a speed test, please also have ports 3001, 3002, and 3003 enabled)

    Can you check if the Pi is also using those ports? Thanks

  • niknick

    @Robin

    So when you say open, to my knowledge I have no outbound restrictions on which ports can be opened from my network.

    Are you saying I need to allow those ports inbound to Fingbox?

    The raspberry pi’s use port 80 for the UI of pi-hole but none of the other ports you mentioned.

    So having port 80 in common what is fingbox doing to port 80 on the pi’s?


    Thanks for all your help on this.

  • LarsD
    LarsD Member Posts: 1
    I am chasing a similar problem which started some weeks ago. I am losing the IPv4 address on the Pi on a regular basis (multiple times a day). This is what is shown in the log on the Pi:

    journalctl -u dhcpcd

    output:

    Jul 01 09:11:44 raspberrypi4 dhcpcd[563]: eth0: hardware address f0:23:b9:ec:1f:?? claims 192.168.188.79
    Jul 01 09:11:44 raspberrypi4 dhcpcd[563]: eth0: hardware address f0:23:b9:ec:1f:?? claims 192.168.188.79
    Jul 01 09:11:44 raspberrypi4 dhcpcd[563]: eth0: 10 second defence failed for 192.168.188.79
    Jul 01 09:11:44 raspberrypi4 dhcpcd[563]: eth0: deleting route to 192.168.188.0/24
    Jul 01 09:11:44 raspberrypi4 dhcpcd[563]: eth0: deleting default route via 192.168.188.1
    Jul 01 09:11:44 raspberrypi4 dhcpcd[563]: eth0: probing address 192.168.188.79/24
    Jul 01 09:11:44 raspberrypi4 dhcpcd[563]: eth0: hardware address f0:23:b9:ec:1f:?? claims 192.168.188.79
    Jul 01 09:11:45 raspberrypi4 dhcpcd[563]: eth0: DAD detected 192.168.188.79


    (Unmasking the MAC: f0:23:b9:ec:1f:?? is the MAC of my Fingbox.) Very strange. It looks like the router wants to assign the same IPv4 address to the Fingbox and this is when my Pi becomes unavailable. When I manually disconnect the Ethernet cable and reconnect it, it works fine again (for some time). I do have Pi-hole installed on that Pi (might be related)? Have there been some FW updates recently on the Fingbox which could be related?
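
A way to summarise address-conflict events like the ones in the dhcpcd log above, added here as an example that is not part of the original post or of Fing's software: it groups dhcpcd's "claims", "defence failed" and "DAD detected" messages per interface and address, and lists which hardware addresses claimed each address the host gave up. The sample log, the host name "pi" and the MAC 02:00:00:aa:bb:01 are constructed.

```python
import re

# Constructed sample in the format of the `journalctl -u dhcpcd` output above.
# Host name "pi" and MAC 02:00:00:aa:bb:01 are made up for this example.
SAMPLE_LOG = """\
Jul 01 09:11:44 pi dhcpcd[563]: eth0: hardware address 02:00:00:aa:bb:01 claims 192.168.188.79
Jul 01 09:11:44 pi dhcpcd[563]: eth0: hardware address 02:00:00:aa:bb:01 claims 192.168.188.79
Jul 01 09:11:44 pi dhcpcd[563]: eth0: 10 second defence failed for 192.168.188.79
Jul 01 09:11:44 pi dhcpcd[563]: eth0: deleting route to 192.168.188.0/24
Jul 01 09:11:44 pi dhcpcd[563]: eth0: deleting default route via 192.168.188.1
Jul 01 09:11:44 pi dhcpcd[563]: eth0: probing address 192.168.188.79/24
Jul 01 09:11:45 pi dhcpcd[563]: eth0: DAD detected 192.168.188.79
"""

LINE = re.compile(r"dhcpcd\[\d+\]: (?P<iface>[\w.-]+): (?P<msg>.*)$")
# MAC octets may be masked with "?", as in the posted log.
CLAIM = re.compile(r"hardware address ((?:[0-9a-f?]{2}:){5}[0-9a-f?]{2}) claims ([\d.]+)", re.I)
DEFENCE = re.compile(r"\d+ second defence failed for ([\d.]+)")
DAD = re.compile(r"DAD detected ([\d.]+)")

def summarize_conflicts(log_text):
    """Group dhcpcd conflict messages per (interface, address)."""
    conflicts, dropped = {}, {}  # dropped: iface -> address just given up
    def entry(iface, ip):
        return conflicts.setdefault((iface, ip), {
            "claimants": {}, "defence_failed": False,
            "dad_detected": False, "routes_deleted": 0})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        iface, msg = m["iface"], m["msg"]
        if c := CLAIM.search(msg):
            macs = entry(iface, c[2])["claimants"]
            macs[c[1].lower()] = macs.get(c[1].lower(), 0) + 1
        elif d := DEFENCE.search(msg):
            entry(iface, d[1])["defence_failed"] = True
            dropped[iface] = d[1]
        elif d := DAD.search(msg):
            entry(iface, d[1])["dad_detected"] = True
        elif msg.startswith("deleting") and "route" in msg and iface in dropped:
            # Route removals carry no address; attribute them to the lost one.
            entry(iface, dropped[iface])["routes_deleted"] += 1
    return conflicts

def lost_addresses(conflicts):
    """Addresses with a failed defence or detected duplicate, plus claimant MACs."""
    return sorted((iface, ip, sorted(info["claimants"]))
                  for (iface, ip), info in conflicts.items()
                  if info["defence_failed"] or info["dad_detected"])

if __name__ == "__main__":
    for iface, ip, macs in lost_addresses(summarize_conflicts(SAMPLE_LOG)):
        print(f"{iface}: lost {ip}, claimed by {', '.join(macs) or 'unknown'}")
```

On a real host the input would be the text of `journalctl -u dhcpcd` instead of `SAMPLE_LOG`; comparing the reported claimant MAC against the known devices on the network shows which one is asserting the address.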

  • Robin_from_Fing
    @niknick
    You need to have both inbound and outbound rules set for the ports needed by Fingbox. If the Pi is using port 80, can you configure the Pi with another port than port 80 and see if the issue persists?
  • niknick

    @Robin

    So I have to open those ports you listed inbound from the Internet into Fingbox?

    I am reluctant to want to open any inbound ports for obvious reasons and in all the time I have had Fingbox, with the exception of this issue, it has worked perfectly fine without these ports open inbound and with showing any errors.

    I would imagine if not having them open all this time I would have received some notifications in the app to say Fingbox cannot function properly?

    Does this also mean therefore that any other device on my network using any of the four ports would potentially have an issue? So far it’s limited to the Pis but I do have other devices that use port 80 for example. And in this situation when Fingbox is blocking would I be exposing port 80 etc on all devices to the internet?

    I wish to understand the requirement a bit more as it may be my understanding that’s not right so sorry for the questions but I just want to be very sure I am correctly implementing what you have asked.


    @LarsD

    Thanks for sharing your experience of a similar situation. You seem to have been able to get further along with analysing the Pi’s. I wasn’t aware of the disconnect and connect technique however on mine as I have PoE I can’t try right away.

    Have you had any thoughts on what’s triggering it for you? With me it’s when a device I have removed from Fingbox but still retains my wifi credentials then rejoins and Fingbox attempts to auto block it but the device knowing the credentials keeps persisting.

  • niknick

    @Robin

    I was wondering if you had a chance to review my message? My Fingbox has been off for over a week now and of course that’s worrying.

    I just wanted to make sure I fully understand what your recommendation is regarding the ports which I outlined in my last message as to my concerns or misunderstanding.

    I reviewed again the documentation and while it mentions outbound possibilities there is no mention of any inbound requirements. And it would seem contrary to the whole vulnerability test etc.

    “Due to the distributed and resilient design of Fing services, we recommend giving Fing app and Fingbox access to the full Internet. If you want to limit outbound connections and still ensure minimum functionality, make sure to allow Fingbox to reach any IP address on the following TCP ports: 80, 443, 4443, 5671.”


    I have not limited outbound connections so Fingbox does have access to the full internet as suggested.

    Look forward to hearing from you.

  • mozarella
    mozarella Member, Beta Tester Posts: 128
    I had some trouble with the autoblock feature, too. Actually I don't see any difference between blocking a new device and blocking an existing device. In my case, blocked devices ask for a dynamic IP address many times. Because the DHCP is answering and Fingbox is returning (I guess) this will cause BAD_ADDRESS entries in the DHCP server. Sometimes the scope filled up and no device will get a dynamic IP anymore. I could only solve that problem by blocking the unwanted devices through my network switches (block MAC addresses).
    For more details about my experience: https://community.fing.com/discussion/5424/private-mac-in-ios-14-and-auto-block-new-devices-causes-bad-address#latest

  • niknick
    Hi @mozarella
    Thanks for sharing your scenario. It does have some similarities on what I’m experiencing. In your case, an Apple device with the private MAC address feature enabled would probably yield the same effect as in my situation, where a device that was once in Fing and I then removed, for then some time later to come back and as it knows my WiFi credentials it attempts to connect but of course Fing blocks it as a new device. 

    It’s simply the situation where a device has the correct WiFi credentials but as far as Fing is concerned it’s a new device to block. In this situation my router logs multiple dhcp-decline errors and all 3 Ethernet connections on my 3 pi’s stop responding. Their WiFi interfaces continue fine but as two of the three pis are responsible for dns (Pi-hole and unbound) and do that via their Ethernet connections, my whole network becomes unusable till I reboot the pis and remove the device from attempting to connect.

    @LarsD suggests that disconnecting the Ethernet cable and reconnecting solved a similar issue he had however mine are also tied into PoE but I do want to try and test this.

    @Robin I have not heard from you following my two messages wishing to clarify your instructions to open inbound ports. In the time I have been using Fingbox I have been extremely satisfied with the product with this being the only exception. I hope we can pick up where we left off as I am with regret starting to think about finding an alternative solution to Fing, but I really hope we can find the solution to this. 

    Thank you all
    kind regards 

    Nick 

  • Robin_from_Fing
    @niknick
    As you mentioned, there are no restrictions on the outbound rules to the Fingbox, and if none of the ports are being shared by the Pi and Fingbox then it should not create any issues. In a few cases, we have seen that the inbound rules have helped users and thus I suggested that.

    I will seek further advice on this and get back to you with an update. Thanks

