Gen 3 - IP address connecting to

Quick background. I have the Rachio locked down via a firewall with only the required outbound ports opened. I also go one step more: I only allow Rachio to open a connection to specific IP address(es).

When I set up the Gen 3 this spring, only a single IP address was required in the router/firewall rules. It ran trouble free until I had to do some WIFI updates and my WIFI was up/down multiple times over a weekend/week. Now the Gen 3 is wanting to talk to multiple IPs (port 8883) at initial connection establishment. When it cannot reach an IP, it will time out and go to the next IP to try. The problem is the Gen 3 won’t default on boot up to a consistent IP. I find that every reboot I have to add another IP to the “whitelist”. Perhaps there is now a list of IPs for the Gen 3 to try in the initial connection process?

Has something changed in the last month? Is there a list of IPs that the Gen3 wants to connect to? Any way I can limit the IPs to 1 or 2? Or default it to a consistent IP on boot up?

This is not going to work with most services in today’s world when the servers are hosted virtually in the cloud. I’m currently getting:

$ nslookup rach.io
Server:         1.1.1.1
Address:        1.1.1.1#53

Non-authoritative answer:
Name:   rach.io
Address: 13.227.45.18
Name:   rach.io
Address: 13.227.45.97
Name:   rach.io
Address: 13.227.45.5
Name:   rach.io
Address: 13.227.45.9

These addresses are owned by AWS. You can find the list of IP’s you’ll need to allow at https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html.

2 Likes

Like @robnielsen said, in today’s world of the cloud, I’m not sure it is feasible to really lock devices down like that. Rachio, and MANY other cloud-based products, utilize AWS, and I suppose there is a chance things change on occasion.

So, a bit more digging at the packet level. Rachio has a static host name that it queries which is hosted in AWS. DNS responses from AWS do return different IPs, but it would seem to currently rotate among a few. However, with AWS that could certainly change, which is probably what I ran into. Transitioned the firewall rules to that host name and all is good. I do have a timing race condition since my firewall/router caches DNS and updates only every 5 minutes, but so far the Rachio connects first time every time.

Perhaps I am being a bit paranoid with my lock down, but it is what it is.
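The two approaches in this thread (checking resolved addresses against the published AWS ranges, and driving the firewall rule from the host name with a periodic re-resolve) can be combined into one small check. The script below is an added example written for this thread, not Rachio code or anything from AWS: the ip-ranges excerpt is a constructed sample in the shape of ip-ranges.json (the real file is linked above and is much larger), the resolver is a stand-in that returns the four A records from the nslookup output above so the example runs offline, and the refresh-interval figure of 300 seconds comes from the "every 5 minutes" in the post.

```python
import ipaddress
import json
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed excerpt in the shape of AWS's ip-ranges.json. These prefixes are sample
# values chosen for the example, not copied from the real file.
SAMPLE_IP_RANGES = json.dumps({
    "prefixes": [
        {"ip_prefix": "13.224.0.0/14", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "52.94.0.0/22", "region": "us-east-1", "service": "AMAZON"},
    ]
})

# Constructed resolver answers: the four A records shown in the thread's nslookup output.
SAMPLE_DNS_ANSWERS: Dict[str, List[str]] = {
    "rach.io": ["13.227.45.18", "13.227.45.97", "13.227.45.5", "13.227.45.9"],
}

Prefix = Tuple[ipaddress.IPv4Network, str, str]


def load_prefixes(ip_ranges_json: str) -> List[Prefix]:
    """Parse the IPv4 'prefixes' array of an ip-ranges.json document."""
    doc = json.loads(ip_ranges_json)
    return [(ipaddress.IPv4Network(p["ip_prefix"]), p["service"], p["region"])
            for p in doc["prefixes"]]


def classify(addresses, prefixes: List[Prefix]) -> Dict[str, Optional[Tuple[str, str]]]:
    """For each address, the (service, region) of the first matching AWS prefix, or None
    when the address is in no published range (worth a look before allowing it)."""
    result: Dict[str, Optional[Tuple[str, str]]] = {}
    for addr in addresses:
        ip = ipaddress.IPv4Address(addr)
        result[addr] = next(((svc, reg) for net, svc, reg in prefixes if ip in net), None)
    return result


def sample_resolver(hostname: str) -> List[str]:
    """Stand-in for a real DNS lookup (hypothetical; keeps the example offline)."""
    return SAMPLE_DNS_ANSWERS.get(hostname, [])


def refresh_allowlist(current: Set[str], hostname: str,
                      resolve: Callable[[str], List[str]],
                      prefixes: List[Prefix]) -> Dict[str, Set[str]]:
    """One refresh tick of a hostname-based rule: re-resolve, diff against the rule's
    current address set, and flag any answer that is outside the published AWS ranges."""
    desired = set(resolve(hostname))
    verdicts = classify(desired, prefixes)
    return {
        "add": desired - current,
        "remove": current - desired,
        "not_in_aws": {a for a, v in verdicts.items() if v is None},
    }


def worst_case_lag_seconds(dns_ttl: int, refresh_interval: int) -> int:
    """Upper bound on how long the rule can lag a record change: an upstream cache may
    serve the old answer for up to the TTL, then the firewall may wait a full refresh
    interval before re-resolving. This is the race condition described in the post."""
    return dns_ttl + refresh_interval


if __name__ == "__main__":
    prefixes = load_prefixes(SAMPLE_IP_RANGES)
    # Constructed starting state: one address already allowed, one stale leftover.
    plan = refresh_allowlist({"13.227.45.18", "198.51.100.7"}, "rach.io",
                             sample_resolver, prefixes)
    print("add:", sorted(plan["add"]))
    print("remove:", sorted(plan["remove"]))
    print("not in AWS ranges:", sorted(plan["not_in_aws"]))
    print("worst-case lag with 60 s TTL and 300 s refresh:",
          worst_case_lag_seconds(60, 300), "s")
```

The `not_in_aws` set is the defensive part: a hostname-driven rule follows whatever DNS returns, so an answer that lands outside the published ranges is the thing to alert on rather than silently allow. The lag calculation makes the trade-off in the post explicit: shortening the firewall's refresh interval, or matching it to the record's TTL, narrows the window in which a boot-time connection can hit an address the rule has not yet learned.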

@alecsmn - one is not paranoid if people are really after them.

1 Like