marcobag
just joined
Topic Author
Posts: 5
Joined: Sun Sep 12, 2021 9:35 am

Issue with HiSense aircon

Tue Sep 21, 2021 11:34 am

Dear Community,
since I've switched to the MikroTik AC3 I'm able to use all my wireless devices apart from the HiSense aircon, which uses a WiFi module to connect to its cloud.
The module itself is able to join the network, but it seems the traffic is somehow blocked.
I've sniffed all the traffic from those IPs and I've also enabled UPnP; what am I missing?
This is the communication that does not seem to work:
forward: in:ether1 out:bridge, src-mac a4:91:b1:ee:fc:82, proto UDP, 35.158.106.156:55055->10.40.2.1:49162, NAT 35.158.106.156:55055->(10.39.0.10:49162->10.40.2.1:49162), len 68
forward: in:bridge out:ether1, src-mac ca:2c:4f:94:68:08, proto UDP, 10.40.2.1:49162->35.158.106.156:55055, NAT (10.40.2.1:49162->10.39.0.10:49162)->35.158.106.156:55055, len 68
Thanks in advance to anyone who can help me sort this out.
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Issue with HiSense aircon

Thu Sep 23, 2021 1:01 am

The HiSense-Handbook says you should
Contact your local Internet Service Provider (ISP)

:lol: :lol: :lol:

The documentation for the HiSense aircon is pure Bullsh*t.
Check your firewall again and make sure TCP ports 80/443/53/55055/55056 are open.

If it doesn't work, post your config in the forum so we can double check!


P.S.: Unrelated note
If possible, deactivate the UPnP feature!
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Issue with HiSense aircon

Thu Sep 23, 2021 1:26 am

A related note: ports open, from inside to the outside.
 
marcobag
just joined
Topic Author
Posts: 5
Joined: Sun Sep 12, 2021 9:35 am

Re: Issue with HiSense aircon

Thu Sep 23, 2021 11:22 pm

Thank you so much. I know I'm asking a lot, but could you please help me create the suggested rule?
Regards
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Issue with HiSense aircon

Thu Sep 23, 2021 11:57 pm

Thank you so much. I know I'm asking a lot, but could you please help me create the suggested rule?
Regards
No problem!
Post your config in the forum
and we will give you a firewall script.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Issue with HiSense aircon

Fri Sep 24, 2021 12:03 am

This could be as simple as the DNS settings within the HI AIRCON.
If the firmware is coded to provide a domain name that is not in the right format (upper case, lower case, whatever it is),
the MT device will accept the wrong domain name, but when it returns traffic to the HI AIRCON it will fix the domain name and the HI AIRCON will reject it.

Most other vendors just COPY the domain name and provide the copy back.
My suggestion is to try setting DNS to 1.1.1.1 or 8.8.8.8 for that device only and see if you get connectivity then.

As was stated, also please post your config:
/export hide-sensitive file=anynameyouwish
 
marcobag
just joined
Topic Author
Posts: 5
Joined: Sun Sep 12, 2021 9:35 am

Re: Issue with HiSense aircon

Fri Sep 24, 2021 10:02 am

No problem!
Post your config in the forum
and we will give you a firewall script.
Thank you so much! Here is my actual config:
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 \
    protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward dst-address=10.40.0.0/16 src-address=\
    10.41.0.0/16
add action=drop chain=forward dst-address=10.41.0.0/16 src-address=\
    10.40.0.0/16
/ip firewall mangle
add action=mark-packet chain=forward comment="VOIP DL PACKET" dst-address=\
    10.0.0.0/8 new-packet-mark=VOIP-DL-PACKET passthrough=no \
    src-address-list="VoIP Services"
add action=mark-packet chain=forward comment="VOIP UL PACKET" \
    dst-address-list="VoIP Services" new-packet-mark=VOIP-UL-PACKET \
    passthrough=no src-address=10.0.0.0/8
add action=mark-connection chain=forward comment=\
    "WAN - ALL TRAFFIC DL CONNECTIONS" in-interface=ether1 \
    new-connection-mark=WAN-DL-ALL-CONN passthrough=yes
add action=mark-packet chain=forward comment="WAN - ALL TRAFFIC DL PACKETS" \
    connection-mark=WAN-DL-ALL-CONN dst-address=10.0.0.0/8 new-packet-mark=\
    WAN-DL-ALL-PACKET passthrough=no
add action=mark-connection chain=forward comment=\
    "WAN - ALL TRAFFIC DL CONNECTIONS" new-connection-mark=WAN-UL-ALL-CONN \
    out-interface=ether1 passthrough=yes
add action=mark-packet chain=forward comment="WAN - ALL TRAFFIC UL PACKETS" \
    connection-mark=WAN-UL-ALL-CONN new-packet-mark=WAN-UP-ALL-PACKET \
    passthrough=no src-address=10.0.0.0/8
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat src-address=10.41.0.0/16
/ip route
add distance=1 gateway=10.39.0.254
This could be as simple as the DNS settings within the HI AIRCON.
If the firmware is coded to provide a domain name that is not in the right format (upper case, lower case, whatever it is),
the MT device will accept the wrong domain name, but when it returns traffic to the HI AIRCON it will fix the domain name and the HI AIRCON will reject it.

Most other vendors just COPY the domain name and provide the copy back.
My suggestion is to try setting DNS to 1.1.1.1 or 8.8.8.8 for that device only and see if you get connectivity then.
Thank you, unfortunately I already tried setting up different DNS (used the Cloudflare ones) but it seems it doesn't help.
 
marcobag
just joined
Topic Author
Posts: 5
Joined: Sun Sep 12, 2021 9:35 am

Re: Issue with HiSense aircon

Tue Sep 28, 2021 5:57 pm

Hi guys, just asking if someone could give me some example to put in place... sorry, but I'm very new to MikroTik.
Regards
 
marcobag
just joined
Topic Author
Posts: 5
Joined: Sun Sep 12, 2021 9:35 am

Re: Issue with HiSense aircon

Sat Oct 16, 2021 7:21 pm

Just to update this topic: I've solved the issue. If anyone is facing the same, the solution is simple:
just reset the device CHECKING THE FIELD that prevents the default config from being applied.
There is something in the default config that does not allow communicating with Hisense's servers.
Be prepared, because resetting without the default config means that you need to use Winbox directly connected through LAN to make a basic config.
Regards!
 
MaeKrugern
just joined
Posts: 1
Joined: Mon Dec 27, 2021 7:33 pm

Re: Issue with HiSense aircon

Tue Dec 28, 2021 5:48 pm

Hello, marcobag! I also had the same kind of trouble with the Mikrotik AC3 system.
 
stassi4ek
just joined
Posts: 2
Joined: Sat Oct 24, 2020 1:16 pm

Re: Issue with HiSense aircon

Wed Sep 07, 2022 10:15 am

Hey, guys. I have the same problem. Maybe someone knows how to fix it without a router reset?
I created a few rules and they opened port 53, but 55055 and 55056 are still closed even with similar rules. Don't know why. For port testing I use telnet www.example.com 55055.
Also I enabled UPnP as a variant of fix, but this also didn't help.

My config is:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=55055 protocol=tcp to-addresses=192.168.88.1 to-ports=55055
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp to-addresses=192.168.88.1 to-ports=53
add action=dst-nat chain=dstnat dst-port=55056 protocol=tcp to-addresses=192.168.88.1 to-ports=55056
add action=src-nat chain=srcnat protocol=tcp src-port=55056 to-addresses=192.168.88.1 to-ports=55056
add action=src-nat chain=srcnat protocol=tcp src-port=55055 to-addresses=192.168.88.1 to-ports=55055
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Issue with HiSense aircon

Wed Sep 07, 2022 11:18 am

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=55055 protocol=tcp to-addresses=192.168.88.1 to-ports=55055
add action=dst-nat chain=dstnat dst-port=55056 protocol=tcp to-addresses=192.168.88.1 to-ports=55056

These rules set the router as the target of NATed packets ... which is not what you want. You have to set the to-addresses property to the IP address of your aircon. Before doing it, make sure the aircon gets the same IP address every time ... by setting the appropriate DHCP lease to be static.

If you want to limit the NAT rules to only act on packets originally targeting the router (as you should), then add another property: dst-address=<router's WAN IP address> (it'll work if the router's WAN IP address doesn't change) or in-interface-list=WAN (assuming you still maintain the WAN interface list, as you should). Both properties will fail if you want to control the aircon using the WAN IP address while inside the LAN; in this case you have to implement hairpin NAT (not overly complex, but not as trivial as simple NAT).
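The corrections described in the post above, written out as RouterOS commands. This is an added example, not configuration from the thread; the aircon MAC address, the 192.168.88.50 lease, the 203.0.113.10 WAN address and the default-config DHCP server name "defconf" are assumed placeholders.

```routeros
# Added example, not from the thread. Placeholders: aircon MAC AA:BB:CC:DD:EE:FF,
# reserved LAN address 192.168.88.50, router WAN address 203.0.113.10, and the
# default-config DHCP server "defconf" on 192.168.88.0/24.

# 1. Pin the aircon to one address so the NAT target never drifts.
/ip dhcp-server lease
add address=192.168.88.50 mac-address=AA:BB:CC:DD:EE:FF server=defconf \
    comment="aircon (static lease)"

# 2. Simple case: translate only packets that arrived on a WAN interface,
#    and send them to the aircon rather than to the router itself.
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=55055,55056 \
    action=dst-nat to-addresses=192.168.88.50 comment="aircon: WAN -> aircon"

# 3. Hairpin case (use INSTEAD of step 2) for when a LAN client must reach
#    the aircon through the router's public address. Match on the WAN address
#    kept in an address list (it catches both WAN- and LAN-originated hits),
#    and masquerade the LAN-originated ones so the aircon's replies return
#    via the router instead of going direct to the client.
/ip firewall address-list
add list=wan-ip address=203.0.113.10 comment="placeholder: router WAN address"
/ip firewall nat
add chain=dstnat dst-address-list=wan-ip protocol=tcp dst-port=55055,55056 \
    action=dst-nat to-addresses=192.168.88.50 comment="aircon: hairpin dst-nat"
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.50 \
    protocol=tcp dst-port=55055,55056 action=masquerade \
    comment="aircon: hairpin src-nat"

# Check: tracked connections on the vendor ports should now show the aircon
# (192.168.88.50) as the translated destination, not the router (192.168.88.1).
/ip firewall connection print where dst-address~":5505"
```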
 
Pomo
just joined
Posts: 14
Joined: Sat Feb 06, 2016 10:09 pm

Re: Issue with HiSense aircon

Thu Nov 02, 2023 6:03 pm

So, changing ISP, and the same issue occurs.
The ISP on which everything is working is just handing out a public IP on my ether1, and that connects to the internet.
ISP2 has a PPPoE connection on VLAN 998 created on ether1.
Only, I have 3 aircons, Fujitsu General.
As I found online, Hisense and Fujitsu have the same basis, Ayla Networks.
https://docs.aylanetworks.com/docs
UPnP does not help.
Tried switching DNS, that did not help.
Ideas?
I will try opening ports for one aircon and see...
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Issue with HiSense aircon

Thu Nov 02, 2023 7:03 pm

This is BS. Any device connects to the cloud of the company and works.
The problem is not the MT, as it does not block outbound traffic heading to the WWW.
The problem may be that the AIRCON device has a hard-coded DNS it needs to reach??

Have you sniffed the traffic leaving the device (perhaps Wireshark)? What DNS is being used, what FQDN / addresses are being looked for??

https://help.mikrotik.com/docs/display/ ... et+Sniffer
https://www.youtube.com/watch?v=9UvFG9nUN0Q

Your config is not complete, what are you trying to hide LOL

/export file=anynameyouwish ( minus router serial number, any public wanip info, keys, long list of dhcp leases etc. )
 
rplant
Member Candidate
Posts: 281
Joined: Fri Sep 29, 2017 11:42 am

Re: Issue with HiSense aircon

Fri Nov 03, 2023 2:45 am

Maybe it is an MTU issue.

/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=ether1 passthrough=yes protocol=tcp tcp-flags=syn

(courtesy anav)
 
Pomo
just joined
Posts: 14
Joined: Sat Feb 06, 2016 10:09 pm

Re: Issue with HiSense aircon

Fri Nov 03, 2023 6:43 am

Resolved this in the meantime.
DNS is the problem, but the DNS packet itself.
Packet sniffing revealed that the response packet is somehow changed when going over the new ISP; I'll attach a picture.
It is the same response packet; both originate from 8.8.8.8. The one on the left is the new ISP, the one on the right is my old ISP. My MT configuration is identical, except for differences in the ISP internet connection: the old one is just a DHCP client, the new one is PPPoE on a VLAN interface.
The aircon is probably hard-coded to receive the packet on the right. Anything changes, and cloud control does not work, even though the DNS response in both cases points to the correct address.
The solution is to transition to DoH, so that the ISP cannot touch DNS packets.
This applies to Fujitsu General and Hisense aircons as far as I know.
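One way to apply the DoH fix from the post above on RouterOS. This is an added example, not configuration from the thread; it assumes RouterOS 6.47 or newer, Cloudflare as the DoH provider, and LAN clients that receive the router as their DNS server via DHCP.

```routeros
# Added example, not from the thread. Assumes RouterOS 6.47 or newer, Cloudflare
# as the DoH provider, and LAN clients that receive the router (192.168.88.1)
# as their DNS server via DHCP.

# 1. Import a CA bundle so the DoH server's certificate can be verified.
#    Without verify-doh-cert=yes an on-path resolver could still be swapped in.
/tool fetch url=https://curl.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""

# 2. Bootstrap: the DoH hostname has to resolve before DoH is working, so pin
#    it statically (Cloudflare's published addresses; confirm they are current).
/ip dns static
add name=cloudflare-dns.com address=104.16.248.249
add name=cloudflare-dns.com address=104.16.249.249

# 3. Resolve over HTTPS, verify the certificate, and keep answering LAN clients.
/ip dns
set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes \
    allow-remote-requests=yes

# 4. Optional: a device that ignores the DHCP-supplied resolver and queries a
#    hard-coded public server directly would still get plain-DNS answers over
#    the ISP path. Redirecting LAN port 53 to the router puts it on DoH too;
#    the router's own DoH traffic is output-chain and unaffected by dstnat.
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="LAN DNS -> router (DoH upstream)"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="LAN DNS -> router (DoH upstream)"

# Check: after a lookup from a LAN client the cache fills, and no plain
# UDP/53 query for that name should be seen leaving ether1.
/ip dns cache print
/tool sniffer quick interface=ether1 port=53
```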