Roomba gets stuck on firewall rules

Hi,

I have been struggling with my firewall setup; something that I don't see is denying access to my robot vacuum cleaner (iRobot). The robot is supposed to use the MQTT ports (1883, 8883), both opened, still no success. The vacuum cleaner is paired successfully but it keeps resetting all the time from what I have seen in tcptrack. Even when I allow all TCP ports for its specific IP (192.168.178.51) it doesn't work. When I modify the drop-all rule to not drop TCP ports, everything works accordingly.

I don’t know if Docker can cause this because of rerouting rules.

Home Assistant is set up on the host network, and the Docker docs state that no rules are added for the host network.

tcptrack shows ESTABLISHED then RESET on port 8883.

Here are the rules:

# Generated by iptables-save v1.8.9 (nf_tables) on Fri Oct 25 18:20:10 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [10711:2393709]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -s 192.168.178.51/32 -p tcp -m tcp --sport 8883 -j ACCEPT
-A INPUT -s 192.168.178.51/32 -p tcp -m tcp --sport 1883 -j ACCEPT
-A INPUT -s 192.168.178.94/32 -p tcp -m tcp --dport 7000 -j ACCEPT
-A INPUT -s 192.168.178.90/32 -p tcp -m tcp --dport 7000 -j ACCEPT
-A INPUT -s 192.168.178.87/32 -p tcp -m tcp --dport 7000 -j ACCEPT
-A INPUT -s 192.168.178.0/24 -p tcp -m tcp --sport 7000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -s 192.168.178.0/24 -p udp -m udp --dport 1900 -j ACCEPT
-A INPUT -s 192.168.178.0/24 -p tcp -m tcp --dport 35247 -j ACCEPT
-A INPUT -s 192.168.178.0/24 -p udp -m udp --dport 2049 -j ACCEPT
-A INPUT -s 192.168.178.0/24 -p udp -m udp --dport 57316 -j ACCEPT
-A INPUT -s 192.168.178.0/24 -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -s 192.168.178.0/24 -p udp -m udp --dport 111 -j ACCEPT
-A INPUT -s 192.168.178.0/24 -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -s 192.168.178.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.178.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.178.0/24 -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -s 192.168.178.0/24 -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.178.51/32 -p tcp -j ACCEPT
-A INPUT -s 192.168.178.107/32 -p tcp -m tcp --sport 6053 -j ACCEPT
-A INPUT -s 192.168.178.0/24 -p tcp -m tcp --dport 8123 -j ACCEPT
-A INPUT -s 192.168.178.0/24 -p udp -m udp --sport 5353 -j ACCEPT
-A INPUT -s 192.168.178.0/24 -p udp -m udp --sport 5678 -j ACCEPT
-A INPUT -s 192.168.178.0/24 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p udp -m udp --dport 5656 -j ACCEPT
-A INPUT -p udp -m udp --dport 5678 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-8de03e914fdc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-8de03e914fdc -j DOCKER
-A FORWARD -i br-8de03e914fdc ! -o br-8de03e914fdc -j ACCEPT
-A FORWARD -i br-8de03e914fdc -o br-8de03e914fdc -j ACCEPT
-A FORWARD -o br-6d3d9ad54a10 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-6d3d9ad54a10 -j DOCKER
-A FORWARD -i br-6d3d9ad54a10 ! -o br-6d3d9ad54a10 -j ACCEPT
-A FORWARD -i br-6d3d9ad54a10 -o br-6d3d9ad54a10 -j ACCEPT
-A FORWARD -o br-4085b7309d37 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-4085b7309d37 -j DOCKER
-A FORWARD -i br-4085b7309d37 ! -o br-4085b7309d37 -j ACCEPT
-A FORWARD -i br-4085b7309d37 -o br-4085b7309d37 -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-6d3d9ad54a10 -o br-6d3d9ad54a10 -p tcp -m tcp --dport 8989 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-4085b7309d37 -o br-4085b7309d37 -p tcp -m tcp --dport 8096 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-6d3d9ad54a10 -o br-6d3d9ad54a10 -p tcp -m tcp --dport 6767 -j ACCEPT
-A DOCKER -d 172.18.0.4/32 ! -i br-6d3d9ad54a10 -o br-6d3d9ad54a10 -p tcp -m tcp --dport 7878 -j ACCEPT
-A DOCKER -d 172.18.0.5/32 ! -i br-6d3d9ad54a10 -o br-6d3d9ad54a10 -p tcp -m tcp --dport 5055 -j ACCEPT
-A DOCKER -d 172.19.0.3/32 ! -i br-4085b7309d37 -o br-4085b7309d37 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.0.7/32 ! -i br-6d3d9ad54a10 -o br-6d3d9ad54a10 -p tcp -m tcp --dport 6881 -j ACCEPT
-A DOCKER -d 172.18.0.7/32 ! -i br-6d3d9ad54a10 -o br-6d3d9ad54a10 -p udp -m udp --dport 6881 -j ACCEPT
-A DOCKER -d 172.18.0.7/32 ! -i br-6d3d9ad54a10 -o br-6d3d9ad54a10 -p tcp -m tcp --dport 8112 -j ACCEPT
-A DOCKER -d 172.18.0.7/32 ! -i br-6d3d9ad54a10 -o br-6d3d9ad54a10 -p tcp -m tcp --dport 58846 -j ACCEPT
-A DOCKER -d 172.18.0.8/32 ! -i br-6d3d9ad54a10 -o br-6d3d9ad54a10 -p tcp -m tcp --dport 9696 -j ACCEPT
-A DOCKER -d 172.18.0.9/32 ! -i br-6d3d9ad54a10 -o br-6d3d9ad54a10 -p tcp -m tcp --dport 8191 -j ACCEPT
-A DOCKER -d 172.18.0.6/32 ! -i br-6d3d9ad54a10 -o br-6d3d9ad54a10 -p tcp -m tcp --dport 9443 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-8de03e914fdc ! -o br-8de03e914fdc -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-6d3d9ad54a10 ! -o br-6d3d9ad54a10 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-4085b7309d37 ! -o br-4085b7309d37 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-8de03e914fdc -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-6d3d9ad54a10 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-4085b7309d37 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Fri Oct 25 18:20:10 2024
# Generated by iptables-save v1.8.9 (nf_tables) on Fri Oct 25 18:20:10 2024
*nat
:PREROUTING ACCEPT [22782:2419468]
:INPUT ACCEPT [648:118513]
:OUTPUT ACCEPT [1747:179187]
:POSTROUTING ACCEPT [1779:182122]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.20.0.0/16 ! -o br-8de03e914fdc -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-6d3d9ad54a10 -j MASQUERADE
-A POSTROUTING -s 172.19.0.0/16 ! -o br-4085b7309d37 -j MASQUERADE
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 8989 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p tcp -m tcp --dport 8096 -j MASQUERADE
-A POSTROUTING -s 172.18.0.3/32 -d 172.18.0.3/32 -p tcp -m tcp --dport 6767 -j MASQUERADE
-A POSTROUTING -s 172.18.0.4/32 -d 172.18.0.4/32 -p tcp -m tcp --dport 7878 -j MASQUERADE
-A POSTROUTING -s 172.18.0.5/32 -d 172.18.0.5/32 -p tcp -m tcp --dport 5055 -j MASQUERADE
-A POSTROUTING -s 172.19.0.3/32 -d 172.19.0.3/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.18.0.7/32 -d 172.18.0.7/32 -p tcp -m tcp --dport 6881 -j MASQUERADE
-A POSTROUTING -s 172.18.0.7/32 -d 172.18.0.7/32 -p udp -m udp --dport 6881 -j MASQUERADE
-A POSTROUTING -s 172.18.0.7/32 -d 172.18.0.7/32 -p tcp -m tcp --dport 8112 -j MASQUERADE
-A POSTROUTING -s 172.18.0.7/32 -d 172.18.0.7/32 -p tcp -m tcp --dport 58846 -j MASQUERADE
-A POSTROUTING -s 172.18.0.8/32 -d 172.18.0.8/32 -p tcp -m tcp --dport 9696 -j MASQUERADE
-A POSTROUTING -s 172.18.0.9/32 -d 172.18.0.9/32 -p tcp -m tcp --dport 8191 -j MASQUERADE
-A POSTROUTING -s 172.18.0.6/32 -d 172.18.0.6/32 -p tcp -m tcp --dport 9443 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-8de03e914fdc -j RETURN
-A DOCKER -i br-6d3d9ad54a10 -j RETURN
-A DOCKER -i br-4085b7309d37 -j RETURN
-A DOCKER ! -i br-6d3d9ad54a10 -p tcp -m tcp --dport 8989 -j DNAT --to-destination 172.18.0.2:8989
-A DOCKER ! -i br-4085b7309d37 -p tcp -m tcp --dport 8096 -j DNAT --to-destination 172.19.0.2:8096
-A DOCKER ! -i br-6d3d9ad54a10 -p tcp -m tcp --dport 6767 -j DNAT --to-destination 172.18.0.3:6767
-A DOCKER ! -i br-6d3d9ad54a10 -p tcp -m tcp --dport 7878 -j DNAT --to-destination 172.18.0.4:7878
-A DOCKER ! -i br-6d3d9ad54a10 -p tcp -m tcp --dport 5055 -j DNAT --to-destination 172.18.0.5:5055
-A DOCKER ! -i br-4085b7309d37 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.19.0.3:443
-A DOCKER ! -i br-6d3d9ad54a10 -p tcp -m tcp --dport 6881 -j DNAT --to-destination 172.18.0.7:6881
-A DOCKER ! -i br-6d3d9ad54a10 -p udp -m udp --dport 6881 -j DNAT --to-destination 172.18.0.7:6881
-A DOCKER ! -i br-6d3d9ad54a10 -p tcp -m tcp --dport 8112 -j DNAT --to-destination 172.18.0.7:8112
-A DOCKER ! -i br-6d3d9ad54a10 -p tcp -m tcp --dport 58846 -j DNAT --to-destination 172.18.0.7:58846
-A DOCKER ! -i br-6d3d9ad54a10 -p tcp -m tcp --dport 9696 -j DNAT --to-destination 172.18.0.8:9696
-A DOCKER ! -i br-6d3d9ad54a10 -p tcp -m tcp --dport 8191 -j DNAT --to-destination 172.18.0.9:8191
-A DOCKER ! -i br-6d3d9ad54a10 -p tcp -m tcp --dport 9443 -j DNAT --to-destination 172.18.0.6:9443
COMMIT
# Completed on Fri Oct 25 18:20:10 2024
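The INPUT chain above has no connection-tracking rule: return traffic is accepted purely by source port (--sport 80/443/53 from any address), which lets any packet that merely carries such a source port past the firewall, while replies to a connection whose port is not listed are dropped. The following is an added example, not code from the thread: a POSIX shell audit (grep and awk only) that counts source-port accepts in a constructed, trimmed copy of that chain and emits a stateful rewrite, replacing the TCP --sport accepts with a conntrack rule and deliberately keeping the UDP ones, because responses to multicast/broadcast queries such as mDNS on 5353 are not tracked as replies.

```shell
# Added example (not from the thread): audit an iptables-save INPUT chain that
# relies on source-port matching instead of connection tracking, and emit a
# stateful rewrite. Assumes POSIX sh, grep and awk only.

# Constructed sample: a trimmed copy of the INPUT chain posted above.
SAMPLE_RULES='-A INPUT -s 192.168.178.51/32 -p tcp -m tcp --sport 8883 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s 192.168.178.0/24 -p udp -m udp --sport 5353 -j ACCEPT
-A INPUT -j DROP'

# Number of INPUT ACCEPT rules keyed on --sport. Each one admits any packet
# carrying that source port, whatever its state, so the count is a risk score.
count_sport_accepts() {
  printf '%s\n' "$1" | grep -c -e '^-A INPUT .*--sport .*-j ACCEPT' || true
}

# Succeeds if the chain already accepts RELATED,ESTABLISHED via conntrack.
has_conntrack_rule() {
  printf '%s\n' "$1" | grep -q -e '^-A INPUT .*--ctstate .*ESTABLISHED.*-j ACCEPT'
}

# Rewrite: put a conntrack accept (and an INVALID drop) first, then remove the
# TCP --sport accepts it makes redundant. UDP --sport rules are kept on purpose:
# replies to multicast/broadcast queries (mDNS on 5353 here) are not tracked as
# replies, so they still need an explicit rule. Everything else passes through.
stateful_rewrite() {
  printf '%s\n' "$1" | awk '
    BEGIN {
      print "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
      print "-A INPUT -m conntrack --ctstate INVALID -j DROP"
    }
    /^-A INPUT .*-p tcp .*--sport .*-j ACCEPT/ { next }
    { print }'
}

# Typical use (not run here): feed the live chain through the audit and review
# the rewrite before applying it (e.g. with iptables-restore --test first).
#   sudo iptables-save | grep '^-A INPUT ' > /tmp/input.rules
#   count_sport_accepts "$(cat /tmp/input.rules)"
#   stateful_rewrite "$(cat /tmp/input.rules)"
```

The rewrite is a starting point for review, not a drop-in replacement: any rule that accepts by destination port for a service the host really offers (8123, 2049, 445 and so on above) is left untouched and still needs to be justified on its own.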

Broadcast? Multicast? IPv6?

I'm not really sure what you're asking. Broadcast and multicast work in my subnet. I don't get any response from the Roomba (192.168.178.51) when I ping on multicast or broadcast, even without firewall rules.
I don't use IPv6; it's connected as IPv4 only.

Looking back at my own MQTT logs, it seems to be standard that it disconnects all the time, so that is not it.
Maybe you need to research the MQTT protocol. It might be opening extra connections, like in the opposite direction.