Writing Firewall rules for the Elgato Light

[BigTechDaddy]

Today I purchased an Elgato Key Light. I should prefice this by saying I have a home network with different VLANS, the two you should know about are the IoT and LAN. I should also mention I'm using pfsense as firewall.

I took a PCAP of turning the light on and off a few times.

Here's the firewall rule from LAN to elgato key light, at first I was trying port 80, but then I switched it to any just to see it if would work.

I added a rule from the light on its subnet to any device on LAN

I do have avahi enabled

 

Looking for ideas on how to get this light working across VLANS.

thanks

 

 

[LAwLz]

Are you able to ping the light when you have the firewall rule set to "any"?

[BigTechDaddy]

6 hours ago, LAwLz said:

Are you able to ping the light when you have the firewall rule set to "any"?

Yes I am
PING xx.xx.20.79 (xx.xx.20.79) from xx.xx.50.1: 56 data bytes
64 bytes from xx.xx.20.79: icmp_seq=0 ttl=255 time=2.555 ms
64 bytes from xx.xx.20.79: icmp_seq=1 ttl=255 time=2.480 ms
64 bytes from xx.xx.20.79: icmp_seq=2 ttl=255 time=3.755 ms

--- xx.xx.20.79 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.480/2.930/3.755/0.584 ms

[LAwLz]

58 minutes ago, BigTechDaddy said:

Yes I am
PING xx.xx.20.79 (xx.xx.20.79) from xx.xx.50.1: 56 data bytes
64 bytes from xx.xx.20.79: icmp_seq=0 ttl=255 time=2.555 ms
64 bytes from xx.xx.20.79: icmp_seq=1 ttl=255 time=2.480 ms
64 bytes from xx.xx.20.79: icmp_seq=2 ttl=255 time=3.755 ms

--- xx.xx.20.79 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.480/2.930/3.755/0.584 ms

I see.

 

I did a quick Google search and managed to find this page.

According to it, Elgao products use Bonjou (which in turn uses multicast) for pairing and then HTTP for commands.

 

My guess is that something in the pairing process breaks. I don't have much experience with pfSense and I don't have access to your firewall, but I did find a mention on NetGate's website that pfSense blocks all packets with IP Options set by default. Bonjour 

So if you go into that firewall rule you just made, go to the advanced tab and then click "enable IP options" it might work.

 

 

Once you got everything working, you can probably modify that firewall rule to only allow port TCP/80 and UDP/5353. That should be enough for your Elgato lights.

[BigTechDaddy]

8 hours ago, LAwLz said:

I see.

 

I did a quick Google search and managed to find this page.

According to it, Elgao products use Bonjou (which in turn uses multicast) for pairing and then HTTP for commands.

 

My guess is that something in the pairing process breaks. I don't have much experience with pfSense and I don't have access to your firewall, but I did find a mention on NetGate's website that pfSense blocks all packets with IP Options set by default. Bonjour 

So if you go into that firewall rule you just made, go to the advanced tab and then click "enable IP options" it might work.

 

 

Once you got everything working, you can probably modify that firewall rule to only allow port TCP/80 and UDP/5353. That should be enough for your Elgato lights.

Great idea, I Added another rule for 244.0.0.251 for 5353 coz I saw it reaching out to that too. MDNS

Ok, so I feel like we're making progress.

 

When I connect to the IoT wifi, and then disconnect it stays in the app, I can press it and it will turn the light on, one time I Was able to turn it on and off before it dissapers.

So I know the communication is being made and achieved, however there's some check that happens after the button press which removes it from the interface.

 

Thanks for the feedback

[BigTechDaddy]

23 minutes ago, BigTechDaddy said:

Great idea, I Added another rule for 244.0.0.251 for 5353 coz I saw it reaching out to that too. MDNS

Ok, so I feel like we're making progress.

 

When I connect to the IoT wifi, and then disconnect it stays in the app, I can press it and it will turn the light on, one time I Was able to turn it on and off before it dissapers.

So I know the communication is being made and achieved, however there's some check that happens after the button press which removes it from the interface.

 

Thanks for the feedback

figured it out!

I overthought it, it just needed a TCP rule and a ICMP rule.

You were right, when I tried the ping I tried it from the firewall, I forgot to allow ping between light and PC.

 

Many thanks !

 

[BigTechDaddy]

On 2/15/2022 at 2:10 AM, BigTechDaddy said:

figured it out!

I overthought it, it just needed a TCP rule and a ICMP rule.

You were right, when I tried the ping I tried it from the firewall, I forgot to allow ping between light and PC.

 

Many thanks !

 

Ok, I was wrong. I didn't need all of these.

I only needed TCP to port 9123.