MQTT publish from router not working; what's blocking it?

XIII

Very Senior Member
Somehow I can publish MQTT messages from my Raspberry Pi to my own MQTT broker (on the same Raspberry Pi), but not from my router.

I'm not sure what's wrong. Who can help?

Setup:
  • Mosquitto MQTT server with valid Let's Encrypt certificates on Raspberry Pi on port 8883
  • Personal domain name mqtt.domain.com redirected to hostname.asuscomm.com
  • Port 8883 on router forwarded to Raspberry Pi
  • Entware packages ca-bundle and ca-certificates installed on router
  • AC86U router with Merlin 384.13 firmware

Working on Pi (using domain name, DDNS, and port forwarding):
Code:
mosquitto_pub -h mqtt.domain.com -p 8883 -u username -P password -t topic -m message --capath /etc/ssl/certs

NOT working on router (using domain name, DDNS, and port forwarding):
Code:
mosquitto_pub -h mqtt.domain.com -p 8883 -u username -P password -t topic -m message --capath /opt/etc/ssl/certs

Error message:
Code:
Error: Connection refused

Working on router (direct access to Pi):
Code:
mosquitto_pub -h pi.home.lan -p 8883 -u username -P password -t topic -m message --capath /opt/etc/ssl/certs --insecure

(The --insecure is needed because the domain name will not match the certificate.)

It looks like something is blocking the router from connecting to the MQTT broker via domain name, DDNS, and port forwarding?

On Pi (domain name):
Code:
nmap mqtt.domain.com -p 8883
reports
Code:
8883/tcp open  secure-mqtt

On router (domain name):
Code:
nmap mqtt.domain.com -p 8883
reports
Code:
8883/tcp closed  secure-mqtt

On router (Pi):
Code:
nmap pi.home.lan -p 8883
reports
Code:
8883/tcp open secure-mqtt

Note: I run the "ufw" firewall on the Raspberry Pi, with this rule for port 8883:
Code:
8883 ALLOW Anywhere

I do run SkyNet, but don't see anything being added to its log while trying this.

What can be blocking the router from publishing MQTT messages? How do I fix it?

XIII

Very Senior Member
Publishing from the router does work if I add a custom dnsmasq entry that redirects mqtt.domain.com to the IP address of the Raspberry Pi!

Would my issue be that (without that redirect) port forwarding does not kick in, because if I try to publish from the router I hit internal instead of external port 8883?

(or am I talking nonsense now?)

XIII

Very Senior Member
Instead of redirecting all traffic I would rather only do it for (tcp) port 8883.

Seems like this might work?

Code:
iptables -t nat -A OUTPUT -p tcp --dport 8883 -j DNAT --to-destination 192.168.1.3:8883
(where 192.168.1.3 is the IP address of the Raspberry Pi)

What would be a good script to put this in, to make it run after router reboots?

XIII

Very Senior Member
I think this nat "solution" is only a (bad) workaround, since it will probably redirect all traffic to port 8883 to the Pi; also when (if) I want to communicate with other MQTT brokers from the router.

(No time for experiments right now; hope to continue later)
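Added example (not from this thread or from Asuswrt-Merlin itself) addressing both the "which script" question and the concern above: the DNAT is narrowed with `-d <WAN address>` so only the router's own connections to its public address on 8883 are hairpinned to the Pi, and other brokers on 8883 are untouched. It assumes the Pi is 192.168.1.3 (from the thread), that the WAN address can be read with `nvram get wan0_ipaddr`, and that the file is installed as /jffs/scripts/nat-start (the hook Merlin runs after the NAT table is rebuilt).

```shell
#!/bin/sh
# Hairpin DNAT for MQTT published from the router itself.
# Assumption: Pi address and port as given in the thread.
PI_IP="192.168.1.3"
MQTT_PORT="8883"

# Build the rule specification (everything after the chain action) so the
# identical spec serves -C (check), -A (append) and -D (delete).
# Restricting to the WAN address keeps other brokers on 8883 reachable.
mqtt_hairpin_rule() {
    wan_ip="$1"
    echo "OUTPUT -d ${wan_ip} -p tcp --dport ${MQTT_PORT} -j DNAT --to-destination ${PI_IP}:${MQTT_PORT}"
}

# Append the rule only when absent; nat-start can fire more than once per
# boot, and duplicated DNAT rules are a common source of confusion later.
ensure_mqtt_hairpin() {
    wan_ip="$1"
    [ -n "$wan_ip" ] || return 1          # no WAN address yet: do nothing
    rule=$(mqtt_hairpin_rule "$wan_ip")
    # shellcheck disable=SC2086            # word splitting is intended here
    if ! iptables -t nat -C $rule 2>/dev/null; then
        iptables -t nat -A $rule
    fi
}

# Apply only when actually invoked as the nat-start hook on the router,
# so sourcing the file elsewhere (or testing it) touches no firewall.
case "$0" in
    */nat-start|nat-start)
        ensure_mqtt_hairpin "$(nvram get wan0_ipaddr 2>/dev/null)"
        ;;
esac
```

Check the result on the router with `iptables -t nat -L OUTPUT -n` and confirm that the rule lists only the WAN address as destination.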
