Connecting a photon from behind a firewall

Hello, I've been having difficulty connecting my photon at my school network. It connects fine at home.

When I put it in listening mode and go through the setup process, it gives "checkmarks" for each step and then gives me a yellow triangle error that says

Your device has been successfully claimed to your account, however it is offline. If the device was already claimed before this setup, then the Wi-Fi connection may have failed and you should try setup again

I suspect that it is a firewall issue because https://docs.particle.io/guide/getting-started/start/photon/ says you can't be behind a firewall or in an Enterprise setting.

Configuring Wifi routers/Firewalls for Particle devices HELP talks about some ports needing to be open, but the thread is vague as to specifically which ports are needed, and I can't find any documentation to that effect.

Oddly enough, it sometimes blinks green, and sometimes blinks cyan with orange bursts, like in this thread (Photon flashing cyan and blinking orange), but resetting keys in DFU mode didn't help.

I'm kind of confused because in the setup process it says it was able to get to the cloud, and then moments later says it couldn't.

TL;DR Is there documentation somewhere about how to configure an enterprise firewall that I could pass on to my network administrator?

Thanks in advance

I can tell you it definitely is the firewall. I have the same issue.
So far I have not found information about any port I can open an exception with, in order to get it to connect. Turning off the firewall immediately gets past the issue you experienced.

One thing that is mentioned multiple times in the forum here (I know since I’ve written many of these posts ;-)) is the CoAP port 5683 - at least once in the second link in the OP too.
And other ports are also mentioned in that thread.


Just to clarify a point about opening firewall port 5683. Some managed service providers in the education sector seem to not want to open ports on a URL but rather want a specific IP address. The IP address(es) for device.particle.io OR device.spark.io seem to be continually changing (I guess because they are being load balanced and managed). If I do a lookup on device.particle.io I get this IP address:

Name: device.particle.io
Address: 92.242.132.16

whereas if I do a lookup on device.spark.io I get this range of IP addresses:


Any advice on which is the preferred or least likely to change?

The Photon looks up device.spark.io using DNS. It is load balanced by DNS, and you’ll get one of the following addresses. Ideally it’s best to allow unlimited outbound TCP 5683, or whitelist by Photon MAC address, but if this is not possible, you should whitelist all of the addresses, as they change about once a minute.

This list is subject to change as servers are added or removed, which is why whitelisting by destination IP address is not recommended.

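A check a network administrator could run against dig output like the records quoted in this reply, as an added example (not code from the thread or from Particle): it parses the A records, reports IPs that DNS currently returns but a destination allowlist lacks (and allowlisted IPs that no longer resolve), and surfaces the 60-second TTL that explains why the address set changes about once a minute. The hostnames and IPs in the embedded sample are constructed, and the allowlist is an assumed input.

```python
import re

# Constructed sample in the same "name TTL IN A addr" format as dig output
# in the thread; addresses are documentation ranges, not a live lookup.
SAMPLE_DIG_OUTPUT = """\
tcp-blue.us-east-1.metropolis.particle.io. 60 IN A 203.0.113.10
tcp-blue.us-east-1.metropolis.particle.io. 60 IN A 203.0.113.11
tcp-green.us-east-1.metropolis.particle.io. 60 IN A 198.51.100.20
tcp-green.us-east-1.metropolis.particle.io. 60 IN A 198.51.100.21
"""

A_RECORD = re.compile(
    r"^(\S+?)\.?\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_a_records(text):
    """Return a set of (name, ttl, ip) tuples from dig-style A record lines."""
    records = set()
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            records.add((m.group(1), int(m.group(2)), m.group(3)))
    return records


def allowlist_drift(records, allowlist):
    """Compare resolved IPs with a firewall destination allowlist.

    Returns (missing, stale): IPs the device may be directed to that the
    firewall would block, and allowlisted IPs that no longer resolve.
    """
    resolved = {ip for _, _, ip in records}
    wanted = set(allowlist)
    return sorted(resolved - wanted), sorted(wanted - resolved)


def min_ttl(records):
    """Shortest TTL seen: the interval after which the answer set may change."""
    return min(ttl for _, ttl, _ in records)


if __name__ == "__main__":
    recs = parse_a_records(SAMPLE_DIG_OUTPUT)
    # Assumed current firewall allowlist (constructed for the demo).
    missing, stale = allowlist_drift(
        recs, ["203.0.113.10", "198.51.100.20", "192.0.2.99"])
    print("blocked by firewall:", missing)
    print("stale allowlist entries:", stale)
    print("re-check at least every", min_ttl(recs), "seconds")
```

Because the TTL is 60 seconds, a static destination allowlist drifts quickly; allowing outbound TCP 5683 without pinning destination IPs, as the reply recommends, avoids the problem entirely.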


Rick, thanks for the prompt reply - really useful. Would it be possible to add this information to a tutorial or guide?