jonasiq asked

VRM Portal IP address?

Hi


We are doing some installations with Venus GX in a closed network. We need to make an opening in the customer firewall to be able to connect to the VRM.

We are not able to do a DNS lookup on http://ccgxlogging.victronenergy.com/

Can you guys provide us with the correct IP address and port numbers.


Thanks in advance.


BR. Jonas


4 Answers
mvader (Victron Energy) answered ·

Hi @JonasIQ, herewith the full and official answer:

The IP change announced earlier this week concerns the Remote Console on VRM relay server, which is not the server to which a Venus device sends its VRM data.

A full overview of all network connectivity used is here:
https://www.victronenergy.com/live/ccgx:ccgx_faq#q15what_type_of_networking_is_used_by_the_color_control_gx_tcp_and_udp_ports

So, it's more than just one (!)

With regards to the one you asked for: I've looked it up and it is:

H:\>ping ccgxlogging.victronenergy.com
Pinging ccgxlogging.victronenergy.com [52.28.98.25] with 32 bytes of data:

Reply from 52.28.98.25: bytes=32 time=128ms TTL=50

I fail to understand though why you couldn't do that ping yourself? I'm just curious :-).

Then lastly: we might of course one day change the IP address behind ccgxlogging.victronenergy.com. If that happens, just like last time, I'll send out an email about it.


1 comment

mvader (Victron Energy) commented ·

ps I'll accept my own answer to make sure its on the top :).

jonasiq answered ·

Hi

Thanks for the quick reply. Can you confirm that the new IP address is open from today? Since this is a new installation, we would like to open only the new IP and not the old one as well.


Thanks in advance.


Br. Jonas


markus answered ·

Sorry for being unclear. So if you want to configure your firewall outbound rules:

ccgxlogging.victronenergy.com  IP: 52.28.98.25    Ports: 80, 443      # Logging Data
supporthost.victronenergy.com  IP: 84.22.107.120  Ports: 22, 80, 443  # Remote Console on VRM
mqtt-rpc.victronenergy.com     IP: 84.22.105.209  Port: 443           # Remote VEconfig / FW Update
updates.victronenergy.com      IP: 46.19.36.138   Port: 443           # Venus Firmware Update

Only the first one is essential for logging data to VRM. The others are optional, depending on which functions are used.

Keep in mind that the IP addresses could change in the future.

I deleted my other misleading posts.

Regards,

Markus
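As an added example (not from this thread and not Victron's own tooling), a small Python script that pins the four host/IP/port entries from Markus's answer, resolves each hostname through a resolver you pass in (the system resolver by default), and reports any host whose current A records no longer contain the pinned IP, since the answer warns the addresses can change. It also emits outbound allow rules for the pinned entries; the iptables rule syntax and the interface name `eth0` are assumptions, not something the thread specifies.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Allowlist exactly as given in Markus's answer: (host, pinned IP, ports, purpose).
PINNED: List[Tuple[str, str, Tuple[int, ...], str]] = [
    ("ccgxlogging.victronenergy.com", "52.28.98.25", (80, 443), "Logging Data"),
    ("supporthost.victronenergy.com", "84.22.107.120", (22, 80, 443), "Remote Console on VRM"),
    ("mqtt-rpc.victronenergy.com", "84.22.105.209", (443,), "Remote VEconfig / FW Update"),
    ("updates.victronenergy.com", "46.19.36.138", (443,), "Venus Firmware Update"),
]

Resolver = Callable[[str], List[str]]

def live_resolver(host: str) -> List[str]:
    """Default resolver: all IPv4 A records for host via the system resolver."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []  # no DNS at all, as in the closed network from the question

def check_drift(resolver: Resolver = live_resolver) -> Dict[str, str]:
    """Map each host to 'ok' (pinned IP still among its A records), 'unresolvable'
    (lookup failed), or 'drift:<ip,...>' listing the records now returned instead."""
    result: Dict[str, str] = {}
    for host, pinned_ip, _ports, _purpose in PINNED:
        addrs = resolver(host)
        if not addrs:
            result[host] = "unresolvable"
        elif pinned_ip in addrs:
            result[host] = "ok"
        else:
            result[host] = "drift:" + ",".join(sorted(addrs))
    return result

def iptables_rules(iface: str = "eth0") -> List[str]:
    """Outbound allow rules for the pinned entries only (iptables syntax and the
    interface name are assumptions; a default DROP for other outbound traffic is
    left to the reader's own policy)."""
    rules: List[str] = []
    for host, ip, ports, purpose in PINNED:
        for port in ports:
            rules.append(f"iptables -A OUTPUT -o {iface} -p tcp -d {ip} --dport {port} "
                         f"-m comment --comment '{host} ({purpose})' -j ACCEPT")
    return rules

if __name__ == "__main__":
    for host, status in check_drift().items():
        print(f"{host:32} {status}")
    print("\n".join(iptables_rules()))
```

Run it from a scheduled job on a host that has DNS; a `drift:` line is the cue to update the firewall before VRM logging silently stops.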

1 comment

mvader (Victron Energy) commented ·

OK; and one bit of further info: just now someone who replied to me on the IP address change email taught me that his firewall can whitelist on DNS name rather than IP address.

So for anyone reading this looking to whitelist: try that first.

UPDATE: but make sure to know what you're doing. DNS can be hacked, and I don't know enough about that to say anything authoritative on it.

paulcooper answered ·

I have been monitoring my firewall for the past two days and have found numerous outgoing connections to many different IP addresses on port 123. Here is a sample of the addresses:


There are many more than this. Additionally there was one access to 163.171.130.131 on port 443.

I am very concerned that there is a trojan operating within my MultiPlus II GX running v2.70 large-18. Please can @mvader (Victron Energy) confirm whether this behaviour is normal. It certainly doesn't look that way to me! Maybe it has something to do with Node-Red but that also seems unlikely.

Needless to say I have blocked all outbound traffic from the Multi other than the victronenergy.com addresses @Markus specified above.


UPDATE: when I blocked all other traffic my live VRM stopped working. I've added 3.125.86.187 to the allowed IPs and it seems to be working again. It would be helpful if there were a definitive list of IPs to be enabled in the firewall.


Regards, Paul


8 comments

mrhappy commented ·

3.125.86.187 is an Amazon cloud computing server; it seems likely that Victron is hiring such services for VRM.

mvader (Victron Energy) (replying to mrhappy) commented ·

Hi, port 123 is the NTP port, time sync. There is no big harm in blocking that, as long as you check the time on your GX device now and then.

More information on the ports used is in the manual, FAQ chapter, Q15 or Q16.

This is what I could find quickly in the Connman configuration for NTP:

paulcooper (replying to mvader (Victron Energy)) commented ·
Thanks @mvader (Victron Energy) . I've read the manual but I am still very concerned. My GX is attempting a UDP connection on port 123 every 30 seconds and over the past 48 hours I have logged 338 different IPs, 75 of which are to IPv6 addresses. This does not seem to me to be the 'normal' functioning of a time query. The servers in the europe.pool.ntp.org are included in this list and I will be enabling these to ensure that the valid NTP requests are getting through.
mvader (Victron Energy) (replying to paulcooper) commented ·
Hi Paul, I see the system (Horseway HB) has Remote Support enabled, I'll ask a colleague to login and see what is going on.


If you don't want us to login, please let me know.


mvader (Victron Energy) (replying to his own comment) commented ·

correction, remote support is disabled. So we cannot log in, even if we wanted to.


Anyway, here is the theory: if you're blocking outgoing connections on port 123, then the NTP client will try all sorts of things. To get an idea of how many servers and IP addresses are involved, see here: https://www.ntppool.org/zone/europe

paulcooper (replying to mvader (Victron Energy)) commented ·

I've rebooted my GX and the problem has gone away. However I still have a constant stream of traffic (10 kbit/s) to mqtt2.victronenergy.com. This is about 2.5 GB per month and seems a little excessive. Is this normal please?

paulcooper (replying to mvader (Victron Energy)) commented ·
Now enabled. Please try again. Many thanks.
paulcooper (replying to mrhappy) commented ·
Agreed @MrHappy. I've added that back in to the permitted IPs.