cnMaestro URL format restrictions on cnPilot E-series

Hi Cambium,

I would like to know whether cnPilot E series > Configure > System > cnMaestro URL supports a WAN IP.

What I mean is, I hosted an on-prem in our company with a static LAN IP (https://192.168.1.2) and I have a static WAN IP (102.88.xx.xx). So I do TCP port forwarding from 102.88.xx.xx:5443 mapped to 192.168.1.2:443, and port 80 as well.
I’m able to browse https://102.88.xx.xx:5443 from offsite.
But if I put https://102.88.xx.xx or https://102.88.xx.xx:5443 under >> cnMaestro URL, it doesn't work.

So my doubt is whether the URL can take a WAN IP or DDNS (if I have one).
If yes, are there any details or a manual guide for the configuration?

Does anyone know this?
Has anyone tried this before?

I’ve moved this question to the Enterprise Wi-Fi category because I think it’s probably related to the firmware on the device, rather than cnMaestro itself.

I can’t imagine that the device cares whether the IP address is on the internet or on a LAN. Do the device logs mention anything about the device agent being unable to connect?

Does it make any difference if you enter just the IP address and port number, without the https:// prefix?

Device accepts URL either with IP only or complete URL with HTTP(S).

Hi Nicky,

I checked with a setup similar to yours.
AP (public)-->WAN (public)----ip/port forward 5443 to 443----> on-prem(private).

The reason on-boarding fails is that when we configure “CnMaestro URL” -> “https://public-wan-ip:5443”, the AP does the initial TCP and TLS handshake with port 5443, but after that the AP tries to create a websocket to CnMaestro with port 443. As port 443 is not forwarded to the private IP, it fails there.

So, I added an IP forward rule for port 443 as well, and then onboarding works. Can you please try the same?

Will check with the team; creating the websocket can also be made on the same port as configured in “CnMaestro URL” (i.e. port 5443), and we will plan to do it in the upcoming release.

Below are the two rules added:

AP (public)-->WAN (public)----ip/port forward 5443 to 443----> on-prem(private).
AP (public)-->WAN (public)----ip/port forward 443 to 443----> on-prem(private).

iptables -t nat -A PREROUTING -d wan-public-ip -p tcp --dport 5443 -j DNAT --to-destination on-prem-private-ip:443
iptables -t nat -A PREROUTING -d wan-public-ip -p tcp --dport 443 -j DNAT --to-destination on-prem-private-ip:443

Thanks,
Divakar

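Added example (not from the thread or from Cambium): an offline check that models the behaviour described in the reply above, where the AP handshakes on the port in the cnMaestro URL and then opens its websocket on 443, against DNAT rules written in the same form as the two iptables lines. The address 203.0.113.10 stands in for the WAN IP, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

WEBSOCKET_PORT = 443  # per the reply above: the AP opens its websocket on 443
DNAT_RE = re.compile(
    r"-A PREROUTING\b.*?-d (?P<dst>\S+).*?-p tcp.*?--dport (?P<dport>\d+)"
    r".*?-j DNAT --to-destination (?P<to>\S+)")

def url_endpoint(value):
    """Return (host, port) for a cnMaestro URL given as bare host, host:port or full URL."""
    if "://" not in value:
        value = "https://" + value
    parts = urlsplit(value)
    default = 80 if parts.scheme == "http" else 443
    return parts.hostname, parts.port or default

def forwarded_ports(rules, wan_ip):
    """Map external TCP port -> internal target for DNAT rules whose -d is wan_ip."""
    table = {}
    for line in rules.splitlines():
        m = DNAT_RE.search(line)
        if m and m.group("dst") == wan_ip:
            table[int(m.group("dport"))] = m.group("to")
    return table

def onboarding_check(cnmaestro_url, rules, wan_ip=None):
    """List each connection the AP makes and the forward target (None if not forwarded).
    Pass wan_ip when the URL uses a DNS name, since the rules match on the IP."""
    host, port = url_endpoint(cnmaestro_url)
    table = forwarded_ports(rules, wan_ip or host)
    steps = [("tcp+tls handshake", port), ("websocket", WEBSOCKET_PORT)]
    return [(name, p, table.get(p)) for name, p in steps]

# Constructed sample rules; 203.0.113.10 is a placeholder WAN address.
ONE_RULE = ("iptables -t nat -A PREROUTING -d 203.0.113.10 -p tcp --dport 5443 "
            "-j DNAT --to-destination 192.168.1.2:443")
TWO_RULES = ONE_RULE + "\n" + ("iptables -t nat -A PREROUTING -d 203.0.113.10 -p tcp "
                               "--dport 443 -j DNAT --to-destination 192.168.1.2:443")

if __name__ == "__main__":
    for label, rules in (("5443 only", ONE_RULE), ("5443 and 443", TWO_RULES)):
        print(label)
        for name, p, target in onboarding_check("https://203.0.113.10:5443", rules):
            print(f"  {name:18} port {p:<5} -> {target or 'NOT FORWARDED'}")
```

With only the 5443 rule the websocket step shows as not forwarded, which matches the onboarding failure described in the reply; the same listing also shows exactly which external ports the rule set exposes.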


Sorry for the super late reply.
What did you mean by adding one more port 443?
Create the same rule with WAN IP:443 > cnmaestro:443?

Complete URL, which means if I have DNS?
For example, my company has DNS for my WAN IP, xxxddns.com.
Can I use it in the URL? https://xxxddns.com:5443??

Yes, the same rule with “WAN IP:443 > cnmaestro:443”.
And configure “CnMaestro-URL” -> “https://wan-ip:5443”.

Is it possible to put ddns url? Eg: https://mycompanyddns.com:443?

Yes, you can use it; if DNS resolves to the correct IP address, then it will work.

But if I port forward directly to 443, it is like too exposed already, because 443 is too common. Can't I change to another external port?

I managed to onboard by adding the URL with https://publicip or ddns:443.

But like I said, it will expose my WAN IP:443 directly to the outside world. Is it possible to change the port to another one like 5443, 1443, 6443, etc.?