OH 4+ Ensuring network connectivity... FAILED... now it's OK (personal FIREWALL issue)

When installing OH from the Raspberry distribution, can someone please tell me what the first boot “Ensuring network connectivity” is actually looking for? Is it trying to ping an external host (ICMP), or resolve a DNS record? Or something else to verify it has internet connectivity?

When doing a clean install of openHAB 4 using “Raspberry Pi Imager”… first boot always failed to connect to the internet.

2024-07-04_00:18:19_UTC [openHABian] Setting up NetworkManager and Wi-Fi connection...
2024-07-04_00:18:20_UTC [openHABian] Ensuring network connectivity... **FAILED**
2024-09-07_04:10:44_UTC [openHABian] Installing Comitup hotspot... OK
OK
2024-09-07_04:11:59_UTC [openHABian] The public internet is not reachable. Please check your local network environment.
                          We have launched a publicly accessible hotspot named openHABian-<n>.
                          Use a device to connect and go to http://raspberrypi.local or http://10.41.0.1/
                          and select the WiFi network you want to connect your openHABian system to.
                          After about an hour, we will continue trying to get your system installed,
                          but without proper Internet connectivity this is not likely to be going to work.

After mucking around in the forums and tinkering with Raspbian conf files and IPv6, I finally turned my attention to my firewall… a Cisco thing.

Solution
I disabled all my firewall outbound protocol filtering and TCP filtering and the OH 4 first boot has successfully “found” the internet.
2024-09-07_04:21:50_UTC [openHABian] Setting up NetworkManager and Wi-Fi connection...
2024-09-07_04:21:51_UTC [openHABian] Ensuring network connectivity... OK

I would like to put all my firewall rules back in… but I'm not sure what I need to add to ensure future OH connectivity tests succeed.

Hardware is Pi 4.

cat /etc/os-release

PRETTY_NAME="Raspbian GNU/Linux 12 (bookworm)"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=raspbian

Well, you have to allow openHAB to communicate at least for initial installation.
Afterwards, you have to ensure that openHAB is allowed to communicate with all its sources (e.g. ntp server if not local, weather service, any cloud service…)
If you want to do updates, you’ll have to allow openHAB to communicate with jfrog and github (see apt/sources.list and community store). Community store is also needed if you want to install any Addon online.

Thanks for the reply.
All other outbound traffic on my network works fine. All the usual web traffic is allowed.
I have since changed the rule to any any and things work fine… but I’d like to work out what I need to allow specifically to allow the first boot process to work without needing the open any any rule.

I’ve attached a screenshot of the configuration that does not work. This does not allow the first boot process to successfully test for internet connectivity. Note ICMP, HTTP, HTTPS, and DNS are all available.

I’ll retry building a new OH4 server as a test in the coming days and configure my outbound firewall rules to use the Artifactory JFrog TCP ports specified here: TCP 8081 & 8015
https://jfrog.com/help/r/jfrog-installation-setup-documentation/artifactory-network-ports

Do you have any idea what the script is that runs at first boot? I’ll open it and have a look at what it’s calling to test for internet connectivity.

Well, you could mirror the port, fire up Wireshark, filter on the IP or even the MAC of the RPi, and actually look and see exactly what protocols and what ports are being used during the setup process.
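
Added example, not part of the thread and not openHABian's own code: one way to act on the capture suggestion above is to save the mirrored traffic as text (`tcpdump -nn -t`) and list the flows the Pi started that never got an answer, which are the candidates for a missing outbound rule. It assumes IPv4 only and takes the Pi's address as `host_ip`; the sample lines, addresses and ports are constructed and do not reflect what openHABian actually contacts.

```python
import re

# One text line from `tcpdump -nn -t`: "IP src[.port] > dst[.port]: rest" (IPv4 only)
LINE = re.compile(r"^IP (\S+) > (\S+): (.*)$")
# Prefix marking a flow the host starts, and the reply that counts ("" = any UDP datagram)
START = {"tcp": "Flags [S]", "icmp": "ICMP echo request", "udp": ""}
REPLY = {"tcp": "Flags [S.]", "icmp": "ICMP echo reply", "udp": ""}  # a RST is not success

def split_endpoint(ep):
    """'203.0.113.10.443' -> ('203.0.113.10', 443); ICMP endpoints have no port."""
    parts = ep.split(".")
    return (".".join(parts[:4]), int(parts[4])) if len(parts) == 5 else (ep, None)

def classify(rest):
    # Heuristic on tcpdump's decoded text: TCP shows "Flags [", ICMP is labelled, else UDP
    return "tcp" if rest.startswith("Flags [") else "icmp" if rest.startswith("ICMP") else "udp"

def egress_summary(lines, host_ip):
    """Map (proto, dst_ip, dst_port) -> True if the flow the host started was answered."""
    flows = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        (src, sport), (dst, dport), rest = split_endpoint(m[1]), split_endpoint(m[2]), m[3]
        proto = classify(rest)
        if src == host_ip and rest.startswith(START[proto]):
            flows.setdefault((proto, dst, dport), False)
        elif dst == host_ip and (proto, src, sport) in flows and rest.startswith(REPLY[proto]):
            flows[(proto, src, sport)] = True
    return flows

def unanswered(flows):
    """Flows the host attempted that never got a reply: candidates for a missing rule."""
    return [key for key, ok in flows.items() if not ok]

# Constructed capture; addresses and ports are illustrative, not what openHABian contacts.
SAMPLE = """\
IP 192.168.1.50.41000 > 192.168.1.1.53: 4660+ A? example.org. (29)
IP 192.168.1.1.53 > 192.168.1.50.41000: 4660 1/0/0 A 203.0.113.10 (45)
IP 192.168.1.50 > 203.0.113.10: ICMP echo request, id 7, seq 1, length 64
IP 203.0.113.10 > 192.168.1.50: ICMP echo reply, id 7, seq 1, length 64
IP 192.168.1.50.52000 > 203.0.113.10.443: Flags [S], seq 100, win 64240, length 0
IP 203.0.113.10.443 > 192.168.1.50.52000: Flags [S.], seq 900, ack 101, win 65535, length 0
IP 192.168.1.50.123 > 198.51.100.7.123: NTPv4, Client, length 48
IP 192.168.1.50.52002 > 198.51.100.20.8443: Flags [S], seq 300, win 64240, length 0
""".splitlines()
if __name__ == "__main__":
    print(unanswered(egress_summary(SAMPLE, "192.168.1.50")))
```

UDP has no handshake, so a datagram the Pi sends in response to an inbound request also appears as a started flow; read the UDP rows with that in mind.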