Ring video doorbell behind PFsense firewall?
-
If www.grc.com survives their ongoing DOS attack you can go there and see how to set up another router to place your IOT device behind to protect your 'home' network from your 'IOT' network.
Sorry can't help on your Ring doorbell.
-
If www.grc.com survives their ongoing DOS attack you can go there and see how to set up another router to place your IOT device behind to protect your 'home' network from your 'IOT' network.
Completely unnecessary when you are working with tools like pfSense. An IOT interface is much more elegant.
-
If www.grc.com survives their ongoing DOS attack you can go there and see how to set up another router to place your IOT device behind to protect your 'home' network from your 'IOT' network.
Completely unnecessary when you are working with tools like pfSense. An IOT interface is much more elegant.
Can you give me some additional info on a pfSense "IOT interface"? This is something I've been interested in setting up since I have a Nest thermostat and have been accumulating a number of other IOT devices.
Even more important now with the discovery of the glibc stack-based buffer overflow security flaw.
Thnx
-
Yeah - I spent the night last night running apt-get dist-upgrade.
I am considering doing a walkthrough that basically does GRC's 3-router "solution" - only properly.
This is going to require hardware vendors to start putting real functionality into their gear OR consumers willing to buy real gear like managed switches and APs and probably pay someone to maintain their network.
Or there will be massive pwnage which is what I expect to happen.
But, in a nutshell, you would put an AP (or SSID) on another ethernet segment (or VLAN) that blocks all access to local assets, passes DNS to, say, 8.8.8.8 and 8.8.4.4, and either passes access to the internet or only those things the IoT devices need to talk to. You could use pfSense's resolver for DNS but, like you just mentioned, you never know what vulnerabilities are going to be discovered.
I need to lab this up because you will lose things like mDNS from your management LAN so things won't be as seamless as your general consumers expect, but we have avahi for that though I've never used it.
-
"UDP range between 16500-32768"
You need that large of a range inbound??? I.e. from the public net to your device behind pfsense, this seems really really BAD design or unlikely… Those ports are needed outbound maybe?
They talk about access to their cloud, so you don't even need inbound ports?? Just outbound?
"Connecting to our cloud ensures that your Ring Doorbell can manage sessions and reach your smartphone and tablet whether you are home or away."
"turned off port redirection for the static IP address that my doorbell uses"
What does this mean??? What did you do exactly? Are you using a captive portal in pfsense??
I would take it those ports are outbound only... So you really should not have to do anything special in pfsense for this to work with the default rules..
As to security of such devices, I agree they need to be isolated from your normal network... I have a nest thermostat and protect, and harmony hub and directv dvr. They are on their own vlans that do not have any access to my normal networks.
Firewalls rules are by default any any outbound... So have you modified these??
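As an added example (not any poster's configuration), here is the pf(4) rule set equivalent of the "IoT interface" described above: the IoT segment gets DHCP from the firewall, DNS only to 8.8.8.8/8.8.4.4, nothing to private ranges, everything else out, and the home LAN may reach IoT devices statefully but not the reverse, which replaces the default any-any outbound rule on that interface. Interface names and subnets are assumed; pfSense generates rules like these from its GUI.

```pf
# Assumed names and constructed subnets; pfSense derives the equivalent from its GUI rules.
iot_if  = "igb2"                 # hypothetical: interface/VLAN carrying the IoT AP or SSID
lan_if  = "igb1"                 # hypothetical: home/management LAN interface
iot_net = "192.168.20.0/24"      # constructed IoT subnet
lan_net = "192.168.1.0/24"       # constructed home subnet

table <rfc1918>    { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <public_dns> { 8.8.8.8, 8.8.4.4 }

set block-policy drop            # drop silently instead of sending RST/unreachable

# IoT -> firewall: only DHCP, so devices get a lease but cannot reach the GUI, SSH or resolver.
pass in quick on $iot_if inet proto udp from any port 68 to any port 67 keep state

# IoT -> DNS: only the two public resolvers, TCP and UDP 53 (not the firewall's own resolver).
pass in quick on $iot_if inet proto { tcp udp } from $iot_net to <public_dns> port 53 keep state

# IoT -> anything private (other LANs, the firewall's own addresses): dropped.
block in quick on $iot_if inet from $iot_net to <rfc1918>
block in quick on $iot_if inet from $iot_net to ($iot_if)

# IoT -> internet: allowed; narrow "to any" to vendor ranges only if the vendor publishes them.
pass in quick on $iot_if inet from $iot_net to any keep state

# Anything else arriving on the IoT interface (spoofed sources, IPv6 here) is dropped.
block in quick on $iot_if all

# Home LAN -> IoT: stateful, so an admin can reach a device, but the device can never
# initiate a connection back into the home LAN (this is the mDNS/management trade-off).
pass in quick on $lan_if inet from $lan_net to $iot_net keep state
```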
-
Yeah, I got one of these last week. I'm pretty appalled by just how insecure-by-design they are. And their Android app is one of the most intrusive I've ever seen; "appalling" is the word that comes to mind again (along with 'criminal', but that implies malicious intent. Oh, wait….). Or if it isn't deliberate, then 'negligent' and 'lazy' are the other words that come to mind. I can mitigate (somewhat) that intrusiveness of the Android app by various, well, privacy apps. And I did post a question to their tech support about firewall settings. I haven't decided yet if I'm going to send it back in disgust. Depends on their answer to the firewall question and whether I feel like going to all this trouble for what is essentially a novelty.
I suppose I have some vague thought of intercepting their datastream and redirecting to my own services, but probably not.
Anyway, here's the question I posted. I'll post a link to any answer I get
Per this page:
https://support.ring.com/hc/en-us/articles/205385394-What-Ports-do-I-need-to-open-in-my-firewall-for-Ring-Doorbells-and-Chimes-
All my firewalls are default drop on incoming and default reject outgoing. I have set up the Ring in its own isolated wireless zone [actually its own access point].
1. Which of these are outgoing from the local home network and which are incoming (to the local device)?
2. Where is the list of public IP addresses that need to be whitelisted?
Please be advised I am a network engineer with all that that implies. I speak and understand techno.
Thank you.
-
Here are the two responses I got from Ring.com to my query:
Jun 6, 5:33 AM PDT
Hello,
Thank you for contacting us. I apologize but the information that you are asking for us to provide is proprietary. The only public information of what you are asking is the link that you have sent in.
And another one:
Jun 4, 1:53 PM PDT
Hi there!
Just open up all out going and incoming and there are no IPs that can be white listed cause they always change.
-
Here are the two responses I got from Ring.com to my query:
Thank you for contacting us. I apologize but the information that you are asking for us to provide is proprietary. The only public information of what you are asking is the link that you have sent in.
Firewall ports are proprietary? Good luck, Ring.
Hi there!
Just open up all out going and incoming and there are no IPs that can be white listed cause they always change.
Just open all the ports inbound and don't source limit.
That person should not be allowed near a customer network in any capacity.
Out of curiosity, did your ring not work or are you just wondering about their answers?
-
Both.
Everything seems to work -except- the live video from the Ring to my Android phone…arguably the most significant function. The Ring Android app is currently installed as-is; I haven't firewalled or app-limited it in any way (yet) (though why they need access to my contacts list, passwords, phone, location, etc, etc, etc is beyond me. I'm betting they don't; they just got somebody in Bangalore-or-wherever to 'whip up' an app for them quick and cheap). So the app is (apparently) not the problem. Though all of my firewalls in all the places I normally hang out are pretty fascist (I know because I set most of them up); I suppose the incoming video to my phone from their [proprietary] servers could be blocked from there.
So yes, I was curious about their answers too. Their answers, plus the intrusive app, tell me that they're dismissive about network and systems security and stability. That doesn't leave me all warm and fuzzy so I'm sending it back.
Just as a datapoint, I took a quick look at Skybell (a competitor) and they're even less informative. I did see a comment that someone was complaining that he couldn't DHCP assign an IP to his Skybell. When asked about it he said Skybell says they 'rotate MACs as a security measure'.
-
I have a new Ring Video Doorbell Pro, couldn't get it to work, similar problems listed here, even though I have an ASUS router. I hope this info helps someone else as I got my issues resolved simply by turning off NAT acceleration, also referred to as hardware acceleration, CTF (Cut-Through Forwarding), or FA (Flow Accelerator).
You can read more about this "feature" here:
https://routerguide.net/nat-acceleration-on-or-off/
For ASUS routers, go here in the router's settings: LAN -> Switch Control -> NAT Acceleration -> Disable.
BTW, things that I tried that didn't make a difference include: enabling WAN ping, setting the doorbell to a static IP, setting the doorbell's static IP as the DMZ, disabling the firewall completely, port forwarding all ports as suggested by Ring tech support.
-
In case anyone is still wondering about this. I have a Palo Alto firewall and had issues with my new Ring Elite. Took about an hour to figure out. I had to disable SIP inspection on the firewall. It's likely the same issue for everyone here.
-
My ring doorbell works fairly well with PFsense. The problem seems to be associated with the windows client which is slowly being updated. Be sure to assign a static IP address, exclude from squid, and possibly a custom NAT depending on your config. The doorbell needs unrestricted access out.
-
I have a Ring doorbell too, made sure that it gets an assigned address and it's working perfectly.
The only issue I have is that on one of my two Android phones, the alert takes about 5 minutes to come through. My wife has two iPhones and they work perfectly well, it's just the one Android device that is delayed. Must have some strange routing via Mars or something.
-
Is the Android slow on wifi and 3/4g? Please test individually by disabling the other and report back.
-
I have two Android phones, only one of them is slow.
Actually, someone just rang the bell, so this time the delay between the two phones was about 2 seconds, but it has been up to five minutes.
I'll check it out later on wifi and 3/4G and see which one has the issue.
-
I also recently installed a Ring doorbell. On my home wifi, same network as Ring, it works great. I did not do anything extra with pfSense. It is setup on a multi-WAN setup with 3 AT&T hotspots to an SG-2440 with latest pfSense to a Netgear X4 wifi router.
On cell service it works great.
At my parents home, it sometimes works great and other times not. The setup there is a Comcast cable connection to a APU2D4 with latest pfSense to a Netgear WNDR4500 wifi router.
To clarify, I am now talking about going through my parents network to the Ring system to my home network.
If I start with a fresh reset of pfSense the app will load instantly and everything works great - alerts and live video. Over time, sometimes a day or two, something happens where I try to load the app and it will take probably 30 seconds before it loads. Once loaded it works well enough, though a little slower I think. And alerts are slow. But if I reset the pfSense router it will work fast again like it should. I have not adjusted anything on this pfSense box either.
That is my experience and so far I have not been able to find the problem. Actually I can't even tell what's different. I tried resetting states and made no difference. But resetting the whole box will correct it.
-
Reset which router?
-
Reset which router?
I have only ever needed to reset the pfSense router at my parents house. That is the only place it sometimes doesn't work. Works great from my house (same network as ring) and great from cell data.
-
Not running anything like squid there? It should just be an outbound connection to ring I figure.
-
Not running anything like squid there? It should just be an outbound connection to ring I figure.
Nothing else, just the basics. I think about the most I have configured is using Google DNS for clients. Actually using it for IPv4 and IPv6. But otherwise pfSense is pretty much how it installed. No changes to firewall or anything else that I recall. Which is why it's strange that it works great most of the time, but will occasionally seem to get hung up and require a reboot to get the app back up to speed.