    Ring video doorbell behind pfSense firewall?

      johnpoz LAYER 8 Global Moderator

      "UDP range between 16500-32768"

      You need that large of a range inbound???  I.e., from the public net to your device behind pfsense, this seems really really BAD design or unlikely… Those ports are needed outbound maybe?

      They talk about access to their cloud, so you don't even need inbound ports??  Just outbound?
      "Connecting to our cloud ensures that your Ring Doorbell can manage sessions and reach your smartphone and tablet whether you are home or away."

      "turned off port redirection for the static IP address that my doorbell uses"  What does this mean???  What did you do exactly?  Are you using a captive portal in pfsense??

      I would take it those ports are outbound only...  So you really should not have to do anything special in pfsense for this to work with the default rules..

      As to security of such devices, I agree they need to be isolated from your normal network... I have a nest thermostat and protect, and harmony hub and directv dvr.  They are on their own vlans that do not have any access to my normal networks.

      Firewall rules are by default any any outbound...  So have you modified these??

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        jeauxbleaux

        Yeah, I got one of these last week. I'm pretty appalled by just how insecure-by-design they are. And their Android app is one of the most intrusive I've ever seen; "appalling" is the word that comes to mind again (along with 'criminal', but that implies malicious intent. Oh, wait….). Or if it isn't deliberate, then 'negligent' and 'lazy' are the other words that come to mind. I can mitigate (somewhat) that intrusiveness of the Android app by various, well, privacy apps. And I did post a question to their tech support about firewall settings. I haven't decided yet if I'm going to send it back in disgust. Depends on their answer to the firewall question and whether I feel like going to all this trouble for what is essentially a novelty.

        I suppose I have some vague thought of intercepting their datastream and redirecting to my own services, but probably not.

        Anyway, here's the question I posted. I'll post a link to any answer I get.

        Per this page:

        https://support.ring.com/hc/en-us/articles/205385394-What-Ports-do-I-need-to-open-in-my-firewall-for-Ring-Doorbells-and-Chimes-

        All my firewalls are default drop on incoming and default reject outgoing. I have set up
        the Ring in its own isolated wireless zone [actually its own access point].

        1.  Which of these are outgoing from the local home network and which are incoming (to the
        local device)?
        2.  Where is the list of public ip addresses that need to be whitelisted?

        Please be advised I am a network engineer with all that that implies.  I speak and
        understand techno.

        Thank you.

          jeauxbleaux

          Here are the two responses I got from Ring.com to my query:

          Jun 6, 5:33 AM PDT

          Hello,

          Thank you for contacting us. I apologize but the information that you are asking for us to
          provide is proprietary. The only public information of what you are asking is the link
          that you have sent in.

          –-----------

          And another one:

          Jun 4, 1:53 PM PDT

          Hi there!

          Just open up all out going and incoming and there are no IPs that can be white listed
          cause they always change.


            Derelict LAYER 8 Netgate

            @jeauxbleaux:

            Here are the two responses I got from Ring.com to my query:

            Thank you for contacting us. I apologize but the information that you are asking for us to
            provide is proprietary. The only public information of what you are asking is the link
            that you have sent in.

            Firewall ports are proprietary? Good luck, Ring.

            Hi there!

            Just open up all out going and incoming and there are no IPs that can be white listed
            cause they always change.

            Just open all the ports inbound and don't source limit.

            That person should not be allowed near a customer network in any capacity.

            Out of curiosity, did your ring not work or are you just wondering about their answers?

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              jeauxbleaux

              Both.

              Everything seems to work -except- the live video from the Ring to my Android phone…arguably the most significant function. The Ring Android app is currently installed as-is; I haven't firewalled or app-limited it in any way (yet) (though why they need access to my contacts list, passwords, phone, location, etc, etc, etc is beyond me. I'm betting they don't; they just got somebody in Bangalore-or-wherever to 'whip up' an app for them quick and cheap). So the app is (apparently) not the problem. Though all of my firewalls in all the places I normally hang out are pretty fascist (I know because I set most of them up); I supposed the incoming video to my phone from their [proprietary] servers could be blocked from there.

              So yes, I was curious about their answers too. Their answers, plus the intrusive app, tell me that they're dismissive about network and systems security and stability. That doesn't leave me all warm and fuzzy so I'm sending it back.

              Just as a datapoint, I took a quick look at Skybell (a competitor) and they're even less informative. I did see a comment that someone was complaining that he couldn't DHCP assign an IP to his Skybell. When asked about it he said Skybell says they 'rotate MACs as a security measure'.

                pitmancd

                I have a new Ring Video Doorbell Pro, couldn't get it to work, similar problems listed here, even though I have an ASUS router.  I hope this info helps someone else as I got my issues resolved simply by turning off NAT acceleration, also referred to as hardware acceleration, CTF (Cut-Through Forwarding), or FA (Flow Accelerator).

                You can read more about this "feature" here:

                https://routerguide.net/nat-acceleration-on-or-off/

                For ASUS routers, go here in the router's settings: LAN -> Switch Control -> NAT Acceleration -> Disable.

                BTW, things that I tried that didn't make a difference include: enabling WAN ping, setting the doorbell to a static IP, setting the doorbell's static IP as the DMZ, disabling the firewall completely, port forwarding all ports as suggested by Ring tech support.

                  huthmakerj

                  In case anyone is still wondering about this. I have a Palo Alto firewall and had issues with my new Ring Elite. Took about an hour to figure out. I had to disable SIP inspection on the firewall. It's likely the same issue for everyone here.

                    niebla

                    My Ring doorbell works fairly well with pfSense. The problem seems to be associated with the Windows client which is slowly being updated. Be sure to assign a static IP address, exclude from squid, and possibly a custom NAT depending on your config. The doorbell needs unrestricted access out.

                      Guest

                      I have a Ring doorbell too, made sure that it gets an assigned address and it's working perfectly.

                      The only issue I have is that on one of my two Android phones, the alert takes about 5 minutes to come through. My wife has two iPhones and they work perfectly well, it's just the one Android device that is delayed. Must have some strange routing via Mars or something.

                        niebla

                        Is the Android slow on wifi and 3/4G? Please test individually by disabling the other and report back.

                          Guest

                          I have two Android phones, only one of them is slow.

                          Actually, someone just rang the bell, so this time the delay between the two phones was about 2 seconds, but it has been up to five minutes.

                          I'll check it out later on wifi and 3/4G and see which one has the issue.

                            A.Bursell

                            I also recently installed a Ring doorbell. On my home wifi, same network as Ring, it works great. I did not do anything extra with pfSense. It is set up on a multi-WAN setup with 3 AT&T hotspots to an SG-2440 with latest pfSense to a Netgear X4 wifi router.

                            On cell service it works great.

                            At my parents' home, it sometimes works great and other times not. The setup there is a Comcast cable connection to an APU2D4 with latest pfSense to a Netgear WNDR4500 wifi router.

                            To clarify, I am now talking about going through my parents network to the Ring system to my home network.
                            If I start with a fresh reset of pfSense the app will load instantly and everything works great - alerts and live video. Over time, sometimes a day or two, something happens where I try to load the app and it will take probably 30 seconds before it loads. Once loaded it works well enough, though a little slower I think. And alerts are slow. But if I reset the pfSense router it will work fast again like it should. I have not adjusted anything on this pfSense box either.

                            That is my experience and so far I have not been able to find the problem. Actually I can't even tell what's different. I tried resetting states and made no difference. But resetting the whole box will correct it.

                              Derelict LAYER 8 Netgate

                              Reset which router?

                                A.Bursell

                                @Derelict:

                                Reset which router?

                                I have only ever needed to reset the pfSense router at my parents house. That is the only place it sometimes doesn't work. Works great from my house (same network as ring) and great from cell data.

                                  Derelict LAYER 8 Netgate

                                  Not running anything like squid there? It should just be an outbound connection to ring I figure.

                                    A.Bursell

                                    @Derelict:

                                    Not running anything like squid there? It should just be an outbound connection to ring I figure.

                                    Nothing else, just the basics. I think about the most I have configured is using Google DNS for clients. Actually using it for IPv4 and IPv6. But otherwise pfSense is pretty much how it installed. No changes to firewall or anything else that I recall. Which is why it's strange that it works great most of the time, but will occasionally seem to get hung up and require a reboot to get the app back up to speed.

                                      Derelict LAYER 8 Netgate

                                      Yeah. There is nothing that rebooting the firewall would clear there.

                                      It could be something with IPv6. If a device thinks it has IPv6 it will generally try to use that first. If it is broken it will fall back to IPv4 if available. That is a common cause of things that "take 30 seconds to load."

                                      That is where I could concentrate at first.

                                      It also sounds like you might be double-NAT there. Should work but might also be a place to look.

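An added example, not part of any post in this thread: one way to test for the broken-IPv6 fallback delay described in the post above. It times a TCP connect to each resolved address separately, so a dead IPv6 path shows up as seconds lost before IPv4 succeeds; `example.com` and port 443 are placeholders, not Ring endpoints.

```python
import socket
import sys
import time


def probe(host, port, timeout=5.0, resolve=socket.getaddrinfo,
          connect=socket.create_connection):
    """Time one TCP connect per resolved address, IPv6 and IPv4 separately."""
    results, seen = [], set()
    for family, _, _, _, sockaddr in resolve(host, port, type=socket.SOCK_STREAM):
        addr = sockaddr[0]
        if family not in (socket.AF_INET, socket.AF_INET6) or addr in seen:
            continue
        seen.add(addr)
        start = time.monotonic()
        try:
            # Connect to the literal address so the OS cannot choose the family.
            connect((addr, port), timeout).close()
            error = None
        except OSError as exc:  # timeout, unreachable, refused
            error = type(exc).__name__
        results.append({
            "family": "IPv6" if family == socket.AF_INET6 else "IPv4",
            "address": addr,
            "ok": error is None,
            "error": error,
            "seconds": round(time.monotonic() - start, 2),
        })
    return results


def diagnose(results):
    """Return (verdict, seconds spent on failed IPv6 attempts)."""
    v6 = [r for r in results if r["family"] == "IPv6"]
    v4 = [r for r in results if r["family"] == "IPv4"]
    lost = round(sum(r["seconds"] for r in v6 if not r["ok"]), 2)
    if not v6:
        return ("ipv4-only", 0.0)
    if all(r["ok"] for r in v6):
        return ("ipv6-ok", 0.0)
    if any(r["ok"] for r in v4):
        return ("ipv6-broken-ipv4-fallback", lost)
    return ("all-failing", lost)


if __name__ == "__main__":
    # example.com and port 443 are placeholders; substitute a host the device
    # or app is seen contacting in your own firewall states or DNS logs.
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    rows = probe(host, 443)
    for row in rows:
        print(row)
    print(diagnose(rows))
```

Run it from a client on the affected LAN while the slowdown is happening; a verdict of `ipv6-broken-ipv4-fallback` with several seconds lost points at the IPv6 path rather than the firewall rules.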
                                        A.Bursell

                                        Oh good idea, I hadn't really thought about IPv6. I don't have it on my home network and everything works even with my unavoidable multi-NAT setup. My parents have Comcast (no double-NAT, modem in bridge mode and Netgear as AP) and it has IPv6. I didn't really think I had to do anything since pfSense just worked so all I did was add Google DNS. Maybe I'll play with it more. I don't really know much about it but sounds like it's time to learn.

                                        Thanks for your help!

                                            timleibovich

                                            FYI, I was able to get this to work by disabling my DNS Resolver and enabling the DNS Forwarder service instead. I didn't need to add any additional Firewall rules or NAT/PAT rules since all of the connections are initiated outbound.

                                            I don't have a good idea what about the DNS Resolver the Ring was incompatible with, but wanted to put this out there so if others want, they can track down the cause.
