Netgate Discussion Forum
    Recommendations for rules using a Ring Pro doorbell

    Firewalling | 15 Posts, 6 Posters, 5.5k Views
    rdmeyers

      Hello everyone.
      I have successfully set up a brand new pfSense firewall on new hardware.
      I want to install a Ring Pro doorbell.
      The number of ports that the Ring company says is required to make the device work with real-time and recorded video as well as alerts and log info etc. is quite extensive.

      Quote from the Ring Pro Company: https://support.ring.com/hc/en-us/articles/205385394-What-Ports-Do-I-Need-to-Open-in-My-Firewall-for-Ring-Doorbells-and-Chimes-

      Powered devices:
      UDP in 53, 67, 137 & 8610 - 61000
      UDP out 53, 68, 123 & 5001 - 64854
      TCP in 32768 - 61000
      TCP out 80, 443, 5201, 9999, 15063

      iOS:
      TCP In 59720 - 59840
      TCP out 80, 443, 5223, 15064
      UDP in 68, 123, 49400 - 64951
      UDP out 53, 123, 18306 - 63919

      During the setup phase I enabled a DHCP static address outside the DHCP pool and associated the Ring Pro to it.
      I also have an ARP table entry for both IP and MAC of the Ring.

      I'm looking for suggestions on how to write the rules that would allow the Ring to work without completely screwing up the firewall as security is concerned.

      I really appreciate your input.

      Thanks.

    Derelict (LAYER 8, Netgate)

        I would never put a device on my network that required port forwards like that. Ever. So the recommendation from me is to return it.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

    hbauer

          I would at least put it in a separate network segment.

    NogBadTheBad (replying to Derelict)

            @derelict said in Recommendations for rules using a Ring Pro doorbell:

            I would never put a device on my network that required port forwards like that. Ever. So the recommendation from me is to return it.

            Yeah I’m with you here, it makes me laugh that they’re a sponsor on the Security Now podcast.

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

    johnpoz (LAYER 8, Global Moderator)

              I find it highly unlikely it needs those ports inbound..

              They are more than likely talking about outbound. A Google search finds:
              http://www.adscon.com/sites/blog/Lists/Posts/Post.aspx?ID=52
              I spoke to Level 2 support and they recommended opening up inbound ports as well, but I was able to get it working by only allowing outbound ports.

              I don't have one to play with either, but I'm with Derelict: if you need to open ports inbound, return it!!!

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

    rdmeyers

                Thanks everyone for the input on this topic. I really appreciate the feedback.
                I had already tried the setup from the link "johnpoz" posted and it did not work.

                I agree with all of you regarding opening ports inbound.

                If I create a DMZ with a completely different private network and take a typical homeowner-type router/AP (like the ones you get from an ISP) from the DMZ to only the Ring, that should keep my internal network safe, correct?
                I have never used a DMZ before, so I want to make sure I understand how the DMZ feature would work to accomplish that.

                I have a 6-port Protectli Vault, so I have the hardware to create the DMZ.

                To be very honest, I need to set up this Ring doorbell because, well, my wife wants it for her phone to access the front door.

                So it would be set up like this:

                Internet -- FW -- DMZ port -- old router/AP -- Ring Pro
                Internet -- FW -- LAN port -- private LAN inside house

                Then they would not talk to each other, correct?

    johnpoz (LAYER 8, Global Moderator)

                  You can for sure isolate a segment, whether you call it a "DMZ" or a firewalled segment where inbound traffic would be allowed to a device/network that cannot create unsolicited traffic to your other networks/VLANs.

                  You do not need what you're calling an old router/AP unless that is the only way you can create an isolated segment on WiFi. Any actual AP would allow for VLAN segments based upon SSID, for example. Any of the APs from Unifi can do this, for example.

                  But sure, if you have an old WiFi router you want to use as an AP to add WiFi to an isolated network segment, that can work too.

                  So you're saying the other guy I linked to is mistaken and he had to open up inbound ports? I control my lights and stuff with no inbound ports. My grandkids can call my Alexa for video calls without any inbound ports. That such a simple device would need inbound ports for such basic features, and that many to boot, is just plain asinine...

                  I will have to put this device on my list of stuff to get, just to play with ;) Pretty sure it works with the Echo Show to show video when someone rings the bell. So I might be able to sell it to the wife as a valid purchase ;)

    rdmeyers

                    Thanks again for the feedback.
                    I wanted you to know the Ring worked fine when it was hooked up to my old ISP-provided router/AP, without opening any ports at all.

                    I don't know if the guy from the link is mistaken only that following what he wrote did not work for me.

                    I'm not sure what else has changed with the Ring Pro doorbell since they were bought out by Amazon.

                    I guess I will learn about setting up a VLAN and attaching an AP to it so I can have a completely segregated network for the Ring with no traffic to or from my LAN. Then opening up ports should only affect the Ring and nothing else.

    johnpoz (LAYER 8, Global Moderator)

                      Does it work if you allow it unrestricted outbound? From what I was reading, their listing of ports is borked.. Even the listed outbound ones.

                      Kind of a given that they don't really have a clue how to write documentation when they say it needs DHCP ports inbound and outbound... Come on, this is just nonsense: 67, 68 UDP.. And the discover goes out on dest 67, so how are you needing that in? It's running a DHCP server via a relay? ;)

                      I do not get why these companies cannot just be clear and concise about what ports are needed.. Same goes for the game makers..

                      This is just utter nonsense.
                      udp inbound > 8610 - 61000

                      That is just not possible through NAT and port forwards.. You wouldn't be able to use any other devices using UDP if you had to forward unsolicited UDP in that whole range to one IP..

                      It needs 53 inbound? So it's running a DNS server?

                      If you allow it the default any-any rules for your LAN devices, does it work?

    Derelict (LAYER 8, Netgate, replying to johnpoz)

                        @johnpoz said in Recommendations for rules using a Ring Pro doorbell:

                        I find it highly unlikely it needs those ports inbound..

                        They are more than likely talking about outbound. A Google search finds:
                        http://www.adscon.com/sites/blog/Lists/Posts/Post.aspx?ID=52
                        I spoke to Level 2 support and they recommended opening up inbound ports as well, but I was able to get it working by only allowing outbound ports.

                        I don't have one to play with either, but I'm with Derelict: if you need to open ports inbound, return it!!!

                        IMHO, even TELLING people to open the ports is just as bad as actually requiring they be open. Maybe even worse. IoT companies will only hear one thing.

    rdmeyers

                          Ok. I took advice from all of you and set up a VLAN with an old AP I had lying around. Set a static IP on the Ring and hooked it up to the new VLAN AP. It works now, completely separate from my LAN.

                          It would be great if Amazon would step up to the plate and make this little doorbell great. Maybe make it less of a security hole and more security-friendly for LAN setup and local video capture without compromising our home or business networks. Sorry, just hoping someone at Amazon may be reading these forums.

                          Again thanks to all of you that gave me feedback and ideas.

                          Looking forward to being a contributing member here.

    chpalmer (replying to rdmeyers)

                            @rdmeyers said in Recommendations for rules using a Ring Pro doorbell:

                            Looking forward to being a contributing member here.

                            Well.. Nest cams do not require port forwards..

                            Triggering snowflakes one by one..
                            Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

    johnpoz (LAYER 8, Global Moderator, replying to rdmeyers)

                              @rdmeyers said in Recommendations for rules using a Ring Pro doorbell:

                              It works now completely separate from my LAN.

                              With what rules exactly? I would remove all inbound port forwards and leave outbound any-any on this network.

    rdmeyers

                                Exactly what you said. Outbound any-any, nothing inbound. And the first rule is block all to the local LAN.

    johnpoz (LAYER 8, Global Moderator)
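As an added illustration of the final setup rdmeyers describes (the isolated Ring VLAN johnpoz suggested, with "block all to local LAN" above "pass any outbound"), this is example code written for this page, not code from the thread or from pfSense. It models pfSense's first-match evaluation of the rules on the Ring VLAN interface, shows why the reversed order silently exposes the LAN, and includes a shadow check that flags a rule an earlier rule makes unreachable. The 192.168.1.0/24 and 192.168.50.0/24 addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addressing (assumption, not from the thread): LAN on
# 192.168.1.0/24 and the isolated Ring VLAN on 192.168.50.0/24.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
IOT_NET = ipaddress.ip_network("192.168.50.0/24")
ANY = None  # None stands for "any" as a source or destination


@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    src: Optional[ipaddress.IPv4Network]
    dst: Optional[ipaddress.IPv4Network]
    note: str = ""


def _covers(net: Optional[ipaddress.IPv4Network], other) -> bool:
    """True if `net` matches everything `other` matches ("any" covers all)."""
    if net is ANY:
        return True
    return other is not ANY and other.subnet_of(net)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """First match wins, as pfSense evaluates rules on the interface a new
    connection enters; no match falls through to the implicit default deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.src is ANY or s in r.src) and (r.dst is ANY or d in r.dst):
            return r.action
    return "block"


def dead_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that can never match because an earlier rule covers them."""
    return [r for i, r in enumerate(rules)
            if any(_covers(e.src, r.src) and _covers(e.dst, r.dst)
                   for e in rules[:i])]


# Ring VLAN interface as rdmeyers described: block to LAN first, then pass any.
IOT_RULES = [
    Rule("block", IOT_NET, LAN_NET, "doorbell may not reach the LAN"),
    Rule("pass", IOT_NET, ANY, "everything else, i.e. the internet"),
]
# Same rules reversed: the pass rule shadows the block, so the LAN is exposed.
IOT_RULES_WRONG_ORDER = list(reversed(IOT_RULES))
# WAN interface with no port forwards and no pass rules: unsolicited inbound
# traffic (the "TCP in 32768 - 61000" Ring lists) hits the default deny.
WAN_RULES: List[Rule] = []
```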

                                  And it works? Then, as we all seem to agree, their nonsense post about ports is just that: nonsense.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.