Ring video doorbell behind PFsense firewall?



  • Anyone using a Ring video doorbell behind PFSense?  I have a Ring video doorbell, and I've been unsuccessful in getting PFSense to pass the traffic required for the video portion of the doorbell to work, although the notification portion works, so I get the message on my phone app that someone is ringing the doorbell, and it attempts to display video, but times out.  Ring uses SIP and RTP for the video portion.  According to Ring, the ports required are: 
    TCP 80
    TCP 443
    TCP & UDP 15063
    UDP range between 16500-32768
    UDP 51504/51506

    I've passed all traffic on these ports, and I've turned off port redirection for the static IP address that my doorbell uses.
    I've even tried siproxd, and still the SIP invite packet doesn't get out to Ring's servers, hence they never setup the RTP session.  I've put a network analyzer on both sides of the firewall, and confirmed that the SIP invite packet is issued from the doorbell destined to Ring's public server IP address, but it doesn't make it past the firewall.  I have a cellular hotspot that I travel with, and if I connect the doorbell to that it works fine, but that's obviously not a longterm solution.

    Any thoughts?



  • I've just come from a security conference which had a guest speaker from PenTest Partners. Part of the talk concerned how easy it was to hack into wifi-enabled devices you can buy for the home, including children's toys and kitchen appliances. Personally, I wouldn't be inclined to install this doorbell anywhere near my network. A bit ironic that something which promotes greater security in your home is actually undermining it. Have a look at the link.

    http://www.cnet.com/uk/news/rings-smart-doorbell-can-leave-your-house-vulnerable-to-hacks/



  • Thank you muswellhillbilly for bringing that information to my attention.  That is very good to know, and I do appreciate the heads up.  Now that I have it, however, and I can't return it, I might as well try to get it functional and if so, I can think of a couple ways of disabling the pairing function once it's paired, which I believe would put it in a similar security vulnerability level as a mobile phone, etc.  I live in a pretty rural area (countryside off the road) as well, so the likelihood of hackers is not as high as an urban setting (I realize that's no excuse for security, however).



  • So no one has any feedback re: my original SIP issue?



  • If www.grc.com survives their ongoing DOS attack you can go there and see how to set up another router to place your IOT device behind to protect your 'home' network from your 'IOT' network.

    Sorry can't help on your Ring doorbell.


  • LAYER 8 Netgate

    @TAC57:

    If www.grc.com survives their ongoing DOS attack you can go there and see how to set up another router to place your IOT device behind to protect your 'home' network from your 'IOT' network.

    Completely unnecessary when you are working with tools like pfSense. An IOT interface is much more elegant.



  • @Derelict:

    @TAC57:

    If www.grc.com survives their ongoing DOS attack you can go there and see how to set up another router to place your IOT device behind to protect your 'home' network from your 'IOT' network.

    Completely unnecessary when you are working with tools like pfSense. An IOT interface is much more elegant.

    Can you give me some additional info on a pfSense "IOT interface"?  This is something I've been interested in setting up since I have a Nest thermostat and have been accumulating a number of other IOT devices.

    Even more important now with the discovery of the glibc stack-based buffer overflow security flaw.

    Thnx


  • LAYER 8 Netgate

    Yeah - I spent the night last night running apt-get dist-upgrade.

    I am considering doing a walkthrough that basically does sggrc's 3-router "solution" - only properly.

    This is going to require hardware vendors to start putting real functionality into their gear OR consumers willing to buy real gear like managed switches and APs and probably pay someone to maintain their network.

    Or there will be massive pwnage which is what I expect to happen.

    But, in a nutshell, you would put an AP (or SSID) on another ethernet segment (or VLAN) that blocks all access to local assets, passes DNS to, say, 8.8.8.8 and 8.8.4.4, and either passes access to the internet or only those things the IoT devices need to talk to. You could use pfSense's resolver for DNS but, like you just mentioned, you never know what vulnerabilities are going to be discovered.

    I need to lab this up because you will lose things like mDNS from your management LAN so things won't be as seamless as your general consumers expect, but we have avahi for that though I've never used it.


  • LAYER 8 Global Moderator

    "UDP range between 16500-32768"

    You need that large of a range inbound???  I.e. from the public net to your device behind pfsense, this seems really really BAD design or unlikely… Those ports are needed outbound maybe?

    They talk about access to their cloud, so you don't even need inbound ports??  Just outbound?
    "Connecting to our cloud ensures that your Ring Doorbell can manage sessions and reach your smartphone and tablet whether you are home or away."

    "turned off port redirection for the static IP address that my doorbell uses"  What does this mean???  What did you do exactly?  Are you using a captive portal in pfsense??

    I would take it those ports are outbound only...  So you really should not have to do anything special in pfsense for this to work with the default rules..

    As to security of such devices, I agree they need to be isolated from your normal network... I have a nest thermostat and protect, and harmony hub and directv dvr.  They are on their own vlans that do not have any access to my normal networks.

    Firewalls rules are by default any any outbound...  So have you modified these??
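The two posts above make the same point from two sides: Derelict's IoT segment (block everything local, pass DNS to 8.8.8.8/8.8.4.4, pass what the devices need outbound) and johnpoz's observation that the doorbell only needs outbound connections, so the stateful firewall admits the replies without any inbound rule. The following is an added example, not code from this thread, from pfSense or from Ring: a small Python model of a pfSense-style ruleset (first match wins on the interface the packet enters, pass rules create state, default deny). The addressing (192.168.50.0/24 for IoT, 192.168.1.0/24 for the LAN, 203.0.113.5 as a stand-in cloud server) and the flows are constructed for the example; NAT translation is omitted so that the state is keyed on the inside 5-tuple.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable

# Constructed sample addressing for this example (assumed, not from the thread).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
IOT_NET = ipaddress.ip_network("192.168.50.0/24")
DOORBELL = "192.168.50.20"
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PUBLIC_DNS = [ipaddress.ip_address(a) for a in ("8.8.8.8", "8.8.4.4")]


@dataclass(frozen=True)
class Flow:
    iface: str   # interface the packet arrives on: "IOT" or "WAN"
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    proto: str                       # "any", "tcp" or "udp"
    src_match: Callable[[str], bool]
    dst_match: Callable[[str], bool]
    dport_match: Callable[[int], bool]
    desc: str


def in_any(nets):
    return lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)


def is_one_of(addrs):
    return lambda ip: ipaddress.ip_address(ip) in addrs


# Rules on the IoT interface, evaluated top-down, first match wins (pfSense semantics).
IOT_RULES = [
    Rule("pass", "any", in_any([IOT_NET]), is_one_of(PUBLIC_DNS), lambda p: p == 53, "IoT -> Google DNS"),
    Rule("block", "any", in_any([IOT_NET]), in_any(PRIVATE_NETS), lambda p: True, "IoT -> any local asset"),
    Rule("pass", "any", in_any([IOT_NET]), lambda ip: True, lambda p: True, "IoT -> internet"),
]
# Nothing is opened on WAN: only the implicit default deny applies there.
WAN_RULES = []


class StatefulFirewall:
    def __init__(self):
        self.states = set()

    def evaluate(self, f: Flow) -> str:
        # A reply matching an existing state is accepted without consulting the rules.
        reverse_key = (f.proto, f.dst, f.dport, f.src, f.sport)
        if reverse_key in self.states:
            return "pass (state)"
        rules = {"IOT": IOT_RULES, "WAN": WAN_RULES}[f.iface]
        for r in rules:
            if r.proto not in ("any", f.proto):
                continue
            if r.src_match(f.src) and r.dst_match(f.dst) and r.dport_match(f.dport):
                if r.action == "pass":
                    self.states.add((f.proto, f.src, f.sport, f.dst, f.dport))
                return f"{r.action} ({r.desc})"
        return "block (default deny)"


def run_scenario() -> dict:
    """Constructed flows: what the doorbell can reach, and what the internet can reach."""
    fw = StatefulFirewall()
    r = {}
    r["dns"] = fw.evaluate(Flow("IOT", "udp", DOORBELL, 40000, "8.8.8.8", 53))
    r["lan_smb"] = fw.evaluate(Flow("IOT", "tcp", DOORBELL, 40001, "192.168.1.10", 445))
    r["cloud_https"] = fw.evaluate(Flow("IOT", "tcp", DOORBELL, 40002, "203.0.113.5", 443))
    r["cloud_udp"] = fw.evaluate(Flow("IOT", "udp", DOORBELL, 51504, "203.0.113.5", 51504))
    # Reply for that UDP session arriving on WAN: matched by state, no WAN rule needed.
    r["cloud_udp_reply"] = fw.evaluate(Flow("WAN", "udp", "203.0.113.5", 51504, DOORBELL, 51504))
    # Unsolicited packet from the internet into the "required" UDP range: no state, default deny.
    r["unsolicited"] = fw.evaluate(Flow("WAN", "udp", "203.0.113.5", 20000, DOORBELL, 20000))
    return r


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:16} {verdict}")
```

The block rule for RFC1918 destinations sits above the pass-to-internet rule on purpose; with the order reversed, the IoT segment would reach the LAN. The last two flows are the practical answer to the port list in the original post: the session the doorbell opened gets its replies back through state, while an unsolicited packet into the same range is dropped on WAN.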



  • Yeah, I got one of these last week.  I'm pretty appalled by just how insecure-by-design they are.  And their Android app is one of the most intrusive I've ever seen; "appalling" is the word that comes to mind again (along with 'criminal', but that implies malicious intent.  Oh, wait….).  Or if it isn't deliberate, then 'negligent' and 'lazy' are the other words that come to mind.  I can mitigate (somewhat) that intrusiveness of the Android app by various, well, privacy apps.  And I did post a question to their tech support about firewall settings.  I haven't decided yet if I'm going to send it back in disgust. Depends on their answer to the firewall question and whether I feel like going to all this trouble for what is essentially a novelty.

    I suppose I have some vague thought of intercepting their datastream and redirecting to my own services, but probably not.

    Anyway, here's the question I posted.  I'll post a link  to any answer I get

    Per this page:

    https://support.ring.com/hc/en-us/articles/205385394-What-Ports-do-I-need-to-open-in-my-firewall-for-Ring-Doorbells-and-Chimes-

    All my firewalls are default drop on incoming and default reject outgoing.  I have set up the Ring in its own isolated wireless zone [actually its own access point].

    1.  Which of these are outgoing from the local home network and which are incoming (to the local device)?
    2.  Where is the list of public IP addresses that need to be whitelisted?

    Please be advised I am a network engineer with all that that implies.  I speak and understand techno.

    Thank you.



  • Here are the two responses I got from Ring.com to my query:

    Jun 6, 5:33 AM PDT

    Hello,

    Thank you for contacting us. I apologize but the information that you are asking for us to provide is proprietary. The only public information of what you are asking is the link that you have sent in.

    ------------

    And another one:

    Jun 4, 1:53 PM PDT

    Hi there!

    Just open up all outgoing and incoming and there are no IPs that can be whitelisted because they always change.



  • LAYER 8 Netgate

    @jeauxbleaux:

    Here are the two responses I got from Ring.com to my query:

    Thank you for contacting us. I apologize but the information that you are asking for us to provide is proprietary. The only public information of what you are asking is the link that you have sent in.

    Firewall ports are proprietary? Good luck, Ring.

    Hi there!

    Just open up all outgoing and incoming and there are no IPs that can be whitelisted because they always change.

    Just open all the ports inbound and don't source limit.

    That person should not be allowed near a customer network in any capacity.

    Out of curiosity, did your ring not work or are you just wondering about their answers?



  • Both.

    Everything seems to work -except- the live video from the Ring to my Android phone…arguably the most significant function.  The Ring Android app is currently installed as-is; I haven't firewalled or app-limited it in any way (yet) (though why they need access to my contacts list, passwords, phone, location, etc, etc, etc is beyond me.  I'm betting they don't; they just got somebody in Bangalore-or-wherever to 'whip up' an app for them quick and cheap).  So the app is (apparently) not the problem.  Though all of my firewalls in all the places I normally hang out are pretty fascist (I know because I set most of them up); I suppose the incoming video to my phone from their [proprietary] servers could be blocked from there.

    So yes, I was curious about their answers too. Their answers, plus the intrusive app, tell me that they're dismissive about network and systems security and stability.  That doesn't leave me all warm and fuzzy so I'm sending it back.

    Just as a datapoint, I took a quick look at Skybell (a competitor) and they're even less informative.  I did see a comment that someone was complaining that he couldn't DHCP-assign an IP to his Skybell.  When asked about it he said Skybell says they 'rotate MACs as a security measure'.



  • I have a new Ring Video Doorbell Pro, couldn't get it to work, similar problems listed here, even though I have an ASUS router.  I hope this info helps someone else as I got my issues resolved simply by turning off NAT acceleration, also referred to as hardware acceleration, CTF (Cut-Through Forwarding), or FA (Flow Accelerator).

    You can read more about this "feature" here:

    https://routerguide.net/nat-acceleration-on-or-off/

    For ASUS routers, go here in the router's settings:  LAN -> Switch Control -> NAT Acceleration -> Disable.

    BTW, things that I tried that didn't make a difference include:  enabling WAN ping, setting the doorbell to a static IP, setting the doorbell's static IP as the DMZ, disabling the firewall completely, port forwarding all ports as suggested by Ring tech support.



  • In case anyone is still wondering about this.  I have a Palo Alto firewall and had issues with my new Ring Elite.  Took about an hour to figure out.  I had to disable SIP inspection on the firewall.  It's likely the same issue for everyone here.
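The original post saw the INVITE leave the doorbell addressed to Ring's public server and never emerge from the firewall, and the post above resolved the same symptom by turning off SIP inspection. What a SIP-aware middlebox (inspection engine or ALG) looks at is the sender's own address and media port carried inside the signaling: the Via and Contact headers and the SDP c=, o= and m= lines. When those carry a private address, an ALG tries to rewrite them, and a device that expects its own cloud to handle NAT traversal can be broken by that rewriting. The following is an added example, not code from this thread, from Ring or from any firewall vendor: a Python parser that takes a constructed SIP INVITE (documentation addresses, not a real capture) and reports which signaling fields embed a private address and which media ports the far end is being asked to send RTP to. Running the same check over a packet capture taken on the inside of the firewall, as the original poster did, tells you exactly what an inspection engine would have to touch.

```python
import ipaddress
import re

# Constructed SIP INVITE with SDP body for this example; it is not a Ring capture.
# 192.168.50.20 is the assumed inside address of the doorbell, 203.0.113.10 a stand-in media server.
SAMPLE_INVITE = (
    "INVITE sip:media@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.50.20:15063;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:doorbell@192.168.50.20>;tag=1928301774\r\n"
    "To: <sip:media@203.0.113.10>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:doorbell@192.168.50.20:15063>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 2890844526 2890844526 IN IP4 192.168.50.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.50.20\r\n"
    "t=0 0\r\n"
    "m=video 17000 RTP/AVP 96\r\n"
    "a=rtpmap:96 H264/90000\r\n"
)

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_sip(message: str):
    """Split a SIP request into (request line, headers dict, SDP dict).
    Header names are lower-cased; SDP lines are keyed by their one-letter type."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    sdp = {}
    for line in body.split("\r\n"):
        if len(line) > 2 and line[1] == "=":
            sdp.setdefault(line[0], []).append(line[2:])
    return request_line, headers, sdp


def embedded_private_addresses(message: str) -> dict:
    """Return {field: [private IPv4 addresses]} for the signaling fields that carry the
    sender's own address. These are exactly the fields a SIP ALG rewrites behind NAT."""
    _, headers, sdp = parse_sip(message)
    candidates = {
        "Via": headers.get("via", []),
        "Contact": headers.get("contact", []),
        "c=": sdp.get("c", []),
        "o=": sdp.get("o", []),
    }
    findings = {}
    for field, values in candidates.items():
        private = [ip for v in values for ip in IPV4_RE.findall(v)
                   if ipaddress.ip_address(ip).is_private]
        if private:
            findings[field] = private
    return findings


def media_ports(message: str) -> list:
    """(port, transport) pairs from the SDP m= lines: where the far end will send RTP."""
    _, _, sdp = parse_sip(message)
    out = []
    for m in sdp.get("m", []):
        parts = m.split()
        out.append((int(parts[1]), parts[2]))
    return out


if __name__ == "__main__":
    print("private addresses in signaling:", embedded_private_addresses(SAMPLE_INVITE))
    print("media ports offered:", media_ports(SAMPLE_INVITE))
```

If every field comes back with the same inside address, the device is relying on its cloud (or on ICE/STUN-style discovery) rather than on the firewall to fix up the offer, which is consistent with the reports in this thread that SIP inspection and NAT acceleration got in the way rather than helping.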



  • My Ring doorbell works fairly well with pfSense. The problem seems to be associated with the Windows client which is slowly being updated. Be sure to assign a static IP address, exclude from squid, and possibly a custom NAT depending on your config. The doorbell needs unrestricted access out.



  • I have a Ring doorbell too, made sure that it gets an assigned address and it's working perfectly.

    The only issue I have is that on one of my two Android phones, the alert takes about 5 minutes to come through. My wife has two iPhones and they work perfectly well, it's just the one Android device that is delayed. Must have some strange routing via Mars or something.



  • Is the Android slow on wifi and 3/4g? Please test individually by disabling the other and report back.



  • I have two Android phones, only one of them is slow.

    Actually, someone just rang the bell, so this time the delay between the two phones was about 2 seconds, but it has been up to five minutes.

    I'll check it out later on wifi and 3/4G and see which one has the issue.



  • I also recently installed a Ring doorbell. On my home wifi, same network as Ring, it works great. I did not do anything extra with pfSense. It is set up on a multi-WAN setup with 3 AT&T hotspots to an SG-2440 with latest pfSense to a Netgear X4 wifi router.

    On cell service it works great.

    At my parents home, it sometimes works great and other times not. The setup there is a Comcast cable connection to a APU2D4 with latest pfSense to a Netgear WNDR4500 wifi router.

    To clarify, I am now talking about going through my parents network to the Ring system to my home network.
    If I start with a fresh reset of pfSense the app will load instantly and everything works great - alerts and live video. Over time, sometimes a day or two, something happens where I try to load the app and it will take probably 30 seconds before it loads. Once loaded it works well enough, though a little slower I think. And alerts are slow. But if I reset the pfSense router it will work fast again like it should. I have not adjusted anything on this pfSense box either.

    That is my experience and so far I have not been able to find the problem. Actually I can't even tell what's different. I tried resetting states and made no difference. But resetting the whole box will correct it.


  • LAYER 8 Netgate

    Reset which router?



  • @Derelict:

    Reset which router?

    I have only ever needed to reset the pfSense router at my parents house. That is the only place it sometimes doesn't work. Works great from my house (same network as ring) and great from cell data.


  • LAYER 8 Netgate

    Not running anything like squid there? It should just be an outbound connection to ring I figure.



  • @Derelict:

    Not running anything like squid there? It should just be an outbound connection to ring I figure.

    Nothing else, just the basics. I think about the most I have configured is using Google DNS for clients. Actually using it for IPv4 and IPv6. But otherwise pfSense is pretty much how it installed. No changes to firewall or anything else that I recall. Which is why it's strange that it works great most of the time, but will occasionally seem to get hung up and require a reboot to get the app back up to speed.


  • LAYER 8 Netgate

    Yeah, there is nothing that rebooting the firewall would clear there.

    It could be something with IPv6. If a device thinks it has IPv6 it will generally try to use that first. If it is broken it will fall back to IPv4 if available. That is a common cause of things that "take 30 seconds to load."

    That is where I could concentrate at first.

    It also sounds like you might be double-NAT there. Should work but might also be a place to look.



  • Oh good idea, I hadn't really thought about IPv6. I don't have it on my home network and everything works even with my unavoidable multi-NAT setup. My parents have Comcast (no double-NAT, modem in bridge mode and Netgear as AP) and it has IPv6. I didn't really think I had to do anything since pfSense just worked so all I did was add Google DNS. Maybe I'll play with it more. I don't really know much about it but sounds like it's time to learn.

    Thanks for your help!

