
Author Topic: Ring video doorbell behind PFsense firewall?  (Read 6468 times)

sdbenner
Ring video doorbell behind PFsense firewall?
« on: February 11, 2016, 07:37:18 pm »
Anyone using a Ring video doorbell behind PFSense?  I have a Ring video doorbell, and I've been unsuccessful in getting PFSense to pass the traffic required for the video portion of the doorbell to work, although the notification portion works, so I get the message on my phone app that someone is ringing the doorbell, and it attempts to display video, but times out.  Ring uses SIP and RTP for the video portion.  According to Ring, the ports required are: 
TCP 80
TCP 443
TCP & UDP 15063
UDP range between 16500-32768
UDP 51504/51506

I've passed all traffic on these ports, and I've turned off port redirection for the static IP address that my doorbell uses.
I've even tried siproxd, and still the SIP invite packet doesn't get out to Ring's servers, hence they never set up the RTP session.  I've put a network analyzer on both sides of the firewall, and confirmed that the SIP invite packet is issued from the doorbell destined to Ring's public server IP address, but it doesn't make it past the firewall.  I have a cellular hotspot that I travel with, and if I connect the doorbell to that it works fine, but that's obviously not a long-term solution.

Any thoughts?

muswellhillbilly
Re: Ring video doorbell behind PFsense firewall?
« Reply #1 on: February 12, 2016, 02:35:08 am »
I've just come from a security conference which had a guest speaker from PenTest Partners. Part of the talk concerned how easy it was to hack into wifi-enabled devices you can buy for the home, including children's toys and kitchen appliances. Personally, I wouldn't be inclined to install this doorbell anywhere near my network. A bit ironic that something which promotes greater security in your home is actually undermining it. Have a look at the link.

http://www.cnet.com/uk/news/rings-smart-doorbell-can-leave-your-house-vulnerable-to-hacks/

sdbenner
Re: Ring video doorbell behind PFsense firewall?
« Reply #2 on: February 12, 2016, 09:01:19 am »
Thank you muswellhillbilly for bringing that information to my attention.  That is very good to know, and I do appreciate the heads up.  Now that I have it, however, and I can't return it, I might as well try to get it functional and if so, I can think of a couple ways of disabling the pairing function once it's paired, which I believe would put it in a similar security vulnerability level as a mobile phone, etc.  I live in a pretty rural area (countryside off the road) as well, so the likelihood of hackers is not as high as an urban setting (I realize that's no excuse for security, however).

sdbenner
Re: Ring video doorbell behind PFsense firewall?
« Reply #3 on: February 16, 2016, 03:45:49 pm »
So no one has any feedback re: my original SIP issue?

TAC57
Re: Ring video doorbell behind PFsense firewall?
« Reply #4 on: February 18, 2016, 10:39:09 am »
If www.grc.com survives their ongoing DOS attack you can go there and see how to set up another router to place your IOT device behind to protect your 'home' network from your 'IOT' network.

Sorry can't help on your Ring doorbell.

Derelict
Re: Ring video doorbell behind PFsense firewall?
« Reply #5 on: February 18, 2016, 10:52:47 am »
Quote
If www.grc.com survives their ongoing DOS attack you can go there and see how to set up another router to place your IOT device behind to protect your 'home' network from your 'IOT' network.

Completely unnecessary when you are working with tools like pfSense. An IOT interface is much more elegant.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

TAC57
Re: Ring video doorbell behind PFsense firewall?
« Reply #6 on: February 18, 2016, 11:20:29 am »
Quote
If www.grc.com survives their ongoing DOS attack you can go there and see how to set up another router to place your IOT device behind to protect your 'home' network from your 'IOT' network.

Quote
Completely unnecessary when you are working with tools like pfSense. An IOT interface is much more elegant.

Can you give me some additional info on a pfSense "IOT interface"?  This is something I've been interested in setting up since I have a Nest thermostat and have been accumulating a number of other IOT devices.

Even more important now with the discovery of the glibc stack-based buffer overflow security flaw.

Thnx 


Derelict
Re: Ring video doorbell behind PFsense firewall?
« Reply #7 on: February 18, 2016, 12:19:50 pm »
Yeah - I spent the night last night running apt-get dist-upgrade.

I am considering doing a walkthrough that basically does sggrc's 3-router "solution" - only properly.

This is going to require hardware vendors to start putting real functionality into their gear OR consumers willing to buy real gear like managed switches and APs and probably pay someone to maintain their network.

Or there will be massive pwnage which is what I expect to happen.

But, in a nutshell, you would put an AP (or SSID) on another ethernet segment (or VLAN) that blocks all access to local assets, passes DNS to, say, 8.8.8.8 and 8.8.4.4, and either passes access to the internet or only those things the IoT devices need to talk to. You could use pfSense's resolver for DNS but, like you just mentioned, you never know what vulnerabilities are going to be discovered.

I need to lab this up because you will lose things like mDNS from your management LAN so things won't be as seamless as your general consumers expect, but we have avahi for that though I've never used it.
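
The isolated segment Derelict describes in Reply #7, written as raw pf rules. This is an added example, not part of the original thread and not pfSense-generated output (pfSense builds equivalent rules from its GUI). Assumptions: the interface name, the IoT subnet and the firewall acting as DHCP server on that segment are made up for illustration; the port list is the one quoted from Ring in the first post, treated as outbound-only as johnpoz suggests in Reply #8, with "UDP 51504/51506" read as two ports.

```pf
# Constructed values: adjust to your own interface and addressing.
iot_if  = "igb2"                  # hypothetical interface/VLAN for the IoT SSID
iot_net = "192.168.30.0/24"       # hypothetical IoT subnet
dns_ok  = "{ 8.8.8.8, 8.8.4.4 }"  # resolvers named in the post

# "Local assets": every RFC 1918 range, so internal VLANs added later are covered.
table <local_nets> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Segment default: drop and log anything not explicitly passed below.
block in log on $iot_if all

# DHCP to the firewall (assumes the firewall is the DHCP server on this segment).
pass in quick on $iot_if inet proto udp from any port 68 to any port 67

# DNS only to the two public resolvers, not to the firewall's own resolver.
pass in quick on $iot_if inet proto { tcp, udp } from $iot_net to $dns_ok port 53

# No access to local assets or to the firewall itself (GUI, SSH, resolver).
block in log quick on $iot_if inet from any to <local_nets>
block in log quick on $iot_if from any to (self)

# Option A: only what the device needs, outbound. No inbound WAN rule or
# port forward is added; replies come back through the state table.
pass in quick on $iot_if inet proto tcp from $iot_net to any port { 80, 443, 15063 }
pass in quick on $iot_if inet proto udp from $iot_net to any \
    port { 15063, 16500:32768, 51504, 51506 }

# Option B: general internet access instead of Option A.
# pass in quick on $iot_if inet from $iot_net to any
```

The logged default block makes it easy to see which destinations and ports a device tries to reach before deciding whether to widen Option A.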

johnpoz
Re: Ring video doorbell behind PFsense firewall?
« Reply #8 on: February 18, 2016, 12:39:14 pm »
"UDP range between 16500-32768"

You need that large of a range inbound???  Ie from the public net to your device behind pfsense, this seems really really BAD design or unlikely... Those ports are needed outbound maybe?

They talk about access to their cloud, so you don't even need inbound ports??  Just outbound?
"Connecting to our cloud ensures that your Ring Doorbell can manage sessions and reach your smartphone and tablet whether you are home or away."

"turned off port redirection for the static IP address that my doorbell uses"  What does this mean???  What did you do exactly?  Are you using a captive portal in pfsense??

I would take it those ports are outbound only...  So you really should not have to do anything special in pfsense for this to work with the default rules..

As to security of such devices, I agree they need to be isolated from your normal network... I have a nest thermostat and protect, and harmony hub and directv dvr.  They are on their own vlans that do not have any access to my normal networks.

Firewall rules are by default any any outbound...  So have you modified these??
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

jeauxbleaux
Re: Ring video doorbell behind PFsense firewall?
« Reply #9 on: June 03, 2016, 05:40:08 pm »
Yeah, I got one of these last week.  I'm pretty appalled by just how insecure-by-design they are.  And their Android app is one of the most intrusive I've ever seen; "appalling" is the word that comes to mind again (along with 'criminal', but that implies malicious intent.  Oh, wait....).  Or if it isn't deliberate, then 'negligent' and 'lazy' are the other words that come to mind.  I can mitigate (somewhat) that intrusiveness of the Android app by various, well, privacy apps.  And I did post a question to their tech support about firewall settings.  I haven't decided yet if I'm going to send it back in disgust. Depends on their answer to the firewall question and whether I feel like going to all this trouble for what is essentially a novelty.

I suppose I have some vague thought of intercepting their datastream and redirecting to my own services, but probably not.

Anyway, here's the question I posted.  I'll post a link to any answer I get.


Per this page:

 https://support.ring.com/hc/en-us/articles/205385394-What-Ports-do-I-need-to-open-in-my-firewall-for-Ring-Doorbells-and-Chimes-

All my firewalls are default drop on incoming and default reject outgoing.  I have set up
the Ring in its own isolated wireless zone [actually its own access point].

1.  Which of these are outgoing from the local home network and which are incoming (to the
local device)?
2.  Where is the list of public ip addresses that need to be whitelisted?

Please be advised I am a network engineer with all that that implies.  I speak and
understand techno.

Thank you.


jeauxbleaux
Re: Ring video doorbell behind PFsense firewall?
« Reply #10 on: June 06, 2016, 12:31:07 pm »
Here are the two responses I got from Ring.com to my query:

Jun 6, 5:33 AM PDT

Hello,

Thank you for contacting us. I apologize but the information that you are asking for us to
provide is proprietary. The only public information of what you are asking is the link
that you have sent in.

-------------

And another one:

Jun 4, 1:53 PM PDT

Hi there!

Just open up all out going and incoming and there are no Ip's that cn be white listed
cause the always change.

-----------------------




Derelict
Re: Ring video doorbell behind PFsense firewall?
« Reply #11 on: June 06, 2016, 07:04:25 pm »
Quote
Here are the two responses I got from Ring.com to my query:

Thank you for contacting us. I apologize but the information that you are asking for us to
provide is proprietary. The only public information of what you are asking is the link
that you have sent in.

Firewall ports are proprietary? Good luck, Ring.

Quote
Hi there!

Just open up all out going and incoming and there are no Ip's that cn be white listed
cause the always change.

Just open all the ports inbound and don't source limit.

That person should not be allowed near a customer network in any capacity.

Out of curiosity, did your ring not work or are you just wondering about their answers?

jeauxbleaux
Re: Ring video doorbell behind PFsense firewall?
« Reply #12 on: June 07, 2016, 01:21:01 pm »
Both.

Everything seems to work -except- the live video from the RING to my android phone...arguably the most significant function.  The Ring android app is currently installed as-is; I haven't firewalled or app-limited it in any way (yet)  (though why they need access to my contacts list, passwords, phone, location, etc, etc, etc is beyond me.   I'm betting they don't; they just got somebody in Bangalore-or-wherever to 'whip up' an app for them quick and cheap).  So the app is (apparently) not the problem.  Though all of my firewalls in all the places I normally hang out are pretty fascist (I know because I set most of them up); I supposed the incoming video to my phone from their [proprietary] servers could be blocked from there.

So yes, I was curious about their answers too. Their answers, plus the intrusive app, tell me that they're dismissive about network and systems security and stability.  That doesn't leave me all warm and fuzzy so I'm sending it back.

Just as a datapoint, I took a quick look at Skybell (a competitor) and they're even less informative.  I did see a comment that someone was complaining that he couldn't DHCP assign an IP to his skybell.  When asked about it he said Skybell says they 'rotate MAC's as a security measure' .
« Last Edit: June 07, 2016, 01:27:48 pm by jeauxbleaux »

pitmancd
Re: Ring video doorbell behind PFsense firewall?
« Reply #13 on: February 17, 2017, 12:14:04 pm »
I have a new Ring Video Doorbell Pro, couldn't get it to work, similar problems listed here, even though I have an ASUS router.  I hope this info helps someone else as I got my issues resolved simply by turning off NAT acceleration, also referred to as hardware acceleration, CTF (Cut-Through Forwarding), or FA (Flow Accelerator).
 
You can read more about this "feature" here:
 
https://routerguide.net/nat-acceleration-on-or-off/
 
For ASUS routers, go here in the router's settings:  LAN -> Switch Control -> NAT Acceleration -> Disable.

BTW, things that I tried that didn't make a difference include:  enabling WAN ping, setting the doorbell to a static IP, setting the doorbell's static IP as the DMZ, disabling the firewall completely, port forwarding all ports as suggested by Ring tech support.
 

huthmakerj
Re: Ring video doorbell behind PFsense firewall?
« Reply #14 on: July 21, 2017, 03:56:43 pm »
In case anyone is still wondering about this.  I have a Palo Alto firewall and had issues with my new Ring Elite.  Took about an hour to figure out.  I had to disable SIP inspection on the firewall.  It's likely the same issue for everyone here.