Miserable Ooma setup ... Did Ooma support open up my router just now?

A few hours into setting up the Ooma with tier 2 customer support
(866-493-662), they had me open up my Linksys WRT54G router to the
following settings.

Can someone (Jeff?) tell me what the heck this is doing from the
standpoint of security?
 


Linksys WRT54G->Applications & Gaming->Port Range Forward
 Application Start to End Protocol IP Address     Enable
 ooma        53       53  Both     102.168.1.104  [x]
 ooma        53       53  Both     102.168.1.104  [x]
 ooma        53       53  Both     102.168.1.104  [x]
 ooma        53       53  Both     102.168.1.104  [x]
 ooma        53       53  Both     102.168.1.104  [x]
 ooma        53       53  Both     102.168.1.104  [x]
 ooma        53       53  Both     102.168.1.104  [x]
 ooma        53       53  Both     102.168.1.104  [x]
 ooma        53       53  Both     102.168.1.104  [x]


Re: Miserable Ooma setup ... Did Ooma support open up my router just now?
Ooops. While cutting and pasting, I accidentally hit the 'send' keyboard
sequence. Here I start over ...

A few hours into setting up the Ooma with tier 2 customer support
(866-493-662), they had me open up my Linksys WRT54G router to the
following settings.
 
Can someone (Jeff?) tell me what the heck this is doing from the
standpoint of security?
 


After logging into the router, I went to the following tabs:
 Linksys WRT54G->Applications & Gaming->Port Range Forward

And, then Ooma 2nd-tier support had me enter the following:
Application Start to End   Protocol IP Address     Enable
  ooma      53       53    Both     192.168.1.104  [x]
  ooma      110      110   TCP      192.168.1.104  [x]
  ooma      123      123   UDP      192.168.1.104  [x]
  ooma      443      443   TCP      192.168.1.104  [x]
  ooma      514      514   UDP      192.168.1.104  [x]
  ooma      1194     1194  UDP      192.168.1.104  [x]
  ooma      3386     3386  UDP      192.168.1.104  [x]
  ooma      3480     3480  UDP      192.168.1.104  [x]
  ooma      10000    20000 UDP      192.168.1.104  [x]

My questions are many - but the key questions are all about what I am
actually doing (with respect to security). Am I opening up my router too
much?

My stated problem is that 'some' incoming calls go through yet others
don't ... so the second tier support had me set up port forwarding as
above.

But ... won't that IP address (192.168.1.104) change every time I reboot
my router (which is set up as a DHCP server to hand out IP addresses
starting at 192.168.1.100)?


Re: Miserable Ooma setup ... Did Ooma support open up my router just now?
On Wed, 20 Jun 2012 20:37:54 +0000, Arklin K. wrote:


I called Ooma technical support and their 3rd tier had me also set up the
ooma to a static ip address of 192.168.1.104
 


But ...

Won't the router, set up as a DHCP server starting at 192.168.1.100, give
out that static IP address (192.168.1.104) to another device if I don't
boot up the devices in just the right order?


Re: Miserable Ooma setup ... Did Ooma support open up my router just now?
On Wed, 20 Jun 2012 21:19:00 +0000 (UTC), "Arklin K."


Your router could easily give out that IP address regardless of boot
order, so you should really do one of two things:
1. Adjust the router's DHCP scope so that .104 is outside of its
range.
Or 2. Adjust the Ooma's static IP to an address that's outside of the
router's current DHCP scope. Note that if you change the Ooma's IP
address, you'll have to adjust the port forwarding that you mentioned
earlier.

Option 1 is probably easier at this point.


Re: Miserable Ooma setup ... Did Ooma support open up my router just now?
On Wed, 20 Jun 2012 17:12:03 -0500, Char Jackson wrote:


Interesting.
Are you saying that I set the Ooma to be .104 and then I set the router
to start, say, at .105 so that the router can't give out a .104?

If so, I never knew that you could set an IP address OUTSIDE the
automatic DHCP range of the router - but if that works - it makes sense.

The other option you mentioned, would also work ... which is to set the
Ooma to a large number inside the router's DHCP range (say .150) which
the router will never get to by automatic sequential assignment.

Both make sense. Thanks for the advice.

Re: Miserable Ooma setup ... Did Ooma support open up my router just now?
On Wed, 20 Jun 2012 22:19:02 +0000 (UTC), "Arklin K."


Yes.


Not only can you, but in general it's bad practice to statically
assign an IP address that's INSIDE the DHCP scope. The cheap routers
we typically use aren't always smart enough to check if an address is
being used before they assign it to a requesting host, so a conflict
could occur. Bottom line, if you're going to make static assignments,
make them from outside of the DHCP scope.

As Warren mentioned, though, if your router allows you to configure a
'reserved DHCP' address for your Ooma device, then that becomes a good
option. In that case, .104 can stay inside your DHCP scope but the
router will never assign it to any device except the Ooma.


I wouldn't do that. IP addresses aren't always assigned sequentially
and you might be surprised to encounter a conflict. Never statically
assign an address from your DHCP pool. There are plenty of available
addresses that are outside of the pool.


Sure thing.


Re: Miserable Ooma setup ... Did Ooma support open up my router just now?


Some routers will let you reserve specific IP addresses. I have a bunch
set for our LAN computers, so I can put stuff in /etc/hosts and know
it's going to keep working.
--

... do not cover a warm kettle or your stock may sour. -- Julia Child

Re: Miserable Ooma setup ... Did Ooma support open up my router just now?
On Wed, 20 Jun 2012 18:56:51 -0400, Warren Oates


Good point, that's what I've done here at my place, but I wasn't sure
if his router offered that feature. If so, that's a good option.


Re: Miserable Ooma setup ... Did Ooma support open up my router just now?
BTW, they told me in Ooma customer support that the WPA2/PSK wireless WiFi
password can only be 32 characters long!

Does that make any sense?
 http://www.ooma.com/forums/viewtopic.php?t=12539#p88037
 "Wi-Fi Password: The Ooma Telo can take up to a 32 Character password
 for the Wireless Wi-Fi USB dongle Adapter."


Re: Miserable Ooma setup ... Did Ooma support open up my router just now?
On Wed, 20 Jun 2012 20:37:54 +0000, Arklin K. wrote:


When I asked the Ooma support WHY they had me open up my router as shown
above, they pointed me to this web page:
 http://www.ooma.com/app/support/advanced-connections-and-service-ports#anchor-0

But, I'm still not sure what effect this has on security.


Re: Miserable Ooma setup ... Did Ooma support open up my router just now?
On Wed, 20 Jun 2012 20:37:54 +0000 (UTC), "Arklin K."


I dunno.  I hate discussing security and don't know much about Ooma.
What they had you do is probably not necessary.  If you were running
SERVERS behind your WRT54G, then some of the items listed are
necessary.  However, not for a lousy VoIP adapter.  There are only two
things that MIGHT be necessary:
- Incoming SIP on 5060 which is usually not needed if a STUN server is
being used (highly likely)
- Remote access by Ooma so they can tinker with settings in your
router.


Ok, let's do this by the numbers:
<http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml>

  ooma      53       53    
      DNS.  Are you running a DNS server?  Probably not.
  ooma      110      110  
      POP3.  Are you running a mail server?  Probably not.
  ooma      123      123  
      NTP.  Are you running a time server?  Probably not.
  ooma      443      443  
      TLS/SSL.  Are you running an SSL server?  Probably not.
  ooma      514      514  
      syslog.  Are you running a SYSLOG server and having some
      device on the internet sending you log entries?  Probably not.
  ooma      1194     1194  
      OpenVPN.  Now, this might be used by Ooma for remote access to
      your box.  However, using a VPN for this is dumb.
  ooma      3386     3386  
      GPRS.  Now, that's really strange as that's the control port
      for a GSM data modem.  Maybe Ooma uses it for some unknown
      purpose.
  ooma      3480     3480  
      CSMS.  SMS messaging on a cell phone.  Lovely.
  ooma      10000    20000
      AAAAGH.  All ports from 10000 to 20000?  This has to be totally
      wrong.  You're not running H.263 which requires such a  dumb
      arrangement.

Bottom line.... You're not running servers so nothing for ports <1024
should be open to the internet.  Some of the other ports MIGHT be
needed by Ooma for remote access, but I doubt it.  10000 to 20000 open
is a major problem and should not be needed.


See above comments.  I don't know for sure.  It really depends what
you have running on your computah that might accept incoming
connections on the above ports.  If a PC, run:
   netstat -a -n | find "LISTENING"
to see what ports are open.  There are also some PC utilities that will
test for this.  I'm too lazy to look right now.


Opening the router to the world is not going to solve that problem.


Yes.  Port forwarding should be set up using a static IP for your PC.
The easy way to do that is to use "pre-assigned DHCP" in the router.
You didn't specify which WRT54G mutation you're using so I can't offer
the specific web page.  Just look for a table that pre-assigns IP
address based on the MAC address of your PC.  Leave the PC set to
DHCP.

Good luck

--
Jeff Liebermann     jeffl@cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558
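
The checks discussed in this thread (forwards on ports below 1024, the 10000-20000 range, and a static target address that sits inside the DHCP pool) can be run mechanically over the posted table. This is an added example, not part of any post; the DHCP pool size of 50 and the `WIDE_RANGE` threshold are assumptions, since the thread only gives the pool's starting address.

```python
import ipaddress

# Forwarding rules as posted in the thread: (start, end, protocol, target IP).
RULES = [
    (53, 53, "Both", "192.168.1.104"),
    (110, 110, "TCP", "192.168.1.104"),
    (123, 123, "UDP", "192.168.1.104"),
    (443, 443, "TCP", "192.168.1.104"),
    (514, 514, "UDP", "192.168.1.104"),
    (1194, 1194, "UDP", "192.168.1.104"),
    (3386, 3386, "UDP", "192.168.1.104"),
    (3480, 3480, "UDP", "192.168.1.104"),
    (10000, 20000, "UDP", "192.168.1.104"),
]

# DHCP pool: the start address is from the thread; the size of 50 is an assumption.
DHCP_START = ipaddress.ip_address("192.168.1.100")
DHCP_SIZE = 50
WIDE_RANGE = 100  # hypothetical threshold for "too many ports in one rule"


def in_dhcp_pool(ip):
    """True if a statically configured address can also be leased by the router."""
    offset = int(ipaddress.ip_address(ip)) - int(DHCP_START)
    return 0 <= offset < DHCP_SIZE


def audit(rules):
    """Return (start, end, proto, reason) findings for risky forwarding rules."""
    findings = []
    for start, end, proto, ip in rules:
        if start > end or not (1 <= start and end <= 65535):
            findings.append((start, end, proto, "invalid port range"))
            continue
        if start < 1024:
            findings.append((start, end, proto, "well-known port exposed (<1024)"))
        if end - start + 1 > WIDE_RANGE:
            findings.append((start, end, proto, f"wide range: {end - start + 1} ports"))
        if in_dhcp_pool(ip):
            findings.append((start, end, proto, f"target {ip} is inside the DHCP pool"))
    return findings


if __name__ == "__main__":
    for start, end, proto, reason in audit(RULES):
        print(f"{start}-{end}/{proto}: {reason}")
```
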

Re: Miserable Ooma setup ... Did Ooma support open up my router just now?
On 6/20/2012 4:21 PM, Arklin K. wrote:
Sounds like you should have asked for 5th or 6th tier support...

According to Ooma's own reference none of what they had you do makes
sense or is necessary:

http://www.ooma.com/app/support/advanced-connections-and-service-ports



