Ooops. While cutting and pasting, I accidentally hit the 'send' keyboard sequence. Here I start over ...
A few hours into setting up the Ooma with tier 2 customer support (866-493-662), they had me open up my Linksys WRT54G router to the following settings. Can someone (Jeff?) tell me what the heck this is doing from the standpoint of security?
After logging into the router, I went to the following tabs: Linksys WRT54G->Applications & Gaming->Port Range Forward
And, then Ooma 2nd-tier support had me enter the following:

Application  Start  End    Protocol  IP Address     Enable
ooma         53     53     Both      192.168.1.104  [x]
ooma         110    110    TCP       192.168.1.104  [x]
ooma         123    123    UDP       192.168.1.104  [x]
ooma         443    443    TCP       192.168.1.104  [x]
ooma         514    514    UDP       192.168.1.104  [x]
ooma         1194   1194   UDP       192.168.1.104  [x]
ooma         3386   3386   UDP       192.168.1.104  [x]
ooma         3480   3480   UDP       192.168.1.104  [x]
ooma         10000  20000  UDP       192.168.1.104  [x]
My questions are many - but the key questions are all about what I am actually doing (with respect to security). Am I opening up my router too much?
My stated problem is that 'some' incoming calls go through yet others don't ... so the second tier support had me set up port forwarding as above.
But ... won't that IP address (192.168.1.104) change every time I reboot my router (which is set up as a DHCP server to hand out IP addresses starting at 192.168.1.100)?
Your router could easily give out that IP address regardless of boot order, so you should really do one of two things:
1. Adjust the router's DHCP scope so that .104 is outside of its range. Or
2. Adjust the Ooma's static IP to an address that's outside of the router's current DHCP scope.
Note that if you change the Ooma's IP address, you'll have to adjust the port forwarding that you mentioned earlier.
Interesting. Are you saying that I set the Ooma to be .104 and then I set the router to start, say, at .105 so that the router can't give out a .104?
If so, I never knew that you could set an IP address OUTSIDE the automatic DHCP range of the router - but if that works - it makes sense.
The other option you mentioned, would also work ... which is to set the Ooma to a large number inside the router's DHCP range (say .150) which the router will never get to by automatic sequential assignment.
Not only can you, but in general it's bad practice to statically assign an IP address that's INSIDE the DHCP scope. The cheap routers we typically use aren't always smart enough to check if an address is being used before they assign it to a requesting host, so a conflict could occur. Bottom line, if you're going to make static assignments, make them from outside of the DHCP scope.
As Warren mentioned, though, if your router allows you to configure a 'reserved DHCP' address for your Ooma device, then that becomes a good option. In that case, .104 can stay inside your DHCP scope but the router will never assign it to any device except the Ooma.
I wouldn't do that. IP addresses aren't always assigned sequentially and you might be surprised to encounter a conflict. Never statically assign an address from your DHCP pool. There are plenty of available addresses that are outside of the pool.
I dunno. I hate discussing security and don't know much about Ooma. What they had you do is probably not necessary. If you were running SERVERS behind your WRT54G, then some of the items listed are necessary. However, not for a lousy VoIP adapter. There are only two things that MIGHT be necessary:
- Incoming SIP on 5060 which is usually not needed if a STUN server is being used (highly likely)
- Remote access by Ooma so they can tinker with settings in your router.
Ok, let's do this by the numbers:
ooma 53 53 - DNS. Are you running a DNS server? Probably not.
ooma 110 110 - POP3. Are you running a mail server? Probably not.
ooma 123 123 - NTP. Are you running a time server? Probably not.
ooma 443 443 - TLS/SSL. Are you running an SSL server? Probably not.
ooma 514 514 - syslog. Are you running a SYSLOG server and having some device on the internet sending you log entries? Probably not.
ooma 1194 1194 - OpenVPN. Now, this might be used by Ooma for remote access to your box. However, using a VPN for this is dumb.
ooma 3386 3386 - GPRS. Now, that's really strange as that's the control port for a GSM data modem. Maybe Ooma uses it for some unknown purpose.
ooma 3480 3480 - CSMS. SMS messaging on a cell phone. Lovely.
ooma 10000 20000 - AAAAGH. All ports from 10000 to 20000? This has to be totally wrong. You're not running H.263 which requires such a dumb arrangement.
Bottom line.... You're not running servers so nothing for ports

My questions are many - but the key questions are all about what I am
See above comments. I don't know for sure. It really depends what you have running on your computah that might accept incoming connections on the above ports. If a PC, run: netstat -a -n | find "LISTENING" to see what ports are open. There are also some PC utilities that will test for this. I'm too lazy to look right now.
Opening the router to the world is not going to solve that problem.
Yes. Port forwarding should be set up using a static IP for your PC. The easy way to do that is to use "pre-assigned DHCP" in the router. You didn't specify which WRT54G mutation you're using so I can't offer the specific web page. Just look for a table that pre-assigns IP addresses based on the MAC address of your PC. Leave the PC set to DHCP.
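The check suggested above (run netstat on the forwarded-to PC and see what is actually listening behind each rule) and the earlier point about not giving a static address from inside the DHCP pool, written out as an added example. This is not code from the thread, from Ooma or from Linksys: the rule table is the one the poster typed into the router, the netstat output is a constructed sample, the pool end of .149 is an assumption (the WRT54G default is 50 leases starting at .100), and the function names are the example's own.

```python
"""Audit a router's port-forward rules against what the target host listens on,
and flag a forward target that sits inside the DHCP pool.  Added example;
the netstat text is constructed and the .149 pool end is assumed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    name: str
    start: int
    end: int
    proto: str      # "TCP", "UDP" or "Both", as the Linksys UI labels them
    target: str     # LAN address the router forwards to


# Port Range Forward table exactly as entered on the router (from the thread).
FORWARDS = [
    Forward("ooma", 53, 53, "Both", "192.168.1.104"),
    Forward("ooma", 110, 110, "TCP", "192.168.1.104"),
    Forward("ooma", 123, 123, "UDP", "192.168.1.104"),
    Forward("ooma", 443, 443, "TCP", "192.168.1.104"),
    Forward("ooma", 514, 514, "UDP", "192.168.1.104"),
    Forward("ooma", 1194, 1194, "UDP", "192.168.1.104"),
    Forward("ooma", 3386, 3386, "UDP", "192.168.1.104"),
    Forward("ooma", 3480, 3480, "UDP", "192.168.1.104"),
    Forward("ooma", 10000, 20000, "UDP", "192.168.1.104"),
]

# Constructed sample of `netstat -a -n` output from a Windows PC at .104.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:110          0.0.0.0:0              LISTENING
  TCP    192.168.1.104:443      0.0.0.0:0              LISTENING
  TCP    192.168.1.104:49152    74.125.0.1:443         ESTABLISHED
  UDP    0.0.0.0:123            *:*
  UDP    192.168.1.104:12000    *:*
"""


def parse_netstat(text):
    """Return a set of (proto, bind_ip, port) for sockets that accept traffic.
    TCP counts only in LISTENING state; UDP has no state column, so every bound
    UDP socket counts."""
    listeners = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue                      # header or blank line
        proto, local = parts[0], parts[1]
        if proto == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue                      # ESTABLISHED/TIME_WAIT are not servers
        bind_ip, port = local.rsplit(":", 1)
        listeners.add((proto, bind_ip, int(port)))
    return listeners


def reachable_via_forward(bind_ip, target):
    """A forward only matters if the socket is bound to the LAN address or to all
    interfaces; a loopback-only service cannot be reached from outside."""
    return bind_ip in ("0.0.0.0", "*", "[::]", target)


def audit_forwards(forwards, listeners):
    """Map each rule to the sorted list of (proto, port) it actually exposes."""
    exposed = {}
    for rule in forwards:
        protos = ("TCP", "UDP") if rule.proto == "Both" else (rule.proto,)
        exposed[rule] = sorted(
            (proto, port)
            for proto, bind_ip, port in listeners
            if proto in protos
            and rule.start <= port <= rule.end
            and reachable_via_forward(bind_ip, rule.target)
        )
    return exposed


def static_ip_in_pool(ip, pool_start, pool_end):
    """True if a statically assigned address collides with the DHCP pool."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(pool_start) <= addr <= ipaddress.ip_address(pool_end)


def report(forwards, netstat_text, pool=("192.168.1.100", "192.168.1.149")):
    """Summary: rules that expose a live service, rules that are dead weight,
    and whether the forward target sits inside the (assumed) DHCP pool."""
    lines = []
    for rule, hits in audit_forwards(forwards, parse_netstat(netstat_text)).items():
        span = f"{rule.start}" if rule.start == rule.end else f"{rule.start}-{rule.end}"
        if hits:
            svc = ", ".join(f"{p}/{port}" for p, port in hits)
            lines.append(f"EXPOSED  {rule.proto:<4} {span:<11} -> {svc}")
        else:
            lines.append(f"unused   {rule.proto:<4} {span:<11} (nothing listening; dead weight)")
    for target in sorted({rule.target for rule in forwards}):
        if static_ip_in_pool(target, *pool):
            lines.append(f"WARNING  {target} is inside DHCP pool {pool[0]}-{pool[1]}; reserve or move it")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(FORWARDS, NETSTAT_SAMPLE))
```

Paste the real `netstat -a -n` output in place of the constructed sample. A rule marked "unused" forwards to nothing and should simply be removed; a rule marked "EXPOSED" is the one to justify, since it makes that service reachable from the internet. The POP3 line in the sample is bound to 127.0.0.1 only, so the 110/TCP forward reaches nothing even though netstat shows it listening.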