Miserable Ooma setup ... Did Ooma support open up my router just now?

A few hours into setting up the Ooma with tier 2 customer support (866-493-662), they had me open up my Linksys WRT54G router to the following settings.

Can someone (Jeff?) tell me what the heck this is doing from the standpoint of security?

Linksys WRT54G->Applications & Gaming->Port Range Forward

Application  Start to End  Protocol  IP Address     Enable
ooma         53     53     Both      102.168.1.104  [x]
ooma         53     53     Both      102.168.1.104  [x]
ooma         53     53     Both      102.168.1.104  [x]
ooma         53     53     Both      102.168.1.104  [x]
ooma         53     53     Both      102.168.1.104  [x]
ooma         53     53     Both      102.168.1.104  [x]
ooma         53     53     Both      102.168.1.104  [x]
ooma         53     53     Both      102.168.1.104  [x]
ooma         53     53     Both      102.168.1.104  [x]

Arklin K.

Ooops. While cutting and pasting, I accidentally hit the 'send' keyboard sequence. Here I start over ...

A few hours into setting up the Ooma with tier 2 customer support (866-493-662), they had me open up my Linksys WRT54G router to the following settings. Can someone (Jeff?) tell me what the heck this is doing from the standpoint of security?

After logging into the router, I went to the following tabs: Linksys WRT54G->Applications & Gaming->Port Range Forward

And, then Ooma 2nd-tier support had me enter the following:

Application  Start to End  Protocol  IP Address     Enable
ooma         53     53     Both      192.168.1.104  [x]
ooma         110    110    TCP       192.168.1.104  [x]
ooma         123    123    UDP       192.168.1.104  [x]
ooma         443    443    TCP       192.168.1.104  [x]
ooma         514    514    UDP       192.168.1.104  [x]
ooma         1194   1194   UDP       192.168.1.104  [x]
ooma         3386   3386   UDP       192.168.1.104  [x]
ooma         3480   3480   UDP       192.168.1.104  [x]
ooma         10000  20000  UDP       192.168.1.104  [x]

My questions are many - but the key questions are all about what I am actually doing (with respect to security). Am I opening up my router too much?

My stated problem is that 'some' incoming calls go through yet others don't ... so the second tier support had me set up port forwarding as above.

But ... won't that IP address (192.168.1.104) change every time I reboot my router (which is set up as a DHCP server to hand out IP addresses starting at 192.168.1.100)?

Arklin K.

I called Ooma technical support and their 3rd tier had me also set up the Ooma to a static IP address of 192.168.1.104.

But ...

Won't the router, set up as a DHCP server starting at 192.168.1.100, give out that static IP address (192.168.1.104) to another device if I don't boot up the devices in just the right order?

Arklin K.

BTW, they told me in Ooma customer support that the WPA2/PSK wireless WiFi password can only be 32 characters long!

Does that make any sense?

"Wi-Fi Password: The Ooma Telo can take up to a 32 Character password for the Wireless Wi-Fi USB dongle Adapter."

Arklin K.

Your router could easily give out that IP address regardless of boot order, so you should really do one of two things:

  1. Adjust the router's DHCP scope so that .104 is outside of its range. Or
  2. Adjust the Ooma's static IP to an address that's outside of the router's current DHCP scope. Note that if you change the Ooma's IP address, you'll have to adjust the port forwarding that you mentioned earlier.

Option 1 is probably easier at this point.

Char Jackson

Interesting. Are you saying that I set the Ooma to be .104 and then I set the router to start, say, at .105 so that the router can't give out a .104?

If so, I never knew that you could set an IP address OUTSIDE the automatic DHCP range of the router - but if that works - it makes sense.

The other option you mentioned, would also work ... which is to set the Ooma to a large number inside the router's DHCP range (say .150) which the router will never get to by automatic sequential assignment.

Both make sense. Thanks for the advice.

Arklin K.

When I asked the Ooma support WHY they had me open up my router as shown above, they pointed me to this web page:

formatting link

But, I'm still not sure what effect this has on security.

Arklin K.

Some routers will let you reserve specific IP addresses. I have a bunch set for our LAN computers, so I can put stuff in /etc/hosts and know it's going to keep working.

Warren Oates

Good point, that's what I've done here at my place, but I wasn't sure if his router offered that feature. If so, that's a good option.

Char Jackson

Yes.

Not only can you, but in general it's bad practice to statically assign an IP address that's INSIDE the DHCP scope. The cheap routers we typically use aren't always smart enough to check if an address is being used before they assign it to a requesting host, so a conflict could occur. Bottom line, if you're going to make static assignments, make them from outside of the DHCP scope.

As Warren mentioned, though, if your router allows you to configure a 'reserved DHCP' address for your Ooma device, then that becomes a good option. In that case, .104 can stay inside your DHCP scope but the router will never assign it to any device except the Ooma.

I wouldn't do that. IP addresses aren't always assigned sequentially and you might be surprised to encounter a conflict. Never statically assign an address from your DHCP pool. There are plenty of available addresses that are outside of the pool.

Sure thing.

Char Jackson

Sounds like you should have asked for 5th or 6th tier support...

According to Ooma's own reference, none of what they had you do makes sense or is necessary:

formatting link

George

I dunno. I hate discussing security and don't know much about Ooma. What they had you do is probably not necessary. If you were running SERVERS behind your WRT54G, then some of the items listed are necessary. However, not for a lousy VoIP adapter. There are only two things that MIGHT be necessary:

- Incoming SIP on 5060 which is usually not needed if a STUN server is being used (highly likely)

- Remote access by Ooma so they can tinker with settings in your router.

Ok, let's do this by the numbers:

ooma 53 53 DNS. Are you running a DNS server? Probably not.
ooma 110 110 POP3. Are you running a mail server? Probably not.
ooma 123 123 NTP. Are you running a time server? Probably not.
ooma 443 443 TLS/SSL. Are you running an SSL server? Probably not.
ooma 514 514 syslog. Are you running a SYSLOG server and having some device on the internet sending you log entries? Probably not.
ooma 1194 1194 OpenVPN. Now, this might be used by Ooma for remote access to your box. However, using a VPN for this is dumb.
ooma 3386 3386 GPRS. Now, that's really strange as that's the control port for a GSM data modem. Maybe Ooma uses it for some unknown purpose.
ooma 3480 3480 CSMS. SMS messaging on a cell phone. Lovely.
ooma 10000 20000 AAAAGH. All ports from 10000 to 20000? This has to be totally wrong. You're not running H.263 which requires such a dumb arrangement.

Bottom line.... You're not running servers so nothing for ports My questions are many - but the key questions are all about what I am

See above comments. I don't know for sure. It really depends what you have running on your computah that might accept incoming connections on the above ports. If a PC, run: netstat -a -n | find "LISTENING" to see what ports are open. There are also some PC utilities that will test for this. I'm too lazy to look right now.

Opening the router to the world is not going to solve that problem.

Yes. Port forwarding should be set up using a static IP for your PC. The easy way to do that is to use "pre-assigned DHCP" in the router. You didn't specify which WRT54G mutation you're using so I can't offer the specific web page. Just look for a table that pre-assigns IP addresses based on the MAC address of your PC. Leave the PC set to DHCP.

Good luck

Jeff Liebermann
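
Added example (not part of any post in this thread, and not Ooma or Linksys code): a short Python audit of the forward table posted above. It counts the ports exposed per protocol, flags wide ranges, and checks whether the forward target sits inside the router's DHCP pool, in which case whichever device leases that address would receive the forwarded traffic. The pool start of 192.168.1.100 is from the thread; the pool size of 50 addresses is an assumption.

```python
import ipaddress

# Forward table as posted in the thread (app, start, end, protocol, target).
RULES = """\
ooma 53 53 Both 192.168.1.104
ooma 110 110 TCP 192.168.1.104
ooma 123 123 UDP 192.168.1.104
ooma 443 443 TCP 192.168.1.104
ooma 514 514 UDP 192.168.1.104
ooma 1194 1194 UDP 192.168.1.104
ooma 3386 3386 UDP 192.168.1.104
ooma 3480 3480 UDP 192.168.1.104
ooma 10000 20000 UDP 192.168.1.104
"""

def parse_rules(text):
    """Parse rows into (start, end, {protocols}, target address)."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _app, start, end, proto, ip = line.split()
        start, end, proto = int(start), int(end), proto.upper()
        if not 1 <= start <= end <= 65535:
            raise ValueError(f"bad port range: {line!r}")
        if proto not in ("TCP", "UDP", "BOTH"):
            raise ValueError(f"bad protocol: {line!r}")
        protos = {"TCP", "UDP"} if proto == "BOTH" else {proto}
        rules.append((start, end, protos, ipaddress.IPv4Address(ip)))
    return rules

def audit(rules, pool_start, pool_size, wide=100):
    """Summarise exposure; pool_size is an assumed value, not from the thread."""
    first = ipaddress.IPv4Address(pool_start)
    last = first + (pool_size - 1)
    exposed = {"TCP": set(), "UDP": set()}
    wide_ranges, in_pool = [], set()
    for start, end, protos, target in rules:
        for p in protos:
            exposed[p].update(range(start, end + 1))  # "Both" counts twice
        if end - start + 1 > wide:
            wide_ranges.append((start, end))
        if first <= target <= last:
            in_pool.add(str(target))
    return {"tcp": len(exposed["TCP"]), "udp": len(exposed["UDP"]),
            "wide": wide_ranges, "targets_in_pool": sorted(in_pool)}

if __name__ == "__main__":
    print(audit(parse_rules(RULES), "192.168.1.100", 50))
```

Moving the pool start to 192.168.1.105, as suggested earlier in the thread, empties `targets_in_pool` without changing the number of exposed ports.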
