UDP proxy for Ooma
Upgrading to the latest firmware came with consequences - my Ooma hub is no longer connecting to their service (VOIP).
The device scans for TCP/UDP ports like TCP/UDP 53 or UDP 123 among others and lists that none of them are accessible. I'm trying to figure out how to 'reopen' these ports even though they shouldn't be closed, as my default TCP/UDP proxy should allow all outgoing. I did test the same device on my neighbor's network by plugging it into this network switch and it works w/o issues to confirm that the Ooma device itself is ok.
So I'm left with 2 options later this weekend - either to downgrade or to figure out how to get a rule in place which opens these ports back up and I don't seem to be successful with the latter after repeated attempts.
When looking at my log on the dimension server - I can't find any denied packets/connections - but that might be due to logging not being enabled on all policies.
Any suggestions what to do? Here's the list of ports:
Denied Ports :
TCP 53,TCP 443, UDP 53, UDP 123, UDP 514, UDP 1194, UDP 3386, UDP 3480,
UDP range 10000 - 20000
Last note: I unfortunately have another problem that the Ooma device doesn't let me assign a static IP address - the configuration should allow it but it doesn't save so I have to open these ports potentially to a range of IP addresses and not just a single one :-( - bad idea?
Comments
What firewall model do you have and what software version is it running?
You can set up a DHCP reservation for the MAC addr of this device - then you will know the IP addr that it has.
Then you can set up an Any packet filter From: that IP addr and turn on Logging on it so that you can see what packets from this device are getting to the firewall.
Since you have a TCP-UDP proxy in place, all of these packets should be allowed anyway, so adding the Any packet filter should not be a security issue.
as always - Bruce to the rescue
T35 and 12.5.5 (ran 12.3.1 before w/o issues)
yes I did think of the MAC address reservation
hmm - filter any packet - forgot about that one
well - after now repeatedly adding - back in business - thank you as always!!!
still probably have to ensure that the ports are only allowing the Ooma device to respond to - so will need to review the logs for a while
Ultimately it seems if I need to have port 1194 open - then everything works - the rest is still denied.
Thanks for your help as always - merry Xmas!!!
I am having the exact same Ooma issue with my T35 12.5.3. I know the Ooma IP but can't seem to find the packet filter to be able to see what packets are being denied. I watch the traffic through Traffic Monitor, but I don't see how to filter that. I can see that there do not seem to be many if any DENY on the Ooma IP. I set up and enabled a firewall policy to allow all the ports listed above for the Ooma IP, but it made no difference.
Add an Any packet filter From: the IP addr, To: Any-external, with Logging enabled.
Move this policy to the top of your policy list.
I realized I did not have my Ooma policy high enough on the list to allow the required traffic. Kind of a DUH moment. When I moved the TCP-UDP policy for that IP up to the top the device started working. Thanks Bruce!