The following instructions will enable your WEMO devices to communicate through your firewall without UPnP enabled. Disabling UPnP is a best practice because otherwise any device inside your network would be able to open any port to the outside world. The screenshots are from a pfSense 2.4 firewall, but the steps apply to other firewalls as well.
There are two things your WEMO devices will require:
1. Ability to ping your gateway device (ICMP traffic)
2. Allow these inbound and outbound TCP and UDP ports:
- TCP 8080
- TCP 8443
- TCP/UDP 3475-3478
- TCP/UDP 5223-5228
- TCP/UDP 8445-8663
0. Preparatory work
To simplify the following steps, we are going to assign static IP addresses to our WEMO devices and then create two firewall aliases. A firewall alias is just a named list of ports or IP addresses that can be referenced in rules without typing them in over and over again.
Assign Static IPs for WEMO Devices
You'll need to log into your DHCP server, i.e. your wireless router or firewall, to assign those devices static IP addresses. Write them down for future reference.
Firewall aliases:
- WEMO_Devices - for this alias, enter the static IP address of each of your WEMO devices. A screenshot is not provided for obvious reasons.
- WEMO_Ports - for this alias, enter the list of ports and port ranges (TCP and UDP) that we will need to allow through the firewall.
1. Ability to ping your gateway device
By default I disable pinging the gateway device, just because it is unnecessary traffic. To enable this for the WEMO devices, create a rule allowing ICMP traffic from WEMO devices to hit the gateway IP address.
2. Enable Communication Over Specific Ports
Enable outbound communication
Allow communication on those ports from the WEMO devices to the internet.
Enable inbound communication
Allow communication on those ports from the internet only to WEMO devices. This step shouldn't be necessary but I did it just in case. I'm interested in feedback from my readers on this!
Security
By the time you are done with the above, you'll wonder why you bought a WEMO device to begin with. Most people embrace the ease of use and give up, allowing the devices onto the network anyway. If you do, isolate these devices with another firewall rule so that they are unable to communicate with your other machines on the network. Then, if a hacker were able to enter through one of the many ports above and compromise one of the WEMO devices, there would be nothing else accessible. The worst thing that could happen is your lights or coffee maker turning on and off without your permission.
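As an added illustration that is not part of the original post, here is a small Python model of the LAN rule set described above: the WEMO_Devices and WEMO_Ports aliases, the ICMP-to-gateway rule, the outbound allow, and the isolation block, evaluated top-down and first-match the way pfSense does. The addresses are constructed; the point it demonstrates is that the isolation block must sit above the outbound allow, otherwise the allow on WEMO_Ports also reaches the other hosts on your LAN.

```python
import ipaddress
from collections import namedtuple

# Constructed addressing for this example (assumed; the post gives no addresses).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
GATEWAY = ipaddress.ip_address("192.168.1.1")
WEMO_DEVICES = {ipaddress.ip_address(a) for a in ("192.168.1.50", "192.168.1.51")}

# WEMO_Ports alias, exactly the ports the post lists: (protocol, low, high).
WEMO_PORTS = [("tcp", 8080, 8080), ("tcp", 8443, 8443),
              ("tcp", 3475, 3478), ("udp", 3475, 3478),
              ("tcp", 5223, 5228), ("udp", 5223, 5228),
              ("tcp", 8445, 8663), ("udp", 8445, 8663)]

Packet = namedtuple("Packet", "src dst proto dport")

def pkt(src, dst, proto, dport=0):
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, dport)

def in_wemo_ports(proto, port):
    return any(p == proto and lo <= port <= hi for p, lo, hi in WEMO_PORTS)

def is_wemo(ip):    return ip in WEMO_DEVICES
def is_lan(ip):     return ip in LAN_NET
def is_gateway(ip): return ip == GATEWAY

# Rules on the interface where WEMO traffic enters (LAN), as (name, match, action).
# pfSense evaluates them top-down, first match wins; anything unmatched is denied.
# Only the WEMO-related rules are modelled, other LAN rules are left out.
ICMP_TO_GW   = ("pass ICMP WEMO_Devices -> gateway",
                lambda p: is_wemo(p.src) and p.proto == "icmp" and is_gateway(p.dst), "pass")
ISOLATE_LAN  = ("block WEMO_Devices -> LAN net",
                lambda p: is_wemo(p.src) and is_lan(p.dst), "block")
OUT_ON_PORTS = ("pass WEMO_Devices -> any on WEMO_Ports",
                lambda p: is_wemo(p.src) and in_wemo_ports(p.proto, p.dport), "pass")

GOOD_ORDER = [ICMP_TO_GW, ISOLATE_LAN, OUT_ON_PORTS]  # isolation above the outbound allow
BAD_ORDER  = [ICMP_TO_GW, OUT_ON_PORTS, ISOLATE_LAN]  # allow first: WEMO can reach LAN hosts

def evaluate(rules, packet):
    """Return the action of the first matching rule, or the default deny."""
    for _name, match, action in rules:
        if match(packet):
            return action
    return "block"

if __name__ == "__main__":
    for rules in (GOOD_ORDER, BAD_ORDER):
        for p in (pkt("192.168.1.50", "192.168.1.1", "icmp"),
                  pkt("192.168.1.50", "203.0.113.10", "tcp", 8443),   # internet host (TEST-NET-3)
                  pkt("192.168.1.50", "192.168.1.20", "tcp", 8080)):  # another LAN host
            print(f"{p.src} -> {p.dst} {p.proto}/{p.dport}: {evaluate(rules, p)}")
```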