#9497 by HankJones
Mon May 11, 2009 10:18 pm
I have my Hub behind a firewall and am trying to lock it down. The first thing I'm trying to figure out is what the IP addresses are of the PSTN gateways being used. From all the information I've gathered, OOMA is NO longer routing ANY calls through other customer devices. (This really should be documented somewhere official since I was about to return my device because of this.) This being the case, there should be static PSTN gateways that I can lock my firewall down with. Once I figure out the IP addresses, it would be nice to be able to lock down the ports also. I understand that OOMA is going to be bringing up more gateways for load balancing/redundancy and it would be up to me to keep my firewall up to date.

Sooooo are these the internet addresses I can lock my firewall down with? And do they change if I move from the west coast to the east coast?

38.102.149.4/32 SYSLOG
208.83.244.0/24 UDP and HTTPS
various IP addresses for NTP
#9594 by Pandora
Wed May 13, 2009 10:58 am
I run an SPI firewall (Tomato 1.23 on a Linksys WRTSL54GS router) and haven't had to do anything to configure either of the two Ooma hubs which run behind it.

When I look at connections, I see the Ooma hubs connecting to vpn3-eqix-sv4.ooma.com and vpn4-eqix-sv4.ooma.com servers respectively. They call out using port 1194; their destination port is 1194.

Does the above help you?
#9628 by HankJones
Wed May 13, 2009 5:50 pm
That is very interesting. I don't think my ooma hub is doing the same thing yours is. I'm still using my HUB without a landline. I actually see the following:

Every minute or so, I have a syslog connection going to 38.102.149.4

Whenever I make a phone call, I see UDP traffic to something in the 208.83.224.x network

Every 30 sec or so I see NTP traffic to:
208.83.224.20 ns1.ooma.com
208.83.224.21 ns2.ooma.com
72.232.254.202 gordon.bruno-me.org

When I make a phone call, I see UDP traffic to:
208.83.244.90 xc10-eqix-sv4.ooma.com
208.83.244.100 xc1-eqix-sv4.ooma.com
208.83.244.102 xc3-eqix-sv4.ooma.com
208.83.244.103 xc4-eqix-sv4.ooma.com
208.83.244.104 xc5-eqix-sv4.ooma.com
208.83.244.106 xc6-eqix-sv4.ooma.com
208.83.244.107 xc7-eqix-sv4.ooma.com
208.83.224.120 vpn1-eqix-sv4.ooma.com
208.83.244.122 vpn3-eqix-sv4.ooma.com
208.83.244.123 vpn4-eqix-sv4.ooma.com
208.83.244.145 myxprov.ooma.com
#9706 by CloaknDagr
Fri May 15, 2009 12:10 am
It depends on what kind of firewall appliance you're using. If you're using a real honest-to-god firewall, there's some serious configuration to do in order to get Ooma to work properly with good voice quality. I'm running a SonicWALL TZ-210 and it wasn't an easy task to get it all working.

Ooma provides some documentation on this, the ports that have to be opened, etc. You can't just 'plug it in and go', sorry to pop everyone's bubble on that. Most people in this forum may be fairly savvy at home networking but there is a BIG difference between a LinkSys router's firewall features and a real hardware firewall. You can find that documentation here:

http://cp-ooma.talismaonline.com/al/126 ... =0.2560541

You'll need to know what you're doing as far as setting up QOS goes if you want the best possible voice quality. Being as it can vary between firewalls I won't go into that but you'll want to go over the manual if you haven't done so already.

Connect the MODEM port to your upstream firewall appliance. The Ooma CSR told me to connect the Home port and I curse his fleas for the time it took me to figure that one out and all the stuff I tried and had to do/undo by the time I found it. If you want to access the Ooma setup HTTP page you'll have to run an ethernet cable back from the firewall/router/switch to the Ooma Home port, then you can get to the configuration webpage without having to unplug anything every time. I've got lots of extra ethernet ports so it's OK with me, maybe less so with others. Doing that won't cause collisions or conflicts, the Ooma hub does a good job of isolating its two ports.

After finally getting it all working I made some test calls to my family and they all said it sounded MUCH better than it had with Ooma between the firewall and the DOCSIS cable modem. So good in fact that the background noise of the fans on all the computers and networking gear in this room is slightly distracting. They said they could hear every single sound in the room... The SonicWALL does a much better job of traffic shaping than the Ooma hub does, but then that's what it was made for.

As far as "locking your firewall down" goes, if it's a decent firewall you don't need to restrict traffic to only the current Ooma server IPs, the firewall should take care of any hanky-panky tickling your Ooma ports. If you do restrict that traffic on those ports then if and when Ooma does any expansion/redirects/geographical relocations/DNS record modifications/IPv6 implementations on the web, etc. you risk losing your service. DNS should resolve all of that but can't if you don't let it. If you're like me, that will happen a year from now and you won't remember that you locked that service to those IPs and it will be extremely frustrating to figure out why your phone stopped working for no apparent reason. Additionally all VOIP traffic is encrypted so I'm not going to get too anal about the rest, it's not impossible but tapping a VOIP conversation is orders of magnitude tougher than slapping a wire on your local telephone trunk. If that's a concern then remember they can just pull it off the other end if you're not talking to another VOIP number. The odds of inbound attack through that vector are negligible, cache poisoning or something in the ambient is more likely to get your network.

If anyone has any more on this, post and I'll check back from time to time.
#9718 by HankJones
Fri May 15, 2009 6:09 am
Thanks for the link, that was what I was looking for! Not sure how I didn't find that.

I am running a Juniper SSG5 in my network and set the QoS for all OOMA traffic to the highest priority and found that nobody has complained of my voice quality yet.

It's true that for the most part you don't have to worry about the outbound traffic ports. I guess I'm just a little paranoid about the IP addresses since I know the technology is there to route my calls through another customer's hub (impossible to secure the POTS line, no matter what people say). The fact that it was done like that originally means it could be done again if OOMA's business model changes. I was hoping to lock down the IP addresses to known OOMA servers/gateways and if I see a dramatic change to random dynamic IPs it may signify that the OOMA hubs are doing some peer to peer function.
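An added example, not code from any poster in this thread and not from Ooma: a small Python audit that encodes the destinations HankJones listed above as an allowlist, checks netfilter-style firewall log lines from the hub against it, and applies his "sudden spread of random IPs" heuristic as a peer-to-peer drift check. It also renders the allowlist as nftables rule text, which is where CloaknDagr's caveat bites: a static list like this has to be maintained by hand whenever the provider adds gateways. Assumptions: the hub's LAN address `192.168.1.50`, the log lines, the `ooma_out` chain name and the `203.0.113.77` / `198.51.100.9` destinations are all constructed for the example; the service ports 514 (syslog), 123 (NTP) and 443 (HTTPS) are standard port assumptions, since the thread names the services but not the ports.

```python
import ipaddress
import re
from collections import Counter

# Allowlist built from the endpoints reported in this thread. Service ports
# (syslog 514, NTP 123, HTTPS 443) are standard-port assumptions, not values
# the posters stated; the media/VPN entries match any UDP port because the
# thread only says "UDP" for call traffic.
# Entry: (network, protocol or None for any, frozenset of ports or None for any, label)
ALLOWLIST = [
    (ipaddress.ip_network("38.102.149.4/32"), "udp", frozenset({514}), "syslog"),
    (ipaddress.ip_network("208.83.224.0/24"), "udp", frozenset({123}), "NTP (ns1/ns2.ooma.com)"),
    (ipaddress.ip_network("72.232.254.202/32"), "udp", frozenset({123}), "NTP (external pool host)"),
    (ipaddress.ip_network("208.83.224.0/24"), "udp", None, "vpn1 / media (208.83.224.x)"),
    (ipaddress.ip_network("208.83.244.0/24"), "udp", None, "media/VPN (xc*, vpn*, port 1194)"),
    (ipaddress.ip_network("208.83.244.0/24"), "tcp", frozenset({443}), "HTTPS (myxprov.ooma.com)"),
]

HUB_IP = "192.168.1.50"  # constructed LAN address of the hub

# Constructed iptables/netfilter style log lines (not real captures).
SAMPLE_LOG = [
    "May 15 06:09:01 fw kernel: OOMA-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=208.83.224.20 PROTO=UDP SPT=123 DPT=123",
    "May 15 06:09:02 fw kernel: OOMA-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=38.102.149.4 PROTO=UDP SPT=514 DPT=514",
    "May 15 06:09:05 fw kernel: OOMA-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=208.83.244.90 PROTO=UDP SPT=10000 DPT=10000",
    "May 15 06:09:06 fw kernel: OOMA-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=208.83.244.145 PROTO=TCP SPT=51000 DPT=443",
    "May 15 06:09:09 fw kernel: OOMA-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.77 PROTO=UDP SPT=10000 DPT=10002",
    "May 15 06:09:10 fw kernel: OOMA-OUT IN=br0 OUT=eth0 SRC=192.168.1.51 DST=198.51.100.9 PROTO=TCP SPT=52000 DPT=80",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line):
    """Parse a netfilter 'KEY=VALUE ...' log line into a dict of its fields."""
    return dict(_KV.findall(line))


def classify(line):
    """Return ('allowed', label) for a known destination, else ('unexpected', 'dst:port/proto')."""
    f = parse_log_line(line)
    dst = ipaddress.ip_address(f["DST"])
    proto = f.get("PROTO", "").lower()
    dport = int(f["DPT"]) if "DPT" in f else None
    for net, want_proto, ports, label in ALLOWLIST:  # first match wins, so NTP entries come first
        if dst not in net:
            continue
        if want_proto is not None and want_proto != proto:
            continue
        if ports is not None and dport not in ports:
            continue
        return ("allowed", label)
    return ("unexpected", f"{dst}:{dport}/{proto or 'any'}")


def audit(lines, hub_ip):
    """List (line_no, destination) for hub connections that leave the allowlist."""
    findings = []
    for n, line in enumerate(lines, 1):
        f = parse_log_line(line)
        if f.get("SRC") != hub_ip or "DST" not in f:
            continue  # only the hub's own outbound traffic is of interest
        status, detail = classify(line)
        if status == "unexpected":
            findings.append((n, detail))
    return findings


def peer_drift(lines, hub_ip, threshold=3):
    """HankJones' heuristic: many distinct unexpected destinations suggests the
    hub has started relaying calls through other customers' devices."""
    distinct = Counter(detail.split(":")[0] for _, detail in audit(lines, hub_ip))
    return len(distinct) >= threshold


def to_nft_rules(chain="ooma_out"):
    """Render the allowlist as nftables rule text (returned, not applied)."""
    rules = []
    for net, proto, ports, label in ALLOWLIST:
        match = f"ip daddr {net}"
        if proto and ports:
            match += f" {proto} dport {{ {', '.join(str(p) for p in sorted(ports))} }}"
        elif proto:
            match += f" meta l4proto {proto}"
        rules.append(f'add rule inet filter {chain} {match} accept comment "{label}"')
    # Everything else from the hub is logged (so audit() can see it) and dropped.
    rules.append(f'add rule inet filter {chain} log prefix "OOMA-OUT " drop')
    return rules


if __name__ == "__main__":
    for n, detail in audit(SAMPLE_LOG, HUB_IP):
        print(f"line {n}: unexpected hub destination {detail}")
    print("peer-to-peer drift suspected:", peer_drift(SAMPLE_LOG, HUB_IP))
    print("\n".join(to_nft_rules()))
```

Run against the constructed log it reports line 5 (the UDP connection to 203.0.113.77) as the only unexpected destination and no drift; the hub's own log prefix is what feeds the audit, so the rendered rule set ends with a logging drop rather than a silent one.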
#9728 by CloaknDagr
Fri May 15, 2009 9:50 am
Thanks bw1, for fixing that link. I'm new to these forums and I do appreciate the helping hand.

Don't feel bad HankJones, I had to call customer service to get pointed to that information myself. Ooma documentation is geared towards the non-technical user, which kind of makes sense percentage-wise. But for the technically experienced it's pretty dumbed down which makes it tough initially to get what you really want. It can be done, I'm getting excellent voice quality and service but better documentation would have saved me a few hours and headaches. It would really have helped if the Customer Service Rep. had told me the correct port to use but I should have known that couldn't be right, the Ooma had to go downstream from the firewall and the Modem port is its upstream port.

It would also be helpful if in that nice, expensively printed manual that comes with the system they put a page in with the information at that link printed on it.

I'm not too concerned over P2P routing as long as the encryption strength is sufficient, peers will only get a fragment of the data that would be nearly impossible to decrypt and unintelligible even if it was. If you want to get really paranoid about it, at the end of the day you still have to trust Ooma that they didn't put a back door into the system, and if they did that someone at their office isn't compromised and selling access. I'm sure there must be a backdoor, come to think of it, the Feds would demand it as a condition of licensing. Can't have our citizens running around unmonitored you know. Whole 'nother topic, whole 'nother forum.

I'm a consultant and I work out of my home, doing most of my work by remoting into client systems. Because I handle and have access to proprietary information, security is paramount. Not only for liability reasons but my integrity and reputation are on the line also. The weak link has always been POTS, easy to tap, hard to secure etc.

I'm on a cable connection and I was going to go with their telephone service, I spent several hours going over the setup with their sales and technical people. I told them that the telephone system MUST go BEHIND my firewall, that under no circumstances would I tolerate anything inside the modem that wasn't firewalled. The installer came out and sure enough, it had to go between the firewall and the modem and he had no clue what to do. I sent him away, uninstalled. The cable company called and wanted to know what the problem was and I explained and they couldn't understand. I told them that the only way I was going to use their phone service is if they dropped the hardware at my front door and I hooked it all up; otherwise, no deal. They wouldn't go for that.

At this point I was paying $62 a month for an AT&T phone with various features plus a long distance package.

I had come across some information on Ooma a few months ago and I studied long and hard before deciding to go with Ooma for my phone services. Frankly it seemed a bit too good to be true when I first heard of it. After all these years on the internet one gets wary of such things. All of the reviews were excellent as far as the service goes, quite a few people are still nervous about how long Ooma will be around. I can understand that, after almost 30 years in the IT industry I've seen a lot of good ideas come and go. I decided to take a chance anyway and go with Ooma. NewEgg ran a special with a decent discount on a hub/scout package so I took the plunge.

I'm happy with Ooma so far, I'm waiting for my number port to go through and when that happens I'll be fully functional again.
#47632 by rpoomatelo
Thu Feb 18, 2010 9:11 am
CloaknDagr,

Can you share what was required to get your TZ210 working with Ooma? I have a TZ200 replacing a TZ170. I had no problems when using telo with the TZ170 (modem->TZ170->telo). I never opened anything in the firewall to support the telo in the past, but with the TZ200, some calls work just fine, others do not. For example, I call a number and hear nothing (no ring, or answer) yet if I wait and talk, the receiving party hears me. Also, some numbers just get a fast busy when they call my telo. Also, any QoS config info you could share would be great.
