Doorbird doesn't work behind Sophos XG Firewall

We have a Doorbird doorbell behind our Sophos XG Firewall with firmware....

I also read these articles:

https://community.sophos.com/sophos-xg-firewall/f/discussions/125260/doorbird-connected-to-sophos-xg

The article says that using SSL/TLS decryption is the solution, but I tried it and it doesn't work either: https://community.sophos.com/sophos-xg-firewall/f/discussions/124615/how-to-unblock-ring-doorbell-app-when-sophos-xg-is-using-ssl-tls-decryption

So here is another article with the same problem and also no solution:

https://community.sophos.com/sophos-xg-firewall/f/discussions/128958/doorbird-connected-to-sophos-xg-with-no-external-access/473281?focus=true#473279

I posted the details in the article above, but I am afraid nobody sees it in the discussion. So I am opening this new question.

Here is my summary:

The Doorbird doesn't get a connection with the XG Firewall.

I have the same rule as described here https://community.sophos.com/sophos-xg-firewall/f/discussions/128958/doorbird-connected-to-sophos-xg-with-no-external-access/473281?focus=true#473279:

Additionally, I added an SSL/TLS inspection rule as described here https://community.sophos.com/sophos-xg-firewall/f/discussions/124615/how-to-unblock-ring-doorbell-app-when-sophos-xg-is-using-ssl-tls-decryption:

But I see a lot of errors in the log:

And I also see this in capture mode; the Local ACL violation is strange. I tried this question for help, but I don't understand the solution:

https://community.sophos.com/sophos-xg-firewall/f/discussions/102533/local_acl

This is the detail view:

Packet information
Ethernet header
Source MAC address: 1c:ca:e3:7b:0c:8e
Destination MAC address: ff:ff:ff:ff:ff:ff
Ethernet type: IPv4 (0x800)

IPv4 Header
Source IP address: 192.168.0.60
Destination IP address: 255.255.255.255
Protocol: UDP
Header: 20 Bytes
Type of service: 0
Total length: 49 Bytes
Identification: 0
Fragment offset: 16384
Time to live: 64
Checksum: 31192

UDP Header
Source port: 3074
Destination port: 35344
Length: 29
Checksum: 47622

So I don't know what to do. I replaced the Doorbird hardware, but with the new unit it's still the same problem. So I think it's an FW error.

Please, is there anyone with a solution?

I couldn't find it in the other questions. A lot of people describe the same problem but nobody has an answer.

David



Edited TAGs
[edited by: emmosophos at 5:12 PM (GMT -7) on 14 Oct 2021]
  • Hi,

    What the logs you have posted are showing is that the Doorbird does not match any firewall rule. Change your Doorbird service to Any and then review the logs to see which ports it is using. Your logs show that the ports configured in the service are not used in the rule.

    Ian

    V18.5.x - e3-1225v5 6 GB RAM with 4 ports - 20 W.
    If a post solves your question use the 'This helped me' link.
  • It uses broadcast to "find something". Sophos Firewall (like many other products) will not forward this anywhere. Therefore this product is currently looking in the same network (broadcast domain) for something which responds to its call. But nothing will actually respond, as it is simply a call to everybody.

    Plenty of IoT hardware is badly written like this (it seems?).

    You should be able to point it to a single IP instead. This broadcast will not lead to anything.

    Wondering how this hardware works: because it expects something to answer those calls. Do you need a wireless device with a certain app to be enabled in the same network?

    That's most likely how IoT devices work nowadays, because this will work for 99% of home customers. They have one wireless network from their ISP and it "simply works and connects".

    But with Sophos Firewall you can actually segment the networks, which leads to such hardware stopping working.

    __________________________________________________________________________________________________________________

  • Thank you for your help!

    So I changed the service to any:

    The captured packets look better now, no ACL violation:

    But in the Log viewer there is still the same error:

    And I can't connect to Doorbird with my mobile phone.

  • Hi,

    I am not sure how to match your answer to my problem. Yes, I want to use both devices in the same network.

  • Update: The Local ACL violation is back:

    Ethernet header
    Source MAC address: 1c:ca:e3:7b:0c:8e
    Destination MAC address: ff:ff:ff:ff:ff:ff
    Ethernet type: IPv4 (0x800)

    IPv4 Header
    Source IP address: 192.168.0.60
    Destination IP address: 255.255.255.255
    Protocol: UDP
    Header: 20 Bytes
    Type of service: 0
    Total length: 49 Bytes
    Identification: 0
    Fragment offset: 16384
    Time to live: 64
    Checksum: 31192

    UDP Header
    Source port: 3074
    Destination port: 35344
    Length: 29
    Checksum: 49165
  • If so, the firewall will actually ignore the packets. 

    So let's recap quickly on what is going on:

    The device is doing a broadcast; it's like screaming in a room, hoping somebody answers.

    If you have multiple network segments, it's like having multiple rooms in a house. Your device only screams in the living room; your application is in another room.

    Most products cannot "forward" this scream, as this is highly unwanted by a network administrator. There are reasons not to forward this. And the firewall does not know in which room it has to forward this, etc.

    What you can do: you could increase the room size by building a network bridge. This means it will increase the subnet of the network to a bigger network.

    Can you link us a screenshot of your interfaces? Where is the application / mobile device?

    PS: These packets will not reach the Internet in any way. You cannot configure that. So it seems like you have to configure the device with a mobile app first.

    __________________________________________________________________________________________________________________

  • The documentation from doorbird is here: https://www.doorbird.com/downloads/misc/ports_en.pdf

    The Doorbird is in my local net, the same net as the Android device. But also when I try to connect with the Android device from the internet, I get no streaming video from the Doorbird. So I don't think it's only a broadcast problem. I get no video, but I receive the notifications from the doorbell (ringing, motion) as notifications on Android.

    So I think the main problem is that the doorbell doesn't reach its internet gateway correctly. And the ACL violation in the Sophos log is an indicator of an error.

    But what can I do now in the Sophos?

  • This is most likely not an issue with the firewall. The packets you are seeing are broadcast and not internet traffic. If those packets are the only packets you are seeing, it looks like the app is broken.

    You could try to create a firewall rule for these services and the FQDN like you mentioned in the app.

    __________________________________________________________________________________________________________________

  • See my screenshots at the top of the site and the Sophos error messages (ACL violation).

    No idea what I can change. It would be nice if you gave me detailed advice on which of my rules is not correct. Only saying "it is not the Sophos" can't be the solution. See the errors in the log.

  • The firewall rule seems to be perfectly fine. 

    The ACLs, as mentioned earlier, are only broadcast packets. Therefore they are not packets you can forward to the internet.

    Check the firewall log to see if you see any 443 or 80 packets. If not, it's not the firewall; instead the doorbell is wrongly configured.

    __________________________________________________________________________________________________________________
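The replies above boil down to two checks: is the captured packet a broadcast the firewall can never forward, and does the device send any unicast traffic to 80/443 at all? The script below is an added example (not part of the thread, and not a Sophos or Doorbird tool) that parses the "Packet information" dump in the layout David pasted and runs both checks. It also decodes the puzzling "Fragment offset: 16384": that field is the raw 16-bit flags+offset word, and 16384 (0x4000) is just the DF bit with offset 0, not a real fragment. The flow records in SAMPLE_FLOWS are constructed stand-ins for Log viewer entries, not real Sophos log output.

```python
"""Triage of a Sophos "Packet information" dump as posted in the thread.

Added example, not part of the original thread or of any Sophos/Doorbird tool.
Assumes the key/value layout David pasted; SAMPLE_FLOWS below are constructed
(src, dst, proto, dst_port) records, not real Sophos Log viewer output.
"""
import ipaddress
import re

# Constructed sample: the dump from the post, same layout (values as posted)
SAMPLE_DUMP = """Ethernet header
Source MAC address:1c:ca:e3:7b:0c:8e
Destination MAC address: ff:ff:ff:ff:ff:ff
Ethernet type IPv4 (0x800)

IPv4 Header
Source IP address:192.168.0.60
Destination IP address:255.255.255.255
Protocol: UDP
Header:20 Bytes
Type of service: 0
Total length: 49 Bytes
Identification:0
Fragment offset:16384
Time to live: 64
Checksum: 31192

UDP Header:
Source port:3074
Destination port: 35344
Length: 29
Checksum: 47622
"""

FIELD_RE = re.compile(r"^([^:]+?)\s*:\s*(.+?)\s*$")


def parse_dump(text):
    """Group 'Key: value' lines by header -> {'ethernet': {...}, 'ipv4': {...}, 'udp': {...}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith(("ethernet header", "ipv4 header", "udp header")):
            current = line.split()[0].lower()
            sections[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).lower()] = m.group(2)
    return sections


def decode_fragment_field(value):
    """The dump prints the raw 16-bit flags+offset word: 16384 == 0x4000 is DF set, offset 0."""
    v = int(value)
    return {"df": bool(v & 0x4000), "mf": bool(v & 0x2000), "offset": (v & 0x1FFF) * 8}


def classify_destination(dst):
    """Limited broadcast and multicast never leave the L2 segment; only unicast can be routed."""
    ip = ipaddress.ip_address(dst)
    if ip == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    if ip.is_multicast:
        return "multicast"
    return "unicast-private" if ip.is_private else "unicast-public"


def triage(text):
    """Answer the replies' questions: broadcast or not, and is the frame self-consistent."""
    s = parse_dump(text)
    ip, udp = s["ipv4"], s.get("udp", {})
    total = int(ip["total length"].split()[0])
    hdr = int(ip["header"].split()[0])
    frag = decode_fragment_field(ip["fragment offset"])
    dst_class = classify_destination(ip["destination ip address"])
    udp_len = int(udp["length"]) if udp else None
    return {
        "src": ip["source ip address"],
        "dst": ip["destination ip address"],
        "dst_class": dst_class,
        "routable": dst_class.startswith("unicast"),  # False: the firewall can never forward it
        "l2_broadcast": s["ethernet"]["destination mac address"].lower() == "ff:ff:ff:ff:ff:ff",
        "df": frag["df"],
        "frag_offset": frag["offset"],
        "dst_port": int(udp["destination port"]) if udp else None,
        "udp_payload_bytes": total - hdr - 8 if udp else None,  # 49 - 20 - 8 = 21
        "udp_length_consistent": udp_len == total - hdr if udp else None,
    }


# Constructed flow records (src, dst, proto, dst_port) standing in for Log viewer entries
SAMPLE_FLOWS = [
    ("192.168.0.60", "255.255.255.255", "UDP", 35344),
    ("192.168.0.60", "255.255.255.255", "UDP", 35344),
]


def internet_flows(flows, device_ip, ports=(80, 443)):
    """The check from the last reply: does the device send any unicast traffic to 80/443 at all?"""
    return [f for f in flows
            if f[0] == device_ip and f[3] in ports
            and classify_destination(f[1]) == "unicast-public"]


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
    print("80/443 flows from device:", internet_flows(SAMPLE_FLOWS, "192.168.0.60"))
```

Run against the dump from the thread, `triage()` reports a limited broadcast to an all-ones MAC with DF set and a 21-byte UDP payload, i.e. a LAN-only discovery probe that no firewall rule or SSL/TLS inspection setting can make routable. If `internet_flows()` over the real Log viewer entries returns nothing for the Doorbird's IP, the device is not even attempting the 80/443 connections its cloud features need, which is the point the last reply makes.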