DMZ for MyQ garage door gateway

One of my clients has a Chamberlain MyQ gateway (Model 828LM). It is used to open the garage door with his phone. I replaced the router with a MikroTik and now it doesn’t connect to the internet, well, according to the diagnostic lights and manual. The device is wired and pulls a reservation that I have set up.

According to the manual this is what needs to happen:
The Internet Gateway uses User Datagram Protocol (UDP) port 80 for inbound and outbound data
messages. Transmission Control Protocol (TCP) port 2165 is used for firmware updates. If a firewall
or network security appliance is on the network (e.g. SonicWALL®), the User Datagram Protocol (UDP)
Timeout setting needs to be set to 180 seconds or greater. See the Incompatible Router and Switch
section for more information.

Here are my NAT rules to allow this traffic to the internal IP

;;; testGdoor
    chain=dstnat action=dst-nat to-addresses=192.168.40.23
    dst-address=67.XX.XX.XX log=no log-prefix=""

;;; testGdoor
    chain=dstnat action=dst-nat to-addresses=192.168.40.242 protocol=tcp
    in-interface=ether1 dst-port=2165 log=no log-prefix=""

And I changed the UDP timeout

udp-timeout: 3m
udp-stream-timeout: 3m

Will the above rules allow both directions of traffic to the MyQ?

I have tried a number of things to make it work and I always get the same error. I was thinking a DMZ might do it, but I am not sure if I set it up incorrectly.

This is another rule that I tried

;;; GdoorUDP2165
    chain=dstnat action=dst-nat to-addresses=192.168.40.242 to-ports=2165
    protocol=tcp in-interface=ether1 dst-port=2165 log=no log-prefix=""

The previous router (non-MikroTik) worked. Anyone have any ideas?

Hi,

I just had a look at the manual for the Chamberlain MyQ gateway 828LM. In all manuals I found, you just need to connect the “Chamberlain gateway” to your router in such a way that it can connect to the internet.
As far as I understood, the “Chamberlain gateway” will establish a connection to some server at Chamberlain (so outgoing traffic only).
When you open your garage door you also connect with your smartphone to the Chamberlain server (also outgoing connection). The opening command is then transmitted over the Chamberlain server.

Well … I could be mistaken and this communication is only necessary for the first initialization.

I would suggest you try the following:
Make a DMZ that can connect to the internet (the setup should be similar to the LAN; you need a DHCP server, default firewall rules, a masquerade rule, …). Devices in the DMZ should be able to connect to the Internet.
Does it work there?

If not then please post the configuration of the MikroTik (/export) and a description of the network and the IP addresses.

Best regards,
Lui

I tried to set up a DMZ but I am not sure the config was correct. I set up a DMZ bridge and added only the one port that the device was connected to. Then I configured DHCP on the bridge, and then gave the Chamberlain device an IP reservation on the new DHCP. I configured firewall rules

/ip firewall nat
add chain=dstnat action=dst-nat in-interface=[WAN INTERFACE NAME] protocol=tcp dst-port=80 to-addresses=[INSIDE IP ADDRESS OF DMZ HOST]

and it still flashed that it wasn’t able to connect, but I didn’t try another device to see if it connected. Do I still need a masquerade?

Do you have a walk through for a DMZ?

Here is the export: https://drive.google.com/open?id=0Bw_tsNmNus8DNXc2UHVQSWR1YVU

I have the same garage door opener. I created a simple /30 network for the Chamberlain.

Example:
192.168.5.0/30
ether1 = 192.168.5.1
Chamberlain pulls 192.168.5.2

I also configured the port to only negotiate for 10/100M.

Once I set up the above configuration my Chamberlain started working just fine.

Is the /30 separate from the rest of your network? So I would create a /30 network on ether8 that the MyQ is attached to?

Lan1 = 192.168.40.0/24
ether8 = 192.168.60.0/30

Hi,

Assumptions:
Your WAN port is ether1
Your DMZ port is ether8
Your DMZ network: 192.168.60.0/30

Here is a recipe for how to create a DMZ that can reach the Internet.

Create an IP address for the new DMZ network

/ip address add address=192.168.60.1/30 interface=ether8 network=192.168.60.0

Create a DHCP server. Note that we have only one address in the pool. So the MyQ will get this address.
As DNS server you can adjust to your liking (in this example I used the Google DNS server).

/ip pool add name=pool-dmz ranges=192.168.60.2
/ip dhcp-server network add address=192.168.60.0/30 dns-server=8.8.8.8 gateway=192.168.60.1
/ip dhcp-server add address-pool=pool-dmz disabled=no interface=ether8 lease-time=3h name=dhcp-dmz

Now we need a firewall rule that allows traffic from the DMZ to the Internet.

/ip firewall filter add chain=forward action=accept in-interface=ether8 out-interface=ether1

Please check that you change your masquerade rule to the following. Outgoing traffic to the Internet should always be masqueraded (so remove the src-address restriction).

/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1

Further you should remove the port ether8 from the bridge LAN1. You have two separate networks and do not want to have a layer 2 connection.

In your config, the firewall rules seem to miss some important things and do not protect your router or network properly. A basic version should look something like this:
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Basic_examples
http://wiki.mikrotik.com/wiki/Basic_universal_firewall_script

Best regards,
Peter
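A consolidated RouterOS script, added here as an example and not the export of Peter or the other posters, that combines the /30 DMZ from the two posts above with the UDP timeout from the opening post and stateful forward rules, so the gateway can reach only the Internet and never the LAN or the router itself. It assumes ether1 is the WAN, ether8 the DMZ port, bridge LAN1 the LAN bridge, 192.168.40.0/24 the LAN subnet, and RouterOS 6.x syntax.

```routeros
# Added example (not a poster's config). Assumed: ether1 = WAN, ether8 = DMZ,
# LAN1 = LAN bridge, 192.168.40.0/24 = LAN, 192.168.60.0/30 = DMZ.

# 1. Take ether8 out of the LAN bridge: no layer 2 path between DMZ and LAN.
/interface bridge port remove [find interface=ether8]

# 2. Address, pool and DHCP server for the /30 DMZ (exactly one lease: .2).
/ip address add address=192.168.60.1/30 interface=ether8 network=192.168.60.0
/ip pool add name=pool-dmz ranges=192.168.60.2
/ip dhcp-server network add address=192.168.60.0/30 dns-server=8.8.8.8 gateway=192.168.60.1
/ip dhcp-server add address-pool=pool-dmz disabled=no interface=ether8 lease-time=3h name=dhcp-dmz

# 3. UDP conntrack timeouts of at least 180 s, as the 828LM manual requires.
/ip firewall connection tracking set udp-timeout=3m udp-stream-timeout=3m

# 4. One masquerade rule for everything leaving the WAN port (no src-address limit).
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

# 5. Forward chain: stateful rules first, then explicit DMZ policy, order matters.
/ip firewall filter add chain=forward action=accept connection-state=established,related comment="stateful"
/ip firewall filter add chain=forward action=drop connection-state=invalid comment="drop invalid"
/ip firewall filter add chain=forward action=drop in-interface=ether8 dst-address=192.168.40.0/24 comment="DMZ may not reach LAN"
/ip firewall filter add chain=forward action=accept in-interface=ether8 out-interface=ether1 comment="DMZ -> Internet only"
/ip firewall filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 comment="no unsolicited inbound from WAN"

# 6. Input chain: the DMZ host may talk DHCP to the router and nothing else.
/ip firewall filter add chain=input action=accept in-interface=ether8 protocol=udp dst-port=67 comment="DHCP from DMZ"
/ip firewall filter add chain=input action=drop in-interface=ether8 comment="DMZ may not manage the router"
```

Verify with `/ip firewall connection print where src-address~"192.168.60.2"`: you should see only outbound connections from the gateway to Chamberlain's servers, and `/ip firewall filter print stats` should show the "DMZ may not reach LAN" counter staying at zero.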

Sorry for off topic question. Are you fine with the fact that whoever controls the server, controls your door?

Yes it is separate from the rest of my network. When I had the MyQ Home Gateway connected to a port that was part of my data subnet, it would never “talk” home successfully. It wasn’t until I dedicated a specific port / network at 10/100M did it work.

I will say that I recommend that you put in a block in your firewall for the entire 6.0.0.0/8 address space. This is a DoD network and Chamberlain Support could not answer why the gateway “reached” out to this network. I have it blocked on the forward, inbound and outbound.

Yes, it was ether8 that it was connected to. I think that solved the problem. The device isn’t flashing green anymore. Thanks for your help!

Yes, it’s a service from a well-known company, not the hobo down the street.