Making A Tivo Internet Connection Thru A Smoothwall 3.0 Firewall

February 8th, 2008

A friend asked me the other day how to get his Tivo to make its daily call through his home network. Besides simply getting on the network via a wired or wireless connection, the real problem most people don’t think about is that the Tivo uses a large number of network ports to call home. This causes a problem for a default Smoothwall Firewall install, since it blocks outgoing connections to the majority of these ports when the requests come from your ‘Green’ network. This isn’t a bug on the Smoothwall’s part; it is a deliberate design decision made for enhanced security.

Most people think they only need to worry about inbound connections to their machines to protect them, and indeed most firewall devices you can buy do just that. But hackers have gotten smarter and they’ve realized they can avoid those blocks if they can trick you into installing software that initiates connections on your end, or trick you into directly initiating connections to their machines. Either way, once such a connection exists, their machines can send whatever commands and read whatever of your data they want over it. The Smoothwall is one of the few firewalls I know of that attempts to block these outgoing connections by default.

So if your Smoothwall only allows a few outbound connection types from your ‘Green’ LAN (things like e-mail, web, IM, multimedia, gaming, and remote access are allowed), then how do we allow a Tivo to connect to all those ports that it wants to? The easiest way is to (a) ensure that your Tivo always has the same IP address, and (b) add that IP address to the ‘Current Always Allowed Machines’ list in your Smoothwall config. Here’s how I did these two steps…

  1. Ensure the Tivo will always be at the same IP address.
    I have my IP addresses assigned by DHCP from the Smoothwall. So I wanted to tell it to always assign the same IP address to my Tivo. To do this, I first logged into the Smoothwall web console and went to the Services->DHCP tab. On that page, I edited the section entitled ‘Add a new static assignment’:

    1. Use whatever name you like for the hostname. I used ‘tivo-s3-1’.
    2. Put whatever you want in the description field. I put ‘Media room Tivo S3’.
    3. For the MAC address, enter the value shown on your Tivo’s network information screen. On my Tivo Series 3, this is shown on the Network Connection page (Tivo->Messages & Settings->Settings->Phone & Network) in the top right as ‘MAC ID’.
    4. For the IP address, enter a value that is outside of the DHCP assigned range shown at the top of the page. For example, if your start address is 192.168.1.100 and the end address is 192.168.1.200, then pick any value ending with a number less than 100, such as 192.168.1.50.
    5. Ensure that the enabled check-box is checked.
    6. Click the ‘Add’ button.
    7. IMPORTANT: You must also click the ‘Save’ button in the middle of the page (above the Add a new static assignment section.) If you don’t do this, then the DHCP configuration is not saved and restarted and thus your changes don’t take effect!
    8. Once that save operation is complete, go back to the Network Connection page (see step 3) on your Tivo and select the ‘Change network settings->Get automatically from a DHCP server (typical)’ settings. After a minute or two, the Tivo should report that it is now using new network settings and show an IP address on the Network Connection page that matches the one you entered in step 4.
  2. Now you need to ensure that outbound connections from this Tivo are allowed through the firewall. To do that, configure the Smoothwall to allow all outgoing connections from the Tivo’s new IP address.
    1. In your Smoothwall web config screen go to ‘Networking->Outgoing’ and scroll to the bottom.
    2. In the ‘Add always allowed machine’ section, set the IP address to the value used in Step 4 of the first instruction set. Type any value for a comment. Then ensure ‘enabled’ is checked and click the ‘Add’ button.
    3. Wait for the page to finish reloading, which indicates the settings are now in effect.

You should now be able to go to your Tivo and force a daily call or repeat guided setup and have everything work!

Yes, you could have explicitly listed the various ports as outgoing exceptions for the Tivo’s IP, but I’ve found that Tivo software updates occasionally install new features that need new ports. Nothing in the upgrade process makes it clear which ports these are, so I’ve just found it easier to allow all outgoing connections from the Tivos.
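If you would rather see which ports the Tivo actually uses before deciding between an explicit port list and the always-allowed entry, you can summarize its outbound traffic from firewall logs. The script below is an added example, not part of the original post or of Smoothwall; it assumes you have log lines in the standard netfilter LOG format for the Tivo's traffic, and the sample lines, addresses and ports are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in netfilter LOG format (key=value fields).
# Addresses and ports are illustrative, not a list of ports a Tivo really uses.
SAMPLE_LOG = """\
Feb  8 03:12:01 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40112 DPT=443 SYN
Feb  8 03:12:02 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40113 DPT=443 SYN
Feb  8 03:12:05 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.50 DST=198.51.100.7 LEN=76 PROTO=UDP SPT=123 DPT=123
Feb  8 03:12:09 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.50 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=40120 DPT=8080 SYN
Feb  8 03:12:11 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.77 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51000 DPT=443 SYN
Feb  8 03:12:15 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.50 DST=203.0.113.99 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Feb  8 03:12:20 fw kernel: device eth1 entered promiscuous mode
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")

def summarize_outbound(lines, src_ip):
    """Return {(proto, dport): {"count": n, "dsts": set}} for packets from src_ip."""
    summary = defaultdict(lambda: {"count": 0, "dsts": set()})
    for line in lines:
        fields = dict(FIELD.findall(line))
        if fields.get("SRC") != src_ip or "PROTO" not in fields:
            continue  # other hosts, or kernel lines that are not packet logs
        # ICMP has no ports; record it under port None so it is not silently lost
        dport = int(fields["DPT"]) if "DPT" in fields else None
        entry = summary[(fields["PROTO"], dport)]
        entry["count"] += 1
        entry["dsts"].add(fields["DST"])
    return dict(summary)

def ports_outside(summary, allowed):
    """List (proto, dport) pairs seen in the log that are not in the allowed set."""
    return sorted((k for k in summary if k not in allowed),
                  key=lambda k: (k[0], k[1] or 0))

if __name__ == "__main__":
    # 192.168.1.50 is the example static address from step 4 above
    seen = summarize_outbound(SAMPLE_LOG.splitlines(), "192.168.1.50")
    for (proto, dport), info in sorted(seen.items(), key=lambda kv: -kv[1]["count"]):
        print(proto, dport, info["count"], sorted(info["dsts"]))
    print("not covered:", ports_outside(seen, {("TCP", 443), ("UDP", 123)}))
```

Running it again after a Tivo software update shows whether the device has started using ports that an explicit exception list would not cover.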

Tags: Home Theater · IT/Network
