That page states that these ports need to terminate at the internet, thus I assume none of them need to terminate at the LAN. Is that a safe assumption?
I am surprised that all of the network activity is from the Rachio3, and that no incoming ports are defined. I plan to set up my firewall to enable the five ports listed for outgoing and block all incoming ports to my Rachio3. Will that work?
Most people don’t need to adjust anything on the port forwarding as most routers allow outgoing port traffic as a matter of course. You must have some pretty restrictive iptables in place such as at a school or business that allows restricted public wifi.
Unless your border router egress rules are default deny (quite unusual) or you have those ports explicitly blocked for egress (likewise unusual): Nothing need be done.
I suspect that, by “terminate at” you mean “egress to” the Internet and “ingress to” your LAN, since what we’re talking about is allowing traffic through the Internet border router.
There will be two-way communications, of course. Those communications are established by the Rachio3.
I think you may be conflating two things: Allowing traffic vs. facilitating traffic. Take port 123 (NTP - Network Time Protocol) for example. The R3 will reach out to an NTP server on the Internet and that server will answer the R3. You don’t need to facilitate the return traffic by means of a port-forwarding rule because the router will know where to guide the answer on your LAN.
Again: Unless your border router egress policy is “default deny” you don’t have to enable anything for outgoing. Explicitly blocking all incoming ports to your R3 will break the R3’s communications.
Here’s what those five ports are:
53: DNS (network name resolution) (can be UDP or TCP)
8883: Rachio3-specific protocol
123: NTP (Network Time Protocol) (UDP)
443: HTTPS (Hyper-Text Transfer Protocol Secure [SSL]) (TCP)
@jseymour thank you, that is helpful and more detailed than what I was able to find on the Rachio support page. My router’s firewall policy is default deny for any ports on the VLAN that I will connect the Rachio3 to. I’ll make sure these outgoing ports are opened.
Just to be sure, the document on the Rachio site does not deal with VLANs. The 4 ports mentioned for “outbound” traffic are from wherever the Rachio controller is, all the way outbound to the Internet. In a typical VLAN setup, the VLAN has a default gateway that then routes to the Internet.
If this is an IoT kind of VLAN you generally still want outbound to WAN to be mostly unrestricted, and default deny may not be what you want. On the other hand, you may not want this VLAN to communicate with any other VLAN. This can be accomplished either by configuring rules on the other VLANs that block any new connections from the IoT VLAN (but do not put that on the WAN), or by tying the deny on the outbound from the IoT VLAN to the specific other VLANs you want to deny, but again not the WAN.
You can also achieve this by adding, before the default deny, a rule that explicitly allows all new connections (state new) to WAN. These connections will then establish an allowed return path for existing connections, allowing replies to come back properly.
Still, generally you do not need to port forward any specific ports (btw this terminology is most often used for inbound WAN connections). So, what I would try, only briefly, is to disable your default deny on the IoT VLAN and see if things work. This will confirm no specific port arrangements are needed. Once you confirm that, you can think of the best way to protect the rest of your internal network, ultimately removing the default deny.
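The following is an added illustration, not code from the thread, from Rachio, or from any router vendor: a toy stateful packet filter that models the policy described in the replies above (allow replies to established flows, allow new connections from the IoT VLAN to WAN, deny new connections from the IoT VLAN to other internal VLANs, then default deny). It also evaluates the "block all incoming to the controller" policy without a rule for established flows, to show why that breaks the NTP reply. All addresses, zone names and the controller's address are constructed for the example.

```python
"""Toy stateful packet filter (constructed example, not any router's real code).

Models the IoT-VLAN policy discussed in the thread and shows which packets a
stateful first-match ruleset accepts or drops.
"""
import ipaddress
from dataclasses import dataclass

# Assumed internal zones (constructed). Anything outside them is treated as WAN.
INTERNAL_ZONES = {
    "iot": ipaddress.ip_network("192.168.50.0/24"),  # where the controller lives
    "lan": ipaddress.ip_network("192.168.10.0/24"),  # trusted VLAN
}


def zone_of(addr: str) -> str:
    """Classify an address as 'iot', 'lan' or 'wan'."""
    ip = ipaddress.ip_address(addr)
    for name, net in INTERNAL_ZONES.items():
        if ip in net:
            return name
    return "wan"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


# Ordered rules: (name, src_zone, dst_zone, state, action); first match wins.
IOT_POLICY = [
    ("allow-replies",    "any", "any", "established", "accept"),
    ("allow-new-to-wan", "iot", "wan", "new",         "accept"),
    ("deny-iot-to-lan",  "iot", "lan", "new",         "drop"),
    ("default-deny",     "any", "any", "any",         "drop"),
]

# The "block all incoming to the controller" variant: no established rule.
NAIVE_POLICY = [
    ("allow-new-to-wan", "iot", "wan", "new", "accept"),
    ("default-deny",     "any", "any", "any", "drop"),
]


class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()  # 5-tuples of flows the filter has accepted

    def _state(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "established" if fwd in self.conntrack or rev in self.conntrack else "new"

    def filter(self, pkt: Packet):
        """Return (action, rule_name) for the packet, updating conntrack on accept."""
        state = self._state(pkt)
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        for name, r_src, r_dst, r_state, action in self.rules:
            if (r_src in ("any", src_zone) and r_dst in ("any", dst_zone)
                    and r_state in ("any", state)):
                if action == "accept" and state == "new":
                    self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return action, name
        return "drop", "implicit-deny"


def run_scenario(rules=IOT_POLICY):
    """Replay the controller's NTP exchange plus two flows the policy should refuse."""
    fw = StatefulFilter(rules)
    controller = "192.168.50.20"   # constructed controller address on the IoT VLAN
    ntp_server = "203.0.113.5"     # constructed Internet NTP server (TEST-NET-3)
    return {
        "controller->ntp":   fw.filter(Packet(controller, 40000, ntp_server, 123, "udp")),
        "ntp->controller":   fw.filter(Packet(ntp_server, 123, controller, 40000, "udp")),
        "unsolicited->8883": fw.filter(Packet("198.51.100.9", 5555, controller, 8883, "tcp")),
        "controller->lan":   fw.filter(Packet(controller, 40001, "192.168.10.7", 445, "tcp")),
    }


if __name__ == "__main__":
    for label, policy in (("IoT policy", IOT_POLICY), ("naive policy", NAIVE_POLICY)):
        print(label)
        for flow, (action, rule) in run_scenario(policy).items():
            print(f"  {flow:18} {action:6} ({rule})")
```

With the IoT policy the outbound NTP request is accepted, its reply is accepted by the established rule, the unsolicited Internet connection to port 8883 and the controller's attempt to reach the trusted VLAN are both dropped. With the naive policy the request still goes out, but the reply is dropped by the default deny because nothing allows established traffic, which is the breakage warned about above.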
And while you can restrict outbound destination IP ports, are you filtering by source IP too (of the Rachio), or have you an NGFW and filter on some destination URL?