1 Reply Latest reply: Apr 21, 2017 7:31 AM by jjvierra

    Firewall / port forwarding for Slingbox M1

    xisset

      I'm posting this because I found it nowhere else on the web while trying to get my M1 working from behind a firewall.

       

      For ALL connections (direct and RELAY), the following is needed:
      ALLOW tcp from $M1_IP to 67.148.153.0/27 dport 80,443

       

      For RELAY connections (including the FireTV in particular, which doesn't even attempt direct connections), the following firewall rules are needed:
      ALLOW tcp from $M1_IP to 67.148.153.0/27 dports 5000-5999

      There was one outlier IP that it connected to, in the 8.x.x.x network, but the bulk went to this block... feel free to open it up to all destination IPs as you see fit.


      For direct connections over TCP (including the Slingplayer Mac app):

      FORWARD tcp from $CLIENT_IP to $FIREWALL_IP dport 5301, to $M1_IP dport 5301

      ALLOW tcp from $CLIENT_IP to $M1_IP dport 5301

       

      Some other interesting bits I found...

      While Slingplayer and the M1 were setting up connectivity over TCP, I noticed them exchanging UDP packets, but they seemed to fall back on TCP. The M1 sent packets to a bunch of ports, and got responses from one of them (creating 2-way traffic briefly) before the stream stopped. I'm guessing that the M1 prefers UDP, but found something about my connectivity unsavory so it fell back. The ports included: 5680, 5681, 5753-5778 (that range includes both sides).


      Each time a connection was initiated, two HTTP streams were established. One had a header "Pragma: Sling-Connection-Type=Control, Session-Id=0" (obviously the out of band control channel) and the other "Pragma: Sling-Connection-Type=Stream, Session-Id=xxxxx" (obviously the in-band data stream). When connecting with the FireTV, the streams were initiated by the M1 to Sling's relay servers on ports 5000-5999. When connecting with Slingplayer, the connections are initiated by the client to port 5301 on the M1.

       

      Upon booting up, the M1 obtains an IP address via DHCP. It then broadcasts Simple Service Discovery Protocol M-SEARCH packets with a "service type" header of "urn:schemas-upnp-org:device:InternetGatewayDevice:1", i.e. it is looking for a UPnP gateway. It sends 2 of these at 20 second intervals, for a total of 6 packets. Since I don't have anything listening for UPnP on my network there were no responses... the M1 appeared to give up.


      At rest the M1 is listening on TCP ports 22, 5301, and 8888.

      Port 22 is running a DropBear ssh daemon.

      Port 5301 is the main service.

      Port 8888 is silent or some weird protocol. It doesn't respond to TLS, HTTP, and it doesn't even disconnect me or complain when I spam garbage at it (head -c 8192 /dev/random | nc $M1_IP 8888).
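
The rule groups from the post above written out as iptables commands, as an added example that is not part of the original post. It assumes a Linux router whose FORWARD policy is DROP; the function names and sample addresses are made up here, and the script prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables commands for the post's rules.
# Assumption: Linux router, FORWARD policy DROP. Sample addresses are constructed.
SLING_NET="67.148.153.0/27"   # destination block named in the post

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255, so nothing
# but an address can end up inside a generated command line.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# sling_rules M1_IP [FIREWALL_IP CLIENT_IP]
# Outbound rules are always emitted; the inbound 5301 forward is emitted only
# when one client address is named. Ports 22 and 8888 are never forwarded.
sling_rules() {
    m1=$1 fw=${2:-} client=${3:-}
    is_ipv4 "$m1" || { echo "bad M1 address" >&2; return 2; }
    if [ -n "$client" ]; then
        is_ipv4 "$fw" && is_ipv4 "$client" || { echo "bad forward address" >&2; return 2; }
    fi
    # Return traffic for connections the rules below allowed
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # All connections (direct and relay): M1 to Sling on 80 and 443
    echo "iptables -A FORWARD -s $m1 -d $SLING_NET -p tcp -m multiport --dports 80,443 -j ACCEPT"
    # Relay connections: M1 dials out to ports 5000-5999
    echo "iptables -A FORWARD -s $m1 -d $SLING_NET -p tcp --dport 5000:5999 -j ACCEPT"
    [ -n "$client" ] || return 0
    # Direct connections: DNAT port 5301 only, and only from the named client
    echo "iptables -t nat -A PREROUTING -s $client -d $fw -p tcp --dport 5301 -j DNAT --to-destination $m1:5301"
    echo "iptables -A FORWARD -s $client -d $m1 -p tcp --dport 5301 -j ACCEPT"
}

# Constructed sample: M1, firewall outside address, one remote client
sling_rules 192.168.1.50 203.0.113.1 198.51.100.7
```

Calling `sling_rules` with only the M1 address gives the relay-only rule set, with no inbound forward at all.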

        • Re: Firewall / port forwarding for Slingbox M1
          jjvierra

          I'm having issues with not being able to add my new M1 to my Sling account. Did you have issues even discovering the M1? When I run the setup it keeps telling me no Ethernet connection detected. My firewall (Cisco ASA) doesn't support UPnP. I found your post and had a question. From looking at it you are allowing outbound connections to 67.148.153.0/27 from your internal M1 address on 80, 443 and 5000-5999. I don't control outbound traffic so I'm good there. And then the only inbound port forwarding rule is from 5301. In that entry what is the $CLIENT_IP variable?

           

          Thanks