allowing all traffic through firewall (from wan) from IP

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
Author Message
evacc44
DD-WRT Novice


Joined: 12 Oct 2017
Posts: 4

PostPosted: Mon Oct 16, 2017 19:42    Post subject: allowing all traffic through firewall (from wan) from IP
Hello. The company that provides our VOIP services is insistent that our firewall is causing call dropping/1-way calling issues. They have requested that we add some firewall rules that allow all traffic over certain ports, coming from their server, through our firewall.

I am not familiar with DD-WRT, but I know this is an iptables thing. Unfortunately I simply do not know how to use iptables effectively to make this happen.

For example, I need to accept UDP: 69, 5060, 9000, 16384-65535 from the WAN with source address X.X.X.X (of course not using the actual IP here).

What command would I have to use to make this happen? It would only be for a few days to confirm our firewall is not the issue.
Greenleafs
DD-WRT Novice


Joined: 05 Feb 2013
Posts: 14

PostPosted: Mon Oct 16, 2017 22:17    Post subject: Re: allowing all traffic through firewall (from wan) from IP
evacc44 wrote:
They have requested that we add some firewall rules that allow all traffic over certain ports, coming from their server, through our firewall.


This is possibly not what you are wanting to do.

To explain we need to talk about Network Address Translation NAT and the difference between internal and external IP ranges.

Typically, because IPv4 addresses have always been limited and we only have one public IP but a large number of devices on our LAN, we use something called MASQUERADE to dynamically change the source address of an outgoing packet to the public IP of the router (so replies can be directed back), then change the destination of returning packets to the originating LAN IP based on dynamic state tables. This means lots of devices can connect to the internet through one public IP.

If new traffic is directed at the public IP of the router, that does not match a state in the MASQUERADE table, it is handled as being directed at the router itself (which is likely not what you want), or it can be forwarded to another device (is there one device that should be receiving all of your VOIP traffic?)

What the VOIP provider is likely asking you to do, is to allow traffic outbound to those particular ports, and to allow stateful return traffic back to the originating devices.
The good news is that this is the default factory configuration of most DD-WRT routers, and you could confirm this by using nmap or netcat to send a datagram to the UDP port on the server's IP.

If you have a VOIP phone that you are just plugging into a router without any iptables rules already in place, but there is definitely a firewall issue and the VOIP provider isn't just being idiots (confirmed by nmap/netcat), try looking upstream; some ISPs block RTP/RTSP and SIP as part of their T&Cs.


evacc44 wrote:
I know this is an iptables thing. Unfortunately I simply do not know how to use iptables effectively to make this happen


IPtables and its eventual replacement NFTables are difficult to learn; it took me a good couple of weeks of banging my head against the wall before I found a chapter in the book "Secure your network for free with Snort, Nessus and Ethereal", which explained with a few beautiful diagrams how the netfilter module works, and how tables, chains and rules all fit together... and suddenly it is a very simple thing to understand and use.
evacc44
DD-WRT Novice


Joined: 12 Oct 2017
Posts: 4

PostPosted: Tue Oct 17, 2017 21:49    Post subject: Re: allowing all traffic through firewall (from wan) from IP
Greenleafs wrote:
is there one device that should be receiving all of your VOIP traffic?)

What the VOIP provider is likely asking you to do, is to allow traffic outbound to those particular ports, and to allow stateful return traffic back to the originating devices.
The good news is that this is the default factory configuration of most DD-WRT routers, and you could confirm this by using nmap or netcat to send a datagram to the UDP port on the server's IP.

We are using hosted VOIP, so there is no one device that all VOIP traffic gets routed to. Just a bunch of IP phones on the network getting addressed via DHCP. We are using a default DD-WRT setup right now. I actually just flashed a newer version without any settings before undertaking this. The VOIP provider wants all incoming traffic from their public IP address block to not be touched by the firewall. I'm not looking to direct this traffic anywhere; just exclude it from the firewall.

Greenleafs wrote:
IPtables and its eventual replacement NFTables are difficult to learn; it took me a good couple of weeks of banging my head against the wall before I found a chapter in the book "Secure your network for free with Snort, Nessus and Ethereal", which explained with a few beautiful diagrams how the netfilter module works, and how tables, chains and rules all fit together... and suddenly it is a very simple thing to understand and use.

Would you have an example of what I should be putting in for a command to get this done?
Greenleafs
DD-WRT Novice


Joined: 05 Feb 2013
Posts: 14

PostPosted: Wed Oct 18, 2017 10:39
First: Have you confirmed that there is no UDP connectivity with nmap?

Code:
 nmap -Pn -n -sU -p 69,5060,9000 X.X.X.X


If the ports are open: Stupid VOIP provider.
If there is not, have you turned off the firewall in the security tab and tried again?

If still no connectivity: The blockage is measurably upstream because your firewall is off.

If your firewall measurably and replicably stops UDP datagrams based on a sigma 2 outcome (Do it 4 times):
1) It is not in the default firewall configuration; the default is SPI with LAN2WAN acceptance (and stateful returns).
You have broader issues to fix.
2) If you have honestly done the above
Code:

iptables -I FORWARD -d X.X.X.X -p udp -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -s X.X.X.X -j ACCEPT
iptables -t nat -I POSTROUTING -d X.X.X.X -j MASQUERADE

But again, this likely won't solve your problem.

PLEASE READ ABOVE FIRST and note that there are a million different ways you can shoot yourself in the foot with iptables. Always use the CLI before putting commands in the firewall GUI box (so rebooting will unfubar you) and I take no responsibility for what you decide to do on your own router.
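An added example, written here and not Greenleafs' or the DD-WRT project's code: a POSIX sh script that turns the request in this thread into a rule set scoped to the provider's source address and the named UDP ports only, rather than "excluding" an address from the firewall altogether. It validates the address (or CIDR block) and each port spec before emitting anything, and it prints the iptables commands instead of running them, so they can be reviewed and tried from the CLI first, as advised above. The function names, the address 203.0.113.10 and the port list are constructed for the example; replace them with the provider's real values. The same spec with -D instead of -I removes exactly the rules that were added, which suits a test lasting only a few days.

```shell
#!/bin/sh
# Added example (not from the thread): build, but do not apply, a narrowly
# scoped set of iptables rules for UDP traffic from a VOIP provider's address.

# Accept a dotted-quad IPv4 address, optionally with a /0-32 prefix. Names are
# rejected on purpose: a rule keyed on a hostname resolves at install time only.
valid_ip() {
    addr=${1%%/*}
    prefix=${1#"$addr"}                 # "" or "/nn"
    case "$addr" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    case "$prefix" in
        '') ;;
        /[0-9]|/[0-9][0-9]) [ "${prefix#/}" -le 32 ] || return 1 ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$addr" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i == "" || $i > 255) exit 1; exit 0 }'
}

# Accept a single port or a low:high range, both within 1..65535.
valid_port_spec() {
    case "$1" in
        ''|*[!0-9:]*|:*|*:|*:*:*) return 1 ;;
    esac
    lo=${1%%:*}; hi=${1##*:}
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# Print one FORWARD rule per port spec, limited to UDP and to the provider's
# address. ACTION is -I (insert at the top) or -D (delete the same rules).
# Stateful replies to LAN-initiated SIP/RTP are not repeated here: the thread
# notes DD-WRT's default SPI firewall already allows them, and deleting such a
# rule later could match the router's own copy instead of ours.
build_rules() {
    action=$1; ip=$2; shift 2
    case "$action" in
        -I|-D) ;;
        *) echo "action must be -I or -D, got: $action" >&2; return 1 ;;
    esac
    valid_ip "$ip" || { echo "rejecting address: $ip" >&2; return 1; }
    [ "$#" -gt 0 ] || { echo "no port specs given" >&2; return 1; }
    for p in "$@"; do
        valid_port_spec "$p" || { echo "rejecting port spec: $p" >&2; return 1; }
    done
    for p in "$@"; do
        echo "iptables $action FORWARD -p udp -s $ip --dport $p -j ACCEPT"
    done
}

# Usage: sh this.sh -I 203.0.113.10 69 5060 9000 16384:65535
# (constructed provider address; review the output, then run it on the router)
if [ "$#" -gt 0 ]; then
    build_rules "$@"
fi
```

Only the emitted lines touch the router, and only once you paste them in yourself; running the script with the same arguments and -D afterwards prints the matching removal commands. The script does not add a -i WAN-interface match because the interface name varies between DD-WRT builds; the -s match already confines the exception to the provider's address.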
redhawk0
DD-WRT Guru


Joined: 04 Jan 2007
Posts: 11564
Location: Wherever the wind blows- North America

PostPosted: Wed Oct 18, 2017 12:27
Someone correct me if I'm wrong...but why not just put the VOIP unit IP address as DMZ on the NAT/QoS page? It will open it up to all ports but keep the rest of your network secure.

redhawk

_________________
The only stupid question....is the unasked one.
Greenleafs
DD-WRT Novice


Joined: 05 Feb 2013
Posts: 14

PostPosted: Wed Oct 18, 2017 13:41
redhawk0 wrote:
why not just put the VOIP unit IP address as DMZ on the NAT/QoS page.

evacc44 wrote:
We are using hosted VOIP, so there is no one device that all VOIP traffic gets routed to. Just a bunch of IP phones on the network getting addressed via DHCP.


I think he has a bunch of the 'CISCO IP phone like' VOIP phones, that take standard client IPv4 settings from his LAN, and send SIP messages to a single server on the internet belonging to his VOIP provider; which then returns SIP on the same datagram socket.
He needs UDP:69 for the phones to check for new firmware.

Traffic almost certainly won't initiate from the VOIP provider, because it would become one to many as it crosses the NAT boundary.

It is much more likely that his VOIP provider thinks he uses an ASA on which security levels for egress are not the same as security levels for ingress and they are blaming that.
beasty
DD-WRT Novice


Joined: 20 Oct 2017
Posts: 13

PostPosted: Fri Oct 20, 2017 18:27
I just finished fixing this or a similar issue for a small company a few months ago. They had a very similar problem which at first looked quite complex. In the end the issue turned out to be that the routers were limiting the volume of traffic. The firewalls had some form of protection against SYN flooding and a couple of other things. Everything would be working fine, then suddenly it was hit and miss as to whether the phones just went dead. When I told the ISP about it they realised their servers were also limiting the packets. In effect their servers were of the belief our network was DoS'ing them. The solution was that we lifted our flood detection and they lifted theirs. Everything went fine then.