Koozali.org: home of the SME Server

Firewall blocking IP phone access to provider

ber
Firewall blocking IP phone access to provider
« on: May 30, 2019, 01:33:20 AM »
We have recently installed new IP phones for a client, but the phones are not able to register with the URL defined by the provider.

Server is in gateway mode and has no special filtering software.


I've done numerous searches on the SME forums and cannot find the relevant information on how best to configure the firewall.
Enabling or disabling the proxy service doesn't help.

Phone details and port requirements, plus the provider URL:

Device: Yealink IP Phone
Protocol: HTTP / HTTPS
Provider host: yealink.broadcloud.com.au (199.59.64.145)
Transport/ports: TCP 80, 443

When the IP phones are connected directly to the router, bypassing the server, they are able to register with the provider's server on the internet.

Here is some relevant information from the IP phone documentation.

Customer firewall and router
• Customer firewall must allow HTTP (TCP port 80) and HTTPS (TCP port 443) traffic for SIP devices to communicate with external configuration servers
• Customer firewall must allow SIP and RTP to allow SIP devices to place and receive calls
• Customer router must set Network Address Translation (NAT) bind timer at a value greater than or equal to 30 seconds
• Customer router/firewall must not manipulate the SIP or RTP packets at the application layer. If any CPE devices can function as a SIP Access Layer Gateway (ALG), the ALG functionality should be disabled
• Customer router should support Differentiated Service Code Point (DSCP) and ensure that higher priority packets take precedence over lower priority packets for all outbound packets
• Customer router should be configured to mark all SIP and RTP packets from the Cloud Phone call control platforms as high priority to ensure these packets take priority over lower priority packets for all inbound packets. The Cloud Phone call control platforms can be uniquely identified by a set of specific IP addresses. SIP and RTP packets can be.

Any help appreciated.
Kind regards

ReetP
Re: Firewall blocking IP phone access to provider
« Reply #1 on: May 30, 2019, 02:48:14 AM »
You are going to have to do an awful lot of reading, beyond just SME forums. The biggest problem with SIP is if you get it wrong, the bills can be big.....

SIP phones are not as simple as people like to make out. SIP, RTP & NAT are not the best of bedfellows.

So, you need to go and read about SIP and RTP ports for starters, in general terms. There are mountains of stuff out there.

Code:
Customer firewall must allow SIP and RTP to allow SIP devices to place and receive calls
You may want to look at one or more of the following:

    TCPPorts=5061
    UDPPorts=5060,5061,5160,5161,4569,10000:20000

SIP is usually UDP 5060 and RTP on UDP 10000-20000 but YMMV...

SME should let those ports out as far as I am aware though.

So...

Quote
When the IP phones are connected directly to the router and bypassing the server its able to register itself with the provider server on the internet.

Hmmmm.

It sounds like the ISP's router is blocking the required ports so it can handle them itself (at a guess)??

So how is your SME configured with the router/broadband? Can you be a bit explicit here - diagrams if necessary !!

You say it is in gateway mode, but how does that work with the router? Do you normally use some form of modem with SME, or an ethernet connection? Or is SME in gateway mode behind the router?

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

ber
Re: Firewall blocking IP phone access to provider
« Reply #2 on: May 30, 2019, 04:09:16 AM »
Hi ReetP,
in reply to your question.

Quote
So how is your SME configured with the router/broadband? Can you be a bit explicit here - diagrams if necessary !!

You say it is in gateway mode, but how does that work with the router? Do you normally use some form of modem with SME, or an ethernet connection? Or is SME in gateway mode behind the router?
My SME is in gateway mode, sits behind the router/modem and in front of the network, issuing DHCP addresses etc.

Connecting the IP phone directly to the modem/router, it is able to register with the VoIP service provider URL. Behind the server it's not able to.

Also, I'm uncertain how to check that ports are open on the server. Is there any documentation with detailed info on the server ports?
Kind Regards

ber
Re: Firewall blocking IP phone access to provider
« Reply #3 on: May 30, 2019, 10:03:47 AM »
Update...

I have the same setup at another site. Plugged in the phone and it registered OK with the service provider.

The only configuration change to the site was when I installed and then uninstalled DansGuardian.

Is there any way to reset the firewall config back to standard?

Regards

janet
Re: Firewall blocking IP phone access to provider
« Reply #4 on: May 30, 2019, 11:45:54 AM »
ber

It is not sufficient just to uninstall Dansguardian.
From the DansGuardian wiki article, did you reverse the settings after uninstall?

To return the Transparent Proxy port to its default value, disable port blocking and re-enable the transparent proxy (which is the SME default):

Code:
config setprop squid TransparentPort 3128
config setprop squid Transparent yes
config delprop dansguardian portblocking
signal-event post-upgrade; signal-event reboot
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

ReetP
Re: Firewall blocking IP phone access to provider
« Reply #5 on: May 30, 2019, 12:50:14 PM »
Quote
Hi ReetP,
in reply to your question. My SME is in gateway mode, sits behind the router/modem and in front of the network, issuing DHCP addresses etc.

It doesn't really answer the question.

Does the WAN interface of SME have a public IP with completely unfettered internet access, or does it get a private IP from the router with the router actually doing some NAT?

Code:
config show ExternalInterface
What sort of router is it?

Note their comments about:

Quote
the ALG functionality should be disabled

That is because some routers, despite claiming they give totally unfettered access actually lie, and don't.

Quote
Connecting the IP phone directly to the modem/router it is able to register with the VoIP service provider url. Behind the server its not able to.

The question is whether it is your server blocking stuff or your router. We need some more details as above.

Quote
Also, I'm uncertain as how to check that ports are open on the server? Is there any documentation with detailed info on the server ports?

You shouldn’t need to open any ports on SME - they would be for inbound connections only as outgoing is allowed - but we'll cross that bridge if we come to it.

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: Firewall blocking IP phone access to provider
« Reply #6 on: May 31, 2019, 03:56:12 AM »
Transparent proxy might be an issue, but it should only be with HTTP, not with SIP.

I have SME with SIP phones and DansGuardian without issue.


What ReetP is pointing out is that, the way you describe it, it seems you have a double NAT occurring: your router creates a LAN on which SME connects, with SME on one side believing it is the internet and not a LAN, and on the other side creating another LAN.

This could be OK if you know what you are doing, but this has the potential to break a lot of things. More things than you can imagine.

So either plug SME in as a server-only to your router, or use this modem/router as a modem only so SME can use it while it is a gateway server, unless you really know what it is to handle 2 firewalls and what the addressing issues are in subnetworks.

ReetP
Re: Firewall blocking IP phone access to provider
« Reply #7 on: May 31, 2019, 10:05:46 AM »
Indeed.. exactly what I was driving at.

Two issues.

First

SIP + NAT = Pain (better these days)

SIP + NAT + NAT = All your worst nightmares.

Second

NAT'd behind your router, where your router does SIP happily but SME does not, means almost certainly the router is doing some funny business with your SIP packets.

Some routers have a proper pass-through mode so your SME WAN IP = your internet IP. Draytek ones like the 2830 do, or use one of their dumb modems, v120 or v130?

In the meantime, let's have a look at your config and see what is happening.
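
ReetP's question in Reply #5 (does the SME WAN interface hold a public address, or a private one handed out by the router?) and the double-NAT warning in Replies #6 and #7 come down to one check: what kind of address sits on the external interface. The Python script below is an added example, not code from this thread or from SME Server, and it applies to any Linux gateway, not only SME. It reads `ip -4 addr show` style output, classifies each address as public, RFC 1918 private or RFC 6598 carrier-grade NAT, and flags the double-NAT case. The interface name eth1 and the sample addresses are constructed for illustration; the output layout of SME's own `config show ExternalInterface` is not shown in the thread, so it is not parsed here.

```python
import ipaddress
import re

# Constructed sample of `ip -4 addr show <wan-if>` output for a gateway whose
# WAN side was given a private address by the ISP router (the double-NAT case).
# "eth1" is an assumption; the external NIC name on a real box may differ.
SAMPLE_WAN_PRIVATE = """\
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth1
"""

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT range
INET_RE = re.compile(r"\binet (\d{1,3}(?:\.\d{1,3}){3})/\d+")


def wan_addresses(ip_addr_output):
    """IPv4 addresses listed on the interface, in the order `ip addr` prints them."""
    return INET_RE.findall(ip_addr_output)


def classify(addr_text):
    """'public', 'private' (RFC 1918 and similar), 'cgnat' (RFC 6598) or 'other'."""
    addr = ipaddress.ip_address(addr_text)
    if addr in CGNAT:              # ISP is itself behind NAT: at least two NATs
        return "cgnat"
    if addr.is_private:            # also catches loopback, link-local, test nets
        return "private"
    if addr.is_global:
        return "public"
    return "other"


def double_nat_suspected(ip_addr_output):
    """True when the WAN side carries addresses but none of them is public."""
    kinds = [classify(a) for a in wan_addresses(ip_addr_output)]
    return bool(kinds) and "public" not in kinds


def verdict(ip_addr_output):
    """Human-readable summary of what the WAN address tells you."""
    addrs = wan_addresses(ip_addr_output)
    if not addrs:
        return "no IPv4 address on the WAN interface"
    if double_nat_suspected(ip_addr_output):
        return ("WAN holds only non-public addresses (%s): the upstream router is "
                "doing NAT too, so SIP/RTP cross two NATs" % ", ".join(addrs))
    return "WAN holds a public address (%s): single NAT at this gateway" % ", ".join(addrs)


if __name__ == "__main__":
    # On a live gateway: feed in the real output of `ip -4 addr show <wan-if>`.
    print(verdict(SAMPLE_WAN_PRIVATE))
```

A "private" or "cgnat" verdict confirms the double NAT that ReetP and Jean-Philippe describe; it is then the upstream router's NAT and any SIP ALG on it, not the SME firewall, that will be rewriting the phone's SIP and RTP traffic, which is why the thread's advice is to put the modem/router in bridge or pass-through mode so the gateway itself holds the public address.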

calisun
Re: Firewall blocking IP phone access to provider
« Reply #8 on: June 01, 2019, 07:17:22 PM »
Not sure what service you are using, and if they allow you to change modem settings, but most likely you will need to set your modem to Bridge Mode.
I have an older modem which does not allow me to change settings, so I called the provider and they switched it for me remotely from their side. If you have a newer modem, most likely you can change it yourself.
Here are instructions from Comcast on how to do it.

https://www.xfinity.com/support/articles/wireless-gateway-enable-disable-bridge-mode
SME user and community member since 2005.
Want to install Wordpress in iBay of SME Server?
See my step-by-step How-To wiki here:
http://wiki.contribs.org/Wordpress_Multisite

ber
Re: Firewall blocking IP phone access to provider
« Reply #9 on: June 12, 2019, 05:50:43 AM »
Hi guys, here's the update.

The main problem is that the IP phone is not getting a local IP address. Connectivity via the firewall may be a secondary issue; I think it's unrelated.
The phone is not getting an IP from the Linux SME DHCP server.
I've checked and DHCP is running. Lots of spare addresses. It's issuing new addresses etc...

I'm unsure why the phone cannot get an IP address. The phone is a Yealink T42S. I've spoken to our VoIP provider and he can't make sense of it either.
I've connected the phone at another Linux SME site and it's able to receive an IP address and register with the VoIP server.
Connected the phone directly to the modem and it's able to receive an IP address and also registers (dial tone etc).
The server is connected in server/gateway mode.
I don't think it's a NAT issue. Checked the server logs when reconnecting the phone to the network and there are no conflict issues with the phone logged??
It's like the server doesn't see the device at all. The phone error advises that there is "no network", yet the PC "piggy backs" off its internal switch and is able to connect to the network/internet.

Regards John
« Last Edit: June 12, 2019, 06:08:46 AM by ber »

ReetP
Re: Firewall blocking IP phone access to provider
« Reply #10 on: June 12, 2019, 05:15:41 PM »
Quote
The main problem is that the IP phone is not getting a local IP address. Connectivity via the firewall may be a secondary issue; I think it's unrelated.
The phone is not getting an IP from the Linux SME DHCP server.
I've checked and DHCP is running. Lots of spare addresses. It's issuing new addresses etc...

So that's the bit you need to focus on.

Quote
Ive connected the phone on another Linux SME site and its able to receive a IP address and register with the VoIP server.

So what is different? Clearly SOMETHING is - it isn't actually SME per se - you know SME works. It is just THIS box that is intransigent.

How about showing us:

Code:
config show dhcpd

Quote
Its like the Server doesnt see the device at all. The phone error advises that there is "no network", yet the PC "piggy backs" of its internal switch and is able to connect to the network/internet.

Hmmm - like the phone can't see the server at all.... No network means it can't pick up any networking information itself.

Piggy back - yes, it will work if you are putting your PC through it because I think it bridges the PC connection - just literally passes packets through. Just like a dumb switch. It doesn't need an IP address to do that. Just working cables and internals. So we know the network cable/internal switch works at least.

I presume that your PCs connect to a switch that then connects to the server? (Just trying to picture your layout)

What does your server tell you as the phone boots? Nothing in /var/log/messages or /var/log/dhcpd/current like this?

Code:
DHCPACK on 10.0.0.68 to 00:0b:82:b1:7a:c7 (sip-9001) via eth0
Have you tried setting a Static IP on the phone?


ber
Re: Firewall blocking IP phone access to provider
« Reply #11 on: June 12, 2019, 09:51:13 PM »
Hi, I've tried a static IP on the phone; it connects to the VoIP registrar but has issues registering itself on the external VoIP server.
I'm told setting a static IP on the phones causes issues, whatever the LAN environment.

Our local network has 2 x 24-port switches that are linked. One is managed (Cisco) and the other not (Netgear).
I've tried connecting the phone through either switch - no difference.
Yes, it connects to the SME in server/gateway mode.

Here's some info:

****************************************************
[root@server ~]# config show dhcpd
dhcpd=service
    Bootp=deny
    check=enabled
    dnscustom=disabled
    end=192.168.1.250
    gatewaycustom=disabled
    leasetime=86400
    start=192.168.1.50
    status=enabled
    winscustom=disabled
[root@server ~]#

I've checked the dhcpd logs and server logs; no data or reference to connectivity to the VoIP phone at all - checked via the phone MAC address - nothing; it just doesn't see it?? :-?
Regards John  8-)
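
ReetP's Reply #10 asks what /var/log/messages or /var/log/dhcpd/current shows as the phone boots and quotes a DHCPACK line; ber's Reply #11 reports searching those logs by the phone's MAC address and finding nothing. The Python script below is an added example (not code from this thread or from SME Server) that automates that check: it parses ISC dhcpd-style log lines, traces the DISCOVER/OFFER/REQUEST/ACK sequence for one MAC, and turns the result into a verdict that says which step of the exchange failed. The sample log lines are constructed; the first client's DHCPACK line mirrors the one ReetP quoted, while the timestamps, the host name "server" and the second MAC are made up. It assumes the syslog line format shown in Reply #10; the multilog format in /var/log/dhcpd/current carries a different timestamp prefix, which the regex ignores because it only keys on the DHCP message text.

```python
import re

# Constructed sample in the format ISC dhcpd writes via syslog. The first
# client's DHCPACK line mirrors the one quoted in Reply #10; everything else
# (timestamps, host name "server", the second MAC) is made up for this example.
SAMPLE_LOG = """\
Jun 12 09:01:02 server dhcpd: DHCPDISCOVER from 00:0b:82:b1:7a:c7 via eth0
Jun 12 09:01:02 server dhcpd: DHCPOFFER on 10.0.0.68 to 00:0b:82:b1:7a:c7 (sip-9001) via eth0
Jun 12 09:01:03 server dhcpd: DHCPREQUEST for 10.0.0.68 (10.0.0.1) from 00:0b:82:b1:7a:c7 (sip-9001) via eth0
Jun 12 09:01:03 server dhcpd: DHCPACK on 10.0.0.68 to 00:0b:82:b1:7a:c7 (sip-9001) via eth0
Jun 12 09:05:10 server dhcpd: DHCPDISCOVER from 80:5e:c0:aa:bb:cc via eth0
Jun 12 09:05:10 server dhcpd: DHCPOFFER on 10.0.0.69 to 80:5e:c0:aa:bb:cc via eth0
"""

# One regex for the five message types: stage, optional address, client MAC.
# It does not depend on the syslog prefix, so multilog-style lines work too.
LINE_RE = re.compile(
    r"\b(DHCPDISCOVER|DHCPOFFER|DHCPREQUEST|DHCPACK|DHCPNAK)\b"
    r"(?: (?:on|for) (\S+))?"
    r".*?\b(?:from|to) ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b"
)


def trace_mac(log_text, mac):
    """Return [(stage, ip_or_None), ...] for every dhcpd line mentioning `mac`."""
    mac = mac.lower()
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(3).lower() == mac:
            events.append((m.group(1), m.group(2)))
    return events


def leased_ip(log_text, mac):
    """Address from the last DHCPACK for `mac`, or None if it never got one."""
    acks = [ip for stage, ip in trace_mac(log_text, mac) if stage == "DHCPACK"]
    return acks[-1] if acks else None


def diagnose(log_text, mac):
    """Name the first step of the DHCP exchange that did not happen for `mac`."""
    stages = {stage for stage, _ in trace_mac(log_text, mac)}
    if not stages:
        return "no-packets"        # dhcpd never saw a frame from this MAC
    if "DHCPACK" in stages:
        return "leased"
    if "DHCPNAK" in stages:
        return "nak"               # server refused the requested address
    if "DHCPOFFER" in stages and "DHCPREQUEST" not in stages:
        return "offer-unanswered"  # offer sent, client never replied
    if "DHCPDISCOVER" in stages and "DHCPOFFER" not in stages:
        return "no-offer"          # discover seen, nothing offered (pool/subnet)
    return "incomplete"


if __name__ == "__main__":
    # On a live server: log_text = open("/var/log/messages").read()
    for mac in ("00:0b:82:b1:7a:c7", "80:5e:c0:aa:bb:cc", "aa:bb:cc:dd:ee:ff"):
        print(mac, diagnose(SAMPLE_LOG, mac), leased_ip(SAMPLE_LOG, mac))
```

The verdicts separate the cases the thread has been circling: "no-packets" (ber's situation) means dhcpd never logged a broadcast from that MAC, so either the frame never reached the server's LAN interface (cable, switch port, VLAN) or dhcpd is not listening on that segment; the dhcpd configuration itself is not the first suspect. "no-offer" and "offer-unanswered" point at the pool or subnet settings, or at something between server and phone dropping the reply, which is the kind of distinction ReetP's static-IP test is meant to draw.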

ReetP
Re: Firewall blocking IP phone access to provider
« Reply #12 on: June 12, 2019, 10:17:29 PM »
Quote
Im told setting static IP on the phones causes issues, whatever the LAN environment.

Sounds like a crock of sh1t to me. I've set plenty of IP phones statically for testing.....

Sounds like advice you give someone you don't trust.

So. Set a static IP outside your DHCPD range and test that please.

(Trying to isolate DHCP issues from general networking here)

Does the phone have some basic network test functionality eg ping/traceroute?

Michail Pappas
Re: Firewall blocking IP phone access to provider
« Reply #13 on: June 28, 2019, 08:34:56 AM »
Quote
So. Set a static IP outside your DHCPD range and test that please.

(Trying to isolate DHCP issues from general networking here)
I would add that if the voip phone has some sort of web admin, you should try reading its log to check what it thinks is going on. Even better, if it supports a full debug log, enable it and check things out.

You could paste some snippets of the debug log here, for evaluation.