I want to set up a free wireless hotspot network for my VoIP customers to make VoIP calls.
But I want to allow only those customers who are using my SIP servers, and they can use VoIP only. All other traffic like http, skype, … will be blocked.
The SIP client uses port 5060 to talk to the SIP servers, and it will use other ports to talk with the other SIP client after the connection is established. If those other ports are blocked, SIP won't work.
If the SIP account gets verified, then add the IP address of the user to an address list and set the firewall rules to accept traffic destined to those devices once the session is established.
You can do that from your firewall rules.
Please post the sample configuration!
You can use L7 and drop the protocol SIP.
So far, L7 and connection-type=SIP do not work well. I mean they cannot detect SIP traffic.
However, if it does work, how do we do that? Since I want to allow only my customers who use my SIP service to use my wireless hotspot for free. Other connections will be blocked.
First of all, how do you identify your clients?
Can anyone reach your SIP servers, or only specific clients?
Do you authenticate before you give out IPs, or do you use DHCP to give an IP to anyone?
Everyone can connect to the wireless. There won't be any key or login page.
BUT customers can only use the SIP service that is provided by us.
Other services like http, smtp, skype, … will be blocked.
You need a PC with Wireshark (packet sniffer), unless you already know what the confirmation packet is that the SIP server sends back after the user gets authenticated…
From there you can set a firewall rule to add the users to an authenticated-user list,
i.e.
let's say your SIP server replies with an “Authentication 202” packet when the user gets authenticated.
So your filter rule will be:
/ip firewall filter
# the server's reply to the client passes through the router (it is not addressed to the router itself), so it is matched in the forward chain
add chain=forward src-address=<your server IP> content="Authentication 202" action=add-dst-to-address-list address-list=AllowedUsers
So the above rule will add all users authenticated by your SIP server into an address list.
Then you need to configure your filters to allow traffic from and to this address list (local to outside-world traffic):
/ip firewall filter
add chain=forward src-address-list=AllowedUsers action=accept
add chain=forward dst-address-list=AllowedUsers action=accept
add chain=forward src-address-list=!AllowedUsers action=drop
add chain=forward dst-address-list=!AllowedUsers action=drop
From here onwards you need to add filter rules so you don’t allow authenticated users to browse the web. If the users go through your SIP proxy before escaping to the outside world, you should create a rule to allow communication only to the SIP proxy. If your users don’t go through your SIP proxy, then you should mark new connections for SIP and lock down all known ports (except DNS) so you don’t allow any other traffic than SIP.
The plan is to allow only SIP traffic. Even though a user is using my SIP service, he can only use SIP traffic to the outside. All other protocols will be blocked.
No, it is not done yet. I don’t want to provide a SIP proxy to the client. The client will connect to the server only for the initial connection. After the connection is established, the client will talk directly to the peer on other ports besides 5060, as you know.
Then mark the connection to the client and add it to the list. You can do the same thing, but for the remote IP. Even better, block the known ports and add the IP addresses of your clients to the allow list. Then any traffic flowing from them or to them will pass through the filters.
It is ALL in the list. Everything from here onwards depends on the rules you add to that list. No proxy is needed.
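Putting the thread's pieces together (learn the client address from the registrar's reply, then restrict the listed clients to UDP so signalling and the dynamically negotiated RTP ports still work while web, mail and the like are dropped), here is a complete RouterOS filter set. It is an added example, not a configuration posted in this thread. The interface name wlan1, the client subnet 10.10.0.0/24, the registrar address 192.0.2.10 and the matched reply text "SIP/2.0 200 OK" are all placeholders that must be replaced with values confirmed by a packet capture on the real network.

```routeros
# Added example (not from the thread): RouterOS filter rules for a SIP-only hotspot.
# Assumed placeholders: hotspot clients on interface wlan1 (10.10.0.0/24),
# SIP registrar at 192.0.2.10 listening on UDP 5060, and a successful REGISTER
# answered with a packet containing "SIP/2.0 200 OK".

/ip firewall filter

# 1. Learn authenticated clients. This rule must sit BEFORE the established/related
#    accept, because the registrar's reply belongs to an already tracked UDP flow and
#    would otherwise be accepted before reaching this rule. add-dst-to-address-list is
#    non-terminating, so the reply continues down the chain after being recorded.
#    The timeout lets an entry expire when a client stops re-registering.
add chain=forward src-address=192.0.2.10 protocol=udp src-port=5060 \
    content="SIP/2.0 200 OK" action=add-dst-to-address-list \
    address-list=AllowedUsers address-list-timeout=1h \
    comment="SIP hotspot: learn clients the registrar accepted"

# 2. Keep connection state: packets of accepted flows pass, invalid ones drop.
add chain=forward connection-state=established,related action=accept \
    comment="SIP hotspot: established/related"
add chain=forward connection-state=invalid action=drop \
    comment="SIP hotspot: invalid"

# 3. Every hotspot client may resolve names and reach the registrar's SIP port,
#    which is all that is needed to REGISTER; nothing else is open at this stage.
add chain=forward in-interface=wlan1 protocol=udp dst-port=53 action=accept \
    comment="SIP hotspot: DNS"
add chain=forward in-interface=wlan1 protocol=udp dst-address=192.0.2.10 \
    dst-port=5060 action=accept comment="SIP hotspot: SIP to registrar"

# 4. Listed clients may send UDP only (SIP signalling plus RTP media to call peers
#    on whatever high ports the call negotiates). TCP-based services such as web
#    and mail never match here and fall through to the default drop.
add chain=forward in-interface=wlan1 src-address-list=AllowedUsers \
    protocol=udp action=accept comment="SIP hotspot: UDP from allowed clients"
# Inbound calls and media start from the peer, so allow UDP toward listed clients.
add chain=forward out-interface=wlan1 dst-address-list=AllowedUsers \
    protocol=udp action=accept comment="SIP hotspot: UDP to allowed clients"

# 5. Default deny for the hotspot segment in both directions.
add chain=forward in-interface=wlan1 action=drop \
    comment="SIP hotspot: drop everything else from clients"
add chain=forward out-interface=wlan1 action=drop \
    comment="SIP hotspot: drop everything else to clients"
```

Two limits of this design are worth knowing before relying on it. First, the content match is a heuristic: a 200 OK is also the registrar's normal answer to requests that need no account (OPTIONS, for instance), so an address can land on AllowedUsers without a valid subscription; confirming the exact reply in a capture, as suggested above, narrows this, and driving the list from the SIP server's own accounting rather than from packet contents would close it. Second, because RTP ports are negotiated per call, a listed client is allowed UDP to any destination, not only to the call peer; that is the trade-off the thread settles on when it rules out a SIP proxy, and a proxy or media relay that fixes the media path is what would let the rules be tightened further.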