Setup firewall - VOIP service allow

Admittedly I don’t understand what I’m doing beyond the basics. Everything seems to work fine except that there are issues using the IP Phones. From their documentation, it seems the issue is a block of UDP on port 69. However, I’ve disabled that rule and still no luck.

Considering the importance of phones (actually, this is a problem with internal calls, external work ok) I’m faced with switching to use the Comcast Business modem/router for this one reason. I really don’t want to admit defeat and do that, but they need their phones.

The phone documentation says…

Routers and Switches
Power over Ethernet (PoE) switches are highly recommended, as they eliminate the need for individual power adapters for each phone and also allow for centralized power redundancy. Additional benefits include extending phones into hard to reach areas (without surge protector and extension cord) and virtually separating voice and data traffic.
All on-premise hardware are network devices that require at least a commercial router to function properly. The router selected should have the following capabilities:
DHCP. Devices should receive an internal IP address assignment via Dynamic Host Configuration Protocol (DHCP). Each endpoint will consume an IP address.
NAT. All Network Address Translation (NAT) connections must be left open for at least 60 seconds.
QoS. In a converged network, Quality of Service (QoS) must be applied to prioritize voice traffic over all other traffic types.
Additional configuration recommendations include:
Avoid Double-Nating. Ideally, you will need to have only one device performing routing functions.
Disable SPI. SPI allows the router to approve or deny any information packets that flow through it for security reasons. However, it often incorrectly identifies VoIP traffic as a security risk. If you are experiencing connectivity issues, consider disabling SPI.
Disable SIP ALG. These are other security features that sometimes prevent traffic from flowing properly. If you are experiencing connectivity issues, consider disabling SIP ALG.
Firewalls
Firewalls should allow end points to access HTTP, HTTPS, and UDP traffic on the network. End points must be allowed to both send and receive TCP and UDP packets on arbitrary ports and to arbitrary IP addresses. Some network ports may need to be opened manually.
Firewalls should be configured with the following settings for optimal functionality:
System Access. Please ensure open inbound/outbound access to the following IP addresses:
64.255.74.187, ports 5060 to 5090 and port 69
64.255.74.188, ports 5060 to 5090 and port 69
64.255.76.67, ports 80, 443
64.54.192.26, ports 80, 443
64.255.64.30, ports 80, 443
174.129.241.97 ports 80, 443
50.19.91.154, ports 80, 443
Persistent NAT Connections. NAT keep-alive requests must be allowed every 30 seconds.
HTTP. HTTP over port 80 must be enabled.
SIP. Multiple UDP connections must be allowed on ports 5060 through 5090 and port 69.
RTP. Internally-initiated UDP requests must be allowed on ports 49152 through 65535 for audio.
NTP. UDP traffic must be allowed on port 143 for Network Time Protocol (NTP).

I admit my firewall rules might suck, but here’s what I got…

# mar/20/2015 21:58:56 by RouterOS 6.24
# software id = UR4X-GLKD
#
/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid
add chain=input comment="Allow Established connections" connection-state=\
    established
add chain=input comment="Allow ICMP" protocol=icmp
add chain=input in-interface=!ether1 src-address=192.168.4.0/24
add action=drop chain=input comment="Drop everything else"
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid protocol=tcp
add chain=forward comment="allow already established connections" \
    connection-state=established
add chain=forward comment="allow related connections" connection-state=\
    related
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward comment="Int range - class D and E multicasts" \
    src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny TFTP" disabled=yes dst-port=69 \
    protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 \
    protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 \
    protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 \
    protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOrifice" dst-port=3133 protocol=\
    tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" disabled=yes dst-port=69 \
    protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" dst-port=111 \
    protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" dst-port=135 \
    protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOrifice" dst-port=3133 protocol=\
    udp
add chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add chain=icmp comment="host unreachable fragmentation required" \
    icmp-options=3:4 protocol=icmp
add chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

Note I have the port 69 rules disabled (though technically I don’t need the tcp on 69 disabled).

So any thoughts as to why the VOIP might be having issues? (or if you see any flaws with my rules there).
Thanks,
-Jeff
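As an added example (not part of the original post and not MikroTik code), here is a small Python checker that parses a RouterOS `/ip firewall filter` export in the format shown above and walks the forward chain the way RouterOS does (first terminating match wins, a jump whose target falls through returns to the caller, and a packet no rule decides on is accepted) for the ports the phone documentation lists. It assumes a new packet from a LAN phone to the provider, models only `protocol`, `dst-port`, `connection-state` and `disabled`, and uses a constructed excerpt of the posted rules as its input.

```python
import re
# Constructed excerpt of the poster's /ip firewall filter export, kept in the
# same format (RouterOS backslash continuations) so the checker runs stand-alone.
EXPORT = """\
/ip firewall filter
add action=drop chain=forward comment="drop invalid connections" \\
    connection-state=invalid protocol=tcp
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=drop chain=tcp comment="deny TFTP" disabled=yes dst-port=69 \\
    protocol=tcp
add action=drop chain=udp comment="deny TFTP" disabled=yes dst-port=69 \\
    protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
"""
# Matchers the simulator models; a rule using any other matcher (addresses,
# address lists, interfaces) is treated as not hitting a LAN-to-provider probe.
KNOWN = {"action", "chain", "comment", "disabled", "protocol", "dst-port",
         "connection-state", "jump-target"}
def parse_rules(export):
    """Join continued lines, then split each 'add ...' line into a key=value dict."""
    joined = re.sub(r"\\\n\s*", "", export)
    return [{k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', line)}
            for line in joined.splitlines() if line.startswith("add ")]

def matches(rule, proto, dport, state="new"):
    """True if a probe packet (protocol, dst-port, connection state) hits the rule."""
    if (set(rule) - KNOWN or rule.get("disabled") == "yes"
            or rule.get("connection-state", state) != state
            or rule.get("protocol", proto) != proto):
        return False
    lo, _, hi = rule.get("dst-port", "0-65535").partition("-")
    return int(lo) <= dport <= int(hi or lo)

def verdict(rules, chain, proto, dport):
    """First terminating match wins; jumps descend; None = nothing decided (accept)."""
    for r in (r for r in rules if r["chain"] == chain):
        if not matches(r, proto, dport):
            continue
        action = r.get("action", "accept")  # RouterOS default action is accept
        if action == "jump":
            action = verdict(rules, r["jump-target"], proto, dport)
        if action in ("accept", "drop", "reject"):
            return action
    return None

def check_voip(rules):
    """Ports the vendor document lists, plus udp/137 as a known-dropped control."""
    probes = [("udp", 5060), ("udp", 69), ("udp", 49152), ("tcp", 80), ("tcp", 443), ("udp", 137)]
    return {f"{p}/{d}": verdict(rules, "forward", p, d) or "accept" for p, d in probes}
```

With the posted rules every vendor port comes back "accept" (the disabled TFTP rules are skipped), so whatever is blocking the phones is not a port drop in this filter. The checker does not model the NAT connection timeout, keep-alive interval or SIP ALG items the vendor document also lists.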