This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

FritzBox vor UTM - SIP Problem

Hallo,

Netzwerk:

WAN (Telekom) -> Fritzbox (192.168.1.1, DECT, Entertain) -> UTM 9(exposed Host, DHCP 192.168.2.0/24) -> DoorBird (Video-Türstation, 192.168.2.78)

Was soll funktionieren?

DoorBird (SIP Client) -> FritzBox (SIP Server) -> DECT -> Mobil C4/C5

oder einfacher: Klingelt jemand sollen neben den WLAN Clients auch die Fritz-Mobilgeräte Klingeln und ein Bild übertragen.

Situation:
UTM ->Network Protection -> VOIP -> SIP
SIP Server: 192.168.1.0/24 [FritzBox (WAN)]
SIP Client: 192.168.2.78 [DoorBird]

Firewall: Port 80,123,443,5060,5353 freigegeben für 192.168.1.0/24 [FritzBox (WAN)]

Problem:
Klingelt jemand am Tor klingeln die FritzBox Mobilteile C4/C5 nicht und es wird kein Bild angezeigt.
FullNAT funktioniert nicht, da FritzBox WAN bereits in einer Masqueradinge Rule verwendet wird.

2018:12:20-00:02:29 hheim ulogd[27677]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" 
name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x1bd" app="445" srcmac="xxxxxxx" 
dstmac="yyyyyyyyyy" srcip="192.168.2.78" dstip="192.168.1.1" proto="17" length="546" tos="0x00" prec="0x00" ttl="64" srcport="5060" dstport="5060"

Lösung?

Grüsse

This thread was automatically locked due to age.

Parents

0 BAlfson over 6 years ago

Hallo Georg,

Erstmal herzlich willkommen hier in der Community !

(Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

srcip="192.168.2.78" dstip="192.168.1.1"

Please show pictures of the Edits of the firewall rule that should have allowed this as well as pictures of the Edits of the objects used in the firewall rule.

MfG - Bob (Bitte auf Deutsch weiterhin.)
Cancel
Vote Up 0 Vote Down

Cancel
0 Georg E over 6 years ago in reply to BAlfson

Hallo Bob,

danke für die Antwort - attached the firewall configuration as asked...

Srcip = 192.168.2.78

Dstip = 192.168.1.1

Grüße
Cancel
Vote Up 0 Vote Down

Cancel
0 Georg E over 6 years ago in reply to Georg E

vergessen...

... restlichen Ports analog.

Grüße
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 6 years ago in reply to Georg E

That was what I suspected, Georg. I bet you will see traffic blocked in the firewall log. See #3 in Rulz.

MfG - Bob (Bitte auf Deutsch weiterhin.)
Cancel
Vote Up 0 Vote Down

Cancel
0 Georg E over 6 years ago in reply to BAlfson

hello again,

that's exactly my problem - see link to firewall log in my first post.
so i have to use ANY as destination network?
sorry - don't get it :-D

regards
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 6 years ago in reply to Georg E

The problem is not the firewall rule, Georg, it's the fact that the "FritzBox 7490" Host definition is bound to a specific interface. That causes WebAdmin to create code that doesn't apply to traffic in the FORWARD chain.

WebAdmin manages databases of objects and settings. The configuration daemon creates the code that actually makes the UTM work based on the content of those data bases.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 6 years ago in reply to Georg E

The problem is not the firewall rule, Georg, it's the fact that the "FritzBox 7490" Host definition is bound to a specific interface. That causes WebAdmin to create code that doesn't apply to traffic in the FORWARD chain.

WebAdmin manages databases of objects and settings. The configuration daemon creates the code that actually makes the UTM work based on the content of those data bases.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Georg E over 6 years ago in reply to BAlfson

Merry christmas - Bob,

sorry to say that - but i tried everything - first the reasonable things, then - well everything, after utterly desperation took hook of me.

Binding the Host to a specific interface is not correct - but that's what you do when you get desperate.
You guess? ... - ... does not work without the binding eigher.

Regards and cheers

solution:
i give it up, oder a zyxel modem and put the FritzBox bhind the UTM - hope it works.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 6 years ago in reply to Georg E

Hopefully, that will give you a better result, Georg.

Fröhliche Weihnachten ! - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 Georg E over 6 years ago in reply to BAlfson

Frohes Neues Jahr!

So ... - ... nun sitzt die Fritzbox hinter der UTM mit Zyxel Modem. SIP und VOIP funktionieren ohne
Probleme. Nur T-Entertain will jetzt nicht mehr ...

Grüße
Cancel
Vote Up 0 Vote Down

Cancel
0 ThomasBachmaier over 6 years ago in reply to Georg E

Hi,

es gab vor einiger Zeit mal einen Thread zu Entertain über die UTM https://community.sophos.com/products/unified-threat-management/f/german-forum/58737/t-home-entertain-iptv#pi2353=15

Aber Achtung wenn Du Änderungen an den Pakteten der UTM vornimmst ist der Support weg.

Entertain läuft bei der Telekom über VLAN 8, wenn deine Vermittlungsstelle schon auf BNG umgestellt wurde über VLAN 7

Grüße Thomas
Cancel
Vote Up 0 Vote Down

Cancel
0 Georg E over 6 years ago in reply to ThomasBachmaier

Danke für den Tip - hatte ich schon umgesetzt und es läuft bei mir nicht wirklich stabil.

Daher habe ich derzeit Folgendes umgesetzt:

FritzBox1 (DECT) -> UTM -> FritzBox2 (SIP-Videosprechanlage)

|

T-Entertain

Nachteil: ich habe 2 Fritztelephone die nue für die Videotürsprechanlage
verwendet werden können.

Lieber wäre mir:

FritzBox1 -> UTM -> FritzBox2 (SIP-Videosprechanlage, DECT )

|

T-Entertain

Nur leider bekomme ich die Fritzbox2 nicht dazu sich auf den Telekom

VOIP Server zu verbinden. Kann am Doppel-NAT liegen - glaube ich aber

nicht.

Grüße
Cancel
Vote Up 0 Vote Down

Cancel