XG firewall won't allow outgoing VoIP RTP Traffic

Hello, let me start off by saying that our VoIP system is working fine with a different firewall, so I know everything is good there.

I don’t think this should make a difference to the problem I’m seeing, but I’m using a VLAN interface on our LAN port to reach the phone VLAN.  The phone system connects to the same network switch on an untagged port.  After setting up the DNAT and firewall rules that matched the other firewall for our NEC VoIP system, I can place a call and see the expected SIP traffic in wireshark, but I only get voice coming in from the outside, no voice is going out.

I set up a mirrored port for the phone system and confirmed with wireshark that the phone system is trying to send RTP packets to the correct external IP.  When I run TCPdump on the XG, I can see the expected incoming RTP packets, but as far as I can tell, the RTP traffic from the phone system isn’t even hitting XG port. 

09:05:20.116070 Port1.86, OUT: IP 66.xxx.xxx.xxx.48814 > 192.168.86.6.10208: UDP, length 172
09:05:20.136050 Port2, IN: IP 66.xxx.xxx.xxx.48814 > 216.xxx.xxx.xxx.10208: UDP, length 172
09:05:20.136064 Port1.86, OUT: IP 66.xxx.xxx.xxx.48814 > 192.168.86.6.10208: UDP, length 172
09:05:20.156049 Port2, IN: IP 66.xxx.xxx.xxx.48814 > 216.xxx.xxx.xxx.10208: UDP, length 172
09:05:20.156063 Port1.86, OUT: IP 66.xxx.xxx.xxx.48814 > 192.168.86.6.10208: UDP, length 172
09:05:20.176045 Port2, IN: IP 66.xxx.xxx.xxx.48814 > 216.xxx.xxx.xxx.10208: UDP, length 172
09:05:20.176069 Port1.86, OUT: IP 66.xxx.xxx.xxx.48814 > 192.168.86.6.10208: UDP, length 172

I’ve unloaded the SIP module on the XG. 

I think I must be missing something obvious here. About the only thing I haven't tried yet is setting up another physical port on the XG for the phone system instead of using a VLAN interface, but I don't see any reason that should work vs. what I'm already trying.

Edited TAGs
[edited by: Erick Jan at 5:48 AM (GMT -8) on 15 Nov 2022]
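The capture in the post shows the carrier's RTP arriving on Port2 and leaving on Port1.86 toward the phone system, with no packets ever entering Port1.86 from the phone. As an added example (not from the original post, and not Sophos code), the script below parses tcpdump lines in the format the XG console prints, pairs each flow with its reverse direction per interface, and lists the flows that only ever go one way. The embedded sample capture is constructed: 203.0.113.5 stands in for the carrier, 198.51.100.9 for the firewall's WAN address, and 192.168.86.6 is the phone system as in the post; two-way SIP lines are included so a healthy flow can be seen alongside the broken RTP one.

```python
"""Spot one-way UDP flows in Sophos XG tcpdump output.

Added example, not from the original post. Parses lines of the form
  <time> <iface>, IN|OUT: IP <src>.<sport> > <dst>.<dport>: UDP, length N
and, per interface, pairs every flow with its reverse direction. A flow that
is OUT-only on the LAN-side VLAN interface means the firewall is forwarding
traffic to the phone system but never receives anything back from it.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>[\w.]+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+UDP,\s+length\s+(?P<length>\d+)$"
)

# Constructed sample: 203.0.113.5 = carrier, 198.51.100.9 = firewall WAN,
# 192.168.86.6 = phone system. RTP (port 10208) mirrors the post's symptom;
# SIP (port 5060) is two-way on both interfaces for contrast.
SAMPLE_CAPTURE = """\
09:05:20.116070 Port1.86, OUT: IP 203.0.113.5.48814 > 192.168.86.6.10208: UDP, length 172
09:05:20.136050 Port2, IN: IP 203.0.113.5.48814 > 198.51.100.9.10208: UDP, length 172
09:05:20.136064 Port1.86, OUT: IP 203.0.113.5.48814 > 192.168.86.6.10208: UDP, length 172
09:05:20.156049 Port2, IN: IP 203.0.113.5.48814 > 198.51.100.9.10208: UDP, length 172
09:05:20.156063 Port1.86, OUT: IP 203.0.113.5.48814 > 192.168.86.6.10208: UDP, length 172
09:05:20.200001 Port1.86, OUT: IP 203.0.113.5.5060 > 192.168.86.6.5060: UDP, length 612
09:05:20.210001 Port1.86, IN: IP 192.168.86.6.5060 > 203.0.113.5.5060: UDP, length 430
09:05:20.210020 Port2, OUT: IP 198.51.100.9.5060 > 203.0.113.5.5060: UDP, length 430
09:05:20.250000 Port2, IN: IP 203.0.113.5.5060 > 198.51.100.9.5060: UDP, length 612
"""


def parse_capture(text):
    """Return one dict per UDP line; lines in any other format are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkt = m.groupdict()
        for field in ("sport", "dport", "length"):
            pkt[field] = int(pkt[field])
        packets.append(pkt)
    return packets


def flow_directions(packets):
    """Count IN and OUT packets per (iface, out_src, out_dst).

    The key is normalised so both directions of one conversation collide:
    out_src is the source of OUT packets (and destination of IN packets),
    out_dst the destination of OUT packets (and source of IN packets).
    Because the pairing is done per interface, NAT on the other side of the
    firewall does not matter.
    """
    counts = defaultdict(lambda: {"OUT": 0, "IN": 0})
    for p in packets:
        src, dst = (p["src"], p["sport"]), (p["dst"], p["dport"])
        key = (p["iface"], src, dst) if p["dir"] == "OUT" else (p["iface"], dst, src)
        counts[key][p["dir"]] += 1
    return dict(counts)


def one_way_flows(text):
    """List flows with traffic in only one direction on an interface.

    Each entry is (iface, "out_src:port", "out_dst:port", out_count, in_count).
    """
    result = []
    for (iface, a, b), c in sorted(flow_directions(parse_capture(text)).items()):
        if c["OUT"] == 0 or c["IN"] == 0:
            result.append((iface, f"{a[0]}:{a[1]}", f"{b[0]}:{b[1]}", c["OUT"], c["IN"]))
    return result


if __name__ == "__main__":
    for iface, a, b, n_out, n_in in one_way_flows(SAMPLE_CAPTURE):
        print(f"{iface}: {a} -> {b}  OUT={n_out} IN={n_in}  (nothing in the other direction)")
```

Run against the sample it reports only the two RTP entries (OUT-only on Port1.86, IN-only on Port2) and nothing for SIP, which is the same picture the post describes. An OUT-only flow on the VLAN interface is a useful discriminator: on a Linux-based firewall tcpdump sees a packet on the ingress interface before the firewall rules run, so a packet dropped by a rule would still show up as IN here and in the drop-packet-capture. If it never shows as IN at all, the frame is not reaching the firewall, which points at the switch or VLAN path. To check the tagging theory from the replies, capture on the parent interface from the advanced shell with `tcpdump -e -n -i Port1` and read the link-layer header: frames the phone system sends tagged print `802.1Q` with the VLAN id, untagged ones do not.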
  • Personally, I need to have the SIP module ON for our VoIP to work. What version of SFOS are you using? I'm not a VLAN expert, but I hear you saying "phone VLAN" and "untagged port", which seems contradictory, but maybe I'm just not familiar enough with the lingo.

    Have you checked all logs (Firewall Rules, App Filter, etc, etc) to make sure there's no documentation of the traffic being dropped? And have you tried drop-packet-capture in the Console (option 4, under the Advanced Shell it has a different name).

    Also, what is the VLAN number for Port1.86? Hopefully not VLAN 1.

  • I'm running version 19.0.0.

    VLANs can get confusing, but my terminology is probably off because I've been dealing with Aruba/HP switches vs. Cisco for the last few years. In this case, an untagged port just means that the switchport is stripping off the VLAN tag before sending out the frame and any return traffic has the tag added back on. That being said, now you have me wondering if the return traffic is missing because the phone system is sending out tagged traffic after all. Something to check...

    Everything I can see in the firewall logs through the GUI shows me the same thing I see from TCPdump. I can see the RTP traffic coming in from our ISP and getting forwarded to the phone system's IP, but nothing about the RTP traffic from the phone system is showing up on the Sophos. I can see the SIP traffic in both directions though, and that uses nearly identical DNAT and firewall rules as I'm using for the voice communication. The only differences are the ports in use and the IPs involved.

    I didn't think of the App Filter, I'll take a look at that when I next get a chance.

  • Hi KMD_Comp

    Please post the service host that you have created for the voice server under System --> Hosts and Services --> Services and applied on the DNAT firewall rule and on the NAT rule, as we have to make sure all the ports related to the voice server are forwarded on the firewall rule as well as on the NAT rule.

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.
