
WebRTC / Google Hangouts Blocked

Does anyone know if there's a way to get WebRTC traffic (used by Google Hangouts) to work through an XG firewall?

I just purchased two IP intercom units from www.nucleuslife.com, got them set up on my network, and confirmed that they have Internet/WAN connectivity (I can ask Alexa to do things and get responses).  The problem is they cannot see each other on my LAN.  Each knows the other exists through my Nucleus account, but they show the other as "offline", thus cannot place calls.  I've gone through all my firewall, IPS, etc. logs and show no signs of any traffic being blocked or dropped.  I temporarily created new firewall rules allowing 'any' hosts and services from LAN to LAN, LAN to WAN and even WAN to LAN but it still didn't work.

I contacted Nucleus support and they said something in my network is blocking the WebRTC protocol.  Two direct quotes from them below:

  • "They should be able to contact each other without using the Internet. Are you able to use Google Hangouts on your network? We use the same protocol. Both TCP and UDP ports need to be available, but not any specific ones."
  • "As neither device is seen by the mobile app, it sounds like WebRTC is being blocked by some configuration."

With that information I decided to try placing a Hangouts call from my PC on the LAN to my wife's cell phone.  It sat there saying "connecting..." but her phone never rang, nothing came through, and again, no blocked traffic in the various logs.  Googling for Sophos and Hangouts led me to these two links:

The second link is not helpful, other than to suggest that XG blocking Google Hangouts is a known issue?  The first link is specific to UTM, but suggests an external MTU-related solution.  I will look into that deeper this evening after work, but I don't suspect that will be my answer.  My devices are trying to talk LAN-to-LAN and per the support tech they should not need to go out to the WAN to connect.  As such, I don't think a WAN MTU setting could be the culprit?

Does anyone have any thoughts or suggestions?  Can anyone confirm that Google Hangouts is or is not working through their XG Firewall?

Thanks,
Marc



This thread was automatically locked due to age.
  • Just a quick followup regarding additional troubleshooting last night and this morning.  I wanted to narrow down whether my switch or router (Sophos) was causing the blockage.  As such, I took a spare port on my XG (port 3) and added it to the LAN zone, and created a DHCP server for it.  I then connected a dumb unmanaged switch to that port, and the two intercom units to that switch.  The idea was to remove my current managed switch from the equation, removing VLANs and other complexities as well, dumbing down to just a basic physical network with nothing on it but the two intercoms.

    On the Sophos, I have the following two rules at the top of my firewall:

    In this configuration the two intercoms got an IP and had Internet/Alexa access, but still cannot see or call each other.  According to the manufacturer's comments above, this is due to the WebRTC protocol being blocked.  The only place it can be being blocked in this simple configuration is the XG software, but I still can't see where. 

    There is no IPS, WAF, etc. policy being applied by my firewall rules, and the rules are full-open for any host and service on the LAN.  There is still nothing in any logs indicating dropped communication.  All DoS prevention under IPS is turned off, and my ATP protection is enabled but set to "log only".

    One last test that only further confuses the issue is that in this configuration with the intercoms not seeing each other, I *was* able to make a Hangouts call from my desktop PC (on VLAN 1) to my cell phone on WiFi (VLAN 40).  Voice and video from the phone were received by the PC, and the PC has no mic or camera so I couldn't tell if voice and video could make it back, but I have to assume it would have.  So if Google Hangouts works and the intercoms do not I might be chasing a wild goose...?  I will contact the intercom company again today and see if they have any additional suggestions.  And of course, suggestions from the forums here are most appreciated as well.

  • For completeness, I wanted to mention that I've actually tested 4 different switches now, connected to the XG firewall.  The original managed switch was a TP-LINK TL-SG2424P.  I've since tried three unmanaged switches, a Dell PowerConnect 2608, a DLink DGS-2208, and a TrendNet TE100-S5.  The latter one was a junk 10/100 switch I had lying around, just seeing if it made any difference vs. the other three being Gigabit.

    So I feel comfortable saying at this point that the switches are not blocking communication.  Later today when I can bring the network down I plan to swap out the XG firewall for an off the shelf Netgear router to see if that allows the intercoms to communicate.  That should conclusively show whether the problem lies in the XG or not.  And hopefully by then I'll have more feedback from Nucleus as well.
