UCM6202 only receives inbound call after an outbound call was made


#1

We can not receive inbound phone calls, except shortly after an outbound phone call is made, then inbound works but only for a short amount of time.

We are using Twilio for trunking, it shows that the system is unreachable during this time.

What would cause this?
Port forwarding is setup on our Nighthawk X6 R8000 router to the assigned ip address of the UCM6202.

UDP/TCP 5060-5080
UDP/TCP 10000-20000
UDP/TCP 6670
UDP/TCP 8089-8090

Thank you.


#2

While you indicate you have port forwarding engaged, it still sounds like a NAT issue.

When you make a call, the system is sending packets through the firewall, and in return the firewall keeps those ports open in anticipation of a possible response. If no traffic is seen, the ports will close after a period, and then no further traffic will be allowed in until such time as outbound packets open the ports back up.

In addition to the router, there are various areas in the UCM where NAT is addressed. While not mentioned and possibly not a concern regarding your issue, you should also ensure that SIP ALG is disabled in the router.

I am assuming that the UCM is set to switch mode.
In the trunk settings, disable NAT.
In the PBX Settings, SIP Settings, NAT:

  1. Ensure that your public IP or FQDN is inserted in the external host field.
  2. The SDP box below should be checked.
  3. Your internal LAN subnet should be entered in the section below.
  4. In the same area, you will note the external UDP port. I am assuming it reads 5060 and the same 5060 will likely be present in the general settings of the SIP Settings. If so, then you should change the router setting to forward port 5060 UDP to the UCM. Unless you are using TCP as a transport, only use 5060 UDP and eliminate the UDP/TCP 5060-5080. There is no point in opening up ports that are not used.
  5. In the RTP settings in the UCM, lower the upper end and make it 10000-10250. Make the same change in the router. The UCM comes with 10000 ports by default, but will use no more than 100; 250 is the lowest.
  6. I do not know why 6670 is open and it should be closed.
  7. Port 8089 is TCP only and used for remote web access in a forward. I encourage you to rethink this as it will show on a port scan that hackers use to identify potential targets. They will see the port during a scan, and then try and attack it, and once they get the webpage, they will know that it is a phone system and you are only asking for trouble.

As an aside, the Nighthawks are a decent residential router, but it’s just that: designed for the home and more so for WiFi. It lacks a firewall that is robust enough to protect the UCM. By this I mean that it does not have the capability to be told to allow this IP to come on in, but block this one and/or this one or all others in your forwarding rule. While it does have some rudimentary QoS settings, it lacks true bandwidth shaping capability. I mention this as again hackers will discover the open ports and then start to attack the UCM to see if they can get a phone to connect, to log in, or possibly launch a DoS attack. It may not happen for a while and perhaps never, but the odds are against you.
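The pinhole behaviour described in the reply above, modelled as an added example (this is not code from the thread, from Grandstream or from any router vendor). It replays a constructed timeline of SIP packets through a toy stateful NAT: an outbound call opens a pinhole that lets inbound traffic through for a while and then closes, which reproduces the "inbound only works shortly after an outbound call" symptom; a static forward of 5060/UDP removes that dependency. The timeout value, port numbers and timestamps are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class StatefulNat:
    """Minimal model of a consumer router's UDP connection tracking (constructed for illustration)."""
    udp_timeout: float                                   # idle seconds before a pinhole closes
    forwards: set = field(default_factory=set)           # static (proto, port) forwards to the PBX
    pinholes: dict = field(default_factory=dict)         # (proto, port) -> expiry timestamp

    def outbound(self, proto: str, port: int, now: float) -> None:
        """An outbound packet opens (or refreshes) a pinhole for replies to that port."""
        self.pinholes[(proto, port)] = now + self.udp_timeout

    def inbound_allowed(self, proto: str, port: int, now: float) -> bool:
        """A static forward always admits the packet; otherwise a live pinhole is required."""
        if (proto, port) in self.forwards:
            return True
        expiry = self.pinholes.get((proto, port))
        return expiry is not None and now < expiry


# Constructed timeline (seconds): inbound INVITEs from the trunk provider and one outbound call.
TIMELINE = [
    (0,   "in",  "udp", 5060),   # inbound call attempt before any outbound traffic
    (10,  "out", "udp", 5060),   # PBX places an outbound call, opening a pinhole
    (30,  "in",  "udp", 5060),   # inbound call shortly after: within the pinhole lifetime
    (100, "in",  "udp", 5060),   # inbound call later: pinhole has expired
]


def run_scenario(forward_sip: bool, udp_timeout: float = 60.0) -> list:
    """Replay TIMELINE and report the fate ('accepted'/'dropped') of each inbound packet."""
    nat = StatefulNat(udp_timeout=udp_timeout)
    if forward_sip:
        nat.forwards.add(("udp", 5060))     # the single 5060/UDP forward recommended above
    results = []
    for t, direction, proto, port in TIMELINE:
        if direction == "out":
            nat.outbound(proto, port, t)
        else:
            results.append("accepted" if nat.inbound_allowed(proto, port, t) else "dropped")
    return results


if __name__ == "__main__":
    print("pinholes only   :", run_scenario(forward_sip=False))   # ['dropped', 'accepted', 'dropped']
    print("5060/udp forward:", run_scenario(forward_sip=True))    # ['accepted', 'accepted', 'accepted']
```

The middle result in the first run is the "works for a short amount of time" window from the original post; how long it lasts depends on the router's UDP idle timeout, which is why the symptom looks intermittent rather than a hard failure.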


#3

Can you give me a recommendation for a better router for business use?


#4

There are plenty, much of which depends on how savvy you are and what the pocket book allows.

MikroTik: great low cost, does about everything, but the learning curve may be a bit steep and reliance on the wiki may or may not prove satisfying. Folks who use them love them, as they are the best bang for the buck.

Draytek: somewhat hard to find in the US outside of distribution channels. A more traditional style of set-up and, for me, my go-to, as it is pretty straightforward, which allows me to talk clients through changes if needed and I can’t remote in at the time.

Ubiquiti is reported to be good as well. Somewhat in the same vein as MikroTik, but not as flexible, though easier to work with to a point. It has a CLI that can be accessed to truly get into the meat that the GUI may not allow.

The following are also good, but likely too pricey and many have a subscription model to keep things up to date.
SonicWall
Barracuda
Sophos

There are others, and more will probably chime in with their picks. Regardless of make/model, you need to look at the NAT throughput specs, object-oriented firewall, bandwidth management, QoS, VPN capabilities, and the features you need for the other.


#5

I made all of the changes you suggested and so far everything seems to be working properly.

Thank you for all of your help. I will update this thread if things change, and I will look into the routers that you suggested.