Using GWN7000 in bridge mode with a UCM 6300A


#1

I have installed a UCM 6300A IPBX behind a Cisco RV series router (I tried two models: RV 160 and RV 340) but experience some SIP connection losses.

The UCM works perfectly if connected directly to the internet connection, but I think it is safer to use a separate firewall and not only the UCM security features.

Do you know if I can buy and use a Grandstream GWN7000 in bridge mode (without any address translation), and how to configure this bridge mode?

Have you tried using this configuration with a Grandstream IPBX?

Thank you very much for your advice, and sorry if I made English spelling errors (I’m a native French speaker).


#2

I only use Draytek routers; they support the SIP protocol correctly, have an integrated firewall and, very importantly, have integrated QoS.


#3

The RV series should work without issue and certainly without the need for the GWN.

Have you:

  • Configured port forwarding?

  • Disabled any SIP ALG that may be present in both the RV and the ISP modem?

  • Configured the NAT settings in the UCM?

If not, then do the above and check. Once you have established a reliable connection that can accommodate both inbound and outbound calling, establish your firewall rules to filter IPs so that only the ones you want can access the UCM while keeping everything else out. Enable Fail2Ban and whitelist any desired IPs.


#4

I think I have configured port forwarding correctly: all data from the IP address of our SIP provider to the private address of the IPBX, and reciprocally.

The SIP ALG box is not checked on the RV routers. I do not have access to all the configuration of the ISP modems (one fiber and one ISDN), but it works correctly without the routers.

Regarding the NAT settings on the UCM, I checked the NAT box in VoIP Trunk Configuration (without that I had no connection at all with the trunk), but maybe I forgot another configuration that is needed.

I certainly use Fail2Ban.

The problem is that the IPBX works normally for a few hours, then we have Timeout messages on the phones for some calls to mobile phones (often during the first ring). A few minutes later, the connection to the SIP trunk is completely off for a few minutes and one time, all the internet traffic through this connection was blocked.

I think that maybe the NAT translation by the routers needs delays, and maybe some security feature on the router blocks the traffic.

That’s why I tried to set the routers to bridge mode: after reading testimonies on this forum, I think I have no need of address translation if the IPBX and the phones are alone on the internet connection (we use separate links with VPN for classic internet traffic).

Unfortunately, when I tried to configure one of the Cisco routers yesterday, I broke the reset button (the router was quite old), and I already had issues with this router if I logged in using a computer not configured with an English keyboard.

That’s why I want to buy another router which works in bridge mode, and the French internet reseller where I bought the UCM can sell the GWN7000 at a low cost (actually, a lot of other routers take a long time to become available in Europe).

Thank you for your help.


#5

Which model of Draytek router do you recommend that is simple to use (web configuration), can easily work without address translation (only providing firewall functions) and works fast enough?

I have no need for wireless capability.

Thank you


#6

If you are sitting behind a firewall, which you are, the NAT box in trunk settings is not needed, uncheck it.

The NAT settings that you need are in PBX Settings, SIP Settings and NAT. Input your public IP or FQDN, check the SDP box and then enter your local LAN segment at the bottom.


#7

Draytek Vigor2865 series on up


#8

Reading the UCM documentation, I thought the NAT checkbox in the trunk section was needed, and it seemed to work.

I will try next week your solution, one day with not a lot of business calls.

For security purposes, I have no remote access to the UCM web configuration, but according to the documentation I need to complete:

  • the public fixed IP address of my internet connection: no problem

  • the external UDP port: my trunk provider classically uses 5060 for SIP and 10000-60000 for RTP. I assume I only need to mention 5060

  • the external TCP and TLS ports: I’m not sure if they are used

  • the local network addresses: I’m not very familiar with abbreviated subnet masks, but I think 192.168.2.0/24 is correct

Thank you again


#9

You could only need ports 10000-10250, and set the same in router forwarding.


#10

Hello everyone

I followed both of your advice and:

  • I have configured the UCM in switch mode with NAT settings in the SIP settings (the only little problem is that I will need to make changes if I use the backup internet connection with another public IP address),

  • I also bought a Draytek Vigor 2865 router because my old Cisco router doesn’t work anymore.

Now it seems to work normally.

Thank you very much to all of you.

According to the router logs, I have some little problems with the firewall configuration, because some UDP connections from the IP address of the trunk provider seem to be blocked contrary to the rules.

Also, the automatic mail sending from the UCM doesn’t work when the firewall is on.

I think I will create another topic in the IPBX section because it’s not a Grandstream router issue.


#11

The UDP ports: did you set the same ones in the UCM as you have in the router? If not, they need to be. Also, use open ports instead of port redirection; this provides 1:1 NAT. So, if using 5060 for SIP, 10000-10250 for RTP and 4000-4999 for fax (T.38), you merely use UDP for all and then set the ranges to 5060-5060, 10000-10250 and 4000-4999. The source IP should be any.

Then in the firewall rules, create a Block rule for SIP using source ports 1-65535 to destination ports 5060-5060, with a source IP of any and a destination IP of the PBX, and set it to block unless further match.

Then the second rule should read Allow for SIP using source UDP ports 5060 to 5060 with a destination port of 5060, from the IP of the provider to the destination IP of the UCM, and with Pass immediately.

You can set up objects to define the IPs and services, and then group them if need be. This can be handy in the setup so that if you have more than one provider or remote devices, you can group them and then specify the group in the rules rather than having to create more rules.

You will note that the RTP ports are not in my firewall rules. There is no need, as they are in the open ports, and as the provider may use numerous media servers with varying IPs that may change, you likely do not know them and might inadvertently block them. As the UCM is a purpose-built device, there really is no security risk, as the port only becomes active when a call is made and the binding to the port is accomplished. It will not respond to any scan.
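To make the rule logic in this post concrete, here is an added Python model of it (example code, not DrayTek or Grandstream code): a 1:1 "open ports" stage that forwards only the listed UDP ports to the UCM, followed by the two filter rules, where "block unless further match" is a provisional verdict that a later "pass immediately" rule can override. The provider and UCM addresses, the scanner address and the default policy for packets no rule matches are all constructed assumptions; the post implies a pass default since its RTP flows reach the UCM with no rule of their own.

```python
"""Model of the open-ports + filter-rule design for a UCM behind a DrayTek.

Added example; addresses are TEST-NET / RFC 1918 placeholders (assumed).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

PROVIDER_SIP_IP = "203.0.113.5"   # assumed placeholder for the trunk's SIP server
UCM_IP = "192.168.2.10"           # assumed placeholder for the UCM on 192.168.2.0/24

# "Open ports" (1:1 NAT): WAN port N is forwarded unchanged to UCM port N,
# source IP "any", so SIP signalling sees the same port numbers the router sees.
OPEN_PORTS = {"udp": [(5060, 5060), (10000, 10250), (4000, 4999)]}


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str       # address after the 1:1 NAT, i.e. the UCM's LAN address
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_net: Optional[str]        # None means "any"
    src_ports: Tuple[int, int]
    dst_net: Optional[str]
    dst_ports: Tuple[int, int]
    action: str                   # "block_unless_further_match" | "pass_immediately"


def _port_in(port: int, rng: Tuple[int, int]) -> bool:
    return rng[0] <= port <= rng[1]


def _ip_in(ip: str, net: Optional[str]) -> bool:
    return net is None or ip_address(ip) in ip_network(net)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_ip_in(pkt.src_ip, rule.src_net)
            and _ip_in(pkt.dst_ip, rule.dst_net)
            and _port_in(pkt.src_port, rule.src_ports)
            and _port_in(pkt.dst_port, rule.dst_ports))


def forwarded_by_open_ports(pkt: Packet) -> bool:
    """Only WAN ports listed under open ports reach the UCM at all."""
    return pkt.dst_ip == UCM_IP and any(
        _port_in(pkt.dst_port, r) for r in OPEN_PORTS.get(pkt.proto, []))


# The two filter rules from the post, in evaluation order.
RULES = [
    Rule("block-sip-from-anyone", None, (1, 65535), UCM_IP + "/32", (5060, 5060),
         "block_unless_further_match"),
    Rule("pass-provider-sip", PROVIDER_SIP_IP + "/32", (5060, 5060),
         UCM_IP + "/32", (5060, 5060), "pass_immediately"),
]


def inbound_decision(pkt: Packet, rules=RULES, default: str = "pass"):
    """Return (verdict, reason) for an inbound WAN->LAN packet.

    Packets not covered by open ports are never forwarded. Otherwise walk the
    rules: a pass_immediately match ends evaluation; a block_unless_further_match
    sets a provisional block that a later pass can override. `default` is the
    assumed policy when no rule matches.
    """
    if not forwarded_by_open_ports(pkt):
        return ("drop", "not-an-open-port")
    verdict, reason = default, "default-policy"
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "pass_immediately":
            return ("pass", rule.name)
        verdict, reason = "block", rule.name
    return (verdict, reason)


if __name__ == "__main__":
    samples = [
        Packet("udp", PROVIDER_SIP_IP, 5060, UCM_IP, 5060),      # provider INVITE
        Packet("udp", "198.51.100.77", 43210, UCM_IP, 5060),     # assumed scanner
        Packet("udp", "203.0.113.40", 20004, UCM_IP, 10100),     # unknown media server
        Packet("udp", "203.0.113.40", 20004, UCM_IP, 30000),     # outside open range
        Packet("udp", PROVIDER_SIP_IP, 4433, UCM_IP, 5060),      # provider, odd src port
    ]
    for p in samples:
        print(f"{p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}", inbound_decision(p))
```

The last sample shows the caveat worth knowing before copying the rule set: the pass rule requires a source port of 5060, so a provider that signals from another source port would fall through to the block rule. If the default policy is Block rather than pass, the RTP flows from unknown media servers would also need a pass rule of their own, since nothing else matches them.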


#12

Thank you again.

I didn’t expect such a detailed response on Sunday.

I don’t use exactly the same logic but the results should be the same.

Since this connection only carries VoIP and occasionally the notebook I use for configuration (and I have no remote phones), I chose Block as the default rule.

Then, the first two filter rules are:

  • To allow all traffic (pass immediately) from the internal IP of the UCM to the public address of the SIP trunk.

  • To allow all traffic (pass immediately) from the public address of the SIP trunk to any internal IP address.

I tried both writing this public address literally and using an object (which I finally use).

For the first rule, it works normally according to the firewall logs.

But I don’t understand why the firewall blocks this traffic (for example):

<134>Jun 9 18:02:59 DrayTek: [FILTER][Block][WAN->LAN/RT/VPN, 79:55:19 ][@S:R=13:1, 94.XXX.XXX.XXX:14506->192.168.XXX.XXX:17762][UDP][HLen=20, TLen=200]

<134>Jun 9 18:02:59 DrayTek: [FILTER][Block][WAN->LAN/RT/VPN, 79:55:19 ][@S:R=13:1, 94.XXX.XXX.XXX:14506->192.168.XXX.XXX:17762][UDP][HLen=20, TLen=200]

<134>Jun 9 18:02:59 DrayTek: [FILTER][Block][WAN->LAN/RT/VPN, 79:55:19 ][@S:R=13:1, 94.XXX.XXX.XXX:14506->192.168.XXX.XXX:17762][UDP][HLen=20, TLen=200]

<134>Jun 9 18:02:59 DrayTek: [FILTER][Block][WAN->LAN/RT/VPN, 79:55:19 ][@S:R=13:1, 94.XXX.XXX.XXX:14506->192.168.XXX.XXX:17762][UDP][HLen=20, TLen=200]

<134>Jun 9 18:02:59 DrayTek: [FILTER][Block][WAN->LAN/RT/VPN, 79:55:19 ][@S:R=13:1, 94.XXX.XXX.XXX:14506->192.168.XXX.XXX:17762][UDP][HLen=20, TLen=200]

I assume the IP addresses are not secret, but configuring a firewall seems to push one toward paranoia and I prefer to hide them with XXX; they are really the ones I allow in the second filter rule.

Maybe my problem is in the NAT section.

I read in the manual that “Open ports” keeps the ports open forever, which seems dangerous to me, especially because the SIP trunk provider instructions are to open port 5060 and all ports from 10000-60000 with the UDP (RTP) protocol, but only from its address.

With “Open ports” option, are ports used open for everyone or for one unique IP address?

Then I use:

  • port redirection for 5060 UDP from the SIP provider address to the internal address of the UCM,

  • port triggering for ports 10000 to 60000 (both internal and external) from the SIP provider address, but these settings don’t allow me to restrict the triggering to a specific private address.

Maybe that’s my mistake, but I don’t want to leave ports open too long if they could be open for everyone, or if malicious traffic could send packets which seem to come from popular SIP providers.

I already told you I am a bit paranoid!

These blocked packets came from and to various ports, from the SIP provider address to the UCM address, but more often during the day (probably when phone calls are made).

Anyway, the blocked packets don’t seem to cause phone failures, and that is my main concern.

Since you seem to master Draytek configuration, I have another little question: the fiber modem of the internet provider tries to discover the private network by sending UDP packets to 239.255.255.250:1900.

The default rule blocks them and that’s fine for me, but to make the firewall logs easier to read, I tried to create a filter rule which blocks these packets immediately, and I unchecked the syslog box.

It doesn’t seem to work, since these packets are still listed as blocked in the log files.

Thank you again for all your support.

Patrice
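The question in this post is whether the blocked flows really come from the allowed provider address, and which rule set blocked them. As an added example (not from the poster, DrayTek or Grandstream), here is a small Python parser for the `[FILTER]` log format shown above that extracts the action, the `@S:R=set:rule` reference, the addresses, ports and protocol, and then sorts the Block events into "expected", "SSDP noise" and "blocked although the source is the allowed provider". The sample lines are constructed from the format in the post with TEST-NET / RFC 1918 placeholders; the reading of `@S:R=13:1` as "filter set 13, rule 1" is an assumption.

```python
"""Parse DrayTek [FILTER] syslog lines and flag blocks that contradict an allowlist.

Added example. Sample lines are constructed (placeholder addresses), not the
poster's real log; the set:rule interpretation of @S:R is assumed.
"""
import re
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the format shown above (addresses are placeholders).
SAMPLE_LOG = """\
<134>Jun 9 18:02:59 DrayTek: [FILTER][Block][WAN->LAN/RT/VPN, 79:55:19 ][@S:R=13:1, 203.0.113.5:14506->192.168.2.10:17762][UDP][HLen=20, TLen=200]
<134>Jun 9 18:03:01 DrayTek: [FILTER][Block][WAN->LAN/RT/VPN, 79:55:21 ][@S:R=2:1, 198.51.100.77:43210->192.168.2.10:5060][UDP][HLen=20, TLen=412]
<134>Jun 9 18:03:04 DrayTek: [FILTER][Block][WAN->LAN/RT/VPN, 79:55:24 ][@S:R=13:1, 192.0.2.1:1900->239.255.255.250:1900][UDP][HLen=20, TLen=160]
<134>Jun 9 18:03:05 DrayTek: [FILTER][Pass][WAN->LAN/RT/VPN, 79:55:25 ][@S:R=2:2, 203.0.113.5:5060->192.168.2.10:5060][UDP][HLen=20, TLen=620]
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) DrayTek: "
    r"\[FILTER\]\[(?P<action>\w+)\]\[(?P<direction>[^\]]*)\]"
    r"\[@S:R=(?P<set>\d+):(?P<rule>\d+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\]"
    r"\[(?P<proto>\w+)\]"
)


def parse_line(line: str) -> Optional[Dict]:
    """Return a dict of fields for one [FILTER] line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("pri", "set", "rule", "sport", "dport"):
        d[key] = int(d[key])
    d["direction"] = d["direction"].split(",")[0]   # drop the uptime counter
    return d


def parse_log(text: str) -> List[Dict]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(events: List[Dict], provider_ips: List[str], ucm_ip: str,
           rtp_range: Tuple[int, int] = (10000, 60000)) -> List[Tuple[str, str, str]]:
    """Classify Block events so the ones that contradict the allow rules stand out.

    rtp_range defaults to the provider's stated 10000-60000 media range.
    """
    allowed = {ip_address(ip) for ip in provider_ips}
    ucm = ip_address(ucm_ip)
    findings = []
    for e in events:
        if e["action"] != "Block":
            continue
        src, dst = ip_address(e["src"]), ip_address(e["dst"])
        if dst.is_multicast and e["dport"] == 1900:
            kind = "ssdp-noise"                      # modem discovery, harmless to drop
        elif src in allowed and dst == ucm:
            lo, hi = rtp_range
            kind = ("unexpected-block-from-provider-rtp"
                    if lo <= e["dport"] <= hi else "unexpected-block-from-provider")
        else:
            kind = "expected-block"
        findings.append((kind, f"set {e['set']} rule {e['rule']}",
                         f"{src}:{e['sport']}->{dst}:{e['dport']}/{e['proto']}"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG), ["203.0.113.5"], "192.168.2.10"):
        print(*f)
```

Run against a real export, the `set`/`rule` pair on each "unexpected-block-from-provider-rtp" line tells you which rule fired before the provider pass rule; if it is the default rule, the packet never matched the allow rule at all, which points at the NAT stage (port triggering not having opened that port yet) rather than at the filter itself.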


#13

The open ports set up 1:1 so that the router is not using ephemeral ports. We want the SIP messaging to correlate to the physical ports seen. We allow “any” under the assumption that the firewall is the gateway that either allows or denies who can and cannot use the ports established for the UCM.

In the open ports we also stated the ports used for the audio. The UCM default is from 10000-20000, not to 60000 as there is no 60000. The highest port is 56535. As the UCM typically uses symmetric ports (meaning that the inbound and outbound audio use the same port), there is no need to dedicate 10001 ports; instead you can cut this down to the minimum of 250 ports, as this will support 250 calls, or if not symmetric 125 calls, so any range using 250 as the interval is plenty.

Because the provider is unlikely to use the same IP for its media server as it does for the SIP server, and you may not know what those IPs may be, I use “any” for the open ports and then use the firewall to allow the desired SIP IPs, as I do not care about the RTP ports. It is SIP that sets up and breaks down the calls and, in doing so, indicates what ports and IP will be used. The RTP ports are useless until such time as a call is made/taken and the ports negotiated and then bound to the call. They will not respond to a scan or anything else, as there is no underlying binding to a service until an active call is in progress. You do not want to block RTP.

The IP 239.255.255.250 is used for UPnP. You should be able to disable this in any/all devices. You will find the setting in the Draytek under Applications.


#14

Thank you again for all the time you dedicated to my questions.

If the firewall can block the packets from bad IPs, I will try to open some ports as you recommend and then read the logs to see if there are still connections being blocked.

I think the SIP provider wants exaggerated simplicity, but it is really written 10.000 to 60.000!

As for UPnP, it’s not the router which uses it, it’s the internet provider modem, which I cannot configure.

But I don’t know why they appear in the logs, since I created a firewall data filter rule to block them and unchecked the syslog box.