Description:

In some scenarios, a SIP PBX is operated in a local network behind a LANCOM router and the necessary ports are forwarded by the router to the SIP PBX. If problems arise in this scenario, the manufacturer of the PBX often initiates a firewall check via the Internet. This is the case with the manufacturer 3CX, for example. 

If this firewall check always uses the same source port, the router's firewall only allows the first session. All further sessions are discarded because the return route is ambiguous. A firewall trace then produces the message "conflicting rules for UDP sessions - packet dropped". The firewall check will then fail.

For the firewall check to succeed, you need to create a separate firewall rule on the LANCOM router to allow the data traffic for the firewall check.

During normal operation the source port will almost never be the same, since it is usually selected at random.



Requirements:


Procedure:

1) In LANconfig, open the configuration dialog for the router and switch to the menu item Firewall/QoS → IPv4 Rules → Rules.

2) Create a new firewall rule, give it a descriptive name and set the Priority to the highest value 9999, so that it takes precedence over all other rules. If another rule already has the priority 9999, the priority of that other rule must be adjusted downwards so that the rule for the firewall check takes effect ahead of it.

3) Switch to the Actions tab, delete the action REJECT and add the action ACCEPT instead.

4) Go to the Stations tab, under Connection source select the option Connections from the following stations and click Add → Add custom station.

5) Use the option An IP address or range of addresses and fill out the fields From IP address and To IP address with the IP address of the server on the Internet from which the firewall check is initiated (in this example 81.81.81.1).

Please ask the respective manufacturer of the PBX used for the IP address. Alternatively, you can also find out the IP address using a firewall trace on the router.

6) Under Connection destination, set the radio button to connections to the following stations and click Add → Add custom station.

7) Use the option An IP address or range of addresses and fill out the fields From IP address and To IP address with the IP address of the PBX on the local network (in this example 192.168.1.100).

8) Go to the Services tab, under Protocols/target services select the option the following protocols/target services and click Add.

9) Select the protocol UDP.

10) This concludes the configuration of the firewall rule. Write the configuration back to the router.

After a successful firewall check, the rule must be deactivated again. To do this, remove the tick mark next to This rule is active for the firewall.
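
For step 5, the address of the checking server can be read from a firewall trace. The following is an added example, not LANCOM or 3CX code: it scans saved trace text for the drop message quoted above and reports each source/destination pair whose dropped packets all used one source port. The trace layout, the field names and the sample entries are constructed assumptions; adapt the pattern to the output of your router.

```python
import re
from collections import defaultdict

DROP_MSG = "conflicting rules for UDP sessions - packet dropped"  # message quoted on this page

# Constructed sample trace. The layout and field names are assumptions for
# illustration, not guaranteed LCOS output; 203.0.113.7 is a documentation address.
SAMPLE_TRACE = """\
[Firewall] entry 1
DstIP: 192.168.1.100, SrcIP: 81.81.81.1, Prot.: UDP (17), DstPort: 5060, SrcPort: 40000
packet accepted
[Firewall] entry 2
DstIP: 192.168.1.100, SrcIP: 81.81.81.1, Prot.: UDP (17), DstPort: 5061, SrcPort: 40000
conflicting rules for UDP sessions - packet dropped
[Firewall] entry 3
DstIP: 192.168.1.100, SrcIP: 81.81.81.1, Prot.: UDP (17), DstPort: 5062, SrcPort: 40000
conflicting rules for UDP sessions - packet dropped
[Firewall] entry 4
DstIP: 192.168.1.100, SrcIP: 203.0.113.7, Prot.: UDP (17), DstPort: 5060, SrcPort: 51234
packet accepted
"""

FIELD = re.compile(r"(SrcIP|DstIP|SrcPort|DstPort):\s*([0-9.]+)")

def find_check_sources(trace):
    """Map (src_ip, dst_ip) to the sorted source ports seen on dropped packets."""
    hits = defaultdict(set)
    # Split the trace into entries at each (assumed) "[Firewall]" header line.
    for entry in re.split(r"(?m)^\[Firewall\].*$", trace):
        if DROP_MSG not in entry:
            continue
        fields = dict(FIELD.findall(entry))
        if {"SrcIP", "DstIP", "SrcPort"} <= fields.keys():
            hits[(fields["SrcIP"], fields["DstIP"])].add(int(fields["SrcPort"]))
    return {pair: sorted(ports) for pair, ports in hits.items()}

def rule_stations(trace):
    """Pairs whose drops all share one source port: candidates for steps 5 and 7."""
    return [pair for pair, ports in find_check_sources(trace).items() if len(ports) == 1]

if __name__ == "__main__":
    for src, dst in rule_stations(SAMPLE_TRACE):
        print(f"Connection source {src} -> Connection destination {dst} (UDP)")
```

Confirm any address found this way with the PBX manufacturer before entering it as the connection source, since the rule accepts all UDP traffic from that address to the PBX while it is active.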