eir Fibre to the Home and SIP Inbound calls…

So frustratingly, I haven’t posted in waay too long here, but been busy with work ‘n stuff!

This year (in January) I was lucky enough to upgrade my traditional DSL @ 30Mbps to FTTH (Fiber to the Home) @ 300Mbps, and it’s crazy fast! I love it (I cannot say this enough! I love it to bits!!) It makes working at home such a pleasure. However one frustrating thing about the solution is that they migrate away from your traditional copper telephone line, to a SIP trunk across the fiber.

Now, I don’t play well with provider supplied modems, and the Huawei modem supplied, while it would work, doesn’t give me any control over content available at my house (i.e. protect my kids’ online activities, keeping their eyes away from things they should never see at their ages!)

I played with the idea of dragging an old Cisco ATA out of storage and loading the SIP image to it and fudging it until it worked (Cisco ATAs were a b*tch to configure even back in the day when I was working with VoIP), so I had a brain fart – why not put the supplied Huawei modem behind my own firewall of choice – Sophos XG.

While this kind of worked – for the first few minutes all was well, until I discovered that inbound calls started failing – it seems the SIP registration was going stale, and inbound SIP calls disappeared into the ether. They wouldn’t work until you kicked an outgoing call off to re-register, open whatever ports on the firewall etc, until they closed again, and nobody would ring you!

This is where things got desperate – eir in all their wisdom, don’t use standard SIP ports, so unfortunately Sophos XG’s SIP awareness was kicked into blindness. And its SIP awareness is not configurable. D’oh, why oh why eir, why oh why!

OK, so after some digging (there’s not much out there in googleland, other than a few helpful pointers on Reddit and boards.ie) and some tcpdumps to see what was going on on my firewall, it seems that I needed to create some inbound NAT translations to the external IP (the WAN address) of my supplied Huawei router. Here’s what I did.

  1. Give the WAN address a static IP, maintaining the eir DNS servers (otherwise nothing works!) – also remember to disable the VLAN ID, as this is only required when connected directly to the FTTH box installed at your home.
  2. DNS Servers for eir are: 159.134.0.1 and 159.134.0.2
  3. Configure gateway etc as you require at your house.
  4. In Sophos XG, create a new firewall ‘business application rule’ using the template ‘DNAT/Full Nat/Load Balancing’
  5. Name it to your demanding standard naming convention – I chose ‘Allow SIP from eir to Internal’ – imaginative I know! Create this rule at the top of your ruleset.
  6. Source: WAN; Allowed Client Networks: Any
  7. Destination host/network: Select your WAN port; Services: Eir_SIP (Detail below – create your own custom service)
  8. Forward To Protected Server(s): Create a host entry with your Huawei WAN address (you configured a static IP for this earlier in step 1); Protected Zone: LAN
  9. Leave all else as default, you can choose to enable logging for this rule if required. Save!!

Services Custom Definition:

I created a custom definition for the service, it’s created as follows:

Name: Eir_SIP
Type: TCP/UDP

Protocol   Source Port   Destination Port
TCP        1:65535       6050
UDP        1:65535       6050
TCP        1:65535       10000:10100
UDP        1:65535       1000:10100
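
Because the DNAT rule above accepts any WAN source, every destination port in the service definition is reachable from the Internet. The following is an added example, not part of the original post: it takes the four rows of the table as written and reports which ports are forwarded for one protocol but not the other, without deciding which row is the intended one (the function names are made up for this sketch).

```python
# Rows copied from the Eir_SIP table in the post: (protocol, destination ports).
EIR_SIP = [
    ("TCP", "6050"),
    ("UDP", "6050"),
    ("TCP", "10000:10100"),
    ("UDP", "1000:10100"),
]


def parse_ports(spec):
    """Turn '6050' or '10000:10100' into an inclusive (low, high) tuple."""
    low, _, high = spec.partition(":")
    low, high = int(low), int(high or low)
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"bad port spec: {spec!r}")
    return low, high


def exposed(rows):
    """Map each protocol to the set of destination ports the rule forwards."""
    ports = {}
    for proto, spec in rows:
        low, high = parse_ports(spec)
        ports.setdefault(proto.upper(), set()).update(range(low, high + 1))
    return ports


def to_ranges(ports):
    """Collapse a set of ports into sorted inclusive (low, high) ranges."""
    ranges = []
    for p in sorted(ports):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def asymmetry(rows):
    """Ranges open for one protocol but not the other: {proto: [(low, high)]}."""
    ports = exposed(rows)
    tcp, udp = ports.get("TCP", set()), ports.get("UDP", set())
    return {"TCP": to_ranges(tcp - udp), "UDP": to_ranges(udp - tcp)}


if __name__ == "__main__":
    for proto, ports in exposed(EIR_SIP).items():
        print(proto, len(ports), "ports forwarded:", to_ranges(ports))
    print("only one protocol:", asymmetry(EIR_SIP))
```
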

 

Credit for this goes to boards.ie user cnocbui at this post:

https://www.boards.ie/vbulletin/showpost.php?p=110875525&postcount=9622

So far, so good. It’s been reliable for the last 24 hours and anyone can ring me now 🙂 Though they probably won’t, they have my mobile number anyway!!

Hope this post helps anyone out there, let me know if it has!
Liam.


4 Responses to eir Fibre to the Home and SIP Inbound calls…

  1. Pat Fitzsimons says:

    Hi.

    I tried to post this the other day but it didn’t seem to work.

    I have been trying to do something similar to what you have done. I have a Netgear D7000 nighthawk router setup and working perfectly in place of the old F2000. I am on the standard eir broadband connection not the FTTH that you are using. The main reason I went down this road is that after I introduced a couple of new wifi relay switches into the house the wifi on the F2000 became very erratic, disconnecting regularly and taking ages to reconnect sometimes.

    The whole wan and lan side of the setup is working perfectly after a few tweaks but I have no phone now because it is a voip line from eir. I tried to get around this by connecting the original F2000 to one of the lan ports on the nighthawk and just like you I have the problem that the phone does work to ring out from and you can call it back for a short while after that but then nothing.

    I have the F2000 on a static port and I was trying to figure out what exactly that you did to send the ports (5060 and 10000 – 10100) on to the F2000. I don’t have a firewall setting in the nighthawk so after some searching I opted to port forward the above ports to the F2000 but this hasn’t been successful.

    I don’t know if you have used the netgear router that I am talking about but any pointers in the right direction would be much appreciated.

    Thanks, Pat.

  2. Liam says:

    Hi Pat, sorry for the late reply!
    Not sure if you got this sorted, but unfortunately I’ve had no experience in the nighthawk routers, but did come across two posts which may (or may not) help:

    https://kb.netgear.com/8219/How-to-setup-Inbound-Outbound-firewall-rules-on-NETGEAR-Modem-router-gateways

    https://community.netgear.com/t5/Nighthawk-WiFi-Routers/Firewall-settings/td-p/510090

    The second goes through an option to install a 3rd party firmware like DD-WRT, if your router supports it.

    Hope you’re well!
    Liam

  3. Dermot says:

    hello
    Anybody know how to do this with Vodafone gigabox??

  4. Joe says:

    Hi Liam,

    Nice post, with most of the info needed (which really should be on the eir website !!). Thanks for posting.

    I am now at the FTTH stage and am shortly to have it installed. I too, will use my own router, but it does not have an ATA port. I have a Cisco phone with SIP image, and would use it if possible (behind a firewall they can be configured to periodically maintain the connection). Would even consider using a Cisco ATA (after dusting it off).

    For SIP, I’m wondering if eir are using some generic credentials or customer specific credentials and whether those are made available to you at installation, or can you find them in the provided CPE somewhere ?

    (Finally, you might have not intended the range 1000:10100 in the UDP line of your policy above. The original poster on boards, mentioned just 10000 and 10100.)

    Kind regards,

    Joe
