Wifi calling setup in PFSense
-
@jt40 said in Wifi calling setup in PFSense:
I have an iPhone and I need to enable the ports 500 and 4500 with UDP
Is this for a VOIP system run over a VPN?
Those ports aren't needed for carrier calling over WiFi -
@jt40 said in Wifi calling setup in PFSense:
I need to disconnect the iPhone from WiFi to see the changes applied to those rules,
If there are open states those need to be terminated.
https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#check-the-state-tableDefine "enable the ports"?
You don't need any inbound NAT or firewall rules for the phone to connect out.
There have been past threads about Wi-Fi calling problems but I have never had to do anything special.
What cellular company do you have?
-
@jknott said in Wifi calling setup in PFSense:
I use WiFi calling and it works fine. I didn't have to do anything to enable it.
Very strange, you need to allow the inbound, I just tested it.
Inbound communications are blocked by default, it would be VERY STRANGE if it wasn't like that, especially for traffic coming from WAN.
Anyway, my WAN is nothing else than another LAN, but the router above doesn't block anything :D .@rcoleman-netgate said in Wifi calling setup in PFSense:
@jt40 said in Wifi calling setup in PFSense:
I have an iPhone and I need to enable the ports 500 and 4500 with UDP
Is this for a VOIP system run over a VPN?
Those ports aren't needed for carrier calling over WiFiIt's for WiFi calling, no VOIP, probably the protocol is the same, but it's called WiFi calling and it requires ports 500 and/or 4500 with UDP, I just tested it.
@steveits said in Wifi calling setup in PFSense:
@jt40 said in Wifi calling setup in PFSense:
I need to disconnect the iPhone from WiFi to see the changes applied to those rules,
If there are open states those need to be terminated.
https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#check-the-state-tableDefine "enable the ports"?
You don't need any inbound NAT or firewall rules for the phone to connect out.
There have been past threads about Wi-Fi calling problems but I have never had to do anything special.
What cellular company do you have?
Thanks for that link, I'll verify if it was my case.
I don't need Inbound rules to connect out, but I need both :D , that is:
OUTBOUND AND INBOUND rules for port 500 and 4500 with UDP
My setup is the following:
ISP modem/router
PFSense Router
L2 Switch
APBasically, the PFSense WAN points to another LAN.
Due to my Private VLANs, I need those rules, but by default, my FW always blocked every communication, in inbound and outbound.
In fact, without an ALLOW ALL OUTBOUND I was never able to leave the VLAN, for internal and external communications.
I don't have doubt on the INBOUND because this is always blocked by default, hence, without an INBOUND rule no one can call me.Thanks everyone, we may close this thread, unless someone wants to add something, your answers are suspicious, quite different from my testing, no offense, I'm just trying to fully understand if it was me not explaining the problem well, or having wrong knowledge about firewalls (I'm not an expert), or I made some weird setup initially.
-
@jt40 said in Wifi calling setup in PFSense:
Very strange, you need to allow the inbound, I just tested it.
Normally, the firewall recognizes the inbound as part of the same connection as the outbound.
-
@jknott said in Wifi calling setup in PFSense:
@jt40 said in Wifi calling setup in PFSense:
Very strange, you need to allow the inbound, I just tested it.
Normally, the firewall recognizes the inbound as part of the same connection as the outbound.
I think you're right, I just tested it after having rebooted the router, just to be sure.
I have a question, I understand that point, but is this not in direct contrast with DENY all in INBOUND by default?
Or is it just an automated way to process rules in order to avoid to do it manually? -
@jt40 Denying inbound on WAN handles unsolicited connections. If a device connects out, then it is expected the server response should be allowed. The open "state" of the connection allows this.
Some don't even hold the connection open, for instance the app may subscribe to a "push notification" which despite its name, isn't a direct connection from some random server on the Internet to the device. The notification tells the app to connect out and process the call, for example. (or retrieve an email, etc.)
-
@jknott said in Wifi calling setup in PFSense:
I use WiFi calling and it works fine. I didn't have to do anything to enable it.
Same.
A VPN on the phone might be the problem.
-
@bob-dig said in Wifi calling setup in PFSense:
A VPN on the phone might be the problem.
That's the only logical reason 500 and 4500 would be in play.
-
It depends on where the connection originates. With outgoing connections, incoming is matched to it. With incoming, there is no outgoing to match with and so it's dropped.
-
@rcoleman-netgate said in Wifi calling setup in PFSense:
@bob-dig said in Wifi calling setup in PFSense:
A VPN on the phone might be the problem.
That's the only logical reason 500 and 4500 would be in play.
Auch, I have a VPN, but it's the stupid VPN for filtering the traffic by my AV, which honestly seems doing nothing...
Definitely it doesn't tunnel my traffic, it's called VPN but I think it's just a proxy for traffic monitoring, that can eventually block your traffic if you visit unsafe remote addresses.I noticed that not only with iPhone, but also with Android if I remember well.
In any case, the ports 500 and 4500 are required by Apple, not even my carrier: https://support.apple.com/en-us/HT202944
Switching scenario, I think that the port requirement is the reason why I can't record my calls with iPhone, unless I install some third party applications and give App permissions... Apple doesn't allow you to record calls, you don't even have a way to set permissions...
(The cost of these apps is unbelivable...) -
@jt40 said in Wifi calling setup in PFSense:
In any case, the ports 500 and 4500 are required by Apple, not even my carrier: https://support.apple.com/en-us/HT202944
" IKEv2"
It's for a VPN.
You initiate it locally, it goes out and locks on to the Carrier's system.