RingCentral network testing
I've got a Netgate 6100 set up at a client and everything normal is working fine - has been for months. We're now trying to see if they'll be able to support VoIP phones and their phone provider is telling us to run testing on several machines using the https://www.ringcentral.com/support/qos.html site. I've downloaded the required BCS service and tried on more than one machine, but it will not load the test.
Here's what I've done so far:
- Whitelisted the stated IPs and URLs with the requested ports in the RingCentral documentation
- Ruled out antivirus as being the issue by:
  - Uninstalling the antivirus and disabling all Windows Defender modules
  - Installing the same antivirus and policies on my own machine connected in a different physical location and running the test, which works fine
- Turned off pfBlockerNG for now to ensure that's not interfering
- Cleared all the states in the state table
- Rebooted the 6100
- There's nothing showing as blocked logged in the firewall related to the machine I'm using for testing
- The machine's local Windows firewall is turned off
I've also run a packet capture on the computers in question and looked through it in Wireshark and compared it to a machine's packet capture that is successful in running the test and I can only see that there's a point in the stream where it seems one TCP conversation ends and another is supposed to begin, but the machine that can't run the test never sends a SYN to start the next part of the conversation, while the machine that is successful does start the next part of the conversation. On the machine that fails to run the test there are no TCP or UDP errors or lack of ACKs from the other side, it just never seems to try to continue the stream with no apparent errors or reason.
This seems to be something related to pfSense because I also fail to run the test when using a different machine on a different network, but also behind a pfSense installation. This holds true for two other pfSense networks which are independent of the client in question.
Since there's nothing showing as being blocked in the firewall logs, I looked further and the only thing I can see that shows up when I try to run the test are two entries in the DNS Resolver log:
filterdns 17834 failed to resolve host cloudfront.net will retry later again.
filterdns 17834 failed to resolve host mvp.ringcentral.com will retry later again.
Both of these domains (cloudfront.net, mvp.ringcentral.com, and others required by the documentation) are whitelisted for port 443 and any other port numbers and protocols the documentation lists, but they can't be resolved every time a test runs. I also can't resolve these domains on any other system, but it doesn't seem to matter so long as they're not behind a pfSense box.
Does anyone have any RingCentral experience or can anyone point me in a direction to continue troubleshooting this?
-
Resolved
Found the problem - it was DNS. The software "server" they run for part of the test creates a localhost link to bcs.visualworks.com, requiring it to resolve to 127.0.0.1. However, if pfSense is involved, it tries to resolve it outside, can't, and so fails. I found if I input DNS servers in the workstation IPv4 configuration that point outside the router, it worked, but obviously not the best solution, so I put a Host Override in pfSense for that domain to point to 127.0.0.1 and it works on all the workstations now.
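
The check described in the resolution above, as an added example that is not part of the original post: run on a workstation, it reports whether bcs.visualworks.com resolves to loopback, fails to resolve (the symptom in this thread), or resolves to a non-loopback address, which would send traffic meant for the local test service off the machine. The function and status names are hypothetical; only the hostname comes from the post.

```python
import ipaddress
import socket

# Hostname taken from the post; all other names here are hypothetical.
LOCAL_SERVICE_HOST = "bcs.visualworks.com"


def system_resolve(host):
    """Return the set of addresses the OS resolver gives for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    # Drop any IPv6 scope suffix ("%eth0") so ipaddress can parse it.
    return {info[4][0].split("%")[0] for info in infos}


def check_loopback_name(host, resolve=system_resolve):
    """Classify how host resolves on this machine.

    Returns (status, addresses), where status is one of:
      "ok"         - every returned address is loopback (127.0.0.0/8 or ::1)
      "unresolved" - the lookup failed or returned nothing
      "external"   - at least one address is not loopback
    """
    try:
        addrs = sorted(resolve(host))
    except socket.gaierror:
        return "unresolved", []
    if not addrs:
        return "unresolved", []
    if all(ipaddress.ip_address(a).is_loopback for a in addrs):
        return "ok", addrs
    return "external", addrs


if __name__ == "__main__":
    status, addrs = check_loopback_name(LOCAL_SERVICE_HOST)
    print(f"{LOCAL_SERVICE_HOST}: {status} {addrs}")
    # Non-zero exit lets a deployment script flag workstations that need the override.
    raise SystemExit(0 if status == "ok" else 1)
```

The `resolve` parameter exists so the classification can be exercised without a network; on a workstation the default uses the same resolver path the test software would.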