T-Mobile WIFI Calling
-
Hello all,
Long time PFSense user and I am having issues with Tmobile WIFI calling after some recent changes.
I was running 2.2.1 on an old Watchguard device and everything worked fine. I built a new firewall running on VMWare running 2.2.2 and copied the settings over from the old firewall (some through XML, some by hand). Since using the new firewall my Samsung S5 (Android) will not connect to Tmobile's WIFI calling service. I can go to other WIFI networks (like the one at work) and it connects straight away. It looks as if Tmobile create an IPSEC tunnel on UDP/4500, I see the session on pfsense but the phone is showing errors still.
Other Tmobile phones (my wife has a WinMo phone) just create a SIP session on 5061 and that seems to work just fine.
I have attached a screenshot of the session I see in the states page. I have tried disabling the IPSEC service as I know this sometimes uses 4500 as well, but this did not help.
Can anyone suggest how I might further debug this issue before I pull the rest of my hair out?
Thank you kindly.
M
-
That looks like it's trying to establish an IPSec session, but we don't see the IKE on UDP 500 to go with it. Sorry, I don't have any other observation other than that.
Have you checked your firewall logs to see if anything is getting denied from T-Mobile, or from your phone?
What rules do you have on your LAN interface? -
Here is all states to/from TMOBILE (including the port 500 session) and the drops from TMOBILE on a bunch of random ports
My LAN rules are basically just allow everything to everywhere. I don't block anything outbound.
I notice the static port rule for port 500 on the outbound NAT…could it be related to this? - I removed the STATIC port for 500 and it didn't help.
I'm not sure if its something with PFSense 2.2.2 or VMWARE
-
I have an AT&T micro cell on a customer network that does the same sort of thing. It establishes a IKE/IPSec connection back to the Death Star and offers 3G cell service.
I didn't mess with any of the NAT settings to get that thing to work. Are you set to Automatic outbound NAT rule generation
(IPsec passthrough included)Maybe if you were to post a picture of your Outbound NAT screen in the webConfigurator someone can help.
-
Ah yes - the old microcells.
Here is out outbound NAT rules. They are unchanged from the default way that they come out of the box.
-
System–>Advanced>Firewall/NAT
This was ticked "Disables the PF scrubbing option which can sometimes interfere with NFS and PPTP traffic. " - I had to untick it and everything now works
I've wasted about 8 hours on this, and 2 cases of corona!...hopefully this helps someone else!
Wish I remember why I had that on in the first place.
-
Cool. Glad you found it. I would have never guessed that would be the answer.
-
me either. It doesn't sound like it has anything to do with it.
I built a new firewall and it worked. Then I loaded my config file sections one by one until it broke. Then did a file compare on the good config and the bad config and then toggled the options one-by-one….
phewwww
-
I recently had to debug getting pfSense working with both t-mobile wifi calling and an at&t microcell.
In addition to making sure all the right IPSEC ports are allowed on the way in on the WAN (500,4500), I also had to make sure bogon networks are not blocked on the WAN interface.
My understanding of this is that both AT&T and t-mobile break standards and use bogon IPs on their networks, which the firewall drops. -
I recently had to debug getting pfSense working with both t-mobile wifi calling and an at&t microcell.
In addition to making sure all the right IPSEC ports are allowed on the way in on the WAN (500,4500), I also had to make sure bogon networks are not blocked on the WAN interface.
My understanding of this is that both AT&T and t-mobile break standards and use bogon IPs on their networks, which the firewall drops.Only within the IPsec connection, not outside of it. Which is fine. Something other than disabling block bogon fixed that, because both of those are strictly outbound traffic, no remotely-initiated traffic that could even match the block bogon. They also wouldn't be able to route bogon source IPs across the Internet in any useful manner. I'm guessing you probably made some NAT changes to fix it, but didn't clear states afterwards, and the states timed out or the device reconnected in the mean time which is what made it start working.
-
Good points. I do have settings to do static outbount NAT on the at&t and t-mobile devices. I will try to re-enable bogon blocking on the WAN and see what happens. Thanks!
-
This was on T-Mobile WIFI Calling but this Fixed my AT&T issue also.
Thanks Guys
-
T-Mobile's incarnation of wifi calling is based on the GAN/UMA standard. IPsec is used to secure the connection. More info in the following links for reference:
https://en.wikipedia.org/wiki/Generic_Access_Network
and
https://www.cisco.com/cdc_content_elements/flash/mobile_sols/partners_site/pdfs/partners/kineto/GAN_UMA_TDM.pdf
and
https://support.onsip.com/hc/en-us/articles/204029430-PFSense-Firewall-Settings-for-VoIP
-
Locking this thread, it's over 4 years old!
If you have new information on a subject please start a new thread.
Steve
