[solved] R42872 (04/10/20) - SPI firewall vs. SIP STUN

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
Author Message
Zyxx
DD-WRT User


Joined: 28 Dec 2018
Posts: 219

PostPosted: Tue Apr 14, 2020 10:13    Post subject: [solved] R42872 (04/10/20) - SPI firewall vs. SIP STUN Reply with quote
SOLVED - the used STUN Server is malfunctioning.

Have to disable SPI Firewall in Homeoffice with R42872 (04/10/20) due to problems with STUN, was working fine in r42681 std (03/13/20)

I'm currently working from home, connected via OpenVPN Client to corporate network without a problem. Can connect to samba shares, access files, use several odbc connections everthing fine.
But the SIP connection cannot be established after first call of the day is done (we are using 3cx Windows client).
Error given:
Sending STUN request - STUN check failed - STUN check failed - STUN check failed - STUN check failed - STUN check failed.

My network:

Huawei LTE Router in "Bridge mode" (it DHCP broadcasts public IP on LAN side (46.114.x.x), private IP is 192.168.8.1) -- WAN port of WRT1900acs v2 (Automatic Configuration - DHCP, also added private WAN IP 192.168.8.2 (see below additional firewall commands)) itw own LAN IP 192.168.1.3 -- my PC IP 192.168.1.87, MASK 255.255.255.0, GW 192.168.1.3, DNS 192.168.1.1 (OpenVPN IP 10.24.35.1 - OpenVPN Server IP 10.24.35.2 MASK 255.255.255.252)

I'm still able to nslookup our SIP Server, also can PING name and ip of our SIP and also of STUN in charge: stun.3cx.com.
Got in contact with our admins, they looked up the service --> everything fine, other colleagues are working without issues.
My IP is not blocked at all.
Restarted OpenVPN connection --> still error, no connection possible
Restarted PC, restarted OpenVPN --> still error, no connection possible
Restarted LTE and WRT router, reconnected OpenVPN --> one SIP call possible, after this "STUN check failed"
Restarted LTE device, DHCP release and renew on WRT1900 --> one SIP call possible, after this above mentioned problem
Restarted WRT --> one SIP call possible
disabled SPI Firewall in WRT --> no problems at all, can connect to several SIP calls, everything fine since a few hours.
enabled SPI again --> one call, after this "STUN check failed" Sad

My current WAN IP: 46.114.edit.edit

A Traceroute from Homeoffice to VPN at work:
Code:

tracert vpn2.edited.info [87.128.edit.edit]
max 30 Hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.3
  2    <1 ms    <1 ms    <1 ms  192.168.8.1
  3     *        *        *     Request Timeout.
  4    53 ms    27 ms    28 ms  10.81.7.21
  5    57 ms    46 ms    42 ms  10.81.85.22
  6    57 ms    27 ms    29 ms  195.71.188.130
  7    58 ms    38 ms    56 ms  ae1-0.0003.prrx.02.dus.de.net.telefonica.de [62.53.9.54]
  8    55 ms    64 ms    50 ms  ae4.gradusix2.net.telefonicaglobalsolutions.com [213.140.51.60]
  9    63 ms    38 ms    40 ms  80.156.161.73
 10    64 ms    48 ms    46 ms  b-ea11-i.B.DE.NET.DTAG.DE [62.154.46.2]
 11    62 ms    47 ms    45 ms  b-ea11-i.B.DE.NET.DTAG.DE [62.154.46.2]
 12    88 ms    49 ms    57 ms  62.156.247.145
 13    75 ms    78 ms    77 ms  edited.dip0.t-ipconnect.de [87.128.edit.edit]


Firewall commands executed at startup:
Code:

ifconfig `nvram get wan_ifname`:0 192.168.8.2 netmask 255.255.255.0
iptables -I INPUT -p udp --dport 68 -j ACCEPT
iptables -t nat -I POSTROUTING -o `nvram get wan_ifname` -j MASQUERADE

Screenshot of SPI Firewall settings appended.

Enabled log management, Log Level High, Dropped, Rejected and Accepted "Enable" but Incoming Log and Outgoing Log did not show anything.
Instead Syslog started showing hundreds and hundreds Kernel warnings and load average increased to ~1, screenshot of one page also appended.

Currently I'm at a loss, no idea how to further debug/proceed this.
Also -according to log- some shady people start bruteforcing my WRT SSH password -.-, I'd like to enable the SPI again.

I can rollback to the old version when my shift is over, also am willing to track this down, but need guidance :/


Last edited by Zyxx on Tue Apr 14, 2020 13:49; edited 2 times in total
Sponsor
Zyxx
DD-WRT User


Joined: 28 Dec 2018
Posts: 219

PostPosted: Tue Apr 14, 2020 13:47    Post subject: Reply with quote
Flashed the "old" release a few minutes ago and struggled again. Since this release was working two weeks ago I was curious.

Took my time and tried to capture wireshark traces...
as it looks to me "stun.3cx.com" is malfunctioning.
(google also indicates problems on this server, see: https://www.3cx.com/community/threads/stun-resolution-not-working.71615/)

Changed STUN server and everything is fine again.
Can enable and disable SPI, SIP clients always connect.

--> SOLVED, no issue of firmware
Smile
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.) All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum