Joined: 28 Dec 2018
Posted: Tue Apr 14, 2020 10:13 Post subject: [solved] R42872 (04/10/20) - SPI firewall vs. SIP STUN
SOLVED - the STUN server in use is malfunctioning.
Have to disable the SPI firewall in my home office with R42872 (04/10/20) due to problems with STUN; it was working fine in r42681 std (03/13/20).
I'm currently working from home, connected via OpenVPN client to the corporate network without a problem. I can connect to Samba shares, access files and use several ODBC connections; everything is fine.
But the SIP connection cannot be established after the first call of the day is done (we are using the 3cx Windows client).
Sending STUN request - STUN check failed - STUN check failed - STUN check failed - STUN check failed - STUN check failed.
Huawei LTE router in "Bridge mode" (it assigns the public IP via DHCP on the LAN side (46.114.x.x); its private IP is 192.168.8.1) -- WAN port of WRT1900acs v2 (Automatic Configuration - DHCP, also added private WAN IP 192.168.8.2 (see the additional firewall commands below)), its own LAN IP 192.168.1.3 -- my PC: IP 192.168.1.87, mask 255.255.255.0, GW 192.168.1.3, DNS 192.168.1.1 (OpenVPN IP 10.24.35.1 - OpenVPN server IP 10.24.35.2, mask 255.255.255.252)
I'm still able to nslookup our SIP server, and I can also ping the name and IP of our SIP server and of the STUN server in charge: stun.3cx.com.
Got in contact with our admins, they looked up the service --> everything fine, other colleagues are working without issues.
My IP is not blocked at all.
Restarted OpenVPN connection --> still error, no connection possible
Restarted PC, restarted OpenVPN --> still error, no connection possible
Restarted LTE and WRT router, reconnected OpenVPN --> one SIP call possible, after this "STUN check failed"
Restarted LTE device, DHCP release and renew on WRT1900 --> one SIP call possible, after this above mentioned problem
Restarted WRT --> one SIP call possible
disabled SPI Firewall in WRT --> no problems at all, can connect to several SIP calls, everything fine for a few hours.
enabled SPI again --> one call, after this "STUN check failed"
My current WAN IP: 46.114.edit.edit
A Traceroute from Homeoffice to VPN at work:
tracert vpn2.edited.info [87.128.edit.edit]
max 30 Hops:
1 <1 ms <1 ms <1 ms 192.168.1.3
2 <1 ms <1 ms <1 ms 192.168.8.1
3 * * * Request Timeout.
4 53 ms 27 ms 28 ms 10.81.7.21
5 57 ms 46 ms 42 ms 10.81.85.22
6 57 ms 27 ms 29 ms 188.8.131.52
7 58 ms 38 ms 56 ms ae1-0.0003.prrx.02.dus.de.net.telefonica.de [184.108.40.206]
8 55 ms 64 ms 50 ms ae4.gradusix2.net.telefonicaglobalsolutions.com [220.127.116.11]
9 63 ms 38 ms 40 ms 18.104.22.168
10 64 ms 48 ms 46 ms b-ea11-i.B.DE.NET.DTAG.DE [22.214.171.124]
11 62 ms 47 ms 45 ms b-ea11-i.B.DE.NET.DTAG.DE [126.96.36.199]
12 88 ms 49 ms 57 ms 188.8.131.52
13 75 ms 78 ms 77 ms edited.dip0.t-ipconnect.de [87.128.edit.edit]
Firewall commands executed at startup:
ifconfig `nvram get wan_ifname`:0 192.168.8.2 netmask 255.255.255.0
iptables -I INPUT -p udp --dport 68 -j ACCEPT
iptables -t nat -I POSTROUTING -o `nvram get wan_ifname` -j MASQUERADE
Screenshot of SPI Firewall settings appended.
Enabled log management, Log Level High, Dropped, Rejected and Accepted set to "Enable", but Incoming Log and Outgoing Log did not show anything.
Instead Syslog started showing hundreds and hundreds of kernel warnings and the load average increased to ~1; a screenshot of one page is also appended.
Currently I'm at a loss, no idea how to debug this further or how to proceed.
Also, according to the log, some shady people have started brute-forcing my WRT SSH password -.-, so I'd like to enable the SPI again.
I can roll back to the old version when my shift is over; I am also willing to track this down, but I need guidance :/
Last edited by Zyxx on Tue Apr 14, 2020 13:49; edited 2 times in total
Joined: 28 Dec 2018
Posted: Tue Apr 14, 2020 13:47 Post subject:
Flashed the "old" release a few minutes ago and struggled again. Since this release was working two weeks ago, I was curious.
Took my time and tried to capture Wireshark traces...
As it looks to me, "stun.3cx.com" is malfunctioning.
(Google also indicates problems on this server, see: https://www.3cx.com/community/threads/stun-resolution-not-working.71615/)
Changed STUN server and everything is fine again.
Can enable and disable SPI, SIP clients always connect.
--> SOLVED, no issue with the firmware
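Added example (not from the thread, nor 3CX or DD-WRT code): a minimal STUN Binding Request client in Python per RFC 5389, so a STUN server such as stun.3cx.com can be checked independently of the SIP client when "STUN check failed" appears and the question is whether the server or the firewall is at fault. The embedded reply is constructed, not captured traffic, and the live check assumes the standard STUN port 3478.

```python
import os, socket, struct

# STUN constants from RFC 5389
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020

def build_binding_request(txid=None):
    """Return a 20-byte STUN Binding Request (header only, no attributes)."""
    txid = os.urandom(12) if txid is None else txid
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid

def parse_binding_response(data, txid):
    """Return the reflexive (ip, port) from XOR-MAPPED-ADDRESS, or raise ValueError."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or data[8:20] != txid:
        raise ValueError("not a reply to our transaction (cookie or transaction id mismatch)")
    if msg_type != BINDING_SUCCESS:
        raise ValueError("unexpected STUN message type 0x%04x" % msg_type)
    pos, end = 20, min(20 + length, len(data))
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and len(value) >= 8 and value[1] == 0x01:  # IPv4
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            ip = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", ip)), port
        pos += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS in response")

def stun_check(host, port=3478, timeout=3.0):
    """Live check: send one Binding Request over UDP and return what the server saw."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)  # a timeout here is the client's "STUN check failed" case
        s.sendto(build_binding_request(txid), (host, port))
        data, _ = s.recvfrom(2048)
    return parse_binding_response(data, txid)

SAMPLE_TXID = bytes(range(12))  # fixed transaction id for the constructed sample below

def sample_response():
    """Constructed Binding Success Response (not captured): server saw 203.0.113.7:40000."""
    xip = struct.unpack("!I", socket.inet_aton("203.0.113.7"))[0] ^ MAGIC_COOKIE
    xport = 40000 ^ (MAGIC_COOKIE >> 16)
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xip)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + SAMPLE_TXID + attr
```

Run `stun_check("stun.3cx.com")` once with the SPI firewall enabled and once disabled from the affected network; a timeout in both cases points at the server, a timeout only with SPI enabled points at the router.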