StanAccy (Aspirant)
Oct 10, 2013
SRX5308 UDP Rule WAN-LAN Fail
System Name: SRX5308
Firmware Version: 4.3.0-19
I'm trying to open up UDP port 5060 on the firewall but it just doesn't seem to open. I've already set up various rules for TCP ports (80, 81, 443, 8080) which access three different servers across 2 VLANs, so I think I'm going about this process properly (in terms of adding the custom service, and then adding the firewall rule).
However, no matter what I do I *cannot* get port UDP/5060 forwarded to an until VOIP phone. I've even run a test UDP server on another machine so that I know the UDP process will respond. If I nmap the port from inside the firewall:
[root@nyprod1 tftpboot]# nmap -sU -p 5060 -v -O 192.168.2.4
Starting Nmap 6.25 ( http://nmap.org ) at 2013-10-10 15:51 EDT
Initiating ARP Ping Scan at 15:51
Scanning 192.168.2.4 [1 port]
Completed ARP Ping Scan at 15:51, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:51
Completed Parallel DNS resolution of 1 host. at 15:51, 0.00s elapsed
Initiating UDP Scan at 15:51
Scanning 192.168.2.4 [1 port]
Discovered open port 5060/udp on 192.168.2.4
Completed UDP Scan at 15:51, 0.02s elapsed (1 total ports)
and my test program prints out the UDP access:
INFO - UDPServer - RECEIVED:
If I now run the same thing against the firewall:
[root@nyprod1 tftpboot]# nmap -sU -p 5060 -v -O XXXXXX.com
Starting Nmap 6.25 ( http://nmap.org ) at 2013-10-10 15:51 EDT
Initiating Ping Scan at 15:51
Scanning XXXXXX.com (XXXXXX) [4 ports]
Completed Ping Scan at 15:51, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:51
Completed Parallel DNS resolution of 1 host. at 15:51, 0.00s elapsed
Initiating UDP Scan at 15:51
Scanning XXXXXX.com (XXXXXX) [1 port]
Completed UDP Scan at 15:51, 0.22s elapsed (1 total ports)
Initiating OS detection (try #1) against XXXXXX.com (XXXXXX)
Retrying OS detection (try #2) against XXXXXX.com (XXXXXX)
Nmap scan report for XXXXXX.com (XXXXXX)
Host is up (0.00073s latency).
rDNS record for XXXXXX: XXXXXX.dyn.optonline.net
PORT STATE SERVICE
5060/udp open|filtered sip
I've tried setting up firewall rules with the provided SIP-UDP service as well as making my own. My own service was set to:
Inbound LAN/WAN UDP, 5060-5060
and the firewall rule in both cases was:
Allow Always, SIP-UDP (or SIP-UDP-Test), Single IP: 192.168.2.4
I've got SIP ALG off, and UDP flood attack is turned off.
There's nothing else between the router and the test machine.
Am I missing something, or is this functionality not working for UDP?
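Why nmap reports "open" on the LAN but "open|filtered" through the firewall, as an added example that is not part of the original post: a UDP scanner can only classify a port from what comes back, so a datagram dropped by a filter and a service that stays silent look identical. The probe function, listener helper and SIP payload below are constructed for illustration and run against loopback only.

```python
import socket
import threading

# Constructed SIP OPTIONS request; host names and tags are placeholders.
SIP_OPTIONS = (
    "OPTIONS sip:probe@example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP probe.example.invalid;branch=z9hG4bK-probe\r\n"
    "From: <sip:probe@example.invalid>;tag=1\r\n"
    "To: <sip:probe@example.invalid>\r\n"
    "Call-ID: probe-1@example.invalid\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Max-Forwards: 70\r\n"
    "Content-Length: 0\r\n\r\n"
).encode()


def probe_udp(host, port, payload=SIP_OPTIONS, timeout=1.0):
    """Classify a UDP port the way a scanner has to: from what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))     # connected socket: ICMP errors raise exceptions
        try:
            s.send(payload)
            s.recv(4096)
            return "open"           # a datagram came back
        except ConnectionRefusedError:
            return "closed"         # ICMP port unreachable was returned
        except socket.timeout:
            return "open|filtered"  # silence: dropped en route OR probe ignored


def start_listener(reply):
    """Loopback stand-in for a test UDP server; answers only if reply is True."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))      # ephemeral port
    port = srv.getsockname()[1]

    def serve():
        _, peer = srv.recvfrom(4096)
        if reply:
            srv.sendto(b"SIP/2.0 200 OK\r\n\r\n", peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    print("replying listener:", probe_udp("127.0.0.1", start_listener(True)))
    print("silent listener:  ", probe_udp("127.0.0.1", start_listener(False)))
```

A scan result of "open|filtered" therefore proves nothing about the forwarding rule; a packet capture on the LAN-side host while probing from the WAN shows whether the datagram actually arrived.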
4 Replies
- StanAccy (Aspirant): Dropping back to firmware 3.0.8-12 (I tried all intermediate firmwares from the latest back) allowed the UDP/5060 to be forwarded. I've no idea what it breaks though - I'm sure something will be unfixed by rolling back to such an old firmware.
Awesome job there Netgear - a firmware from eons ago works better than your latest incarnation!
- insatek (Aspirant): I am in a similar situation.
We have three sites:
Headquarters A - UTM50, firmware 3.5.2-14
Headquarters B - SRX5308, firmware 4.3.0-19
Headquarters C - FVX538, firmware 3.1.1-08
The three locations are connected by IPsec VPN.
At A we have a VoIP PBX system.
Phones between headquarters A and C are connected perfectly (SIP UTP 5060).
From seat B I have visibility of the VoIP PBX (80, 22, etc.) but it fails to connect over SIP-UTP.
B and C have the same rules tailored to their IP.
May the SRX5308 not correctly handle SIP?
- StanAccy (Aspirant): The old firmware version seems to be working fine for us.
- ckleea (Aspirant): I think it is an SRX5308 firmware issue. The same problem is encountered for SIP over IPsec VPN. However, if you can use an IAX connection, sometimes it may work.