
firewalls and OBI, Callcentric, GV and dd-wrt w/SPI

Started by winterescape, November 07, 2011, 05:27:15 PM


winterescape

I have my OBI110 plugged into my WRT54GL running dd-wrt Firmware: DD-WRT v24-sp2 (10/10/09) mini

An issue we had recently resulted in this response from CallCentric tech support:

"As far as the issue is concerned, as mentioned for a few of your calls from your calling history, we are showing that several of your calls were dropping improperly, specifically we are showing that your calls are dropping with the cause code "No response to BYE". This basically means that while a BYE packet was sent to your Obi110 (a BYE packet essentially signals your Obi110 to drop the call) we did not receive any sort of acknowledgement from your Obi110 stating that it received it (which it should). This can be caused by a number of reasons, specifically a networking issue, as in while a BYE packet was sent to your Obi110, somewhere along the network flow, it is being dropped/filtered; and we believe this is causing your calls to get "stuck".

You've mentioned that you have a router running DD-WRT; if you would, please try disabling Stateful Packet Inspection (SPI), within your router's firewall/ security configurations; as this setting has been known to have a negative effect on SIP/VoIP communications in general."


I am very concerned about disabling my firewall, should I just place the OBI in the "DMZ"  or do you have specific router settings that are recommended for the OBI?

Thanks in advance for any suggestions or advice...

RonR

I recently noticed a problem with BYE's not terminating SIP sessions properly and reported the problem along with a supporting Syslog to Obihai on 11/2.  In my case, all participants were on the same LAN, so no firewalls or other filtering was in the path.  On 11/3, I received a reply saying they were looking into this, but I haven't heard anything since.  I'd hold off making any changes to your router as this may very well be the result of a bug in the OBi firmware.

winterescape

Thanks for that Info, that is very interesting ...

Any good reference for general firewall/router configurations for optimal performance? Do most people place the OBI in the "DMZ"?

RonR

In most cases, there is no need to make any changes.  Sometimes, forwarding SIP and RTP ports might be needed, but it's not always the case.  If you're not having calling problems, I would be concerned.

winterescape

Any idea when this firmware update to address this issue will be available?

Stewart

Quote from: winterescape on November 25, 2011, 01:38:01 PM
Any idea when this firmware update to address this issue will be available?

IMHO, there is not yet enough evidence to show that you are being bitten by the same bug as RonR.  In particular, when the remote party hangs up first, if a short (less than one minute) call disconnects correctly, but a long call (e.g. 15 minutes) does not, I would first suspect a timeout in the router.

The definitive test is to capture traffic at the OBi and confirm that it is indeed receiving the BYE from Callcentric, but it is not responding properly.

winterescape

Hmmm well O.K.  I had interpreted Ron's response as "Known issue" and had been looking for the update.     I think I am back to where I started then assuming it is the router and not wanting to disable my firewall.

So how best to configure my router to keep Obi happy and keep my network computers properly protected? 

DMZ or set up port forwarding for specific ports?

Thanks...

Stewart

For SP1 or SP2 (whichever you are using with Callcentric), change X_UserAgentPort from 5060 to 5070 or from 5061 to 5071.  Then, in DD-WRT, forward UDP port 5070 or 5071 to the private IP address of the OBi (which should be constant, either by assigning it statically in the OBi, or by using a DHCP Static Lease in DD-WRT).  Reboot everything and test.

Felix

Quote from: winterescape on November 26, 2011, 06:26:27 AM
I think I am back to where I started then assuming it is the router and not wanting to disable my firewall.

So how best to configure my router to keep Obi happy and keep my network computers properly protected? 

Note that Callcentric doesn't recommend that you disable your firewall. They only recommend that you disable SPI on your firewall... big difference!  ;) Some people argue that SPI doesn't belong in the firewall in the first place; the bottom line - if you disable SPI, all your firewall protection will remain in place.

obi-support2

On the contrary, I believe that OBiHAI support team has replied to RonR's
"suspected bug report" promptly via email and has suggested that the problem is likely to
be caused by STUN being enabled on his unit.
However we did not get any further confirmation from RonR
whether turning off STUN fixes the issue. We do not believe there is a bug in
RonR's case which we are not able to reproduce.

RonR might have a very unique setup that may not apply to other users.
OBIHAI Support Staff

RonR

Quote from: obi-support2 on November 27, 2011, 05:15:57 PM
On the contrary, I believe that OBiHAI support team has replied to RonR's
"suspected bug report" promptly via email and has suggested that the problem is likely to
be caused by STUN being enabled on his unit.
However we did not get any further confirmation from RonR
whether turning off STUN fixes the issue. We do not believe there is a bug in
RonR's case which we are not able to reproduce.

RonR might have a very unique setup that may not apply to other users.

Disabling the STUN server had no effect on the problem.

In my case, things appear to get tangled up in the OBi when a BYE is received from a SIP provider for a call that is connected to a phone via SIP on a PAP2.  The PAP2 session terminates properly, but the SIP provider apparently never gets an OK response from the OBi and keeps resending BYE's until it retries out.  Both SIP sessions are going through SP2/ITSP B and it appears the OBi doesn't keep the two sessions separated and loses track of things.

I've attached a Syslog showing repeated BYE's from tollfree.future-nine.com with no response from the OBi.

I'm of the opinion that it's a firmware problem as it did not occur prior to upgrading to v1.3 and my setup hasn't changed in the meantime.
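
The test Stewart describes (capture at the OBi and see whether an incoming BYE is answered) and the pattern RonR reports (repeated BYEs with no response) can be checked mechanically. This is an added example, not part of any post in the thread; the capture, addresses and Call-IDs are constructed, and it assumes full-form `Call-ID` and `CSeq` header names.

```python
# Added example (not from the thread): flag SIP BYE requests that arrived at
# the ATA but never got a final response from it.
from collections import defaultdict

CRLF = "\r\n"
BYE = "BYE sip:user@192.168.1.50:5070 SIP/2.0"  # placeholder request line

def msg(start, call_id, cseq):
    """Build a minimal SIP message with only the headers this check reads."""
    return CRLF.join([start, f"Call-ID: {call_id}", f"CSeq: {cseq}", "", ""])

# Constructed sample capture: (seconds, direction seen from the ATA, raw SIP).
CAPTURE = [
    (0.0, "in", msg(BYE, "short-call@provider.example", "2 BYE")),
    (0.1, "out", msg("SIP/2.0 200 OK", "short-call@provider.example", "2 BYE")),
    (900.0, "in", msg(BYE, "long-call@provider.example", "2 BYE")),
    (900.5, "in", msg(BYE, "long-call@provider.example", "2 BYE")),  # retransmit
    (901.5, "in", msg(BYE, "long-call@provider.example", "2 BYE")),  # retransmit
]

def parse(raw):
    """Return (start_line, headers) with lower-cased header names."""
    lines = raw.split(CRLF + CRLF, 1)[0].split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def unanswered_byes(capture):
    """Map (Call-ID, CSeq) -> copies received, for BYEs with no final response."""
    seen = defaultdict(int)
    answered = set()
    for _ts, direction, raw in capture:
        start, hdr = parse(raw)
        key = (hdr.get("call-id"), hdr.get("cseq", ""))
        if direction == "in" and start.startswith("BYE "):
            seen[key] += 1
        elif direction == "out" and start.startswith("SIP/2.0 "):
            code = start.split()[1]
            # Any final (2xx-6xx) response to the BYE transaction counts.
            if code.isdigit() and int(code) >= 200 and key[1].endswith("BYE"):
                answered.add(key)
    return {k: n for k, n in seen.items() if k not in answered}

if __name__ == "__main__":
    for (call_id, cseq), copies in unanswered_byes(CAPTURE).items():
        print(f"{call_id} CSeq {cseq}: {copies} BYE(s) received, no response sent")
```

A BYE that shows up here was received by the device and left unanswered, which points at the device rather than the router. If the provider logs "No response to BYE" but the capture contains no inbound BYE for that call, the request was dropped before it reached the device.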

winterescape

Quote from: Felix on November 27, 2011, 10:27:08 AM
Quote from: winterescape on November 26, 2011, 06:26:27 AM
I think I am back to where I started then assuming it is the router and not wanting to disable my firewall.

So how best to configure my router to keep Obi happy and keep my network computers properly protected?  
Note that Callcentric doesn't recommend that you disable your firewall. They only recommend that you disable SPI on your firewall... big difference!  ;) Some people argue that SPI doesn't belong in the firewall in the first place; the bottom line - if you disable SPI, all your firewall protection will remain in place.

Actually I tried disabling SPI and tested before and after on "shieldsup".  With SPI I was fully protected, no holes in the firewall; without, several vulnerabilities were listed. Needless to say I have chosen to leave it on.

My workaround has been to route outgoing calls via GV and incoming via callcentric.  The call times on the callcentric web site continue to show a cpl of minutes longer than the OBI call logs so I assume this is still an unresolved issue.

Just to reiterate, callcentric claims they do not receive a "BYE" from the OBI at the end of a call and this started with firmware ver 1.3

nmssystems1

I would say try a different router. Easy check to see if it is something in your dd-wrt or if it is the obi.. or Callcentric..

Also, why are you using the mini version of that dd-wrt, why not the standard generic image..

The other thing to try if you do not have another router handy is to do the 30-30-30 reset of the dd-wrt router.

thanks

good luck.