Router firewall reporting blocked outgoing ICMP packets from Obi ip

Started by Rick441, November 14, 2017, 10:54:57 PM

Rick441

Maybe I should have posted this in the "new to using Obi" section as I have had my Obi200 for less than a month.  I am connecting the Obi200 to my router with OBiWiFi5G Wireless USB instead of a direct ethernet connection.  The Obi200 is about 15 feet from the router, with no obstructions.  I am using the Obi with Google Voice.

I have been looking at my router firewall logs, and see entries that say "Blocked outgoing ICMP packet (ICMP type 3) from [the static ip I assigned to Obi] to [internet ip address]."  These occur throughout the day (including when I am not using the phone), and can vary in frequency from once every few hours to, say, ten times an hour.  While I have not looked up every one of the many destination addresses, one that seems to reappear pretty often is 195.154.161.182.

I also noticed tonight that I receive that same router firewall log message as soon as I end any call -- outgoing or incoming, but in this case the intended destination is always 74.125.39.50, which seems to relate to Google.  The message always repeats five times in succession.  At least that is what happened with each of six or seven experimental calls I made tonight (outbound to a landline, and inbound from my cellphone).

Any idea what this represents?  And in particular, could it relate to the occasional dropped calls I experience?  Or to the latency I've noticed when testing (seems to be at least half a second, though most conversation seems fine)?   I'm more concerned with the dropped calls; and since I usually end up with silence instead of a dial tone, maybe "dropped" isn't the correct term.

Thanks.

GPz1100

Hard to say.  The 195.154.161.182 comes back to a French ip.

I have our obi's set up with just the outbound ports needed for gv and callcentric.  Everything else is blocked.

I set up a rule to allow the obi full outbound access to any port it wants.  Will let it run for a few hours then review the logs.  Other than initial GV configuration, everything else is done through the local obi webui.  Functions like firmware update, live update, obitalk, and something else I can't recall are all turned off.  It *should* only be contacting the above 2 services.

Edit: Nothing unusual in the firewall logs for the last 30 minutes.  Will check later tonight.

Rick441

Thanks, GPz1100.  Will be interested in hearing how things look when you check tonight.

Fyi, in the last three hours the logs show ICMP packets blocked to the following ip's (listed in order of occurrence).  They seem to be overseas, especially Europe, except for a few in California.  Note that 163.172, 134.119 and 195.154 (mentioned in my original post) recur.

I have excluded 74.125.39.50 -- apparently Google-related -- which, as I explained, always produces six consecutive blocked ICMP-packets messages after I end any call.  There is only one message per occurrence for the others.

GPz1100

Looking through the full log for today, of your IP's listed, I see the following:

11:57:53 Country blocked UDP 145.239.30.225:5060 →  {WAN IP:5060}
09:32:20 Country blocked UDP 195.154.62.94:8515 →  {WAN IP:5060}
05:20:11 Country blocked UDP 5.196.83.178:5080 →  {WAN IP:5060}
11:18:18 Country blocked UDP 5.196.83.178:5080 →  {WAN IP:5060}

Another one for 54.36.122.44, all using sip trying to access my sip server. In fact I see hundreds of inbound attempts from all over for ports 5060..5080.

Are you sure you're reading the log correctly as outbound attempts rather than inbound?  My firewall is set not to respond to any external ping (ICMP) requests.  Internal pings to the outside get through, as do pings on the local network.

Here's a screen shot of obi traffic.  The obi200 is at 10.10.3.102.  Rule 24 is my general outbound voip rule for gv and callcentric.  Rule #1 is a free for all.  I added that after the post earlier this morning.  All of these IP's come back to either callcentric or google.

Rick441

Quote from: GPz1100 on November 15, 2017, 01:16:46 PM
Are you sure you're reading the log correctly as outbound attempts rather than inbound?

Yes, all outbound.  But after I made a router settings change all those firewall messages about blocked outgoing ICMP packets have stopped, with the exception of those citing that Google ip, and now a Callcentric ip (just added incoming & E911 service tonight), as well as one entry that seemed to have an Amazon ip.

The settings change corrected a dumb error I made, namely applying port *forwarding* to the ports Obihai says to allow *outgoing* (https://www.obitalk.com/info/faq/Troubleshooting-sec/ports-to-keep-open-on-my-router)... not that my basic router has a way to open a port, anyway. 

After I canceled those forwards the messages about blocked outgoing ICMP packets stopped, with the exception of those I was seeing for Google (still after a call ends) and now Callcentric (which I added tonight for inbound and E911), plus one that appears to be an Amazon ip.

Based on your response, I also checked and saw that, like you, I have several entries of Inbound UDP blocking for port 5060.  A few are from the same foreign ip's that were generating outbound ICMP attempts before I removed the port forwarding.

BTW, do you feel there is really any advantage (e.g., re dropped calls) to allowing incoming on UDP Port 10000 as Obihai suggests?  Things I've read seem to suggest that there really isn't any need to do this.


GPz1100

Rick,

I made a mistake in setting up the logging. It appears pings were being intercepted before reaching the firewall rules so nothing got recorded.  I figured out the mistake and am now actively seeing any pings on the obi vlan (using a pc on the same subnet).

I'll let this run overnight and see what it records in the am.  My apologies for the wrong results above.

PS.  I started using sophos utm for my firewall/router about 3 months ago.  I'm still figuring out all its little nuances.

Edit:  I think port 10000 is for obitalk.  I don't use it, so no need to let the obi access to it.

Edit2:  Results above were not 'wrong' per se, just inconclusive as any pings out were permitted but not logged.


GPz1100

See attached.  Sheet one sorted by destination IP, sheet 2 by time.  Sample size isn't the largest.  I think I'll leave the log run for a week, see what else pops up.

No pings but several unique ip's.  Ports 5222, 5060..5080, and 443 relate to gv/xmpp and call centric.  The occasional port 19xxx is an actual phone call's RTP port. 10.10.3.102 and .103 are the two obi's. One has 2 SPx's configured, the other 3.

These all come back to google or callcentric.


Rick441

I'm still getting frequent blocked incoming TCP and UDP packets to port 5060 from various ip's.  Mostly, but not entirely foreign ip's.  Many are the same or similar to those I mentioned in my original post, i.e., non-Google/Callcentric ip's listed in the blocked-outgoing-ICMP-messages I was getting before I disabled the port forwarding I never should have set.  I don't know if this is anything new, or whether it was occurring even before I got the Obi, as I wasn't looking at the logs before then, and I don't have history going back further.

GPz1100

Looks like more of the same.  No icmp (protocol 1) entries.

Now, with respect to inbound attempts on ports 5060..5080, there's hundreds of those.  Just external traffic trying to find an open sip server.  Those are all blocked.  In fact, for inbound, anything not US-based is blocked by a global rule. I wouldn't worry too much about it.

Rick441

Yup, guess it's nothing to worry about.  Thanks much for the testing and feedback.
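
The overlap noted in the thread, between destinations of blocked outgoing ICMP type 3 (Destination Unreachable) messages and sources of blocked inbound port-5060 traffic, can be checked mechanically. The following is an added example, not part of any post: the outgoing message wording follows the one quoted in the thread, while the inbound wording, timestamps, documentation-range addresses, `PROVIDER_NETS` and `classify_icmp` are assumptions.

```python
import ipaddress
import re
from collections import Counter

IP = r"(\d+\.\d+\.\d+\.\d+)"
# Outgoing wording follows the message quoted in the thread; the inbound
# wording and the timestamps are constructed for this example.
ICMP_RE = re.compile(rf"Blocked outgoing ICMP packet \(ICMP type (\d+)\) from {IP} to {IP}")
INBOUND_RE = re.compile(rf"Blocked incoming (?:TCP|UDP) packet from {IP}:\d+ to {IP}:(\d+)")
SIP_PORTS = range(5060, 5081)  # the 5060..5080 span mentioned in the thread

# Constructed sample log; all addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
21:02:11 Blocked outgoing ICMP packet (ICMP type 3) from 192.168.1.50 to 203.0.113.7.
21:40:03 Blocked outgoing ICMP packet (ICMP type 3) from 192.168.1.50 to 203.0.113.99.
22:15:30 Blocked outgoing ICMP packet (ICMP type 3) from 192.168.1.50 to 192.0.2.50.
22:15:30 Blocked outgoing ICMP packet (ICMP type 3) from 192.168.1.50 to 192.0.2.50.
22:15:31 Blocked outgoing ICMP packet (ICMP type 3) from 192.168.1.50 to 192.0.2.50.
22:15:31 Blocked outgoing ICMP packet (ICMP type 3) from 192.168.1.50 to 192.0.2.50.
22:15:32 Blocked outgoing ICMP packet (ICMP type 3) from 192.168.1.50 to 192.0.2.50.
23:05:44 Blocked outgoing ICMP packet (ICMP type 3) from 192.168.1.50 to 203.0.113.7.
23:30:10 Blocked incoming UDP packet from 203.0.113.7:5080 to 198.51.100.20:5060.
23:31:52 Blocked incoming TCP packet from 203.0.113.200:41000 to 198.51.100.20:23.
"""
# Assumed: networks already identified as belonging to the VoIP provider.
PROVIDER_NETS = ["192.0.2.0/24"]

def classify_icmp(log_text, device_ip, provider_nets):
    """Map each ICMP type 3 destination to (label, count) for one device."""
    icmp, probers = Counter(), set()
    for line in log_text.splitlines():
        m = ICMP_RE.search(line)
        if m:
            if m.group(1) == "3" and m.group(2) == device_ip:
                icmp[m.group(3)] += 1
            continue
        m = INBOUND_RE.search(line)
        if m and int(m.group(3)) in SIP_PORTS:
            probers.add(m.group(1))  # remote host that tried a SIP port
    nets = [ipaddress.ip_network(n) for n in provider_nets]
    report = {}
    for dst, count in icmp.items():
        known = any(ipaddress.ip_address(dst) in n for n in nets)
        label = "provider" if known else "sip-prober" if dst in probers else "unexplained"
        report[dst] = (label, count)
    return report

if __name__ == "__main__":
    for dst, (label, n) in classify_icmp(SAMPLE_LOG, "192.168.1.50", PROVIDER_NETS).items():
        print(f"{dst:15} {label:12} x{n}")
```

Destinations labelled "unexplained" are the ones worth looking up by hand; the regular expressions need adjusting to the exact wording a given router uses.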