asking for feedback on existing setup with NAT outbound

[mw88]

Hi everyone, I have a working existing setup, which I would like to get your feedback on, in terms of security and "best-practice".

In my home network, I am running a FritzBox (German router) in IP-Client mode behind my opnsense in VLAN30.
This way, the FB becomes just a regular network device, with the function of being the SIP gateway of my network.

Code: [Select]

[ opnsense ]====VLAN Trunk:30====[ managed L2 switch ]----UNTAGGED:30----[ SIP client ]
10.0.30.1/24                                                            10.0.30.2/32 (dhcp, static)

In order for ringing and voice communication to commence, I had (found by trial and error and a lot of snippets here and there) to create two NAT outbound rules:

Code: [Select]

Interface: VLAN30
TCP/IP Version: IPv4
Source address: Server_VOIP   (alias for 10.0.30.2)
Source port: any
Destination address: any
Destination port: any
Translation/target: Interface address
Static Port: yes
A second rule is in place for IPv6.

So far, this setup is working, but I do not understand it very well.

In particular, my questions are:

• Is NAT Outbound the right thing to do here?
  I'm asking, because in other places, I do NAT outbound when routing between different VLANs and their subnets, because some stupid service requires the clients to live in the same /24 network, and I require the clients live in a different network from the service. So why (if at all) is it necessary that my SIP provider perceives all the connections coming from one common client with the interface address?
• I feel this is not the ideal solution, and instead, port forwarding should be used. Is my feeling correct? And if so, why?

Any other comments and suggestions are also welcome.

[Saarbremer]

Hi,

I don't get why you need IPv6 NAT outbound. Do you mean NPT and is it because your ISP just gives you a /64 IPv6 prefix? IPv6 should make your fritz.box' IP adress routable in public. No NAT needed (and no, this is not less secure, it is vice versa)

The outbound NAT for IPv4 is needed to preserve the port numbers during NAT (static port = yes). That is known for IPv4 NAT SIP/RTP setups. Does your VoIP provider support IPv6? If yes, why still using IPv4. It just keeps complexity of your setup high. And renders any kind of port forwarding more than worthless.

SIP is one great example of why NAT sucks.

[mw88]

That's quite something for me to digest. I'll try that in pieces.

I don't get why you need IPv6 NAT outbound. Do you mean NPT [...]

No. I just added the almost same NAT outbound rule with the only change being the

Code: [Select]

TCP/IP: IPv6 field.

and is it because your ISP just gives you a /64 IPv6 prefix?

No, I get a /59 IPv6 prefix (vodafone, previously unitymedia).

IPv6 should make your fritz.box' IP adress routable in public. No NAT needed (and no, this is not less secure, it is vice versa)

I understand. And rechecked, that indeed, if I temporarily add an "Allo All" FW rule from WAN, I can ping the fritzbox IPv6 GUA from work.

The outbound NAT for IPv4 is needed to preserve the port numbers during NAT (static port = yes). That is known for IPv4 NAT SIP/RTP setups.

Okay, so as I understand, in theory the setup is "best practice for IPv4 networks", right? And the SIP server should use NAT and not port-forwarding.

Does your VoIP provider support IPv6? If yes, why still using IPv4. It just keeps complexity of your setup high.

Good point. How do I find out, though? For my credentials, I only have the server's name (probably some load-balancing from my provider) and 

Code: [Select]

nslookup <name> just timed out. How is the FritzBox even talking to the SIP registrar then?
I'm very inclined to switch to IPv6 for VoiP only, if that means I get rid of the NAT outbound rules.

I'll try things out once my family won't frame me for breaking the phone again.

[mimugmail]

You need to set manual route because static-port is not default and you need this for VoIP.
Most SIP provider demand that you arrive with the same source port as the phone (of TK system) initiiated with.
Without static port this would be replaced with random high port.

[mw88]

You need to set manual route because static-port is not default and you need this for VoIP.

Just to be sure, this is the explanation for the existing IPv4 setup, right?

I'll try things out once my family won't frame me for breaking the phone again.

So I tried to set it up as pure IPv6 the other night, but it didn't work.
If I understand correctly, I would just need to switch my SIP communication to "use IPv6 only" on the FritzBox, statically assign a GUA to the Fritzbox, say e.g. ::20:2, and create two firewall rules like this:

for incoming traffic:

Code: [Select]

Interface: WAN
TCP/IP Version: IPv6
Protocal: any
Destination: Server_VOIP_v6 (alias for ::30:2)

for outgoing traffic only to the internet:

Code: [Select]

Interface: VLAN30
TCP/IP Version: IPv4+IPv6
Protocol: any
Source: VLAN30 net
Destination Invert: yes
Destination: PrivateNetworks (custom alias of all my private networks, e.g. __network_vlan10)

However, it does not work:

• My FritzBox receives a GUA
• GUA is pingable from devices in my private networks
• but GUA is not pingable from the internet, e.g. using https://tools.keycdn.com/ipv6-ping

I am most certainly missing a firewall rule, but I can't figure out which.

[Saarbremer]

Hi,

going for IPv6 is the only reasonable thing here. Make sure that

* No outbound NAT present for IPv6
* Gateway configured, up and running (pinger is "green")
* Allow outgoing traffic (for the network setup or the box). If your fritzbox just acts as VoIP client it might be a good idea to allow traffic towards the IPv6 of your provider. Once your fritzbox can talk to the outside world we come to

* Allow incoming traffic on the respective UDP ports for fritzbox and please enable IPv6 Protocol IPV6-ICMP for it, too. ICMP (e.g. Ping) is quite essential for IPv6 to work (properly). Without ICMP on WAN, no ping from the outside.

Remember: Everything you open on WAN for IPv6 will be accessible from the outside world. So allowing everything might not be the right choice. In my case, UDP is allowed for the fritzbox on any port on WAN. Without that I could call someone but after connection established, I didn't hear a word - and neither did the other party.

[mw88]

going for IPv6 is the only reasonable thing here.

Good. I like to do things the right way.

* No outbound NAT present for IPv6
* Gateway configured, up and running (pinger is "green")
* Allow outgoing traffic (for the network setup or the box). If your fritzbox just acts as VoIP client it might be a good idea to allow traffic towards the IPv6 of your provider.

I had this almost set up correctly, but I have questions:
* Where do I find this "green" pinger? I mean, it works, I can ping my FritzBox from online servives, but I'd just like to know.
* Outgoing traffic is already allowed, FritzBox is in DMZ for me.
* I have one NAT rule for IPv4 in place, which is needed to allow the mobile clients with the FritzFon App to access the phonebook (FritzBox requires the clients to be on the same network as the box). At first, no incoming calls/telephony was possible, until I disabled the IPv4 NAT rule. After I ensured calls were working, I reenabled the NAT rule and the calls still work (so far),

* Allow incoming traffic on the respective UDP ports for fritzbox and please enable IPv6 Protocol IPV6-ICMP for it, too. ICMP (e.g. Ping) is quite essential for IPv6 to work (properly). Without ICMP on WAN, no ping from the outside.

So, a single rule to allow UDP traffic and IPV6-ICMP to ::20:2 is the most secure way, I guess? I do not have documentation about the exact ports; If I had, I could restrict access even further.

So far, everything is working, thank you for your help.

Update:
Situation has changed a bit:
* IPv6 connection from FritzBox to SIP provider still works, I can tell by using the DECT clients and making calls.
* FritzApp Softphones are not able to ring, and if starting a call from the softphone, no audio is heard. I give the following additional part of my configuration, in hope you possibly have a solution to that:

Code: [Select]

[ opnsense ]====VLAN Trunk:20,60====[ managed L2 switch ]----UNTAGGED:20----[ SIP client ]
10.0.20.1/24                                 |                           ::20:2(dhcpv6, static)
10.0.60.1/24                                 |                           10.0.20.2(dhcp, static)
                                        UNTAGGED:60
                                             |
                                   [mobile with FritzFon App]
                                    e.g. 10.0.60.100 (dhcp)
                                           ::60:0100 (dhcpv6)

This particular softphone app needs to be in the same IPv4 network as the FritzBox to access the phonebook and other functionality not part of SIP, therefore I have the following NAT Outbound rule:

Code: [Select]

Interface: VLAN20
TCP/IP version: IPv4
SourceAddress: PrivateNetworks
DestinationAddress: Server_VOIP (alias for 10.0.20.2)
Translation/Target: VLAN20 address
Static Port: yes/no (I am unsure about that, it worked in the previous setting without static port)

The regular firewall rules are as such:
* allow IPV6-ICM from WAN to Server_VOIP6 (::20:2)
* allow UDP traffic from WAN to Server_VOIP6
* allow all traffic from VLAN60 to Server_VOIP (10.0.20.2)
* allow all traffic from VLAN60 to Server_VOIP6 (::20:2)

I must still be mssing something.

[Saarbremer]

Hi,

the dpinger status is the status of the gateway. System -> Gateways
Can also be a widget on the dashboard. The status of the service dpinger corresponds to the gateway status. If your internet access works fine, the dpinger will show green.

Regarding your issues with FritzBox <-> FritzFon App I cannot really help as I have no idea how it works behind the curtain.

[mw88]

the dpinger status is the status of the gateway. System -> Gateways
Can also be a widget on the dashboard. The status of the service dpinger corresponds to the gateway status. If your internet access works fine, the dpinger will show green.

Although I have no service called "dpinger", I was able to find it under System -> Gateways and on the Gateways dashboard box.

Regarding your issues with FritzBox <-> FritzFon App I cannot really help as I have no idea how it works behind the curtain.

Thank you anyway for your continued patience. I will try out more things, in particular I will try out switching to a different phone system.