Topic: Argh - Inbound traffic blocked?!  (Read 1700 times)
« on: October 15, 2008, 23:57:37 »
miltimj *
Posts: 4

I'm trying to troubleshoot why my VoIP ATA (an old Sunrocket "Gizmo") is getting traffic blocked.  I set up NAT (and let it auto-create the firewall rule) for port 68, 5060, and 16384-16403.  This has worked before on other monowall boxes, and I looked at old config files for those to verify I'm setting it the same.

The problem is, I'm getting blocks in the firewall log stating that inbound UDP port 67 (attempting to go to LAN side VoIP ATA on port 68).  There are many of these occurring, one every 5-10 seconds.  I've tried rebooting the router and the ATA several times, with the same result every time.

I have no filter rules to block any traffic except the basic Block Private Networks one.

Any ideas?
« Reply #1 on: October 16, 2008, 02:25:44 »
Fred Grayson *****
Posts: 994

You don't provide a complete rule description, so it's not possible to help you much.

UDP related to ports 67 and 68 might be DHCP server/client activity.

--
Google is your friend and Bob's your uncle.
« Reply #2 on: October 16, 2008, 05:03:34 »
miltimj *
Posts: 4

Thanks for the reply - the traffic is from an external IP, so it's not DHCP related.  Here is a list of my settings from a config dump:

Code:
<nat>
  <rule>
    <protocol>tcp/udp</protocol>
    <external-port>68</external-port>
    <target>10.1.2.3</target>
    <local-port>68</local-port>
    <interface>wan</interface>
    <descr>VoIP ATA (1)</descr>
  </rule>
  <rule>
    <protocol>tcp/udp</protocol>
    <external-port>5060</external-port>
    <target>10.1.2.3</target>
    <local-port>5060</local-port>
    <interface>wan</interface>
    <descr>VoIP ATA (2)</descr>
  </rule>
  <rule>
    <protocol>tcp/udp</protocol>
    <external-port>16384-16403</external-port>
    <target>10.1.2.3</target>
    <local-port>16384</local-port>
    <interface>wan</interface>
    <descr>VoIP ATA (3)</descr>
  </rule>
</nat>
<filter>
  <rule>
    <type>pass</type>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <any/>
      <port>443</port>
    </source>
    <destination>
      <any/>
      <port>443</port>
    </destination>
    <descr>Allow remote administration</descr>
  </rule>
  <rule>
    <interface>wan</interface>
    <protocol>tcp/udp</protocol>
    <source>
      <any/>
    </source>
    <destination>
      <address>10.1.2.3</address>
      <port>68</port>
    </destination>
    <descr>NAT VoIP ATA (1)</descr>
  </rule>
  <rule>
    <interface>wan</interface>
    <protocol>tcp/udp</protocol>
    <source>
      <any/>
    </source>
    <destination>
      <address>10.1.2.3</address>
      <port>5060</port>
    </destination>
    <descr>NAT VoIP ATA (2)</descr>
  </rule>
  <rule>
    <interface>wan</interface>
    <protocol>tcp/udp</protocol>
    <source>
      <any/>
    </source>
    <destination>
      <address>10.1.2.3</address>
      <port>16384-16403</port>
    </destination>
    <descr>NAT VoIP ATA (3)</descr>
  </rule>
  <rule>
    <type>pass</type>
    <descr>Default LAN -&gt; any</descr>
    <interface>lan</interface>
    <source>
      <network>lan</network>
    </source>
    <destination>
      <any/>
    </destination>
  </rule>
</filter>

The 10.1.2.3 is the LAN side destination address of the VoIP ATA (it's not the real one, but close enough).

Let me know if any other info would be of use... Thanks!
 