Topic: Suggestions for at&t microcell  (Read 7264 times)
« on: November 19, 2009, 17:39:31 »
eggman37 *
Posts: 3

As an iPhone subscriber I am unfortunately bound to a lacking at&t wireless service.

Recently they had released a femtocell device much like that of other carriers (sprint/airrave or verizon/network extender).

This device basically extends your wireless network coverage using a voip technology over your internet connection.

-- on to my problem --

With the microcell device there are a few ways to set it up.

a. behind the firewall
b. between the firewall and the modem. This is called "priority mode" according to at&t.

The device has no user end configuration meaning I cannot change or set the ip address / enable disable settings.. etc.
There is simply no means to access any configuration (yet) so I cannot even see what is going on inside the mysterious white box.

I prefer not to have the device in front of m0n0wall for a few reasons

- it hands m0n0wall a 192.168 address / I prefer to bridge and get the real address for my dyndns address.
- since i cannot see the configuration I do not know how it is handling traffic or if it will even allow me to use exposed services I have forwarded through.

This thing seems as though it should be an endpoint device however it will only work in priority mode. It seems that in its process it needs to access some at&t services in order to function. I have asked at&t support about this and they (of course) haven't a clue.

From this I would like your suggestions:

- DMZ / I have considered setting this up but since I cannot code the address on the microcell I would like suggestions here.
- NAT & port forwarding / I have tried to determine what the device needs but no matter what I forwarded it never seemed to work. Using nmap reveals the device has ssh/telnet open, using tcpdump reveals a slew of misc ports. Suggestions here are appreciated as well.


Thanks !

« Reply #1 on: August 24, 2010, 16:00:20 »
wpervaiz *
Posts: 5

any luck with this?

I've been trying to configure my m0n0wall for use with the microcell device for days now... still can't get this to work.
« Reply #2 on: August 25, 2010, 04:45:44 »
momothefox *
Posts: 49

Quote
DMZ / I have considered setting this up but since I cannot code the address on the microcell I would like suggestions here.

why not add a NIC as DMZ on your m0n0wall box.
you can log all traffic coming and going to the little white box, and you might figure out what it needs.

VoIP devices work with no specific configuration, only DHCP server and an allowed IP address if using captive portal.

maybe it checks for UPNP, and there is no UPNP in m0n0wall.

regards.

Mohammed Ismail
« Reply #3 on: August 25, 2010, 20:23:05 »
wpervaiz *
Posts: 5

i added rules to allow all traffic to and from the device, but under the 'firewall' logs it still shows that some traffic is being blocked.

see attached screenshot.

any ideas?

thanks!


* microcell2.PNG (5.25 KB, 576x47 - viewed 349 times.)
« Reply #4 on: August 26, 2010, 13:36:55 »
momothefox *
Posts: 49

Quote
The Internet Group Management Protocol (IGMP) is a communications protocol used to manage the membership of Internet Protocol multicast groups. IGMP is used by IP hosts and adjacent multicast routers to establish multicast group memberships.

do you have captive portal running on your LAN interface?

did you check the box in logs>settings>Log packets blocked by the default rule?
or how do you see packets being blocked.

please attach your m0n0wall setup.

or try to add an interface for the device, as DMZ and log all traffic going in and out.

regards

Mohammed Ismail
« Reply #5 on: August 26, 2010, 13:48:13 »
momothefox *
Posts: 49

did you see this topic? I guess we are missing something.

http://forum.m0n0.ch/index.php/topic,2199.15.html

regards

Mohammed Ismail
« Reply #6 on: August 26, 2010, 18:49:51 »
brushedmoss ****
Posts: 446

from the manual http://www.wireless.att.com/support_static_files/KB/svc/documents/1263477627291.UserManual_011310.pdf
Quote
Firewall Specifications
System Administrators (Business Customers): Installing the 3G MicroCell behind a firewall, or behind a router with firewall
capabilities, requires the following ports be opened to prevent the firewall from blocking communication with the network.
This type of installation is typically found in corporate environments.
123/UDP: NTP timing (NTP traffic)
443/TCP: Https over TLS/SSL for provisioning and management traffic
4500/UDP: IPSec NAT Traversal (for all signaling, data, voice traffic)
500/UDP: IPSec Phase 1 prior to NAT detection (after NAT detection, 4500/UDP is used)
4500/UDP: After NAT detection, 4500/UDP is used
« Last Edit: August 26, 2010, 18:53:27 by brushedmoss »
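
Added example (not part of the original thread, and not AT&T's or m0n0wall's code): one way to combine the "log all traffic" advice with the port list quoted above is to compare what the device actually sends, as text output from `tcpdump -n`, against the documented ports. The device address 192.168.2.20 and the sample lines are constructed, and the TCP/UDP detection is a heuristic based on tcpdump's summary text.

```python
import re
from collections import Counter

# (protocol, port) pairs the quoted 3G MicroCell manual says must be open.
DOCUMENTED = {("udp", 123), ("tcp", 443), ("udp", 500), ("udp", 4500)}

# `tcpdump -n` IPv4 line: "<time> IP <src> > <dst>: <summary>"
LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")
ADDR = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?$")

def classify(line, device_ip):
    """Return (proto, dst_port) for a packet sent by device_ip, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    src, dst, summary = ADDR.match(m.group(1)), ADDR.match(m.group(2)), m.group(3)
    if not src or not dst or src.group(1) != device_ip:
        return None
    if dst.group(2) is None:  # no port printed: IGMP, ICMP, ...
        return ((summary.split() or ["ip"])[0].rstrip(",:").lower(), None)
    # Heuristic: tcpdump prints "Flags [...]" only for TCP; treat the rest as UDP.
    return ("tcp" if summary.startswith("Flags [") else "udp", int(dst.group(2)))

def audit(lines, device_ip):
    """Split the device's outbound flows into documented, other and unseen."""
    seen = Counter(f for f in (classify(l, device_ip) for l in lines) if f)
    documented = {f: n for f, n in seen.items() if f in DOCUMENTED}
    other = {f: n for f, n in seen.items() if f not in DOCUMENTED}
    return documented, other, sorted(DOCUMENTED - set(seen))

# Constructed sample lines (not captured from a real MicroCell).
SAMPLE = """\
16:00:20.100000 IP 192.168.2.20.123 > 198.51.100.7.123: NTPv4, Client, length 48
16:00:20.200000 IP 192.168.2.20.49152 > 203.0.113.9.443: Flags [S], seq 1, win 5840, length 0
16:00:20.300000 IP 192.168.2.20.500 > 203.0.113.5.500: isakmp: phase 1 I ident
16:00:20.400000 IP 203.0.113.5.500 > 192.168.2.20.500: isakmp: phase 1 R ident
16:00:20.500000 IP 192.168.2.20 > 224.0.0.22: igmp v3 report, 1 group record(s)
16:00:20.600000 IP 192.168.2.20.53211 > 192.168.2.1.53: 4660+ A? example.invalid. (33)
""".splitlines()

if __name__ == "__main__":
    documented, other, unseen = audit(SAMPLE, "192.168.2.20")
    print("documented:", documented)
    print("not in manual:", other)
    print("documented but not seen:", unseen)
```

Flows reported as "not in manual" are the ones to check against the firewall's block log; a documented port that never appears (4500/UDP in the constructed sample) suggests the device is failing before it reaches that stage.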
« Reply #7 on: September 22, 2010, 15:36:20 »
wpervaiz *
Posts: 5

for some reason port 4500/UDP is listed twice in the manual... in any case, i opened up all the ports mentioned, but still no luck, the microcell just won't reach out to the internet. has anyone ever gotten this to work?
« Reply #8 on: September 22, 2010, 16:02:00 »
iridris ***
Posts: 145

Try using Advanced Outbound NAT.  Once you enable it, you'll need to create two rules.  One for your LAN subnet, and another one for the IP address of the microcell.  On the rule for the microcell, be sure to enable the 'No Portmap' option.

This is the configuration I used to get an Xbox to think there was no NAT, so it may work for the microcell as well.

Example:
Interface    Source             Destination    Target          Description
WAN          192.168.2.0/24     *              *               LAN
WAN          192.168.2.20/32    *              *(no portmap)   Xbox
 