
DMZ Only Works When Allowed to/from Any

Hi,

We're having phone issues and the phone-co suggested putting one on a DMZ just to make sure it's not an issue with our UTM blocking something (I'm 99.99% sure it isn't .. nothing being blocked from our phone LAN in the logs, but I need to humor them). Anyway, I set up an interface and network with these rules:

DROP ANY "DMZ LAN" --> "data LAN","voice LAN","VPNs"

ALLOW ANY "DMZ LAN" --> Internet

ALLOW ANY Internet --> "DMZ LAN"

The phone got an IP address but not a connection to the VOIP servers (which are out on the internet).

So, I changed the second two rules to:

DROP ANY "DMZ LAN" --> "data LAN","voice LAN","VPNs"

ALLOW ANY "DMZ LAN" --> ANY

ALLOW ANY ANY --> "DMZ LAN"

(Since the DROP ANY rule is first, I assume it's keeping my networks safe from the DMZ)

Now it works.

But I don't know what it needs to talk to besides the internet to access something on the internet. At first I thought maybe it needed to have explicit access to the UTM, but it must've seen it, since it did get an IP address with the first configuration. Can anyone explain why rules to/from the internet weren't enough?

Thanks,

Jeff

  • Hello.

    Well - could you describe what your "phone issues" are?

    Regarding your rules: I prefer not to use ANY as targets. So my advice would be

    ALLOW ANY "DMZ" --> InternetIPv4/InternetIPv6 (or a group for those two).

    But I think we should first understand your problem regarding "phone issues" in detail.


    Sophos Gold Partner
    4TISO GmbH, Germany
    If a post solves your question click the 'Verify Answer' link.
  • Hi,

    Phones are Mitel 6768i. Intermittently, one person on the call cannot hear the other. Usually after a few seconds or maybe a couple of minutes. The call is clear and fine until then. The problem doesn't clear up until they disconnect and call back; then it's usually fine. No phone IPs' traffic is being dropped. Phone servers are not being dropped. At least, they're not showing in the firewall log if they are. I've looked at everything from my switches (Netgear GS752TPv2 ... worked fine with our old phone system) to the handsets themselves (tried switching them out until the issue happened to me while I was on speakerphone). Happens with internal and external calls; sometimes the caller's voice goes dead, sometimes the receiver's. Sometimes a couple of people per day have it happen, sometimes none. Very sporadic. If you/anyone have a fix for THAT I'd obviously also be grateful.

    Doesn't the "internet" object already include everything on the internet regardless of whether it's v4 or v6?

    Thanks!

    Jeff

  • Hi Jeff.

    One more question: with your new DMZ configuration, has the problem with hearing each other disappeared?

    With voice call problems we normally look at:

    1. Are UDP conntrack timeouts properly set if used by SIP

    2. Is somehow DoS or IDS involved

    3. Is ALG-Helper

    And more.

    But if the problem is completely gone with the DMZ configuration, we should find out what the difference in configuration between the networks is.

    Regarding the "Internet" object - I don't know this. But there is a difference between the "ANY" object and "Internet IPv4". If your "Internet" object is a group containing those standard objects "Internet IPv4" and "Internet IPv6" I would use this for rules from DMZ to Internet instead of "ANY".


    Sophos Gold Partner
    4TISO GmbH, Germany
  • Only time will tell if the problem goes away. It's very intermittent. Most people have not had the issue, and those who have, have had it multiple times. But it's only once or twice per day total (among several people), not enough info to know for sure if the problem is with THOSE phones or if it's just happenstance that some people have avoided the problem so far.

    I've never done anything with UDP Conntrack timeouts (or even know where to see/set them in a UTM).

    I have all the phone company's IP addresses added as DoS/Intrusion Protection exceptions.

    Not sure what ALG-Helper is, but I have SIP enabled (not H.323).

    Thanks for the info on IPv4 and IPv6. Still don't understand why, but enabling those explicitly instead of just "internet" worked, so ANY is no longer used.

    Thanks so much!

    Jeff

  • By ALG-Helper I mean the SIP-Helper, i.e. SIP in Sophos.

    Some phone applications do not work well with Sophos SIP in UTM, i.e. using SIP phones with the SIP-Helper in Sophos.

    According to your description it looks like you have a cloud PBX. So you could need the following information from your PBX provider:

    1. IPs and port for the SIP protocol. This is the needed outgoing traffic.

    2. RTP ports and IPs used by the PBX. RTP is where the communication (sound) is transported. As it is normally a bigger port range, you need to allow incoming traffic from the IPs (not any) used by your cloud PBX.

    But these are only some basic points. It really depends on your cloud PBX provider, and they should be able to give you the information.


    Sophos Gold Partner
    4TISO GmbH, Germany
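    As an added illustration (not code from any poster in this thread, nor from Sophos), this models two points raised above: first-match rule ordering, where the DROP toward the internal networks sits ahead of a broad ALLOW, and narrowing the inbound rule from ANY to the PBX provider's addresses on the SIP and RTP ports. All networks, PBX addresses and port ranges are constructed placeholders, and the evaluator is a simplified stand-in for the UTM's rule processing.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed networks standing in for the thread's network objects.
DMZ_LAN   = ipaddress.ip_network("10.30.0.0/24")
DATA_LAN  = ipaddress.ip_network("10.10.0.0/24")
VOICE_LAN = ipaddress.ip_network("10.20.0.0/24")
VPNS      = ipaddress.ip_network("10.200.0.0/16")
ANY       = ipaddress.ip_network("0.0.0.0/0")
# Hypothetical cloud PBX hosts, as the provider would supply them.
PBX_HOSTS = [ipaddress.ip_network("203.0.113.10/32"),
             ipaddress.ip_network("203.0.113.11/32")]

@dataclass
class Rule:
    action: str                    # "ALLOW" or "DROP"
    src: list                      # list of ip_network objects
    dst: list
    proto: Optional[str] = None    # None = any protocol
    ports: Optional[range] = None  # None = any destination port

# Ordered as in the thread: the DROP toward internal nets comes first, so the
# later broad ALLOW cannot reach them. Inbound is limited to the PBX hosts on
# constructed SIP/RTP ranges instead of ANY -> DMZ.
RULES = [
    Rule("DROP",  [DMZ_LAN], [DATA_LAN, VOICE_LAN, VPNS]),
    Rule("ALLOW", [DMZ_LAN], [ANY]),                                # DMZ -> Internet
    Rule("ALLOW", PBX_HOSTS, [DMZ_LAN], "udp", range(5060, 5061)),  # SIP signaling
    Rule("ALLOW", PBX_HOSTS, [DMZ_LAN], "udp", range(10000, 20001)),  # RTP media
]

def _in(addr, nets):
    return any(addr in n for n in nets)

def evaluate(src: str, dst: str, proto: str = "udp", dport: int = 0) -> str:
    """First matching rule wins; anything unmatched falls to the implicit DROP."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in RULES:
        if not (_in(s, r.src) and _in(d, r.dst)):
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.ports is not None and dport not in r.ports:
            continue
        return r.action
    return "DROP"
```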
  • Agreed with ThomW, Jeff - probably an incompatibility with the SIP helper that you could only resolve by disabling the helper and adding firewall rules. Also, as he said, you should first look in the Intrusion Prevention log to see if there are related Anti UDP Flooding blocks. This is covered in #1 in Rulz (last updated 2021-02-16).

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA