I am trying to set up a SIP line via SIP/IP trunk ports on my Nortel BCM50 Rls 6 phone system on my network.
I have forwarded port 5060 in the Hitron to my BCM's IP address and am now getting hammered with bogus calls every 30 seconds where nobody is on the line.
I have not even registered/logged in with a SIP provider yet!
Is there some way to allow 5060 but only from a certain server, sipgate.co.uk in this case?
Residential Gateway is enabled
UPnP is enabled
While I am usually pretty good with the Nortel systems (well, until they discontinued them), I am not so familiar with the SIP end... I mostly have dealt with a digital PRI into them.
My wonder is if those are calls at all? Or are they something else just testing that port, but being picked up as calls obviously by the system?
Different modem, or even bridge mode, I don't think will MUCH help in this scenario, if it's something directed at your IP and that port specifically.
Well I get nobody on the line.
Caller ID Name and Number in monitor shows as example:
200 - 200 DNIS: 1197259232
200 - 200 DNIS: 0119725921
Soon as call gets answered by my mailbox (which no msg left, not even a blank one) I see on my display:
Currently trying to figure out Wireshark and filtering right now, seems to be loading so many entries... like 2000 in one minute, so it's too hard to pinpoint anything.
Well I loaded a softphone on my PC and works fine so I gather no issues with the router.
my 2 cents, just a couple things
With most firewalls you should be able to create a firewall policy that will block port activity excluding a certain IP/IP range. Unfortunately I do not believe the Hitron's firewall is that flexible, as you are now getting into the territory of a small business class router (QoS, firewall) or separate firewall (you can find used Linux-based firewalls for $20-$40 all over the place).
You shouldn't need to port forward with UPnP (I would recommend the opposite, disabling UPnP and using your manual port forwarding, as UPnP is usually exploited by virus activity to open ports).
I think the Hitron has an Awesome Wifi Broadcast (mine usually broadcasts -30db- -40db, which probably comes in at about 1watt but guessing) but when you are getting into the world of firewall exceptions, most would usually say bridge it and use a router with either more software or hardware options.
I am on board with the other posters, where I’m not sure if the firewall exception would resolve the issue. Set up some logging, find out where the traffic is coming from. Wireshark is VERY OVERWHELMING when you first start with it... I remember making the exact same comment when I started. AMAZINGLY, I had someone sit me down for half an hour and show me the ins and outs... there is a reason it is the standard. Don't worry about small data capture, use your filters, create custom filters; you can filter by SO MUCH: protocol/port/destination/exclusions.
I'm not saying this is happening but it’s something to be aware of. PBXs can be exploited if responding to port scans. The short of it: malicious activity hammers the port, usually looking for your VM, then using maintenance protos either sets up FFW or grabs a line to call out to make long distance calls. Does your SIP use TLS?
....now I’m just rambling, I hope this helps.
"I'm pretty sure someone legally changed my name ...Andrew FIX IT....that’s all i hear all day"
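Following the advice above to set up logging and find out where the traffic is coming from, this added example (not part of the thread) tallies SIP requests arriving on port 5060 by source and lists what each untrusted source tried to dial. The packets are constructed, reusing the caller ID and DNIS values from the monitor output earlier in the thread; the provider network is a placeholder and all function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Placeholder allowlist (RFC 5737 documentation range); use your provider's ranges.
PROVIDER_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def parse_sip(payload):
    """Return (method, request_uri, headers) for a SIP request, else None."""
    lines = payload.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None  # responses begin with "SIP/2.0"; anything else is noise
    pairs = (ln.partition(":") for ln in lines[1:])
    headers = {n.strip().lower(): v.strip() for n, sep, v in pairs if sep}
    return parts[0], parts[1], headers

def user_part(value):
    """User part of a SIP URI, e.g. '<sip:200@host>;tag=x' -> '200'."""
    _, found, rest = value.partition("sip:")
    return rest.split("@", 1)[0] if found and "@" in rest else ""

def is_trusted(src):
    return any(ipaddress.ip_address(src) in net for net in PROVIDER_NETS)

def summarize(packets):
    """Count requests per (source, method) and collect (from, dialled) per source."""
    counts, dialled = Counter(), {}
    for src, payload in packets:
        parsed = parse_sip(payload)
        if parsed is None or is_trusted(src):
            continue
        method, uri, headers = parsed
        counts[(src, method)] += 1
        if method == "INVITE":
            entry = (user_part(headers.get("from", "")), user_part(uri))
            dialled.setdefault(src, set()).add(entry)
    return counts, dialled

def msg(start_line, from_user="200"):
    return f"{start_line}\r\nFrom: <sip:{from_user}@198.51.100.10>;tag=x\r\n\r\n"

# Constructed sample of (source IP, UDP 5060 payload) pairs.
SAMPLE = [
    ("203.0.113.7", msg("INVITE sip:1197259232@198.51.100.10 SIP/2.0")),
    ("203.0.113.7", msg("INVITE sip:0119725921@198.51.100.10 SIP/2.0")),
    ("203.0.113.9", msg("OPTIONS sip:100@198.51.100.10 SIP/2.0", "100")),
    ("192.0.2.20", msg("INVITE sip:201@198.51.100.10 SIP/2.0", "provider")),
    ("203.0.113.7", "SIP/2.0 200 OK\r\n\r\n"),
]
```

Calling `summarize(SAMPLE)` returns the per-source counts and dialled numbers; with real traffic, feed it (source, payload) pairs exported from a capture filtered on UDP port 5060.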
Yes Hitron modems are not flexible.
I might just go Bridged Mode and get a Juniper Router.
I did disable UPnP, ports I had forwarded anyway.
Seems Wireshark is a chore to set it up to monitor another PC/Device on the network.
Does not look like TLS is supported by BCM.
But here is my update:
A SIP Polycom 670 telephone works fine just like the Softphone.
Sipgate finally got back to me and they don't support PBXs, only single SIP sets.
But here is their reply, of which I understand ZERO....
We see the unusual SIP Contact 44956 in the registration of X-Lite (which is my softphone)
and we see the reserved/restricted port 1024 in the registration data of the BCM gateway.
The port 1024 or multiples of it usually indicate a problematic router SIP ALG or SPI Firewall