Topic: Port forwarding / Check open ports

[Skip555]

I'm having problems in two locations coming in behind  a  Firewall . I have asked the IT guys to set up port forwarding for me .  I cant connect . when I run online port checker tools I get "port closed " .  They tell me the ports are open . 

I'm assuming i wont be able to connect unless the ports are open . Any suggestions on a better way to test ?

here are the  online checkers I'm using :

https://www.portcheckers.com/

https://www.yougetsignal.com/tools/open-ports/

[Skip555]

I just heard back from the IT guy at one of the sites and he says the sonic wall wont show the port as open . He gave me alternate IP address for the phone system to bypass sonic so off to drive 3 hours and try it .

still waitng to hear from other IT guy

[MacGyver]

Hey Skip,

Sorry for the delay.  I just saw this.  It sounds like you have an I.T. idiot who thinks he understands I.T., but doesn't understand that Sonicwall is a different animal.  Port forwarding works very well on Sonicwall, but there is more to it than just setting up the service.  Once it's working, he needs to restrict it to a white listed IP as well.

If it's still not working to your satisfaction, tell him to use the Wizard.  Yes, I know all of us hate wizards, but for setting up this particular thing on a SW, it actually is the best way to do it because there are other moving parts in play.

[Keighlar]

Trace is the only person I trust to properly set up a SW for voice services.   

[MacGyver]

Trace is the only person I trust to properly set up a SW for voice services.   

   Stacey was made to believe that Sonicwalls could not be used for phone systems.  The first time I ever set one up on a system she was programming she was silently waiting to give me a, "See, I knew it..."  I didn't realize that until I had it ready to go, but I secure them down and I hadn't white listed her IP yet.  When she couldn't hit the cabinet she let the first syllable or two slip before I said, "Oh, crap.  I need to give you privileges."  Then she had to swallow those first few syllables back when I proved she could hit the cabinet. 

It almost happened a second time when I set voice to pass to the IP phones, but as we all know, Stacey doesn't like to be wrong so she held back that time.   

[Skip555]

Thanks , Trace .

on one site we are trying to allow someone to come  in remotely to the Maintenance port on a Panasonic TDA 50 and upgrade the software on the Cell stations so they can work with newer Handsets .  IT guy had me change the address on the TDA to the public address , that didnt work (I couldn't see how it was supposed to ).  the programmer suggested a VPN , IT guy has set one up and I've forwarded the info to the program guy so hopefully that will get that one done .

Second site is a NEC1100 Where I'm trying to set up 4 VOIP phones at a remote site . When I try to connect here at the office I get "no SIP server found . I talked to NTAC last week , I sent them my data base and they said it was all OK . I emailed their  IT Guy  wed but haven't heard back  I'm going to give him a call shortly .  Honestly there isn't  that much programming on the NEC side and I've been though it a half dozen or so times .

they aren't using sonic-wall on this one its a "firebox" 

[MacGyver]

Thanks , Trace .

on one site we are trying to allow someone to come  in remotely to the Maintenance port on a Panasonic TDA 50 and upgrade the software on the Cell stations so they can work with newer Handsets .  IT guy had me change the address on the TDA to the public address , that didnt work (I couldn't see how it was supposed to ).  the programmer suggested a VPN , IT guy has set one up and I've forwarded the info to the program guy so hopefully that will get that one done .

Second site is a NEC1100 Where I'm trying to set up 4 VOIP phones at a remote site . When I try to connect here at the office I get "no SIP server found . I talked to NTAC last week , I sent them my data base and they said it was all OK . I emailed their  IT Guy  wed but haven't heard back  I'm going to give him a call shortly .  Honestly there isn't  that much programming on the NEC side and I've been though it a half dozen or so times .

they aren't using sonic-wall on this one its a "firebox"

Hey Skip,

I may have misunderstood what you said.  If so I apologize, but from what I'm hearing, no, I can't see how that would work either unless the IT guy is moving the Panasonic to the front just long enough for the upgrades.  Normally the Panasonic would get the private address, it would be programmed over port xxxx, and the Sonicwall would take any traffic to the public IP address over that port, X.X.X.X:xxxx and forward it to the private address, but you already know all of that.  It sounds like this guy needs to use the wizard.  I think it's called a web server wizard, not port forward.  THEN he wants to either turn off the rule when you're done, or restrict that rule to a white list!

As for the SL1100, I personally don't normally like to run the remote IP phones over the VPN.  It's just one more thing that can break, and it requires encrypting the traffic so it adds to the overhead.  Additionally, I like to make it so that the person can take the IP phone with them and use it at a random location.  VPN prohibits that.  Again though, I do restrict the IPs to a given white list so it's not open for other people to use.  With a SW you can't set up a VPN between two locations unless both are running SW, or you're using a VPN client on a computer.  It's been decades since I used Firebox, so I'd be weak there.  However, I'll add a few things that might be of use in case they apply to the Firebox as well.

On SW the IP phone will work fine when you first set it up and then later it'll lose its registration.  You'll get signal, but no audio.  I go in and expand the UDP Connection Timeout to 120.  On the SW there is also a Global UDP setting under Flood Protection.  I don't change that one as it can cause overhead issues.  That's half the equation.  The other half is to go into the SL under 15-05-47 & 48 and lower the time from 180 to 60.

Also, I know NEC has looked at your DB, but if you're getting signaling, but no audio, make sure that 10-12-07 has the public IP of the location where the cabinet resides, and the private address of the DB is in 10-12-09. 

I hope this helps.

[Skip555]

Trace

I'm not being clear.  On the Panasonic I asked for port 35300 (the port Panasonic uses for programming) be forwarded to the LAN address that was assigned to the system 192.168.1.93 I can connect onsite accross the LAN just not remotely . He kept telling me it was setup but we couldn't connect so he set up the VPN for this one time connect / upgrade .

On the SL1100 I'm setting it up using NAPT per the NEC guide when I try to connect I get "connecting ...connecting ..connecting ..then SIP sever not found . Which tells me phone isn't getting to the SL1100 , So Port
forwarding isn't set up  correctly or the firewall is blocking it  .

[MacGyver]

Hey Skip,

Sorry if I misunderstood.  Yes, if you're connecting to the Panasoonic on the LAN, but not outside then he didn't set up the forwarding correctly.

On the SL, I'm assuming you have the public IP for the SL site programmed in the IP phone.  If so, it's likley knocking on the door, but not getting transferred.  Perhaps they don't have the voice and signal ports forwarded to the cabinet.  As I said before, you'll also see that error, however, if the WAN IP of the Cabinet VOIPDB is not programmed in the cabinet where I mentioned.

Sorry for the short bursts.  I'm trying to check in between appointments. 

[Skip555]

Sounds like the VPN is going to work on the Panasonic.


NEC has a nice video on setting up Remote NAPT IP phones , it walks you through the steps for both the system and the phone  I've gone through it step by step and I have everything programmed correctly . I talked to NTAC last week and sent him a copy of the database and he confirmed the programming was correct
 I'm waiting to here back from the IT guy to confirm port forwarding .
 
I would like to have a way to test the port forwarding other than seeing a a phone works .

[MacGyver]

Does the I.T. guy have UDP 5080-5081 and UDP 10020-10083 forwarded to the SL1100?

[Skip555]

Does the I.T. guy have UDP 5080-5081 and UDP 10020-10083 forwarded to the SL1100?

Trace, thats the question I'm trying to get  answered I've sent him at least three emails over the last couple of weeks  telling him what I need along with a screenshot of the NEC doc page showing it .

here's the email I sent last wed , so far no response

"HI David

The  IP phones are not able to connect remotely. NEC looked at the database and confirmed the programming is correct  We need Port forwarding set on the main office side  not the annex side .
Forwarding  as follows :

Ports 5080- 5081 , UDP  to192.168.1.250
Ports 1020 - 1083 , UDP  to  192.168.1.251

Is the public IP 107.144.94.206 ?

Thanks "

[MacGyver]

Ports 1020 - 1083 , UDP  to  192.168.1.251

Hey Skip,

That was probably just a fat finger, but it's 10020-10083.  That said, if you're getting SIP Server Not Found then that's on the 5080-5081.  Stacey brought up a good question since this IT guy doesn't seem to be the sharpest knife in the drawer.  Are you sure the incoming ISP device is in bridge mode and they're not doulbe NAT'ed?

[Skip555]

IT guy picked up on that Trace .

In my previous email I was asking for clarification on the port numbers that were highlighted. For example you had 10020 in one email and 1020 in another.  Now in the attachment you sent is specifies 10020 – 10083

 

I’ve redone the firewalls again with 10020-10083 UDP open to .251 and 5080-5081 open to .250

 

so he opened the ports but don't then need to be forwarded too?  Or is that another way of saying forwarded ?

Either way I'm getting the same result connecting ...connecting...connecting...SIP Sever  not found ..

I cant ping the Public IP and running the port checker tool gives me port closed on 5080, port closed on 10020

It is  a new VOIP card , I guess I should go by tomorrow and confirm that I can connect with IP phone locally . I would think the card is OK. since I can connect and program  via Ethernet   I was in the area coming home last night so I stopped by and did a reset just to be sure

[MacGyver]

so he opened the ports but don't then need to be forwarded too?  Or is that another way of saying forwarded ?

No, just because a port is open doesn't mean it's forwarded.  Stacey and I actually had that conversation earlier today on this thread.  I wondered if a port was opened if that would be enough since the IP phone is communicating with the cabinet, but neither of us have ever tried it that way.  I don't think it would work because the initial signal from the IP phone on 5080 would have no way to get to the cabinet without that port forward.  It sounds like one step at a time you're getting this guy there.

I would still make sure the he expressly states that the initial internet modem/device is in bridge mode.  Otherwise you're not going to get there without additional programming.

[TexasTechnician]

I'm by no means experienced with Sonic Walls and I considered myself lucky every time I muddled through and got something to work for me on one but I think Trace is correct that the ports must be forwarded before it will work.

It's been a while but I think there were a couple of questions about that very subject when I took the online certification course for the SL2100.

[Skip555]

SL1100 is up and working . IT guy got the programming set , I went in this morning and all four phones came up  I made a few test calls and voice quality is good .

VPN is working on the Panasonic so we should be able to get the cell stations upgraded

Thanks , Trace ,Bobby and Stacy  It's nice to have a place to discuss issues like this .

[MacGyver]

Anytime, Skip.  Glad you got the I.T. guy trained and all is working.  Thanks for the update.