I've been plowing through a lot of videos and manuals to try to get back to a working switch as there's something I clearly don't get.
Everything was working fine for years, then lightning caused the ISP connection to go down and it was not resolved in a timely manner, so I reconfigured the carrier so that I could go over wifi+hotspot and get any inbound calls directly on my SIP phone. Once that was resolved I configured the switch back to work as it used to do.
Except, ACL appeared to mess up both inbound and outbound.
ACL has always been simple, for example, deny all IPs by default then allow specific IPs. One entry for the providers default deny, and one allow for each specific GW IP/32. Then an rfc1918 default deny, allow my LAN subnet/24.
I had an ACL 'domain' entry as well but reading and watching various sources it seemed it was not needed. Now up to this point I had inbound working but once I removed domain that stopped, so I recreated it which is the same as providers, but still no in or outbound.
I've not been able to find anything from others that shows the content of those three ACL entries, but some said they got it working once they removed the ACL but that feels uncomfortable.
There were plenty of hack attempts so I decided to not continue with an open NAT to the switch (using pfSense), so I changed it to only NAT the two specific IPs of my carrier.
Removing the ACLs did not help. I added providers with default allow, but no change. Then rfc1918 and domain.
It should not be the carrier as the SIP call comes in but is rejected in the switch (sngrep).
I made no changes to any gateway or in/outbound routing, as the change was done with the carrier to allow my SIP phone to handle the traffic, which did not require changing the switch, making this really odd.
I have three outbounds which have 7, 10 and 11 digit dialing. No doubt it is something simple that I'm overlooking.
I added back providers, rfc1918.
Looking on my phone while trying to call out, the switch wants a 407 proxy authentication and ends up saying 503 unavailable, and the phone gives up.
On inbound calls the phone says 407 and the call is rejected.
Maybe one issue is with the phone (Yealink T48G) eh? This is where my changes were made, though all I did was add another account.
I can call extension to extension.
What I did on the phone was add another account to talk directly with the carrier and then disabled the account once done.
Now it was accepting inbound until I started altering the ACL so there may be dual issues.
I tried rebooting the switch. And I run reloadacl in the Execute Command window after every change.
I added rfc1918 with default allow and now I can call out! But not receive... Then changed to default deny. OK, here's the exact content of the ACL:
rfc1918 deny, allow <my subnet>/24
domain deny, allow <carrier GW 1>/32, allow <carrier GW 2>/32
providers deny, allow <carrier GW 1>/32, allow <carrier GW 2>/32
I had this config before but did not work in or outbound. Hmm. (And I do run Command reloadacl between each ACL change to be sure.)
The only thing that is different is the sequence that Access Control lists the entries. I now have domain, providers and rfc1918 in that sequence.
What the <bleep> is going on!?
On outbound the log says:
... receiving invite from <carrier>:5060
... Rejected by acl "domains". Falling back to Digest auth.
Then abandons the call.
OK, there it is. I used domain but it should have been domains.
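Added example, not code from the original post: a small evaluator that reproduces the post's diagnosis with a FreeSWITCH-style ACL model (default allow/deny plus ordered CIDR nodes, and a lookup of an ACL name that does not exist is treated as a rejection, which is what the "Rejected by acl "domains"" log line shows). The ACL table, the subnet and the gateway addresses are constructed stand-ins for the poster's real values, and the FreeSWITCH-style semantics are an assumption drawn from the reloadacl command and the log wording.

```python
"""Toy evaluator for FreeSWITCH-style ACLs (assumed semantics: default
allow/deny, CIDR nodes checked in order, first match wins; a lookup of an
undefined ACL name is a rejection). Sample data is constructed."""
import difflib
import ipaddress

# Constructed sample mirroring the post: three lists, all default deny.
# The list is defined as "domain", but the SIP profile looks up "domains".
ACLS = {
    "rfc1918":   {"default": "deny", "nodes": [("allow", "192.168.10.0/24")]},
    "domain":    {"default": "deny", "nodes": [("allow", "203.0.113.10/32"),
                                               ("allow", "203.0.113.11/32")]},
    "providers": {"default": "deny", "nodes": [("allow", "203.0.113.10/32"),
                                               ("allow", "203.0.113.11/32")]},
}


def check_acl(acls, name, ip):
    """Return (decision, reason) for source address `ip` against ACL `name`.
    An undefined ACL name never allows anything; the reason suggests the
    closest defined name so a typo like domain/domains is easy to spot."""
    acl = acls.get(name)
    if acl is None:
        near = difflib.get_close_matches(name, list(acls), n=1)
        hint = f' (closest defined name: "{near[0]}")' if near else ""
        return "deny", f'acl "{name}" is not defined{hint}'
    addr = ipaddress.ip_address(ip)
    for action, cidr in acl["nodes"]:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return action, f"matched node {action} {cidr}"
    return acl["default"], f"no node matched, default {acl['default']}"


def rename_acl(acls, old, new):
    """Return a copy of the ACL table with one list renamed (the fix in the post)."""
    fixed = dict(acls)
    fixed[new] = fixed.pop(old)
    return fixed


if __name__ == "__main__":
    fixed = rename_acl(ACLS, "domain", "domains")
    for src in ("203.0.113.10", "198.51.100.7", "192.168.10.5"):
        print(src, "before:", check_acl(ACLS, "domains", src))   # always deny
        print(src, "after: ", check_acl(fixed, "domains", src))  # carrier GW allowed
```

Running it shows the carrier gateway rejected before the rename regardless of the node list, and allowed only after the ACL name matches what the profile references.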