nanog mailing list archives

Re: Wifi Calling Firewall Holes to Punch


From: Josh Luthman <josh () imaginenetworksllc com>
Date: Fri, 17 Jul 2020 16:09:42 -0400

I do dozens of VZW WiFi calls a day.  My phone is behind NAT, no problem.

It's probably 50/50 where the call starts on WiFi vs switches to WiFi after
~3 seconds from the poor VZW signal.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


On Fri, Jul 17, 2020 at 12:59 PM Alex Buie via NANOG <nanog () nanog org>
wrote:

It's been a minute since I've set this up in a corp/campus wifi scenario,
but my notes for Verizon VoWiFi from the last time I did say that you need
outbound udp/500 and udp/4500 IPSec protocol (IKE and ESP) permitted out
the firewall. Tunnel endpoints live in 141.207.0.0/16, so hopefully that
lets you scope the rule enough to please your ISO.

Devices will also need the ability to make an HTTPS request to
https://spg.vzw.com/SSFGateway/e911Location/changeAddress

As well, DNS queries for the ePDG domain wo.vzwwo.com need to be
permitted.

That _should_ be all you need to get it bootstrapped.

Alex

On Fri, Jul 17, 2020 at 12:39 PM Lyden, John C <lyden () rowan edu> wrote:

Hey gang.

We’re setting up a unified wireless network for the students here, and to
get around the issues with Nintendo and NAT we devoted a large chunk of
public IP space to them.

We’re aware that this is causing issues with wifi calling on Verizon, TMo
etc because it appears they initiate the SIP session inbound.

Does anybody have a handy list of IP blocks and ports? T-Mobile had a
decent page but other providers just said “open up 4500 and 500” and our
ISO guys don’t like that.

Thanks if someone can help.

John C. Lyden
Manager of Network Infrastructure, Infrastructure Services
Division of Information Resources & Technology, Rowan University

--
*Alex Buie*
Associate Network Engineer
Datto, Inc.
475-288-4550 (o)
585-653-8779 (c)
www.datto.com
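
Added example, not part of the thread: a Python check that replays flow records against the scoped rule from the notes above (udp/500, udp/4500 and ESP toward 141.207.0.0/16) and lists the flows that a blanket "open up 4500 and 500" rule would pass but the scoped rule would drop. The record format, function names and sample flows are assumptions constructed for illustration.

```python
import ipaddress

# Values from the notes quoted in the thread (Verizon only); they are one
# engineer's notes, so confirm them against your own flow logs.
EPDG_NET = ipaddress.ip_network("141.207.0.0/16")
IKE_PORTS = {500, 4500}  # IKE and NAT-T (ESP encapsulated in UDP)

def broad_allows(proto, dport=None):
    """The 'open up 4500 and 500' rule: right protocols, any destination."""
    return proto == "esp" or (proto == "udp" and dport in IKE_PORTS)

def scoped_allows(proto, dst, dport=None):
    """Same protocols, but only toward the tunnel endpoint range."""
    return broad_allows(proto, dport) and ipaddress.ip_address(dst) in EPDG_NET

def parse(line):
    """Assumed record format: 'src dst proto dport', with '-' for no port."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError(f"unexpected flow record: {line!r}")
    src, dst, proto, dport = fields
    return src, dst, proto.lower(), None if dport == "-" else int(dport)

def audit(lines):
    """Return flows the broad rule passes but the scoped rule would drop."""
    gap = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        src, dst, proto, dport = parse(line)
        if broad_allows(proto, dport) and not scoped_allows(proto, dst, dport):
            gap.append((src, dst, proto, dport))
    return gap

# Constructed sample flows; only the /16 comes from the thread.
SAMPLE = """\
198.51.100.23 141.207.10.5 udp 500
198.51.100.23 141.207.10.5 udp 4500
198.51.100.40 203.0.113.77 udp 4500
198.51.100.41 141.207.200.9 esp -
198.51.100.42 203.0.113.80 esp -
198.51.100.23 141.207.10.5 tcp 443
""".splitlines()

if __name__ == "__main__":
    for flow in audit(SAMPLE):
        print("passes broad rule, dropped by scoped rule:", flow)
```

Run against real flow logs before tightening the rule: anything `audit` returns is IKE/ESP traffic to a destination outside the range in the notes, which covers Verizon only.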


