Wifi Calling Firewall Holes to Punch

Josh Luthman josh at imaginenetworksllc.com
Fri Jul 17 20:09:42 UTC 2020


I do dozens of VZW WiFi calls a day.  My phone is behind NAT, no problem.

It's probably 50/50 where the call starts on WiFi vs switches to WiFi after
~3 seconds from the poor VZW signal.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


On Fri, Jul 17, 2020 at 12:59 PM Alex Buie via NANOG <nanog at nanog.org>
wrote:

> It's been a minute since I've set this up in a corp/campus wifi scenario,
> but my notes for Verizon VoWiFi from the last time I did say that you need
> outbound udp/500 and udp/4500 IPSec protocol (IKE and ESP) permitted out
> the firewall. Tunnel endpoints live in 141.207.0.0/16, so hopefully that
> lets you scope the rule enough to please your ISO.
>
> Devices will also need the ability to make an HTTPS request to
> https://spg.vzw.com/SSFGateway/e911Location/changeAddress
>
> As well, DNS queries for the ePDG domain wo.vzwwo.com need to be
> permitted.
>
> That _should_ be all you need to get it bootstrapped.
>
> Alex
>
> On Fri, Jul 17, 2020 at 12:39 PM Lyden, John C <lyden at rowan.edu> wrote:
>
>> Hey gang.
>>
>> We’re setting up a unified wireless network for the students here, and to
>> get around the issues with Nintendo and NAT we devoted a large chunk of
>> public IP space to them.
>>
>> We’re aware that this is causing issues with wifi calling on Verizon, TMo
>> etc because it appears they initiate the SIP session inbound.
>>
>> Does anybody have a handy list of IP blocks and ports? T-Mobile had a
>> decent page but other providers just said “open up 4500 and 500” and our
>> ISO guys don’t like that.
>>
>> Thanks if someone can help.
>>
>> John C. Lyden
>> Manager of Network Infrastructure, Infrastructure Services
>> Division of Information Resources & Technology, Rowan University
>>
>
>
> --
> *Alex Buie*
> Associate Network Engineer
> Datto, Inc.
> 475-288-4550 (o)
> 585-653-8779 (c)
> www.datto.com
>
> <http://www.datto.com/support-sig/>
>
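
The scoping described in the quoted reply, written out as an nftables forward-chain ruleset. This is an added example, not part of the thread: nftables on the campus edge is an assumption, and the student block, resolver and spg.vzw.com addresses are documentation-range placeholders to replace with real values.

```nftables
#!/usr/sbin/nft -f
# Added example. Only 141.207.0.0/16, the ports, spg.vzw.com and wo.vzwwo.com
# come from the thread; every other address below is a placeholder.

table inet vowifi {
    set student_wlan {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24 }   # placeholder: public student block
    }

    set vzw_epdg {
        type ipv4_addr
        flags interval
        elements = { 141.207.0.0/16 }    # tunnel endpoints named in the reply
    }

    set vzw_spg {
        type ipv4_addr
        elements = { 192.0.2.10 }        # placeholder: resolve spg.vzw.com and keep current
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to flows the handsets opened; nothing unsolicited inbound
        ct state established,related accept
        ct state invalid drop

        # Broad form the ISO objected to, kept only for contrast:
        #   udp dport { 500, 4500 } accept

        # IKE (udp/500) and NAT-T (udp/4500), limited to the ePDG range
        ip saddr @student_wlan ip daddr @vzw_epdg udp dport { 500, 4500 } accept

        # Native ESP (IP protocol 50), which may be used when no NAT is in the path
        ip saddr @student_wlan ip daddr @vzw_epdg ip protocol esp accept

        # E911 address update over HTTPS to spg.vzw.com
        ip saddr @student_wlan ip daddr @vzw_spg tcp dport 443 accept

        # DNS to the campus resolver (placeholder address), which must be
        # allowed to resolve wo.vzwwo.com
        ip saddr @student_wlan ip daddr 192.0.2.53 meta l4proto { tcp, udp } th dport 53 accept
    }
}
```

The ruleset can be syntax-checked without loading it by running `nft -c -f` on the file.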