[EXTERNAL] Re: Wifi Calling Firewall Holes to Punch

Fri Jul 17 21:37:35 UTC 2020

> It's been a minute since I've set this up in a corp/campus wifi scenario, but my notes for Verizon

> VoWiFi  from the last time I did say that you need outbound udp/500 and udp/4500 IPSec protocol
> (IKE and ESP) permitted out the firewall. Tunnel endpoints live in 141.207.0.0/16<http://141.207.0.0/16>, so hopefully that
> lets you scope the rule enough to please your ISO.

Alex, thanks for the netblock info. ISO's accepted an 'any' scoped to a destination of just this new network; I already land it via GRE on a separate zone from the rest of the campus network. They would, however like me to tighten it up as much as possible so the VZW netblock is a massive help. ?

John C. Lyden

Manager of Network Infrastructure, Infrastructure Services
Division of Information Resources & Technology

Rowan University
201 Mullica Hill Road, Glassboro, NJ 08028
rowan.edu/irt<http://rowan.edu/irt>

________________________________
From: Alex Buie <alexander.buie at datto.com>
Sent: Friday, July 17, 2020 12:59 PM
To: Lyden, John C
Cc: nanog at nanog.org
Subject: [EXTERNAL] Re: Wifi Calling Firewall Holes to Punch

It's been a minute since I've set this up in a corp/campus wifi scenario, but my notes for Verizon VoWiFi  from the last time I did say that you need outbound udp/500 and udp/4500 IPSec protocol (IKE and ESP) permitted out the firewall. Tunnel endpoints live in 141.207.0.0/16<http://141.207.0.0/16>, so hopefully that lets you scope the rule enough to please your ISO.

Devices will also need the ability to make an HTTPS request to https://spg.vzw.com/SSFGateway/e911Location/changeAddress

As well, DNS queries for the ePDG domain wo.vzwwo.com<http://wo.vzwwo.com> need to be permitted.

That _should_ be all you need to get it bootstrapped.

Alex

On Fri, Jul 17, 2020 at 12:39 PM Lyden, John C <lyden at rowan.edu<mailto:lyden at rowan.edu>> wrote:
Hey gang.

We're setting up a unified wireless network for the students here, and to get around the issues with Nintendo and NAT we devoted a large chunk of public IP space to them.

We're aware that this is causing issues with wifi calling on Verizon, TMo etc because it appears they initiate the SIP session inbound.

Does anybody have a handy list of IP blocks and ports? T-Mobile had a decent page but other providers just said "open up 4500 and 500" and our ISO guys don't like that.

Thanks if someone can help.

John C. Lyden
Manager of Network Infrastructure, Infrastructure Services
Division of Information Resources & Technology, Rowan University

--
Alex Buie
Associate Network Engineer
Datto, Inc.
475-288-4550 (o)
585-653-8779 (c)
www.datto.com<http://www.datto.com/>

[https://www.datto.com/img/marketo/ClickLearnDone_EmailSignature.jpg]<http://www.datto.com/support-sig/>

Join the conversation! [Facebook] <http://www.facebook.com/dattoinc>   [Twitter] <https://twitter.com/Datto>  [LinkedIn] <https://www.linkedin.com/company/5213385>   [Blog RSS] <http://blog.datto.com/blog>  [Slideshare] <http://www.slideshare.net/backupify>   [Spiceworks] <https://community.spiceworks.com/pages/datto>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200717/c701e85a/attachment.html>