Hello all,
A little background first before I pose the question/issue. We are currently running a number of different cable modem models using a "catch-all" cm file. The modem models currently deployed on our network are Arris models: DG860, DG2470A, DG3260A, DG3270A, TM3402A, and TG3452A. The modems are set to provisioned mode DOCSIS only, as the built-in telephony adapter is not utilized on our network yet. We are using standalone Cisco/Linksys SPA122 or SPA-2102 units, which connect to our SIP/Metaswitch environment.
Now, the task at hand that has come down from above is to create a config which will allow voice-only service. I created a basic config file in PacketACE using the docsDevFilterLLC and docsDevFilterIp MIBs to accept/deny traffic. The issue I am running into is that the filter seems to work too well, and it is not allowing anything to reach out and resolve via DNS. The ATA just gets the IP and sits there, not able to contact our Metaswitch comm portal for registration. If I place a device behind the modem/ATA and ping out to an IP that is pingable, it will go fine. If I open a webpage instance using the IP address:80 of the comm portal site, it brings me right to it.
Is anyone able to take a look at this and see if I am just screwing something simple up, or am I not even on the right path? The test config I have been using is dumped here as text (with IP info omitted).
//start of test config
NetworkAccess = 1
ManufacturerCVC = hexstr: 30.82.03.9E.30.82.02.86.A0.03.02.01.02.02.10.68.B4.F0.FA.04.0A.58.B7.CB.7D.75.00.5A.10.A1.C7.30.0D.06.09.2A.86.48.86.F7.0D.01.01.05.05.00.30.81.97.31.0B.30.09.06.03.55.04.06.13.02.55.53.31.39.30.37.06.03.55.04.0A.13.30.44.61.74.61.20.4F.76.65.72.20.43.61.62.6C.65.20.53.65.72.76.69.63.65.20.49.6E.74.65.72.66.61.63.65.20.53.70.65.63.69.66.69.63.61.74.69.6F.6E.73.31.15.30.13.06.03.55.04.0B.13.0C.43.61.62.6C.65.20.4D.6F.64.65.6D.73.31.36.30.34.06.03.55.04.03.13.2D.44.4F.43.53.49.53.20.43.61.62.6C.65.20.4D.6F.64.65.6D.20.52.6F.6F.74.20.43.65.72.74.69.66.69.63.61.74.65.20.41.75.74.68.6F.72.69.74.79.30.1E.17.0D.31.33.30.39.32.34.30.30.30.30.30.30.5A.17.0D.32.33.30.39.32.33.32.33.35.39.35.39.5A.30.62.31.0B.30.09.06.03.55.04.06.13.02.55.53.31.1A.30.18.06.03.55.04.0A.13.11.41.52.52.49.53.20.47.72.6F.75.70.2C.20.49.6E.63.2E.31.0F.30.0D.06.03.55.04.0B.13.06.44.4F.43.53.49.53.31.26.30.24.06.03.55.04.03.13.1D.43.6F.64.65.20.56.65.72.69.66.69.63.61.74.69.6F.6E.20.43.65.72.74.69.66.69.63.61.74.65.30.82.01.22.30.0D.06.09.2A.86.48.86.F7.0D.01.01.01.05.00.03.82.01.0F.00.30.82.01.0A.02.82.01.01.00.C2.3A.69.6A.7C.70.35.3C.1D.AA.54.2C.AF.2D.0D.AF.EC.4F.56.CF.5B.1B.C7.F3.9B.19.1E.36.EC.D5.76.52.29.64.69.08.B1.58.97.48.E4.9A.90.6D.9A.B4.67.21.7A.0F.11.DA.6F.13.14.36.DA.A3.57.66.3D.B7.51.0F.B1.D6.42.77.54.F6.28.F8.D1.5B.CB.B4.F5.34.66.19.34.F7.83.FC.07.9C.56.27.C2.6F.AC.C8.A5.CD.A4.6C.36.83.60.C2.70.42.6F.A0.E1.0D.4B.68.75.BE.54.B0.CF.7D.04.EF.13.9F.7B.AD.9C.54.18.49.2E.8E.71.20.81.13.F3.B4.C3.5B.A5.CA.68.94.B9.7B.9C.16.CF.C8.B0.1C.5D.3D.84.47.11.52.57.87.77.0F.3D.DF.ED.59.0A.A2.76.4A.65.BA.90.51.96.D5.4F.1B.64.38.F0.AA.5D.6E.80.30.9B.9E.40.A7.00.4E.84.D0.0D.01.EB.19.D5.6F.A8.3D.BE.9B.C7.E4.53.67.19.91.07.02.66.C4.C3.A4.52.52.20.60.D4.AD.EE.4B.E9.F6.D7.DC.ED.96.52.89.EB.3F.7C.BF.53.56.54.7C.82.40.38.DF.A2.07.E6.40.C5.EB.A3.BE.B0.25.53.FC.9F.2E.2C.79.FC.B5.02.03.01.00.01.A3.1A.30.18.30.16.06.03.55.1D.25.01.01.FF.04.0C.30.0A.06.08.2B.06.01.05.05.07.03.03.30.0D.06.09.
2A.86.48.86.F7.0D.01.01.05.05.00.03.82.01.01.00.82.59.07.D3.F6.3A.DA.C1.D2.91.EB.0F.81.21.84.2F.12.1D.15.3D.92.3C.AB.C0.17.F5.BF.DF.7A.B5.F3.FF.19.01.DA.87.00.B9.CD.28.F4.47.D9.30.1B.AF.21.4F.68.84.27.6D.EB.03.E5.DC.A9.34.FB.C1.67.0E.B1.88.41.FE.1C.33.33.94.32.55.8F.82.67.70.54.60.F3.E1.AB.5A.F5.14.A8.E3.1C.64.A2.C8.9F.32.8E.A0.B3.BF.2F.67.E8.A6.D1.D1.C8.4E.52.3D.E9.B5.7C.F1.D5.96.9A.FB.65.23.08.B4.DF.8F.97.08.5E.FF.19.8C.1D.4F.66.9A.3E.D5.3A.63.34.66.AF.E9.8D.4B.A6.D9.EF.AC.D9.BB.48.42.ED.0A.A8.F3.0A.96.60.2E.6C.D7.32.D2.26.C7.5F.98.14.D1.3F.AD.96.22.C2.13.E5.A4.91.C4.02.44.39.50.DB.79.72.AE.35.47.D9.62.3B.18.F4.F2.2D.E1.DB.79.4B.E2.B1.34.B9.D4.48.77.CA.EF.34.43.29.D4.06.33.FD.9B.8E.42.E0.60.7B.DC.42.06.BA.8C.38.0F.DA.D2.6D.A0.E5.21.3E.3C.68.D9.18.0F.9D.EF.E8.EC.20.83.16.54.24.38.DA.DB.56.76.DB.D6.97.55
SnmpMib = docsDevCpeEnroll.0 any
SnmpMib = docsDevCpeIpMax.0 4
MaxCpeAllowed = 4
SnmpMib = docsDevNmAccessCommunity.1 "public"
SnmpMib = docsDevNmAccessControl.1 read
SnmpMib = docsDevNmAccessInterfaces.1 hexstr: C0
SnmpMib = docsDevNmAccessStatus.1 createAndGo
SnmpMib = docsDevNmAccessCommunity.2 "private"
SnmpMib = docsDevNmAccessControl.2 readWrite
SnmpMib = docsDevNmAccessInterfaces.2 hexstr: C0
SnmpMib = docsDevNmAccessStatus.2 createAndGo
SnmpMib = docsDevSwAdminStatus.0 allowProvisioningUpgrade
SnmpMib = docsDevFilterLLCStatus.1 createAndGo
SnmpMib = docsDevFilterLLCIfIndex.1 0
SnmpMib = docsDevFilterLLCProtocolType.1 ethertype
SnmpMib = docsDevFilterLLCProtocol.1 2048
SnmpMib = docsDevFilterLLCStatus.2 createAndGo
SnmpMib = docsDevFilterLLCIfIndex.2 0
SnmpMib = docsDevFilterLLCProtocolType.2 ethertype
SnmpMib = docsDevFilterLLCProtocol.2 2054
SnmpMib = docsDevFilterIpStatus.1 createAndGo
SnmpMib = docsDevFilterIpControl.1 accept
SnmpMib = docsDevFilterIpIfIndex.1 0
SnmpMib = docsDevFilterIpDirection.1 both
SnmpMib = docsDevFilterIpBroadcast.1 false
SnmpMib = docsDevFilterIpSaddr.1 0.0.0.0
SnmpMib = docsDevFilterIpSmask.1 0.0.0.0
SnmpMib = docsDevFilterIpDaddr.1 0.0.0.0
SnmpMib = docsDevFilterIpDmask.1 0.0.0.0
SnmpMib = docsDevFilterIpProtocol.1 1
SnmpMib = docsDevFilterIpContinue.1 true
SnmpMib = docsDevFilterIpStatus.2 createAndGo
SnmpMib = docsDevFilterIpControl.2 accept
SnmpMib = docsDevFilterIpIfIndex.2 0
SnmpMib = docsDevFilterIpDirection.2 outbound
SnmpMib = docsDevFilterIpBroadcast.2 false
SnmpMib = docsDevFilterIpSaddr.2 0.0.0.0
SnmpMib = docsDevFilterIpSmask.2 0.0.0.0
SnmpMib = docsDevFilterIpDaddr.2 0.0.0.0
SnmpMib = docsDevFilterIpDmask.2 0.0.0.0
SnmpMib = docsDevFilterIpProtocol.2 256
SnmpMib = docsDevFilterIpContinue.2 true
SnmpMib = docsDevFilterIpStatus.3 createAndGo
SnmpMib = docsDevFilterIpControl.3 accept
SnmpMib = docsDevFilterIpIfIndex.3 0
SnmpMib = docsDevFilterIpDirection.3 both
SnmpMib = docsDevFilterIpBroadcast.3 false
SnmpMib = docsDevFilterIpSaddr.3 0.0.0.0
SnmpMib = docsDevFilterIpSmask.3 0.0.0.0
SnmpMib = docsDevFilterIpDaddr.3 0.0.0.0
SnmpMib = docsDevFilterIpDmask.3 0.0.0.0
SnmpMib = docsDevFilterIpProtocol.3 17
SnmpMib = docsDevFilterIpSourcePortLow.3 67
SnmpMib = docsDevFilterIpSourcePortHigh.3 68
SnmpMib = docsDevFilterIpContinue.3 true
SnmpMib = docsDevFilterIpStatus.4 createAndGo
SnmpMib = docsDevFilterIpControl.4 accept
SnmpMib = docsDevFilterIpIfIndex.4 0
SnmpMib = docsDevFilterIpDirection.4 both
SnmpMib = docsDevFilterIpBroadcast.4 false
SnmpMib = docsDevFilterIpSaddr.4 0.0.0.0
SnmpMib = docsDevFilterIpSmask.4 0.0.0.0
SnmpMib = docsDevFilterIpDaddr.4 0.0.0.0
SnmpMib = docsDevFilterIpDmask.4 0.0.0.0
SnmpMib = docsDevFilterIpProtocol.4 256
SnmpMib = docsDevFilterIpSourcePortLow.4 53
SnmpMib = docsDevFilterIpSourcePortHigh.4 53
SnmpMib = docsDevFilterIpDestPortLow.4 53
SnmpMib = docsDevFilterIpDestPortHigh.4 53
SnmpMib = docsDevFilterIpContinue.4 true
SnmpMib = docsDevFilterIpStatus.5 createAndGo
SnmpMib = docsDevFilterIpControl.5 accept
SnmpMib = docsDevFilterIpIfIndex.5 0
SnmpMib = docsDevFilterIpDirection.5 both
SnmpMib = docsDevFilterIpBroadcast.5 false
SnmpMib = docsDevFilterIpSaddr.5 0.0.0.0
SnmpMib = docsDevFilterIpSmask.5 0.0.0.0
SnmpMib = docsDevFilterIpDaddr.5 0.0.0.0
SnmpMib = docsDevFilterIpDmask.5 0.0.0.0
SnmpMib = docsDevFilterIpProtocol.5 17
SnmpMib = docsDevFilterIpSourcePortLow.5 123
SnmpMib = docsDevFilterIpSourcePortHigh.5 123
SnmpMib = docsDevFilterIpDestPortLow.5 123
SnmpMib = docsDevFilterIpDestPortHigh.5 123
SnmpMib = docsDevFilterIpContinue.5 true
SnmpMib = docsDevFilterIpStatus.6 createAndGo
SnmpMib = docsDevFilterIpControl.6 accept
SnmpMib = docsDevFilterIpIfIndex.6 0
SnmpMib = docsDevFilterIpDirection.6 both
SnmpMib = docsDevFilterIpBroadcast.6 false
SnmpMib = docsDevFilterIpSaddr.6 0.0.0.0
SnmpMib = docsDevFilterIpSmask.6 0.0.0.0
SnmpMib = docsDevFilterIpDaddr.6 x.x.x.x //this is the ip for sip proxy
SnmpMib = docsDevFilterIpDmask.6 255.255.255.255
SnmpMib = docsDevFilterIpDestPortLow.6 0
SnmpMib = docsDevFilterIpDestPortHigh.6 65535
SnmpMib = docsDevFilterIpProtocol.6 256
SnmpMib = docsDevFilterIpContinue.6 true
SnmpMib = docsDevFilterIpStatus.7 createAndGo
SnmpMib = docsDevFilterIpControl.7 accept
SnmpMib = docsDevFilterIpIfIndex.7 0
SnmpMib = docsDevFilterIpDirection.7 both
SnmpMib = docsDevFilterIpBroadcast.7 false
SnmpMib = docsDevFilterIpSaddr.7 x.x.x.x //this is the ip for sip proxy
SnmpMib = docsDevFilterIpSmask.7 255.255.255.255
SnmpMib = docsDevFilterIpDaddr.7 0.0.0.0
SnmpMib = docsDevFilterIpDmask.7 0.0.0.0
SnmpMib = docsDevFilterIpSourcePortLow.7 0
SnmpMib = docsDevFilterIpSourcePortHigh.7 65535
SnmpMib = docsDevFilterIpProtocol.7 256
SnmpMib = docsDevFilterIpContinue.7 true
SnmpMib = docsDevFilterIpStatus.8 createAndGo
SnmpMib = docsDevFilterIpControl.8 accept
SnmpMib = docsDevFilterIpIfIndex.8 0
SnmpMib = docsDevFilterIpDirection.8 both
SnmpMib = docsDevFilterIpBroadcast.8 false
SnmpMib = docsDevFilterIpSaddr.8 0.0.0.0
SnmpMib = docsDevFilterIpSmask.8 0.0.0.0
SnmpMib = docsDevFilterIpDaddr.8 x.x.x.x //this is the ip for commportal
SnmpMib = docsDevFilterIpDmask.8 255.255.255.255
SnmpMib = docsDevFilterIpDestPortLow.8 0
SnmpMib = docsDevFilterIpDestPortHigh.8 65535
SnmpMib = docsDevFilterIpProtocol.8 256
SnmpMib = docsDevFilterIpContinue.8 true
SnmpMib = docsDevFilterIpStatus.9 createAndGo
SnmpMib = docsDevFilterIpControl.9 accept
SnmpMib = docsDevFilterIpIfIndex.9 0
SnmpMib = docsDevFilterIpDirection.9 both
SnmpMib = docsDevFilterIpBroadcast.9 false
SnmpMib = docsDevFilterIpSaddr.9 x.x.x.x //this is the ip for commportal
SnmpMib = docsDevFilterIpSmask.9 255.255.255.255
SnmpMib = docsDevFilterIpDaddr.9 0.0.0.0
SnmpMib = docsDevFilterIpDmask.9 0.0.0.0
SnmpMib = docsDevFilterIpSourcePortLow.9 0
SnmpMib = docsDevFilterIpSourcePortHigh.9 65535
SnmpMib = docsDevFilterIpProtocol.9 256
SnmpMib = docsDevFilterIpContinue.9 true
SnmpMib = docsDevFilterLLCUnmatchedAction.0 discard
SnmpMib = docsDevFilterIpDefault.0 discard
UpstreamServiceFlow =
SfReference = 10
SfQosSetType = 7
SfMaxTrafficRate = 1000000
SfMaxTrafficBurst = 6100
SfMaxConcatBurst = 6100
SfSchedulingType = 2
DownstreamServiceFlow =
SfReference = 30
SfQosSetType = 7
SfMaxTrafficRate = 10000000
PrivacyEnable = 1
BaselinePrivacy =
AuthorizeWaitTimeout = 10
ReauthorizeWaitTimeout = 10
KekGraceTime = 600
OpWaitTimeout = 10
RekeyWaitTimeout = 10
TekGraceTime = 600
AuthorizeRejectWaitTimeout = 60
SAMapWaitTimeout = 1
SAMapMaxRetries = 4
SnmpMib = arrisMtaDevProvMethodIndicator.0 docsisOnly
SnmpMib = arrisCmDoc30AccessClientSeed.0 hexstr: FE.56.5C.92.F1.F8.9B.40
SnmpMib = arrisCmDoc30AccessHttpWan.0 enable
SnmpMib = arrisRouterWiFiEnableRadio.0 false
SnmpMib = arrisRouterWiFi50EnableRadio.0 false
SnmpMib = clabWIFIRadioEnable.1 false
SnmpMib = clabWIFIRadioEnable.2 false
Thank you for any assistance you can lend this newb.
-Craig D.
This rule is wrong:
SnmpMib = docsDevFilterIpStatus.4 createAndGo
SnmpMib = docsDevFilterIpControl.4 accept
SnmpMib = docsDevFilterIpIfIndex.4 0
SnmpMib = docsDevFilterIpDirection.4 both
SnmpMib = docsDevFilterIpBroadcast.4 false
SnmpMib = docsDevFilterIpSaddr.4 0.0.0.0
SnmpMib = docsDevFilterIpSmask.4 0.0.0.0
SnmpMib = docsDevFilterIpDaddr.4 0.0.0.0
SnmpMib = docsDevFilterIpDmask.4 0.0.0.0
SnmpMib = docsDevFilterIpProtocol.4 256
SnmpMib = docsDevFilterIpSourcePortLow.4 53
SnmpMib = docsDevFilterIpSourcePortHigh.4 53
SnmpMib = docsDevFilterIpDestPortLow.4 53
SnmpMib = docsDevFilterIpDestPortHigh.4 53
SnmpMib = docsDevFilterIpContinue.4 true
--
The MTA will send a DNS lookup:
* src IP = MTA IP
* src port = typically high/random (NOTE: not 53!)
* dst IP = DNS server
* dst port = 53
The DNS server will reply:
* src IP = DNS server IP
* src port = 53
* dst IP = MTA IP
* dst port = to the original high/random (NOTE: not 53!)
So you need 2 different rules (1 for in and 1 for out).
You can filter on port, but this isn't really trustworthy.
What if a customer sets up a VPN on port 53, then pumps internet through the VPN?
Better to filter on IP.
Something like:
SnmpMib = docsDevFilterIpStatus.x createAndGo
SnmpMib = docsDevFilterIpControl.x accept
SnmpMib = docsDevFilterIpDirection.x [in]
SnmpMib = docsDevFilterIpDaddr.x [DNS server IP here]
SnmpMib = docsDevFilterIpDmask.x 255.255.255.255
SnmpMib = docsDevFilterIpProtocol.x [UDP]
SnmpMib = docsDevFilterIpDestPortLow.x 53 <=== optional
SnmpMib = docsDevFilterIpDestPortHigh.x 53 <== optional
SnmpMib = docsDevFilterIpContinue.x true
SnmpMib = docsDevFilterIpStatus.y createAndGo
SnmpMib = docsDevFilterIpControl.y accept
SnmpMib = docsDevFilterIpDirection.y [out]
SnmpMib = docsDevFilterIpSaddr.y [DNS server IP here]
SnmpMib = docsDevFilterIpSmask.y 255.255.255.255
SnmpMib = docsDevFilterIpProtocol.y [UDP]
SnmpMib = docsDevFilterIpSourcePortLow.y 53 <=== optional
SnmpMib = docsDevFilterIpSourcePortHigh.y 53 <== optional
SnmpMib = docsDevFilterIpContinue.y true
NOTE:
Hopefully you can simplify your rules further.
If you have a subnet which contains all your ISP servers (incl. voice, DNS etc.), then just permit access to this subnet.
Don't have to worry about the individual server IPs and ports.
Even if the subnet has other misc servers and infrastructure, it's no biggie.
As long as everything in the subnet is under your control, then the voice-only users can't really get up to mischief.
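
The matching behaviour described in the reply above, as an added example that is not part of the original posts: a simplified Python model of docsDevFilterIp matching, comparing rule 4 as posted, a port-only pair, and the IP-pinned pair. The `Rule` class, the helper names and all addresses are assumptions constructed for illustration; interface, direction and the Continue flag are not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address

ANY_PROTO, UDP = 256, 17   # 256 = "any protocol" in docsDevFilterIpProtocol
HOST = "255.255.255.255"

@dataclass
class Rule:                # hypothetical stand-in for one docsDevFilterIp row
    saddr: str = "0.0.0.0"
    smask: str = "0.0.0.0"
    daddr: str = "0.0.0.0"
    dmask: str = "0.0.0.0"
    proto: int = ANY_PROTO
    sport: tuple = (0, 65535)
    dport: tuple = (0, 65535)

def masked_eq(addr, want, mask):
    m = int(ip_address(mask))
    return (int(ip_address(addr)) & m) == (int(ip_address(want)) & m)

def matches(r, pkt):
    src, sport, dst, dport, proto = pkt
    # Every populated field must match: source AND destination port ranges.
    return (r.proto in (ANY_PROTO, proto)
            and masked_eq(src, r.saddr, r.smask)
            and masked_eq(dst, r.daddr, r.dmask)
            and r.sport[0] <= sport <= r.sport[1]
            and r.dport[0] <= dport <= r.dport[1])

def verdict(rules, pkt):
    # Simplified: any matching accept rule wins, otherwise the
    # docsDevFilterIpDefault.0 = discard setting applies.
    return "accept" if any(matches(r, pkt) for r in rules) else "discard"

# Constructed sample traffic (documentation address ranges).
DNS, MTA = "192.0.2.53", "198.51.100.10"
query = (MTA, 40321, DNS, 53, UDP)              # ephemeral source port
reply = (DNS, 53, MTA, 40321, UDP)
off_net = (MTA, 40321, "203.0.113.7", 53, UDP)  # port 53 to a non-ISP host

as_posted = [Rule(sport=(53, 53), dport=(53, 53))]   # rule 4 from the question
port_only = [Rule(proto=UDP, dport=(53, 53)), Rule(proto=UDP, sport=(53, 53))]
ip_pinned = [Rule(daddr=DNS, dmask=HOST, proto=UDP, dport=(53, 53)),
             Rule(saddr=DNS, smask=HOST, proto=UDP, sport=(53, 53))]

def results(rules):
    """Verdicts for (query, reply, off_net) under the given rule set."""
    return [verdict(rules, p) for p in (query, reply, off_net)]
```

Rule 4 as posted drops both the query and the reply, the port-only pair also passes port-53 traffic to hosts outside the operator's network, and only the IP-pinned pair passes DNS while discarding the off-net packet.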