SRX Services Gateway

VoIP, for Comcast Xfinity, filtering?

Wednesday
I have internet service from Xfinity/Comcast. The VoIP service is only hardware compatible with an approved voice modem. This means that the phone plugs are on the modem. I bought a voice modem but it would seem it's not compatible with the srx. I also have a cable modem that has no voice jacks in it. That works properly on the srx. Oddly enough the VoIP traffic seems to pass through properly however I think it is causing a loopbacks issue. My question is this.

Since this VoIP traffic is not designed to go through a gateway (per se), how can I filter the VoIP traffic?
It seems normal enough to use conventional methods to filter the traffic out so it can be looped back.

Anyone got any ideas?

VoIP is special traffic. What do I need to filter out VoIP traffic?

What else do I need?

The cable modem with voice must have an external signal which breaks the internet connection. Or it sent the signal back to the cable line without properly telling the srx about its existence.

Any ideas there?

I gave up on the voice cable modem but any comments there are needed. I think it's not doable.

So I'm stuck trying to filter out the traffic because I want to keep the service. I have an Xfinity modem that will do all that but I want the srx to be running.

One idea was creating it in cos and then filtering it. Any other easier ways?

Re: VoIP, for Comcast Xfinity, filtering?

Wednesday

Hello,

 

I am not sure I completely understand your requirement.

> What do you mean by filter out VoIP traffic? You want the traffic to be blocked/permitted/not-firewalled?

> Could you explain the loopback issue? What needs to be looped?

> What is the topology like? Cable modem ---- SRX ---- Internet

> You mentioned cable modem is working on the SRX and VOIP traffic is passing through as well. Correct?

 

> Do you have the IP address of the modem?

> Session output from the SRX for the source of the modem could provide more insight into the type of traffic?

> SRX would be doing the NAT for the modem traffic as well right? If this is the case you cannot bypass firewalling

 

Regards,

 

Vikas


Re: VoIP, for Comcast Xfinity, filtering?

Wednesday
I have one cable modem, it is the internet box. After that I have an SRX240b2. The internet provider is sending VoIP as well. This VoIP is not usable in the srx. It will only work on jacks in a voice modem, but since I'm not using a voice modem it seems as though the VoIP traffic is still routable. Hopefully it is still normal enough traffic to be filtered out properly. The reason I want to filter it is because I want to keep the service even though the srx can't use it. Also I have completely different equipment (Xfinity combo modem) that can do the job.

I read about filtering VoIP traffic by using DSCP of value 46 but haven't tried it. Is there another way to filter out VoIP traffic so that this special type of VoIP traffic can be termed and hopefully at that point looped back properly? This idea uses COS. All traffic has loopbacks. So does VoIP. But I don't want VoIP loopbacks. I want it omitted as if it weren't routed as VoIP. Filtering is the proper method.

Term 1
dscp value 46 drop
Term 2
accept

Does anybody know how to filter out VoIP traffic? COS is one way but I'm looking for an easier way.

Since it is firewalled traffic do I need to just get rid of the VoIP service? etc, etc...

Re: VoIP, for Comcast Xfinity, filtering?

Wednesday

Hi Eugene,

 

I'm afraid that your problem is still unclear to us. Is your topology like the following one?

 

Phones------VOIP_Modem------SRX240----Cable_Modem----Internet

 

If yes,

 

Are you looking to prioritize traffic from the VOIP_Modem to the Internet?

Are you looking to block the traffic from the VOIP_Modem to the Internet?

Are you looking to bypass firewalling for traffic from the VOIP_Modem to the Internet?

Does the SRX have to perform NAT to the traffic from the VOIP_Modem to the Internet?

What do you mean with loopbacks?

 

If you are looking to block phone calls from the Phones to the Internet via the SRX, you could confirm what the signaling protocol being used is and block this traffic via a security-policy or with a firewall filter. For instance, a very common signaling protocol is SIP, which works over TCP and UDP on ports 5060 and 5061. Blocking this type of traffic via a security-policy or a firewall filter should be enough to prevent the calls from being made over the SRX.

 

 

Please mark this comment as the Solution if applicable

Re: VoIP, for Comcast Xfinity, filtering?

Wednesday
I want to make sure that the sip protocol is filtered out. I want it to have 2 terms. One to drop the traffic and the other to accept it. The main term should reject or drop the sip traffic and the second should accept the new second term.

For now I have used "except-sip" in the untrust zone protocols. This excludes the protocol entirely.

I want to filter by protocol such as

Firewall ->
Filter->
Term 1 ->
Sip drop ->
Term 2 ->
Accept

I think that's right.

How do I use the protocol to filter?
Solution
Accepted by topic author eugene1973
Thursday

Re: VoIP, for Comcast Xfinity, filtering?

Wednesday
Eugene,

Yes you can use a firewall filter to drop the SIP traffic.

On term 1 block destination-ports 5060 and 5061. Those are the ports used by SIP.

Second term you can allow all the rest of the traffic.

# set firewall filter FILTER term BLOCK_SIP from destination-port 5060
# set firewall filter FILTER term BLOCK_SIP from destination-port 5061
# set firewall filter FILTER term BLOCK_SIP then reject
# set firewall filter FILTER term ALLOW_ELSE then accept

# set interfaces [INTERFACE_FACING_THE_PHONES] unit 0 family inet filter input FILTER




Please mark this comment as the Solution if applicable
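
The first-match behaviour behind the two-term filter in the answer above, as an added example that is not part of the original post: a small Python model (not Junos code) that parses the four filter lines and evaluates constructed packets against them, including what happens when the ALLOW_ELSE term is left out or placed first. The function names and the packet dictionaries are assumptions made for the illustration.

```python
import re

# The four filter lines from the answer, without the "#" prompt.
CONFIG = """\
set firewall filter FILTER term BLOCK_SIP from destination-port 5060
set firewall filter FILTER term BLOCK_SIP from destination-port 5061
set firewall filter FILTER term BLOCK_SIP then reject
set firewall filter FILTER term ALLOW_ELSE then accept
"""
LINE = re.compile(r"set firewall filter (\S+) term (\S+) (from|then) (.+)")

def parse_filter(text, name):
    """Return [(term, {condition: {values}}, action)] in configured order."""
    terms = {}  # dict preserves insertion order, i.e. term order
    for line in text.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m or m.group(1) != name:
            continue
        term = terms.setdefault(m.group(2), {"from": {}, "then": None})
        if m.group(3) == "from":
            key, value = m.group(4).split(None, 1)
            term["from"].setdefault(key, set()).add(value)
        else:
            term["then"] = m.group(4)
    return [(t, d["from"], d["then"]) for t, d in terms.items()]

def evaluate(terms, packet):
    """Simplified model: first matching term wins. Values of one condition
    are ORed, different conditions are ANDed, a term without "from" matches
    everything, and a packet that matches no term is discarded."""
    for term, conds, action in terms:
        if all(str(packet.get(k)) in vals for k, vals in conds.items()):
            return term, action
    return None, "discard"

# Constructed sample packets (hypothetical, not captured traffic).
SIP = {"protocol": "udp", "destination-port": 5060}
SIP_TLS = {"protocol": "tcp", "destination-port": 5061}
HTTPS = {"protocol": "tcp", "destination-port": 443}

if __name__ == "__main__":
    terms = parse_filter(CONFIG, "FILTER")
    for label, pkt in (("sip", SIP), ("sip-tls", SIP_TLS), ("https", HTTPS)):
        print(label, evaluate(terms, pkt))
    # Without ALLOW_ELSE everything that is not SIP hits the implicit discard.
    print("no ALLOW_ELSE:", evaluate(terms[:1], HTTPS))
    # With ALLOW_ELSE first, the SIP term is never reached.
    print("wrong order:", evaluate(terms[::-1], SIP))
```

The same first-match rule is why the security-policy variant has to sit above any policy that permits the same traffic.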

Re: VoIP, for Comcast Xfinity, filtering?

Wednesday
You could also use a security-policy:

# set security policies from-zone [Trust] to-zone [Untrust] policy BLOCK_SIP match source-address any destination-address any application junos-sip

# set security policies from-zone [Trust] to-zone [Untrust] policy BLOCK_SIP then deny

Make sure to place the policy before other policies that may permit the same traffic.

Please mark this comment as the Solution if applicable