Assistance with Traffic Rules

Hi all,

New user to OpenWRT and spent most of the day converting an old TP Link WR841N V12 to OpenWRT so I had better control over incoming filters etc.

Using OpenWRT 18.06.2.

I have a need for customers of mine using SIP to be able to block SIP INVITES from all external IPs apart from the SIP server itself (which resides on a Public Address - 203.x.x.x). I want to be able to stop hackers from being able to make my ATA ring, which sits on Private IP 192.168.1.106.

Ideally I'd like all packets on Port 5060 not coming from 203.x.x.x to be dropped, and packets on Port 5060 from 203.x.x.x to be sent through to the ATA.

I have tried and tried configuring custom traffic rules in the GUI but just can't seem to get it right.

Can anyone assist?

Thanks and kind regards,

Scott.

Using LuCI, open Network -> Firewall, select Traffic Rules, scroll down to "New forward rule", select "Add and edit...", and enter the details.

You only need the forward rule for this; by default everything else is blocked.
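The forward rule described in that reply, written out as the equivalent stanza in /etc/config/firewall (an added example, not from the thread; 203.0.113.10 is a placeholder for the real SIP server address masked as 203.x.x.x above, and SIP is assumed to run over UDP):

```uci
# /etc/config/firewall on OpenWrt 18.06 - constructed example
# DNAT UDP 5060 to the ATA, but only when the packet comes from the SIP server.
config redirect
        option name 'SIP-from-provider-only'
        option src 'wan'
        option src_ip '203.0.113.10'     # placeholder: the provider's SIP server (203.x.x.x)
        option src_dport '5060'
        option proto 'udp'               # use 'tcp udp' if the provider also signals over TCP
        option dest 'lan'
        option dest_ip '192.168.1.106'   # the ATA
        option dest_port '5060'
        option target 'DNAT'
```

Port 5060 packets from any other source never match this redirect and fall through to the WAN zone's default input policy, which rejects them; apply with `uci commit firewall` followed by `/etc/init.d/firewall restart`.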

I just factory reset the OpenWRT configuration, rebooted the WR841N and the ATA, and with the factory default configuration, the ATA can still be called without a port forward existing... so OpenWRT doesn't appear to be blocking anything by default... is there some sort of config readout I can provide to give you an idea?

Power off or disconnect the ATA, then after rebooting your router run a port scanner to test your router on port 5060. It should be closed by default.

A good ATA can keep the port (only to the corresponding SIP server) open by sending regular (e.g. every 30s) pings to the SIP server, keeping the session established and convincing the firewall that incoming UDP packets from this SIP server are part of the established session.
