Registering Cisco Phone via MRA on fresh install of OpenWrt

Trying to Register both a Hard Phone and Cisco Jabber.
I have a new install of OpenWrt and both my Cisco Phone (using MRA, "Mobile and Remote Access") and I can I'm getting an error on the device. One thought I had was to place the device in a DMZ or use a port forward on the firewall. As this is my first attempt using OpenWrt, I'm not sure how to do this. The guides I have looked at don't seem to apply. The Cisco phone has a static IP I set on the LAN. I can access the service domain via a web browser but the phone is not able to reach this.

Any help on this would be gratefully appreciated.

So everything else (Gateway and DNS Server) configured correctly? Can you use DHCP instead of Static IP?

(edit, I meant to reply to the original poster, but I'm on mobile and I don't think that occurred)

I use both Cisco phone and Jabber (via desktop and mobile clients) from behind my OpenWrt router/firewall and OpenWrt access points. So I know it's possible. I don't think I had to do much. All my devices (including IP phone) have MAC address reservations for static IPs. I'll double check that last statement, but I'm 95% sure it's correct from memory.

So I know it's possible. As the last person stated, take complexity away and see if it works via normal DHCP. Has the phone worked in the past? We once had a cert expire, and when the phones had to establish a new connection it would fail. So as phones lost internet or power, they started dropping, but that would be your phone guy's issue most likely (unless you're the phone guy, lol).

If needed, I can double check my setup to see if anything special was done. But let's hear back to see what you've tried first. I'll try and watch this thread, but I'm quite busy, so sometimes I go awhile before responding.


Yes, I had it on DHCP and it was not working. I only set it to a static as one of the guides I was reading suggested this: if I put this device in the DMZ I would need to have a static IP. I also have performed a factory reset and ensured that all the certs and such were clear. This phone and Jabber were working before I introduced the OpenWrt.

On the device, when looking at the status messages I only see that the MRA Service not found. I have confirmed the MRA settings with my local IT and they are correct. But I was the phone guy in the past, but not any more; now just management, so I don't get to touch that stuff often any more :)

When you asked whether "Gateway and DNS Server" are set up correctly, are you asking about the device (phone) or the OpenWrt? The phone uses MRA (Mobile and Remote Access) to get that information, and that, I'm guessing, is the issue: it cannot reach the MRA service, as I'm using the OpenWrt for all traffic.

Thanks for your help in this

As per a suggestion it was suggested that I run the following commands "ubus call system board; uci export dhcp; uci export network; uci export firewall; ip route show default" and post here.

I ran the commands that you asked and here are the results:

I wanted to first state that the only reason I used a static IP was in one of the documents that I read about setting up a DMZ there was a need to have a static for the Firewall/DMZ. This is the only reason, so if this does not need it that is fine by me.

Network topology is as follows:

Network Cable Modem -> OpenWrt on a Raspberry Pi on interface eth1 (Wan) -> eth0 (Lan) -> unmanaged Gig switch -> unmanaged Gig switch -> Cisco 8841 phone if that helps.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2022.07.12 00:37:10 =~=~=~=~=~=~=~=~=~=~=~=
login as: 
root@192.168.1.1's password: 


BusyBox v1.35.0 (2022-01-13 23:46:39 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SNAPSHOT, r0-0765466
 -----------------------------------------------------
root@OpenWrt:~# ubus call system board; uci export dhcp; uci export network; uci export firewall; ip route show default
{
	"kernel": "5.10.90",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 3",
	"model": "Raspberry Pi Compute Module 4 Rev 1.0",
	"board_name": "raspberrypi,4-compute-module",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r0-0765466",
		"target": "bcm27xx/bcm2711",
		"description": "OpenWrt SNAPSHOT r0-0765466"
	}
}
package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	option quietdhcp '1'
	option filterwin2k '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'SEPxxxxxxxxx4976'
	option ip '192.168.1.214'
	option mac 'xx:xx:xx:xx:49:76'

package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'XXXX:XXXX:1ed3::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'eth1'
	option device 'eth1'
	option proto 'dhcp'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'eth1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

default via x.x.240.1 dev eth1  src x.x.242.69 
x.x.240.0/21 dev eth1 scope link  src x.x.242.69 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 

Thanks for the help

Is this official OpenWrt?

If so, I'd advise upgrading to a current version or snapshot under active review/testing.

From my understanding this the version an official OpenWrt Version is "52Pi Version: Based on the latest development version of OpenWRT" I am running this on a 52Pi CM4 Router Board is an expansion board based on the Raspberry Pi Compute Module 4 and using the Raspberry Pi Compute Module 4. The version I'm running is "openwrt-bcm2711-rpi-4-ext4-rtl8168-factory.img.gz" found on the following https://github.com/geeekpi/cm4routerboard.

The official site is https://downloads.openwrt.org

I think the newer firmware selector is official also? It's what I use.
https://firmware-selector.openwrt.org/
I know I've looked into the geekpi stuff, but haven't actually purchased anything. When I was following the Pi stuff heavily, I remember reading you needed their version for drivers and such, but that might not be needed anymore?

@Orb
I did check, and my network is simple. My network is pretty flat. Phone is not in a DMZ or anything and sits flat on the network with my other devices. These other guys can provide much more technical info regarding OpenWrt than I can and are probably better at networking topography. All I can really offer is it works for me connecting to our Expressway.
I would start simple and do without the DMZ. Get it working as simply as possible. Then go from there if you want some stuff in a DMZ. I'm suspecting maybe the issue is in your DMZ setup. You stated Jabber isn't working either? Is this the PC or mobile version of Jabber? If you use mobile Jabber, I would test that on cellular and then on your wifi as a possible troubleshooting step, maybe as an easy means to switch networks. I guess you could do the same with a laptop?
It sounds like maybe a DNS resolving issue by the error that MRA isn't accessible. Maybe at least try the dig and nslookup commands from your PC, and then maybe from the router itself? See if you can reach your Expressway.
https://netcraftsmen.com/cisco-mobile-remote-access-troubleshooting-basic-connectivity/
Taken from above link

dig srv _collab-edge._tls.company.com
nslookup -type=srv _collab-edge._tls.company.com
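An added example, not part of any post in this thread: the `dig`/`nslookup` checks above query an SRV record, and dnsmasq's `filterwin2k` option, which is set to '1' in the posted `uci export dhcp`, makes dnsmasq filter SRV and SOA queries from LAN clients. The script below audits an export for that option; the function names and the trimmed sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit `uci export dhcp` output for
# dnsmasq options that change which DNS answers reach LAN clients.
# MRA service discovery is the SRV lookup for _collab-edge._tls.<domain>,
# so an SRV filter on the router hides the service from the phone.

# Reads `uci export dhcp` text on stdin and prints one line per finding.
audit_dnsmasq() {
    awk -v q="'" '
        $1 == "config" { in_dnsmasq = ($2 == "dnsmasq"); next }
        in_dnsmasq && $1 == "option" {
            name = $2; val = $3
            gsub(q, "", val)                 # strip the uci quotes
            enabled = (val ~ /^(1|yes|on|true|enabled)$/)
            if (name == "filterwin2k" && enabled)
                print "filterwin2k=1: SRV and SOA queries are filtered"
            if (name == "rebind_protection" && enabled)
                print "rebind_protection=1: upstream answers in private ranges are dropped"
        }'
}

# Constructed sample: a subset of the dnsmasq options from the posted export.
sample_dhcp_export() {
    cat <<'EOF'
package dhcp

config dnsmasq
	option domainneeded '1'
	option rebind_protection '1'
	option filterwin2k '1'

config dhcp 'lan'
	option interface 'lan'
EOF
}

# Exit status 0 when the export on stdin would filter the MRA SRV lookup.
srv_lookup_filtered() {
    audit_dnsmasq | grep -q '^filterwin2k'
}

sample_dhcp_export | audit_dnsmasq
```

On the router the same check is `uci export dhcp | audit_dnsmasq`. If `filterwin2k` is reported, set it to '0' with `uci set dhcp.@dnsmasq[0].filterwin2k='0'`, then `uci commit dhcp` and restart dnsmasq before repeating the SRV lookup.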

To use MRA you obviously first need a proper Gateway and DNS configuration in the phone. MRA can not do magic.


Thanks for this. Before I installed the OpenWrt and had this phone directly connected to the network with an ATT modem/router, all I had to do was enter the service domain (using the default DNS and gateway) and this worked, so I don't believe that this is a DNS or gateway issue, as I can reach the domain via ping on the OpenWrt.

but thanks for your help

Thanks, I will look at this link. I was having issues like you mentioned getting the NICs to work, as were a lot of folks, so the solution I found was using the version I mentioned that had the NIC drivers and the OLED drivers of this board. But I will take a look at that link as it was not one I had looked at before and keep you posted.

Reset to defaults, and try without setting up a dmz maybe?

Also, shot in the dark, I know people say it's a security thing and you should manually open up your ports. But the default config of OpenWrt does not have UPnP installed. It could be worth a try installing that service and enabling it. It does show you what ports you have open, so you could always disable it and only configure if that's your choice. But a long shot could be enabling the service and just seeing if anything works. I highly doubt this would help, but sometimes I just try anything. I always keep track of what I do though so I can undo or restore later.

Sorry I'm not giving you specific info, but I would like to see you get it working as I'd like to attempt a similar build.

I take it you still have your original router, so you're able to swap back and forth maybe? I would be having some rough days if my IP phone and Jabber didn't work, and the problem was on my end.

I ended up trying that and it did not work. Still looking for the fix but thanks