2600 Blocking Poly / OBI VoIP VOICE

My Google Voice VoIP Adapter which is an OBI 200 had been working with no issues, and then we could no longer send or receive phone calls as of 3 days ago..... Tried everything including troubleshooting with POLY who deemed it a defective out of warranty device. I just replaced it and it's the same problem. I find now that the problem is evidently the Threat Prevention from the 2600.

Poly does provide Port Forwarding Rules (which I never needed prior)..... I attempted to use the below, but it's not changed anything....

Allow Outgoing:
TCP Ports: 6800, 5222, 5223
UDP Ports: 5060, 5061, 10000 to 11000, 16600 to 16998, 19305
Allow Incoming on UDP Port: 10000

I then went into Threat Prevention and attempted to "Add Policy" of "Do Nothing" to the Threat shown...... The Source IP of the Device does not change, but the Destination IP is changing with each new threat that it identifies as.

When I did a single "Do Nothing", it did allow outgoing call with audio, but calls in ring with NO Audio..... So I'm assuming I'm still getting blocked.

I'm frankly out of my understanding level here and hope someone has some advice on how to resolve this...

Update!--- I just went into THREAT PREVENTION and DISABLED "Attempted Administrator Privilege Gain"..... The VoIP is now working in both Directions. But have I opened a Vulnerability by Disabling this?

THX!
 
When I saw this thread in the RSS feed I thought to link to the Other Place's thread on this. Now I see you found that, so not going to link to there :)

Basically, there's no way around this and for me started when the "ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)" was added to the STUN rule. I had changed the original STUN rule to Drop prior to new STUN rules being added, which were added as Drop: not sure if they are Deny as default.

Have a look at my posts on that thread and you'll see that I had to capitulate and set these STUN rules to Do Nothing, it was either this or people not being able to use their telephony apps. They were filling up the TP event log and making it impossible to see anything else that happened: so there's no point in setting to Alert because we know it's happening and the Google and Microsoft IPs are changing. The only other option is to create specific Do Nothing rules for LAN IPs that need them, since you don't have to enter source and/or destination IPs if you don't want to restrict the bespoke rule.

I've set to drop these rule families:
  • Medium / Misc Attack
    • ET TOR Known Tor...
    • ET COMPROMISED...
    • ET CINS Active Threat Intelligence...
    • ET 3CORESec Poor Reputation...
  • Low / Detection of a Network Scan ... all of these.
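
The per-device "Do Nothing" approach described in the post above can be worked out from the event log before touching the policy. The following is an added example, not part of the thread and not Synology code: it assumes the Threat Prevention events have been copied into a CSV with hypothetical columns `signature,src_ip,dst_ip`, and all rows are constructed sample data.

```python
import csv
import io
import ipaddress
from collections import defaultdict

STUN = ("ET INFO Session Traversal Utilities for NAT "
        "(STUN Binding Request On Non-Standard High Port)")

# Constructed sample events; the CSV layout is an assumed export format.
SAMPLE = f"""signature,src_ip,dst_ip
"{STUN}",192.168.1.50,203.0.113.10
"{STUN}",192.168.1.50,203.0.113.77
"{STUN}",192.168.1.50,198.51.100.4
"{STUN}",192.168.1.61,198.51.100.9
"Constructed SCAN signature",203.0.113.200,192.168.1.1
"""


def propose_exceptions(csv_text, lan="192.168.0.0/16"):
    """Return the narrowest 'Do Nothing' exception per (signature, LAN source)."""
    lan_net = ipaddress.ip_network(lan)
    dests = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = ipaddress.ip_address(row["src_ip"])
        # Only traffic originating from a LAN device is a candidate for an
        # exception; alerts raised on outside sources stay enforced.
        if src in lan_net:
            dests[(row["signature"], str(src))].add(row["dst_ip"])
    proposals = []
    for (sig, src), seen in sorted(dests.items()):
        # A single observed destination can be pinned in the rule; rotating
        # destinations (as with the VoIP provider here) cannot, so the
        # destination field is left blank and only the source is restricted.
        dst = next(iter(seen)) if len(seen) == 1 else ""
        proposals.append({"signature": sig, "source": src,
                          "destination": dst, "distinct_dsts": len(seen)})
    return proposals


if __name__ == "__main__":
    for p in propose_exceptions(SAMPLE):
        print(p["source"], "->", p["destination"] or "<blank>",
              f'({p["distinct_dsts"]} destinations)', p["signature"])
```

Each proposal maps to one bespoke policy entry for a single signature and LAN device, which leaves the rest of the event class enforced for every other host.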
 
Thank you fredbert for responding.

This problem is so new as you are aware, that many think it's a hardware issue as Poly/OBI led me to believe.
I would like to replicate your method in dealing with this as I know it will likely provide the least exposure to related issues. I've been unable to find any step x step instruction in the knowledge base to accomplish this as this is beyond my basic understanding of this area of Security....... and I've been challenged by simple Port Forwarding!

I currently have "Attempted User Privilege Gain" Turned OFF... This appears to have worked, but I know this is opening up a huge hole in security. I'm assuming this can be turned back on once "rule families" are changed.

It would benefit myself and likely many others who are experiencing this if you would provide the basic instructions needed to implement this workaround.

I hope you will consider providing this resource for us....
 
  1. Go to TP -> Self-Defined Policy -> Class/Signature and select all the Event Types you want enabled
    • I have all Event Types enabled except High / Potential Corporate Privacy Violation and Low / Others.
  2. Next select row of Event Type and click Edit.
  3. Search for something (e.g. SCAN when viewing Low / Misc Activity) and you can then use Batch Setting to change the Action (e.g. all to Drop) for the visible rules.
Here are the ones I used:

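| Event Type    | Severity | Search String                      | Batch Setting Action |
|---------------|----------|------------------------------------|----------------------|
| Misc activity | Low      | SCAN                               | Drop                 |
| Misc Attack   | Medium   | ET TOR Known Tor                   | Drop                 |
| Misc Attack   | Medium   | ET COMPROMISED                     | Drop                 |
| Misc Attack   | Medium   | ET CINS Active Threat Intelligence | Drop                 |
| Misc Attack   | Medium   | ET 3CORESec Poor Reputation        | Drop                 |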

You'll end up with a load of rules in TP -> Self-Defined Policy -> Policy but this will be the bulk of your policy. Then you can add specific rules from the Events page.
 
Of course... questions..

1) For "Next select row of Event Type and click Edit."... I'm assuming it's only for "Attempted User Privilege Gain"... or must it be done for each Event Type?

2) For Event Type of Attempted Admin Privilege Gain> I used the Search box for the 1st item "SCAN"... Then under Batch, APPLY TO ALL> and I believe the Action should be DO NOTHING, as DROP otherwise applies the action. So we are really Turning these signatures OFF.......

3) In Class/Signature> Attempted User Privilege Gain > When Searching, the below are not appearing:
  • ET TOR Known Tor /
  • ET COMPROMISED
  • ET CINS Active Threat Intelligence
  • ET 3CORESec Poor Reputation
SCAN was the only one that was found....

I'm missing something of course...
 
This has nothing to do with the STUN issues... just look for these rules and apply a Do Nothing for <blank> source and destination IP. It sounded that you had this done already.

The instructions above are to block connections that are coming from spurious sources such that you'll be less exposed. It was to respond to this:
"I would like to replicate your method in dealing with this as I know it will likely provide the least exposure to related issues."

If you look at the table of five items they match the names of things in Class/Signature page.
 
Yes... I found those signatures under MISC ATTACK and applied those as you instructed, except SCAN.... which I could not locate. I appreciate your patience and the scope of the capabilities of the software can lead to confusion for novices such as myself. I'm sure I missed something as VoIP failed for me with these changes. The only way I could get OBI ops is if I unticked the "Attempted User Privilege Gain".... But then I remembered... the Threat Prevention> Settings> Device> Filter Packets option. The software had automatically included the new OBI 200 (and it still lists the old 202) ..... I unticked the 200 and saved. Tested and so far the VoIP now works! And that's with User Priv Gain enacted. Would this work if I had not done your 5 signature additions? At this point I am not changing them back.... I really don't believe I was able to properly perform all your steps as explained.... Will I see other issues? Unknown, but I will monitor for Security leaks. But it works at this moment, and I am grateful for your assistance.
