filter rule for sip access

[nitrox]

Hi everybody,

I need to enable sip access just for one net. I have tried to change the default rules on my Epygi 2x firmware 5.1.17 from "Restricted_ip: Any" to "Restricted_ip: 1.2.3.0/24" under internet_uplink->filtering_rules->sip_access but the rule it is not working. That's how it is look like my rule:

State:Enabled
Service:SIP
Action:Allowed
Restricted_ip:"Group: 1.2.3.0/24"
Description:sip enabled net

after the rule it is applied everyone is still able to send sip request to my IP-PBX. I have tried to disable that rule and after that no one is able to send sip request anymore (the medium security feature it is doing is job i mean ). The Epygi's 2x firewall configuration is:

Enable IDS: yes
Enable NAT: yes
Enable Firewall: yes
Medium Security: yes

At the moment to deny sip access i am working with the "blocked ip list" feature but i just want to deny sip access and not all the services for a net.

I have tried with firmware 5.1.19 and the problem is still there. Any of you as discovered the same problem?

thank you for your help.

[nitrox]

after a couple of troubleshooting tests I realized that the sip access feature is working if you set under "restricted ip" just a single ip. But as, I said in the post before, IT IS NOT WORKING neither with a net nor with a couple of net.
Probably David could check the "sip access feature" for us.
WARNING: "I've tried with Epygi 2x with firmware 5.1.17, 5.1.19 and Epygi 4xi with firmware 5.1.18. I have no idea if that feature is working with firmware 5.0.x"

[davrays]

Well, I have tested that..

Everything works OK

But there are two thing you need to check and be aware of:
1. If you make a ssuccessful call to/from some destination, then applied a rule, which should block that destination, this rule may not take effect, because the device caches the IP in the "connection tracking table" and allows subsequent connections. You would need to either reboot the device or wait for a long time for the connection cache to expire.

2. This is the consequence of the point 1. If your device is sending SIP requests (for example registers) on some IP address, you cannot successfully block that. As soon as your device sends the registration message, the access will open. Some time passes, the access is blocked again, then again your device will send a message and access will open. So you will have intermittent results.

I think these two issues affected your testing, thats why you think that "SIP Access" rule have problem. It doesn't, actually