Sprint WIFI Calling port for QOS.


Cataract2

Wouldn't it be easier just to assign the phone a static IP and do QOS priority on its IP?

Normally I would say yes, though I prefer to save static IPs for wired devices. In the case of the phones, I would prefer to QOS the port so that it doesn't matter what device (phone) is used.


Use Port 4500. Definitely is 4500. I know by experience because the ASUS routers Sprint sends out slow all other Port 4500 traffic to a standstill in order to give priority to WiFi calling.

Anyway I would most likely start by setting Port 4500 to the Highest QOS Priority you have.

Additional settings below:

  • 500,4500,5060,5061,52000:59999 for WiFi Calling.
  • 53,67,68,500,4500 for an Airvana (if you have one connected to your router as well).

The below details are just a summary of my research. Please let me know if you agree with my conclusions.

  • Port 444 is for emergency 911.
  • WiFi calling Gateway: IP Address: 68.31.26.1 Host of this IP: 68-31-26-1.pools.spcsdns.net

 

From T-Mobile Documentation:

From T-mobile's Instructions but much the same for Sprint WiFi Calling Routers. http://serverfault.com/questions/628379/qos-settings-for-wi-fi-calling-on-pfsense-firewall-gateway

[image: s91fj.png]

There seems to be a consensus of sorts that you may want to also do some of the AIRAVE QOS ports as well, like the following from T-mobile as well.

Enter the following two rules giving them a meaningful name like "WiFi Calling", enter the MAC for your phone, enter at least 85% of your available bandwidth (e.g. 0-42500 if your maximum transfer rate is 50 Meg), the highest priority and:
Rule 1: Destination port "4500" Protocol "UDP"
Rule 2: Destination port "5060, 5061" Protocol "TCP", also 52000 to 59999.

 

From Sprint Documentation:

Sprint also details additional ports for the Airvana and Airave.

http://support.sprint.com/support/article/Know_if_you_need_to_enable_additional_ports_on_your_router_for_your_AIRAVE_Access_Point/case-wh164052-20100806-134201#!/

If your AIRAVE cannot connect to the Sprint network due to a unique network configuration, you may need to open the following UDP ports on your switch or router that the AIRAVE is connected behind:

  • Airave (Airave 1.0 Samsung) ports are: 53, 500, 4500, and 52428
  • Airave Access Point (Airave 2.0 Airvana) ports are: 53, 67, 68, 500, and 4500

Can you handle the airave in one shot by setting its MAC address to highest priority?

 

Sent from my LG-LS980 using Tapatalk

Yes, that should work as well, since it really does not create any unnecessary traffic that you would want to filter out by ports.


 

Really nice, informative post, with references. That's awesome. 


  • 2 years later...

Here's the packet capture. Once I added 68.31.20.2 with port 4500, Sprint WiFi would not work.

 

08:16:41.648117 IP 10.10.176.233.4500 > 68.31.20.2.4500: UDP-encap: ESP(spi=0x4a00603a,seq=0x2cd), length 116
08:16:41.667976 IP 10.10.176.233.4500 > 68.31.20.2.4500: UDP-encap: ESP(spi=0x4a00603a,seq=0x2ce), length 116
08:16:41.688023 IP 10.10.176.233.4500 > 68.31.20.2.4500: UDP-encap: ESP(spi=0x4a00603a,seq=0x2cf), length 116
08:16:41.707756 IP 10.10.176.233.4500 > 68.31.20.2.4500: UDP-encap: ESP(spi=0x4a00603a,seq=0x2d0), length 116
08:16:41.727834 IP 10.10.176.233.4500 > 68.31.20.2.4500: UDP-encap: ESP(spi=0x4a00603a,seq=0x2d1), length 116
08:16:41.747943 IP 10.10.176.233.4500 > 68.31.20.2.4500: UDP-encap: ESP(spi=0x4a00603a,seq=0x2d2), length 116

Edited by fdigiovanni@wmrhsd.org
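The capture above is the kind of evidence you want before opening port 4500 at all: it shows which remote endpoint the phone's IPsec tunnel (UDP-encapsulated ESP, i.e. NAT-T) is actually talking to. The following is an added example, not code from anyone in this thread, that parses tcpdump's default text output, counts the IKE (UDP 500) and NAT-T/ESP (UDP 4500) packets per destination, and renders one narrow egress allow rule per observed endpoint instead of a blanket port-4500 allow. The sample input is constructed: the 68.31.20.2 lines mirror the poster's capture, while the port-500 IKE line and the unrelated HTTPS line are made up to show what the parser keeps and what it ignores. The pf-style rule text and the interface name em0 are assumptions; adapt them to the firewall in use.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in tcpdump's default text format (see lead-in).
SAMPLE_CAPTURE = """\
08:16:41.600001 IP 10.10.176.233.500 > 68.31.20.2.500: isakmp: parent_sa ikev2_init[I]
08:16:41.648117 IP 10.10.176.233.4500 > 68.31.20.2.4500: UDP-encap: ESP(spi=0x4a00603a,seq=0x2cd), length 116
08:16:41.667976 IP 10.10.176.233.4500 > 68.31.20.2.4500: UDP-encap: ESP(spi=0x4a00603a,seq=0x2ce), length 116
08:16:41.688023 IP 10.10.176.233.4500 > 68.31.20.2.4500: UDP-encap: ESP(spi=0x4a00603a,seq=0x2cf), length 116
08:16:41.707756 IP 10.10.176.233.4500 > 68.31.20.2.4500: UDP-encap: ESP(spi=0x4a00603a,seq=0x2d0), length 116
08:16:41.727834 IP 10.10.176.233.4500 > 68.31.20.2.4500: UDP-encap: ESP(spi=0x4a00603a,seq=0x2d1), length 116
08:16:41.747943 IP 10.10.176.233.4500 > 68.31.20.2.4500: UDP-encap: ESP(spi=0x4a00603a,seq=0x2d2), length 116
08:16:42.100000 IP 10.10.176.233.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
"""

# One tcpdump line: timestamp, "IP", src.port > dst.port: <protocol-specific rest>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_capture(text):
    """Yield one dict per parsable tcpdump line; unparsable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        yield rec


def ipsec_endpoints(text):
    """Map (dst_ip, dst_port) -> packet count for IKE (500) and NAT-T ESP (4500).

    Only lines that tcpdump itself labels as isakmp or UDP-encap ESP are
    counted, so unrelated traffic to those ports does not inflate the list."""
    counts = Counter()
    for rec in parse_capture(text):
        if rec["dport"] == 500 and "isakmp" in rec["rest"]:
            counts[(rec["dst"], 500)] += 1
        elif rec["dport"] == 4500 and "UDP-encap: ESP" in rec["rest"]:
            counts[(rec["dst"], 4500)] += 1
    return counts


def esp_spis(text):
    """Return {dst_ip: set(SPI)}; a stable SPI with rising seq numbers is a
    sign the tunnel is established rather than merely being attempted."""
    spis = defaultdict(set)
    for rec in parse_capture(text):
        m = re.search(r"ESP\(spi=(0x[0-9a-f]+)", rec["rest"])
        if m:
            spis[rec["dst"]].add(m.group(1))
    return dict(spis)


def allow_rules(counts, interface="em0"):
    """Render one narrow egress allow rule per observed endpoint (pf-style
    syntax assumed; translate for the device actually in use)."""
    return [f"pass out on {interface} proto udp to {ip} port {port}"
            for (ip, port) in sorted(counts)]


if __name__ == "__main__":
    found = ipsec_endpoints(SAMPLE_CAPTURE)
    for (ip, port), n in sorted(found.items()):
        print(f"{ip}:{port}  {n} packets")
    print(esp_spis(SAMPLE_CAPTURE))
    print("\n".join(allow_rules(found)))
```

Feed it the text of `tcpdump -n udp port 500 or udp port 4500` taken on the segment the phone sits on; the rules it prints are limited to the gateway addresses you actually observed, which keeps the general-purpose VPN concern raised later in the thread from reappearing.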

I mean until I added 68.31.20.2 with port 4500, Sprint WiFi would not work. So add 68.31.20.2 as well to your firewall rules.
They likely have many IP addresses as endpoints. It might be a whole subnet that you can map.

But I'm not sure why you're manually adding firewall rules with the IP address?

Sent from my Pixel 2 XL using Tapatalk


Well, because we block as many things as we can on our network to prevent _______ fill in the blank.

You could add the entire subnet 68.31.0.0 but then you may be adding addresses to... who knows. There are a lot of VPNs that run on port 4500 so we block that to prevent students from skirting around our firewalls and content filters.

All I know is the packet capture showed my phone attempting to connect to that IP over 4500. Allowing 4500 out to that IP instantly connected my phone to Sprint WiFi. So Sprint is not even honest and forthcoming with their information, as that address is nowhere on their network firewall instructions.

 

 

Ahh, you're doing a larger scale network, not a home network.

 

I don't think you'll be able to get an IP list from Sprint. They probably have a domain name that is used, and likely has many A records (or may only return 1 for load balancing reasons, preventing you from getting a list. Amazon Alexa does this for example). You could maybe sniff DNS lookups from an Airave when it's powered on, or when WiFi calling is toggled, to see if that's one way to get all the IPs.

 

I suppose you could allow port 4500 to any IP in Sprint's allocation (should be public somewhere). It's possible that someone might have a routed IP (hotspot plan) and decide to host an ipsec tunnel to bypass your filters, but I'd say the odds are fairly low. Regular plans have non-routable IPs so can't host servers.

 

Sent from my Pixel 2 XL using Tapatalk

 

 

 


I just did a packet capture on my Airave (which should use the same servers as wifi calling), and it connected to segw06.femto.sprint.net for the ipsec tunnel (ports 500 and 4500). It established two tunnels (one for LTE, and one for CDMA) to IP addresses 68.28.116.127 and 68.31.0.1

 

So you can likely try to explore their DNS records to build an IP list.

 

Sent from my Pixel 2 XL using Tapatalk

 

 

 

 

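Building the allow-list from the gateway's DNS name, as suggested in the last two posts, runs into the problem the earlier reply described: a resolver may hand back only one A record per query, so a single lookup under-counts the endpoints. The following is an added example, not code from anyone in this thread, that resolves each gateway host repeatedly and unions the answers, then accepts an address only if it falls inside the carrier's address space before emitting UDP 500/4500 allow rules for it. The hostname segw06.femto.sprint.net and the two addresses 68.28.116.127 and 68.31.0.1 come from the Airave capture above; the two /16 prefixes are placeholders for the carrier's real allocation (look it up in WHOIS for your region), the rotating stub resolver and its 203.0.113.7 decoy record are constructed so the script runs offline, and the pf-style rule text and interface name em0 are assumptions.

```python
import ipaddress
import socket

# Hostname and the two carrier addresses reported in the Airave capture above.
GATEWAY_HOSTS = ["segw06.femto.sprint.net"]

# PLACEHOLDER prefixes standing in for the carrier's real allocation.
CARRIER_PREFIXES = [ipaddress.ip_network("68.28.0.0/16"),
                    ipaddress.ip_network("68.31.0.0/16")]

IPSEC_PORTS = (500, 4500)  # IKE and NAT-T/ESP

# Constructed DNS answers: the two captured addresses plus a decoy from the
# documentation range 203.0.113.0/24 that must NOT end up in the allow-list.
STUB_RECORDS = {
    "segw06.femto.sprint.net": ["68.28.116.127", "68.31.0.1", "203.0.113.7"],
}


def make_rotating_resolver(table):
    """Stand-in for a live resolver that returns ONE record per call, rotating
    through the pool the way a load-balancing authoritative server might."""
    position = {}

    def resolve(host):
        records = table.get(host, [])
        if not records:
            return []
        i = position.get(host, 0)
        position[host] = i + 1
        return [records[i % len(records)]]

    return resolve


def live_resolver(host):
    """Real lookup via the standard library; returns all A records the
    resolver is willing to give back for this query."""
    return socket.gethostbyname_ex(host)[2]


def collect_addresses(hosts, resolver, rounds=8):
    """Query each host several times and union the answers so that a
    one-record-per-query resolver still yields the full set."""
    seen = set()
    for host in hosts:
        for _ in range(rounds):
            seen.update(resolver(host))
    return seen


def in_carrier_space(ip, prefixes=CARRIER_PREFIXES):
    """True if ip lies inside one of the expected carrier prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in prefix for prefix in prefixes)


def build_allowlist(hosts, resolver, prefixes=CARRIER_PREFIXES):
    """Split resolved addresses into accepted (inside carrier space) and
    rejected (anything else), each sorted numerically."""
    accepted, rejected = set(), set()
    for ip in collect_addresses(hosts, resolver):
        (accepted if in_carrier_space(ip, prefixes) else rejected).add(ip)
    key = ipaddress.ip_address
    return sorted(accepted, key=key), sorted(rejected, key=key)


def render_rules(ips, ports=IPSEC_PORTS, interface="em0"):
    """Emit pf-style egress rules (assumed syntax) for IKE and NAT-T only."""
    return [f"pass out on {interface} proto udp to {ip} port {port}"
            for ip in ips for port in ports]


if __name__ == "__main__":
    # Swap make_rotating_resolver(STUB_RECORDS) for live_resolver to run for real.
    accepted, rejected = build_allowlist(GATEWAY_HOSTS,
                                         make_rotating_resolver(STUB_RECORDS))
    print("accepted:", accepted)
    print("rejected (outside carrier space):", rejected)
    print("\n".join(render_rules(accepted)))
```

The prefix check is the important part: a DNS name under your control of the lookup, but not of the answer, is exactly the kind of input you do not want to turn directly into firewall rules, so anything that resolves outside the carrier's space is reported rather than allowed. Re-run the script periodically and diff the output, since the pool behind the name can change.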
