Configuring AT&T WIFI calling is a pretty straight forward and simple process but there is a caveat. AT&T WIFI uses IMAP and VPN ports which may be blocked to prevent outbound VPN or certain email sessions established from within the business or enterprise. If you are doing deep packet inspection, Untangle NG Firewall may also flag or categorize your AT&T WIFI VoIP traffic as IMAP (mail) traffic which could be marked as low-priority and impact your VoIP quality.
So, how can we properly allow AT&T WIFI calling out of our business or enterprise protected by Untangle NG Firewall 13.x while still maintaining proper outbound security controls around unauthorized VPN traffic? Easy! Mark the destination CIDR blocks with your TCP/UDP ports outbound as AT&T WIFI, bypass this combination in Bypass Rules (so this combination isn’t inspected), and give them priority in your QoS settings.
The AT&T LAN configuration page (https://www.att.com/esupport/article.html#!/wireless/KM1114459) states that the following ports need outbound access:
- UDP 500
- UDP 4500
- TCP 143
Additionally, access to the following FQDNs is required:
The IP/CIDR* blocks for these FQDNs are as follows:
- 126.96.36.199/16 – https://whois.arin.net/rest/net/NET-129-192-0-0-1/pft?s=188.8.131.52
- 184.108.40.206/9 – https://whois.arin.net/rest/net/NET-166-128-0-0-1/pft?s=220.127.116.11
- (Same as 2 above): 18.104.22.168/9
*If you wanted to get granular, you can do an NSLOOKUP of the 3 FQDNs and only allow those IPs through but they may change. Depending on your level of risk you should either allow only those IPs or the entire CIDR block.
- Now for the technical part. Log in to your Untangle NG Firewall and go to “Config” at the top of the page then navigate to “Network“.
- Go to “Bypass Rules” and add three rules: one rule for UDP port 500 to destination addresses 22.214.171.124/16,126.96.36.199/9 or the IPs that the NSLOOKUP resolves, a second rule for UDP port 4500 to destination addresses 188.8.131.52/16,184.108.40.206/9 or the IPs that the NSLOOKUP resolves, and a third rule for TCP port 143 to destination addresses 220.127.116.11/16,18.104.22.168/9 or the IPs that the NSLOOKUP resolves.
- Cheap and easy route: download and append to current rules this JSON rule set: https://www.dropbox.com/s/rzzmlttju3iup81/ATT-WIFI-Untangle-13-Bypass-Rules.json?dl=0
- MD5 HASH: 064e4573f651ce65b6c04796098853dc
- Next, go to “Advanced” tab then “Access Rules“. Ensure that your IKE and NAT-T are enabled for IPv4 and/or IPv6 (depending on your needs).
- Finally go to “QoS‘ tab then “QoS Rules” sub-tab and add your AT&T WIFI rules again. We’ll create two rules: one for destination protocol TCP, port 143, with destination addresses used in section 2 (either CIDR blocks 22.214.171.124/16,126.96.36.199/9 or the IPs from NSLOOKUP) and a second rule for destination protocol UDP, ports 500 and 4500, with destination addresses used in section 2 (either CIDR blocks 188.8.131.52/16,184.108.40.206/9 or the IPs from NSLOOKUP).
- Cheap and easy route: download and append to current rules this JSON rule set: https://www.dropbox.com/s/hgk2u0tlm3p9wo8/ATT-WIFI-Untangle-13-QoS-Rules.json?dl=0
- MD5 HASH: 4bb512d9eda1e968956645e4ddc6c69c
Once cellular is disabled your device will/should switch to AT&T WIFI. Test a call and ensure that the WIFI calling works and check for clarity. Don’t forget to re-enable your cellular!
*NOTE: This architecture has not been security validated (peer reviewed) and has only been tested for functionality. If you validate the security aspects of this please let me know in the comments.