Enabling WLAN Call with IPFire

Hi all,

I have some questions regarding the enabling of WLAN Call in my network, to be able to use my mobile phones (carrier O2) without a working LTE/GSM network.

The IPFire firewall resides behind a FritzBox with a DOCSIS 3.1 connection to Vodafone/KabelDeutschland. The WLAN APs (“blue network”) are connected to the IPFiire firewall. Everything is working fine since years.

But as for now, WLAN Call is not functioning. All I know and all I can find through searching the Internet is “open ports 500 and 4500 UDP on your router”. To me this means opening it on the FritzBox first. But what about the “blue network”? Do I need to forward the FritzBox UDP ports to the blue network as well without knowing the endpoints? I’m confused here.

Also, I read about DNS. I have blocked external DNS servers to make sure, all network clients use PiHole and IPFire as their DNS server. Do I need to use the DNS servers for my internal network as they were assigned to the FritzBox router by the carrier to enable resolving “private” addresses, probably used by Vodafone or O2 for WLAN Calling?

I would be very grateful for any working hints on configuring WLAN Call with IPFire!

Thanks,
datamorgana

Your post arises some questions ( for me ):

  • What do you mean by “WLAN Call”?
  • How is your DNS configured? DNS servers outside, not using ISPs DNS servers?
  • Port forwarding of 500 and 4500 to blue network isn’t possible. Port forwarding only functions to discrete devices ( a server f.e ).

I have a similar constellation as you.
IPS -->> fritz-box -->> ipfire.
For phone calls I use only the fritzbox.
My Android goes via the fritzbox app an the WIFI connection there to the WLAN.
For me this has the advantage of a simpler setup and a second WIFI for telephony.
The blue network on ipfire is only for Internet (with proxy and IPS)

I have it similar too:

IPS -->> FritzBox -->> IPfire

I’m using WLAN call on green without any further configuration, neither on the FritzBox nor on IPfire. This does work with IPfire being the only DNS reachable on green, outbound DNS calls are blocked.

WLAN Call (WLAN-Telefonie in German) is a built-in functionality of Android and iPhone that must be supported by you mobile phone carrier (which is normally the case nowadays).
I don’t have an English smartphone running Android but you can activate WLAN Call in German as follows:
Einstellungen > Netzwerk und Internet > SIM-Karten > (choose a SIM card) > Anruffunktionen “WLAN Call” > toggle “on”.
It allows for initiating an receiving phone calls using your phone number in the case that your location has no 5G/4G/2G coverage. It simply switches to WLAN.

For me that is not feasable. I need to use the Wifi in network “blue” for all mobile phone connectivity hence also for WLAN Calling, that’s the reason it was designed for in the first place.
You said: “The blue network on ipfire is only for Internet (with proxy and IPS)”. But how do you receive WLAN calls then, when you’re at home (in the basement, working from home.) with no signal coverage and connected to your blue network?

My DNS configuration:

IPFire uses its own DNS configuration in “Network > Domain Name System” and not the nameservers provided by the FritzBox (and Vodafone) to avoid DNS intercepting. Also, all DHCP clients in “blue” (like our smartphones) use a PiHole as their nameserver, which, in turn, uses the IPFire as its forwarding nameserver. The FritzBox is not used for DNS resolution by the backend at all – as I do not use any other service on the FritzBox othern than cable routing, due to TR-069 and it being under total control of the ISP.
A fairly common configuration, I think.

DCHP-Client -->> PiHole -->> IPFire -->> External DNS servers

Is the Fritzbox configured as router or modem ( bridge mode, which is enough IMO )?

Both modem and router but the internal network has only one client, the ipfire box.

As stated before I use the WIFI net of the Fritzbox for telephony and for nothing else. On my Android I have the Fritz app to make calls from my Android via WIFI and than the Fritzbox and the “Festnetz” number.
It works fine.
The ipfire is for Internet traffic only.

The Fritzbox can work in one mode only. EIther as router ( WAN IP from the ISP, LAN IP private, LAN gives IPFire its red IP ) or as modem ( WAN traffic is bridged from Cable with its DOCSIS ‘univers’ to one LAN port, IPFire gets it’s IP from the ISP network DHCP server ).
Don’t know whether to must operate in ‘router mode’ to get the WLAN telephony.

In this case, my FritzBox runs in router mode. Traffic from “blue” (mobile phones) to “red” is not limited by IPFire. Still no clue why WLAN Call is not possible.

I have often seen this port 500 and 4500 udp forward for wlan call but this cannot be correct. I use IPSec net to net connections so this ports are used by my IPFire itself, but wlan call is working in my green network (without any extra portforward)
Maybee wlan call have problems with the “double nat” if you ran IPFire behind a router that also do nat.

1 Like

It is also worth turning off IPsec in the FritzBox. The IPsec specification allows both UDP high_ports → UDP 500 and UDP 500 → UDP 500. If something is doing UDP 500 → UDP 500, it is possible that the FritzBox is intercepting the replies thinking they are destined for it.

How do you have your Blue Access setup?

Hi all,
thanks for helping me debugging the WLAN Call issues I have. As for now I can report that

  1. IPsec in the FritzBox router has never been enabled so intercepting is not happening, afaik.
  2. IPFire blue setup is common, i.e. all Wifi devices’ MAC addresses have full access from blue to red. This has never been a problem before.
  3. No firewall rules prevent mobile devices’ traffic to red.

What I have noticed so far is that WLAN Calling is functioning, when I follow these steps:

  1. Connect phone to another WLAN AP outside of my network (not connected to the IPFire box;. in fact, the phone is now connected to a publicly accessible, unprotected “freifunk.net” AP. The freifunk.net AP is connected to the FritzBox router though). Result: phone has internet connectivity.
  2. On the phone. switch airplane mode on and off. Result: WLAN Call is activated, the WLAN Call icon is visible on the Android phone screen.
  3. Initiate a call. Result: call successful.
  4. Connect phone back to the blue WLAN AP. Result: phone is now part of the IPFire protected network.
  5. Wait 5 minutes; initiate a WLAN Call. Result: call successful.
  6. Stay connected to the blue WLAN AP, switch airplane mode on and off. Result: WLAN Call icon is not visible anymore.
  7. Initiate a WLAN Call. Result: call failed.

My interpretation is, that when the phone was part of an unprotected network, it could resolve the necessary server names to connect to the VoWifi services of the mobile carrier. This was probably cached and could be reused after the phone became part of the protected network. After airplane mode on and off, the cache was emptied and a new name resolution failed. So maybe the who problem is a DNS problem.

I will investigate further on this issue.
Thanks!

tldr;
Solution: Let the mobile phones resolve any hostname in pub.3gppnetwork.org; no special network and firewall rule tweeking necessary in the firewall.

Long version:
Previous tests were pointing me to DNS as the suspected cause of the non-functioning WLAN Call.

Finally this website gave me some necessary hints and I started to look for blocked hostnames or subdomains of pub.3gppnetwork.org in my network.

After having configured DHCP on the IPFire host with only the IPFire host itself as the primary DNS for all clients WLAN Call succeeded.
In the next step I searched the PiHole files (on the PiHole host that usually acts as the primary DNS server in my network) for occurrences of pub.3gppnetwork.org and yes, I found this:

sos.epdg.epc.mnc003.mcc262.pub.3gppnetwork.org sos.epdg.epc.mnc007.mcc262.pub.3gppnetwork.org sos.epdg.epc.mnc001.mcc262.pub.3gppnetwork.org aepdg.epc.mnc003.mcc262.pub.3gppnetwork.org! aepdg.epc.mnc007.mcc262.pub.3gppnetwork.org isos.epdg.epc.mnc007.mcc262.pub.3gppnetwork.org isos.epdg.epc.mnc001.mcc262.pub.3gppnetwork.org econfig.rcs.mnc007.mcc262.pub.3gppnetwork.org epdg.epc.mnc001.mcc262.pub.3gppnetwork.org epdg.epc.mnc007.mcc262.pub.3gppnetwork.org epdg.epc.mnc003.mcc262.pub.3gppnetwork.org6 epdg.epc.mnc002.mcc262.pub.3gppnetwork.org config.rcs.mnc007.mcc262.pub.3gppnetwork.orgO isos.epdg.epc.mnc003.mcc262.pub.3gppnetwork.org aepdg.epc.mnc002.mcc262.pub.3gppnetwork.org aepdg.epc.mnc001.mcc262.pub.3gppnetwork.org

I have no clue as to whether this blocking list makes any sense having it in PiHole but my next step was to add the string (\.|^)pub\.3gppnetwork\.org$ to the regex whitelist of PiHole, make PiHole the primary DNS of DHCP again and let the phone reconnect itself to blue and presto! WLAN Call is working now!

Solution: let the mobile phones resolve any hostname in pub.3gppnetwork.org; no special network and firewall rule tweeking necessary in the firewall.

Thank you all for thinking along with me! :slight_smile:

3 Likes