For those of you that may not be familiar with T-Mobile, one of the features that they offer (tout really) is their wi-fi calling. It’s a great feature, especially if you live in an area with crappy reception.
As I live pretty much at the edge of the city, the coverage I have is not great. It works most of the time, but sometimes the signal drops out, or isn’t completely reliable. So Wi-Fi calling is incredibly helpful.
For a long while, I had just allowed the specific device through the firewall, unobstructed. But I really hate that. I like having a list of “holes” that are being used by the services on the network, and restricting it to just that.
So when I was pruning and cleaning up my firewall list, I decided to really dig into this issue. And let me tell you, T-Mobile is shit here. They give some super brief description of the issues. And their guide to fix it? “Disable your firewall”. Might as well tell me to take a hammer to my phone, because that’s how it makes me feel.
One of the nice things about Sophos UTM is the logging. It’s very, very helpful, if you know what you’re looking at.
So, I allowed everything, and then watched as I placed a call to my voicemail.
The main connection uses UDP port 4500. The same port IPsec VPNs use. Not entirely surprising, as encapsulating the traffic is a good idea (i.e. it keeps the call secure).
However, allowing traffic out on that port wasn’t enough. After restricting the traffic and allowing just that port, I got stuck with an “ER04: DNS Error” warning.
So it definitely looks like they’re using a VPN for secure communication. Which is fantastic. Now, if only they actually admitted that, rather than giving out wrong information on their customer service site.
Specifically, to get Wi-Fi Calling enabled, I had to allow VPN and IPSec communication out, as well as TCP/UDP (probably just need UDP, but just in case) port 5228. T-Mobile Customer service lists port 5061 (SIP over SSL) as the port being used, but I didn’t see this in use at all.
Worse yet, the IP block range the customer service agent listed wasn’t even what was being used. At all.
All in all, T-Mobile needs to fix their information and actually DOCUMENT their error codes. Not just post generic info and hope people don’t stress the fuck out.
But to summarize again:
Add a firewall rule that is:
Internal (Network) -> VPN, IPSec, SIP over SSL, TCP/UDP Port 5228 -> Any
Add this rule, enable it, and reboot your phone. Then you should be able to enjoy Wi-Fi calling (though you may want to add “IPSec” to a QoS rule to ensure priority).
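As an added illustration of the approach used above (allow everything, watch the packet filter log while placing a call, then restrict to what was actually seen), here is a small Python script that is not part of the original post or any Sophos tool. It pulls the distinct protocol/port pairs one phone used out of accepted-packet log lines; the log lines are constructed in the key="value" style Sophos UTM's packet filter log uses (the exact field set is an assumption), and the phone address 192.168.1.50 is made up.

```python
import re
from collections import Counter

# key="value" pairs, as Sophos UTM's ulogd packet filter lines are written
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# IP protocol numbers seen in the "proto" field; ESP (50) carries no ports
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp", "50": "esp"}

# Constructed sample: one Wi-Fi call from 192.168.1.50 with the firewall wide open.
SAMPLE_LOG = """\
ulogd[4125]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" srcip="192.168.1.50" dstip="203.0.113.10" proto="17" srcport="500" dstport="500"
ulogd[4125]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" srcip="192.168.1.50" dstip="203.0.113.10" proto="17" srcport="4500" dstport="4500"
ulogd[4125]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" srcip="192.168.1.50" dstip="203.0.113.10" proto="50"
ulogd[4125]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" srcip="192.168.1.50" dstip="203.0.113.20" proto="6" srcport="51234" dstport="5228"
ulogd[4125]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" srcip="192.168.1.50" dstip="192.168.1.1" proto="17" srcport="41234" dstport="53"
ulogd[4125]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" srcip="192.168.1.20" dstip="198.51.100.5" proto="6" srcport="40000" dstport="443"
"""

def parse_line(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(KV_RE.findall(line))

def observed_flows(log_text, phone_ip):
    """Count (protocol, destination port) pairs for accepted packets sent by phone_ip.
    ESP has no ports, so its port is None; a rule list has to handle that case."""
    flows = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("action") != "accept" or f.get("srcip") != phone_ip:
            continue  # dropped packets and other hosts are not this phone's requirements
        proto = PROTO_NAMES.get(f.get("proto"), "proto" + f.get("proto", "?"))
        flows[(proto, f.get("dstport"))] += 1
    return flows

def minimal_rules(flows):
    """Turn observed flows into sorted allow-rule targets such as 'udp/4500' or 'esp'."""
    rules = {proto if port is None else f"{proto}/{port}" for proto, port in flows}
    return sorted(rules)

if __name__ == "__main__":
    for target in minimal_rules(observed_flows(SAMPLE_LOG, "192.168.1.50")):
        print("allow out:", target)
```

Run the real log through it with the phone's address and the printed list is the set of holes the restricted rule actually needs; anything else the phone tried that is not on the list was not part of the call.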