Having a bit of trouble getting a handle on how the Vodafone Suresignal device we’ve got actually works – there’s limited information out there, with various people saying that ports need to be forwarded through firewalls and so on.
I’m not sure that should really be the case, so I decided to do some investigation with Wireshark to see what it actually does when it starts up. The device is on a BT Businesshub at the moment (because it doesn’t seem to want to come up when working through a Juniper SRX210). Here’s what it seems to do:
1. DHCP an IP address
2. Do a DNS lookup for cluster4.vap.vodafone.co.uk
3. Receive three IP addresses for the cluster (184.108.40.206, .178 and .179)
4. IKE outbound (source and destination ports 500) to the .177 address
5. Goes into IKE NAT-T using port 4500 to the .177 address
6. Starts sending ESP (Encapsulating Security Payload) packets to the .177 address – basically establishing an IPSec VPN to Vodafone. Presumably it is through this VPN that it downloads its configuration file, which is XML-based and created when you set your device up on the Vodafone portal.
7. Sends and receives NTPv4 updates to 220.127.116.11 and 18.104.22.168 – this is probably to ensure accurate time sync for the voice traffic that it needs to send.
8. Occasional NAT keepalive packets outbound to 22.214.171.124
9. Occasional traceroutes outbound to the .177 and .179 addresses.
As far as I can see, there should be no reason to forward inbound ports into your network, and I see no evidence of UPnP being used (although I’m no expert there).
When I get a minute, I’ll look to see what happens when it is going through the SRX firewall and see what the difference is.
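To check the "no inbound port forwarding" conclusion against a capture, the following added example (not part of the original post) labels each packet by the steps above and flags any inbound packet that does not answer a flow the device opened itself. The addresses, ports and payloads are constructed placeholders, and the UDP 4500 framing (0xFF keepalive, four-zero-byte non-ESP marker) is taken from RFC 3948, not from the post.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport payload")  # UDP only in this sample

DEVICE = "192.168.1.50"   # constructed LAN address of the Suresignal
GW = "198.51.100.177"     # placeholder standing in for the ".177" gateway
DNS, NTP = "192.168.1.254", "203.0.113.10"  # placeholder resolver and NTP server

# Constructed capture in startup order. DHCP is left out: it never leaves the LAN.
SAMPLE = [
    Pkt(DEVICE, 40000, DNS, 53, b"\x12\x34query"),
    Pkt(DNS, 53, DEVICE, 40000, b"\x12\x34reply"),
    Pkt(DEVICE, 500, GW, 500, b"ike-sa-init"),
    Pkt(GW, 500, DEVICE, 500, b"ike-sa-init-resp"),
    Pkt(DEVICE, 4500, GW, 4500, b"\x00\x00\x00\x00ike-auth"),
    Pkt(GW, 4500, DEVICE, 4500, b"\x00\x00\x00\x00ike-auth-resp"),
    Pkt(DEVICE, 4500, GW, 4500, b"\xc0\xff\xee\x01esp-data"),
    Pkt(GW, 4500, DEVICE, 4500, b"\xc0\xff\xee\x02esp-data"),
    Pkt(DEVICE, 123, NTP, 123, b"\x23" + b"\x00" * 47),  # NTPv4 client mode
    Pkt(NTP, 123, DEVICE, 123, b"\x24" + b"\x00" * 47),  # NTPv4 server mode
    Pkt(DEVICE, 4500, GW, 4500, b"\xff"),                # NAT keepalive
]

def classify(p):
    """Label a UDP packet by port and, on 4500, by its RFC 3948 framing."""
    ports = {p.sport, p.dport}
    for port, label in ((53, "dns"), (123, "ntp"), (500, "ike")):
        if port in ports:
            return label
    if 4500 in ports:
        if p.payload == b"\xff":
            return "nat-keepalive"
        if p.payload[:4] == b"\x00" * 4:   # non-ESP marker: IKE moved to 4500
            return "ike-nat-t"
        return "esp-in-udp"                # non-zero SPI: tunnelled traffic
    return "other"

def audit(packets, device=DEVICE):
    """Return (labels, unsolicited inbound packets), as a stateful firewall sees them."""
    seen, labels, unsolicited = set(), [], []
    for p in packets:
        labels.append(classify(p))
        if p.src == device:
            seen.add((p.src, p.sport, p.dst, p.dport))      # outbound opens state
        elif (p.dst, p.dport, p.src, p.sport) not in seen:  # no matching state
            unsolicited.append(p)
    return labels, unsolicited

if __name__ == "__main__":
    labels, unsolicited = audit(SAMPLE)
    print(labels)
    print("inbound packets that would need a port forward:", unsolicited)
```

An empty second list means every inbound packet was a reply to device-initiated traffic, so ordinary stateful outbound rules are enough for that capture.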