Blocking/Enabling Wi-Fi calling

Comments

12 comments

  • Shawn H

    FYI on Verizon settings.. you do NOT need to enable IPSEC for Verizon wifi calling to work... it works on Firewalla out of the box... 

    Blocking those ports WILL stop it but you do not need to do anything with IPSEC to make it work or not work... 

    Looks like Verizon WiFi goes to wo.vzwwo.com

    0
  • Michael Bierman

    Hi Shawn, 

    I have had multiple users test Verizon, and some reported that IPSEC was required; others say what you are saying. I don't know how that can be, but it was a repeatable experiment. Not sure what to do with that.

    I'm assuming you tested in airplane mode with Wi-Fi turned on?

    0
  • Shawn H

    Ummm, yes.. 

    It worked on all 6 iPhones in the family. Works on Gold and Purple without doing anything to them... 

    0
  • David Rothenberger

    I use AT&T with a Pixel 6, and I have to enable the IPSEC pass-through for Wi-Fi calling to work. Possibly related: I have IPv6 disabled for WAN and all local networks.

    0
  • Shawn H

    My ISP doesn't have IPv6 anyways so it is disabled on my side also... 

    0
  • David Koppenhofer

    Point of reference: my ISP doesn't have IPv6, and I had to turn on IPSEC passthrough to get WiFi calling to work on T-Mobile with my Android.

    1
  • Steven

    Here is the official support documentation for AT&T WiFi Calling "Configure LAN and VPN for AT&T Wi-Fi calling" https://www.att.com/support/article/wireless/KM1114459/

    I do have a few questions:

    1. When creating rules, is there a way to group the multiple UDP and/or TCP rules with their associated ports for Outbound Only? I am seeing that I have to create separate rules for each port. Example: Need to create Outbound Rules for port 500 UDP and port 4500 UDP, as well as 143 TCP.
    2. The article references Set Maximum Transmission Unit (MTU) to 1500. MTU represents the maximum packet size that can be transmitted. Wi-Fi Calling performs best if the MTU is set to 1500. How do I set the MTU? Is that done on the specific rule or is that a global setting?
    3. In addition to setting rules for ports, I need to allow the following FQDNs: epdg.epc.att.net, sentitlement2.mobile.att.net, vvm.mobile.att.net. Are they able to be grouped or do these need individual rules created?
    4. Enabling IPSec, I noticed that is off by default, any issues turning that on?

    In short, what is the best way to figure ports and FQDNs as well as MTU for Wi-Fi calling for AT&T based on the article above?

    1
  • Firewalla

    The only thing that needs to be turned on is IPSEC NAT passthrough. (Network->NAT settings->NAT Passthrough->IPSEC)

    Everything else, you shouldn't have an issue; by default, they should work. 

    1
  • Steven

    Thank you for the update. In regard to creating and grouping rules, because I am sure there are going to be other technologies where I need to create rule sets for a list of ports, FQDNs, etc., are there any articles and/or community posts to help understand best practices?

    0
  • Firewalla

    Most of the time, you shouldn't need to create rule sets for ports (unless you are working with very specific applications that need to access the inside of your network from WAN). Firewalla is a stateful firewall; unless you run into 'protocols' like H323 or IPSEC, which you need to configure for NAT passthrough, you shouldn't need to worry about opening any port.

    In case you do, port forwarding is documented here https://help.firewalla.com/hc/en-us/articles/360046703673-Firewalla-Feature-Guide-Network-Manager

    Rules https://help.firewalla.com/hc/en-us/articles/360008521833-Manage-Rules

    0
  • Steven

    Thank you again for the follow up. The reason why I raised this three-year-old post up and have a bunch of questions is that I have a subset of devices (mobile phones) unable to make calls on Wi-Fi through Firewalla. If I place those devices into Emergency Access, Wi-Fi calling works, or if I drop Wi-Fi and just use cellular, it works (calls in and out). What is interesting is that other devices configured the same (operating system, connectivity, etc.) are working without the IPSEC NAT passthrough enabled.

    I have not created any rules, only system generated, 2 rules - Active Protect with Ingress Firewall On.

    0
  • Firewalla

    If emergency access works, then for sure it is related to rules or DNS services you have configured. Check the chart here https://help.firewalla.com/hc/en-us/articles/16639311975059-What-happens-when-Monitoring-is-off-or-Emergency-Access-is-on

    and look for features that are paused to give you a clue.

    0
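
For the case raised in the thread where only some phones fail, the UDP 500/4500 payloads from a packet capture can be classified per device to see whether the IKE exchange is being answered at all. This is an added example, not Firewalla's or any carrier's code; it assumes IKEv2 framing (RFC 7296) and NAT-T encapsulation on port 4500 (RFC 3948), and the device names and packets are constructed.

```python
import struct
from collections import defaultdict

IKE_HDR = struct.Struct("!8s8sBBBBII")  # fixed 28-byte IKEv2 header (RFC 7296, 3.1)
EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
RESPONSE = 0x20  # header flag set on replies from the gateway

def classify(port, payload):
    """Return (kind, initiator_spi_hex, is_response) for one UDP payload."""
    if port == 4500:                       # NAT-T port: IKE and ESP share it
        if payload == b"\xff":
            return ("keepalive", None, False)
        if len(payload) >= 4 and payload[:4] != b"\x00" * 4:
            return ("esp", None, False)    # non-zero SPI first: UDP-encapsulated ESP
        payload = payload[4:]              # strip the 4-byte non-ESP marker
    if port not in (500, 4500) or len(payload) < IKE_HDR.size:
        return ("other", None, False)
    spi_i, _, _, _, exch, flags, _, _ = IKE_HDR.unpack_from(payload)
    return (EXCHANGES.get(exch, f"exchange-{exch}"), spi_i.hex(), bool(flags & RESPONSE))

def diagnose(packets):
    """packets: (device, remote_port, udp_payload), either direction -> {device: verdict}."""
    seen = defaultdict(set)
    for device, port, payload in packets:
        kind, _, is_response = classify(port, payload)
        seen[device].add((kind, is_response))
    verdicts = {}
    for device, kinds in seen.items():
        if ("esp", False) in kinds:
            verdicts[device] = "ESP flowing"
        elif any(resp for _, resp in kinds):
            verdicts[device] = "IKE answered, no ESP seen"
        elif any(kind in EXCHANGES.values() for kind, _ in kinds):
            verdicts[device] = "IKE requests unanswered"
        else:
            verdicts[device] = "no IKE traffic"
    return verdicts

def sample_ike(exch, response=False, natt=False):  # constructed header-only message
    hdr = IKE_HDR.pack(b"\x11" * 8, bytes(8), 0, 0x20, exch, RESPONSE if response else 0x08, 0, 28)
    return (b"\x00" * 4 if natt else b"") + hdr

SAMPLE = [  # constructed packets, not a real capture
    ("phone-a", 500, sample_ike(34)), ("phone-a", 500, sample_ike(34, response=True)),
    ("phone-a", 4500, sample_ike(35, natt=True)), ("phone-a", 4500, sample_ike(35, True, True)),
    ("phone-a", 4500, b"\xc0\xff\xee\x01" + bytes(32)), ("phone-a", 4500, b"\xff"),
    ("phone-b", 500, sample_ike(34)), ("phone-b", 500, sample_ike(34)),
]
```

Calling `diagnose(SAMPLE)` reports "ESP flowing" for phone-a and "IKE requests unanswered" for phone-b, the pattern to look for when a rule or DNS feature is dropping the exchange for only some devices.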