Hi

I'm a little baffled by this one. I have a 2952 running latest 3.9.8 firmware. I have created two vlans - untagged and tagged (vlan 100) on port 4. Port 4 is then connected to a trunk port on a cisco switch. User PC's are connected to the untagged vlan whilst the cisco auto configures the desk phones to be tagged in to vlan 100 for voice traffic. There is a PBX connect to vlan 100 and the phones can reach the PBX internally.

I have created a "PBX access" IP group within the 2952 which contains a few IP addresses (the VOIP provider and two other IP's for people who work from home). I have then created an open ports entry which allows all WAN interfaces and sources from the PBX access group. The private IP is set to the PBX 192.168.100.2 and port 5070 UDP and ports 10000-13000 UDP are set up to allow SIP and audio traffic.

The PBX initiates a connection out to the VOIP provider but I am seeing lots of attacks on the PBX (being stopped by the PBX fail2ban) but I don't understand how these IP's are making it to the PBX as they are not within the Source IP group of the open ports.

The source IP group is working (ish) because disabling it will prevent my remote desk phone from connecting to the PBX, however disabling it doesn't make any difference to the inbound attacks. I was expecting that with no open ports enabled I would get no traffic to/from the PBX but this isn't the case.

I have tried putting entries in the Default Data Filter to Block all UDP traffic from WAN -> Lan but this doesn't work either and nothing added to the syslog. The only way to put a stop to the attacks seem to be to change the firewall default rule to block. I was expecting that NAT ports would have been enough to filter the traffic.

Any suggestions as to what I've done wrong?

Thanks