What to do in case of a firewall in the company network

In some situations, there may be problems connecting to the Octalarm portal (portal.octalarm.com). This may result in poor/restricted connectivity for the alarm dialler, causing it to continuously send messages to our server. The server gets overloaded as a result. For you, this means that there is a risk that the alarm dialler will not have a stable connection and therefore no VoIP. How can you avoid this?

Usually, a firewall in the company network is the cause.

Note: It is highly recommended to set a fixed IP address.

Outgoing firewall

A firewall in the network can block all outgoing connections by default. Due to the dynamic nature of the Octalarm alarm dialler configuration process, it is difficult to determine in advance which IP address and which UDP/TCP ports are required for a connection.

To give the alarm dialler sufficient access to the Internet for a successful connection, choose one of the following for the firewall configuration:

1. Firewalling based on source IP

  • Option 1 (source IP only with access to all ports): allow the Octalarm alarm dialler’s source IP to access all of the IPv4 and IPv6 internet.

  • Option 2 (source IP with specific port/protocol): give the source IP of the Octalarm alarm dialler access to the Internet via:

    • TCP port 443;
    • TCP/UDP port 53 DNS;
    • ICMP echo request;
    • UDP all ports.

Tip: consider combining this with installing the alarm dialler in its own network zone (VLAN). Further connections between the dialler and the company network can then be specifically secured.

Example firewall rules: source IP only, with access to all ports

In this example, the IPv4 address of the Octalarm alarm dialler is 192.168.1.10.

| Source machine | Source port (or protocol) | Target machine | Target port (or protocol) |
|---|---|---|---|
| 192.168.1.10/24 | all | 0.0.0.0/0 | all |

Example firewall rules: source IP and specific port/protocol

In this example, the IPv4 address of the Octalarm alarm dialler is 192.168.1.10.

| Source machine | Source port (or protocol) | Target machine | Target port (or protocol) |
|---|---|---|---|
| 192.168.1.10/24 | all | 0.0.0.0/0 | TCP port 443 |
| 192.168.1.10/24 | all | 0.0.0.0/0 | UDP/TCP port 53 |
| 192.168.1.10/24 | all | 0.0.0.0/0 | ICMP echo request |
| 192.168.1.10/24 | all | 0.0.0.0/0 | UDP port all |
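
The table writes the dialler's source as 192.168.1.10/24; a firewall that applies the mask treats that as the whole 192.168.1.0/24 network rather than one host. The following added example (not Octalarm code; the flows, the workstation address 192.168.1.77 and the function names are constructed for illustration) models the rules above and compares that source entry with a /32 host entry.

```python
import ipaddress

# Destination rules from the table above: (protocol, destination port); None = any.
OPTION2_RULES = [("tcp", 443), ("tcp", 53), ("udp", 53),
                 ("icmp-echo-request", None), ("udp", None)]

def permitted(flow, source_spec, rules=OPTION2_RULES):
    """True if an outgoing flow (src, proto, dport) passes the rule set."""
    src, proto, dport = flow
    # strict=False mirrors firewalls that mask off host bits:
    # 192.168.1.10/24 is then treated as the network 192.168.1.0/24.
    source_net = ipaddress.ip_network(source_spec, strict=False)
    if ipaddress.ip_address(src) not in source_net:
        return False
    return any(proto == p and port in (None, dport) for p, port in rules)

def audit(flows, source_spec):
    """Split flows into (allowed, blocked) lists for one source specification."""
    allowed = [f for f in flows if permitted(f, source_spec)]
    blocked = [f for f in flows if f not in allowed]
    return allowed, blocked

# Constructed flows: the dialler (192.168.1.10) and an unrelated workstation.
FLOWS = [
    ("192.168.1.10", "tcp", 443),
    ("192.168.1.10", "udp", 53),
    ("192.168.1.10", "icmp-echo-request", None),
    ("192.168.1.10", "tcp", 80),     # not in the table: dropped either way
    ("192.168.1.77", "tcp", 443),    # workstation in the same /24
]

if __name__ == "__main__":
    for spec in ("192.168.1.10/24", "192.168.1.10/32"):
        allowed, blocked = audit(FLOWS, spec)
        print(spec, "allows sources:", sorted({f[0] for f in allowed}))
        print(spec, "blocks:", blocked)
```

If only the dialler should get this outbound access, enter the source as a single host (/32) or place the dialler alone in its VLAN.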

2. Firewalling based on DNS name

  • Add the DNS names below in the company network firewall:
    • config.octalarm.nl
    • config.octalarm.com
    • vpn.octalarm.nl
    • vpn.octalarm.com

    Good to know: the DNS names resolve to multiple IPv4 addresses (A records) and multiple IPv6 addresses (AAAA records) to which the Octalarm alarm dialler can connect. When the portal.octalarm.com servers are expanded or changed, the IPv4 and IPv6 addresses of the DNS names are updated, if necessary. By using these DNS names, the company network’s firewall automatically processes this change.

  • Allow the source IP of the Octalarm alarm dialler to communicate with the DNS names.
  • Allow the following ports to the DNS names listed:
    • outgoing TCP port 443 on config.octalarm.co.uk and config.octalarm.com
    • outgoing TCP port 443, ICMP echo request and UDP (all ports) on vpn.octalarm.co.uk and vpn.octalarm.com
    • outgoing UDP/TCP port 53 to the configured DNS servers

Tip: you can also combine this method with placing the Octalarm alarm dialler in its own network zone (VLAN).

Good to know: using firewalling based on DNS name is preferred because the server IP address is automatically allowed even in case of server-side updates.

Note: when using a different method of firewalling, you must adjust the firewall for each server-side IP update.
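
For firewalls that cannot match on DNS names, the following added example (not Octalarm code) detects when a static destination allowlist has drifted from the addresses behind the four DNS names. The allowlist format, the function names and the sample addresses (documentation ranges) are assumptions.

```python
import ipaddress
import socket

# DNS names the page lists for DNS-name-based firewalling.
OCTALARM_NAMES = ("config.octalarm.nl", "config.octalarm.com",
                  "vpn.octalarm.nl", "vpn.octalarm.com")

def resolve(name):
    """Live lookup: every A and AAAA address currently published for name."""
    infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    return {ipaddress.ip_address(info[4][0]) for info in infos}

def allowlist_drift(allowed, names=OCTALARM_NAMES, resolver=resolve):
    """Compare a static destination allowlist with current DNS answers.

    allowed: IPs or CIDRs the firewall permits for the dialler's source IP.
    Returns (missing, stale): resolved addresses the firewall would still
    block, and allowlist entries that no longer match any resolved address.
    """
    networks = [ipaddress.ip_network(entry, strict=False) for entry in allowed]
    current = set()
    for name in names:
        current |= resolver(name)
    missing = sorted((ip for ip in current
                      if not any(ip in net for net in networks)),
                     key=lambda ip: (ip.version, int(ip)))
    stale = [str(net) for net in networks
             if not any(ip in net for ip in current)]
    return [str(ip) for ip in missing], stale

# Constructed sample data (documentation ranges, not Octalarm's real records):
# one IPv4 and one IPv6 address were added after the allowlist was written,
# and 203.0.113.9 is no longer published.
SAMPLE_DNS = {
    "config.octalarm.nl": {"192.0.2.10", "2001:db8::10"},
    "config.octalarm.com": {"192.0.2.10", "2001:db8::10"},
    "vpn.octalarm.nl": {"198.51.100.20", "198.51.100.21"},
    "vpn.octalarm.com": {"198.51.100.20", "2001:db8::21"},
}
SAMPLE_ALLOWLIST = ["192.0.2.10", "198.51.100.20", "203.0.113.9", "2001:db8::10"]

def sample_resolver(name):
    """Offline stand-in for resolve(), backed by SAMPLE_DNS."""
    return {ipaddress.ip_address(a) for a in SAMPLE_DNS[name]}

if __name__ == "__main__":
    missing, stale = allowlist_drift(SAMPLE_ALLOWLIST, resolver=sample_resolver)
    print("add to firewall:", missing)
    print("review or remove:", stale)
```

Called without the `resolver` argument, `allowlist_drift` performs live lookups, so it can run on a schedule from a host that uses the same DNS servers as the dialler.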

Example firewall rules based on DNS name with access to all ports

In this example, the IPv4 address of the Octalarm alarm dialler is 192.168.1.10.

| Source machine | Source port (or protocol) | Target machine | Target port (or protocol) |
|---|---|---|---|
| 192.168.1.10/24 | all | config.octalarm.nl, config.octalarm.com, vpn.octalarm.nl, vpn.octalarm.com | all |

Example firewall rules based on DNS name, source IP and specific port/protocol

In this example, the IPv4 address of the Octalarm alarm dialler is 192.168.1.10. The DNS servers in this example are 192.168.1.254 and 8.8.8.8.

| Source machine | Source port (or protocol) | Target machine | Target port (or protocol) |
|---|---|---|---|
| 192.168.1.10/24 | all | config.octalarm.nl, config.octalarm.com | TCP port 443 |
| 192.168.1.10/24 | all | vpn.octalarm.nl, vpn.octalarm.com | ICMP echo request |
| 192.168.1.10/24 | all | vpn.octalarm.nl, vpn.octalarm.com | UDP port all |
| 192.168.1.10/24 | all | vpn.octalarm.nl, vpn.octalarm.com | TCP port 443 |
| 192.168.1.10/24 | all | 192.168.1.254, 8.8.8.8 | UDP/TCP port 53 |

Incoming firewall

In case your network has a firewall that does not allow incoming connections by default, you will need to make adjustments to your firewall when using the web interface:

  • ensure that the web interface is accessible on TCP port 80 on the IP address of the Octalarm alarm dialler;
  • for fault-finding and monitoring purposes, also allow ICMP echo request to the IP address of the Octalarm alarm dialler, if necessary.

Example firewall rules based on source IP and destination port/protocol

In this example, the IPv4 address of the Octalarm alarm dialler is 192.168.1.10. The IPv4 addresses of the management PCs are 10.0.0.30 and 172.16.3.40.

| Source machine | Source port (or protocol) | Target machine | Target port (or protocol) |
|---|---|---|---|
| 10.0.0.30 | all | 192.168.1.10 | TCP port 80 |
| 10.0.0.30 | all | 192.168.1.10 | ICMP echo request |
| 172.16.3.40 | all | 192.168.1.10 | TCP port 80 |
| 172.16.3.40 | all | 192.168.1.10 | ICMP echo request |

Fault-finding

A TCP dump allows you to investigate communication problems of the Octalarm alarm dialler with your network. This dump contains recent network traffic from all the dialler’s network interfaces. Using programmes such as Wireshark, you can see in detail the network traffic as received and sent by the alarm dialler, and so detect communication problems between the alarm dialler and the portal (portal.octalarm.com).

See The portal: portal.octalarm.com|Remote setup (global)|Network: download TCP dump for further explanation on how to download a TCP dump.