A&A VOIP settings for Grandstream ATA

Hi all,

I wonder if anyone can help me with the settings for a Grandstream HT801 being used with Andrews & Arnold VOIP service on a single residential line. I've got it working for incoming and outgoing calls, but I'm not sure all the settings are right (eg call tones), and of more pressing concern every so often the phone rings, there's no incoming number shown and sometimes the handset shows Grandstream on the CLID display, and sometimes SIPVICIOUS, in both cases there's no caller on the line. I'm pretty sure this is something in the Grandstream config, but there's so much that can be meddled with I'd rather lean on somebody who's got a similar setup working. Apologies if this info is posted elsewhere and I've not found it, and thanks for any ideas.

Regards, Andrew

Have you seen this page?

https://support.aa.net.uk/VoIP_Phones_-_Grandstream_...

The linked page for UK settings is no longer active, but is in The Way Back Machine. Here's a suggestion from there:

Navigate to the BASIC SETTINGS page:
Time Zone: GMT (London, Great Britain)
Self-Defined Time Zone: GMT0BST,M3.5.0/1,M10.5.0
Navigate to the ADVANCED SETTINGS page:
System Ring Cadence: c=400/200-400/2000;
Dial Tone: f1=350@-19,f2=440@-22,c=0/0;
Ringback Tone: f1=400@-20,f2=450@-20,c=400/200-400/2000;
Busy Tone: f1=400@-20,c=375/375;
Reorder Tone: f1=400@-20,c=400/350-225/525-0/0;
Confirmation Tone: f1=1400@-10,c=0/0;
Call Waiting Tone: f1=400@-20,c=100/2000;
Prompt Tone: f1=350@-19,f2=440@-22,c=0/0;
Conference Party Hangup Tone: f1=400@-20,c=0/0;
Special Proceed Indication Tone: f1=350@-19, f2=440@-22, c=750/750-0/0;
NTP Server: uk.pool.ntp.org
Navigate to the PROFILE 1/2 (FXS PORT on HT813) page(s):
MWI Tone: Special Proceed Indication Tone
Dial Plan: { 10[015] | 11[129] | 999 | 11[68]xxx | 1[45]7[1-2] | 08001111 | 0845464x | 0[1235789]xxxxxxxxx | 1410[1235789]xxxxxxxxx | 14700[1235789]xxxxxxxxx | 00xxx. | x+ | \+x+ | *x+ | *xx*x+ }
SLIC Setting: UK
Caller ID Scheme: SIN 227 - BT
Hook Flash Timing: Minimum: 60 Maximum: 200
Ring Frequency: 25
Ring Tone 1: c=400/200-400/2000;
Ring Tone 2: c=400/200-400/2000;
Ring Tone 3: c=400/200-400/2000;
Ring Tone 4: c=400/200-400/2000;
Ring Tone 5: c=400/200-400/2000;
Ring Tone 6: c=400/200-400/2000;
Ring Tone 7: c=400/200-400/2000;
Ring Tone 8: c=400/200-400/2000;
Ring Tone 9: c=400/200-400/2000;
Ring Tone 10: c=400/200-400/2000;
Call Waiting Tone 1: f1=400@-20,c=100/2000;
Call Waiting Tone 2: f1=400@-20,c=100/2000;
Call Waiting Tone 3: f1=400@-20,c=100/2000;
Call Waiting Tone 4: f1=400@-20,c=100/2000;
Call Waiting Tone 5: f1=400@-20,c=100/2000;
Call Waiting Tone 6: f1=400@-20,c=100/2000;
Call Waiting Tone 7: f1=400@-20,c=100/2000;
Call Waiting Tone 8: f1=400@-20,c=100/2000;
Call Waiting Tone 9: f1=400@-20,c=100/2000;
Call Waiting Tone 10: f1=400@-20,c=100/2000;
Remember to click on the "Update" and "Apply" buttons located at the bottom of every page to save and activate the changes.

SIPVICIOUS is something to do with hacking software...

Receiving SIPVICIOUS calls would indicate that at least your SIP signalling ports are open to the Internet, which is not advised.

Thank you to ferretuk, Thinker27 and jpm for their responses. I've established that the ghost calling aspect is indeed IP calls or port scanning, and has been resolved by setting (under FXS Port) Check SIP User ID for incoming INVITE to Yes, and setting Allow Incoming SIP Messages from SIP Proxy Only to Yes. These have completely stopped all the ghost calling.

Ferretuk's idea of using the Way Back Machine was smart, and I've used most of the suggested call settings, although as a note that may help others, leave the Dial plan as the Grandstream defaults unless you want to implement detailed control of what's dialled from your landline.

In respect of other settings:

1) When setting up your Grandstream, set a strong admin password as the first thing you do.
2) Leave most settings at Grandstream defaults
3) Set your A&A settings: https://support.aa.net.uk/VoIP_Phones_-_Generic_Client
4) Set UK GMT time zone
5) You can play with IPv6 if you want, works perfectly with IPv4, so I didn't bother
6) If you don't know what a setting does, don't touch it

And a final observation - the Grandstream small ATA units come with stuff all instructions and the interface looks complex - anybody thinking about using this, don't be put off, you only need to change a tiny number of the settings. If it all goes wrong, do a pinhole reset on the Grandstream and start again. In this case, write down each thing you've changed, apply the changes and check incoming and outgoing calls still work before changing anything else.

Regards

Andrew

Chap. All good, but ensure you follow @jpm’s guidance above.

Exposed (internet)ports with SIP are a guaranteed recipe to disaster. Please put your box behind a decent firewall or even just a NAT’d router.

There’s too many [censored] out there that will climb into your SIP box otherwise and the consequences are big bills.

Edited by Pheasant (Mon 23-Jan-23 17:01:42)

I'd also like to thank ferretuk for the list of settings. I originally had these UK settings for the device from the same link and had saved a file from the device to restore them, after I'd set it up. Guess what - the restore simply did NOTHING, and I had to set up everything again. Of course the AA link didn't work either, and I've spent all day trying to set it up for the UK with little success until now. I never thought about the Wayback Machine!

As you can tell by now, I've got one of these Grandstreams, (HT801) also used with AAISP's fabulous VOIP service, and I've got another piece of advice for the OP and anyone else who has got one:

PLEASE change the devices configuration password to a much more secure one, if you are using the default admin one!!

This morning I woke up to an email from A&A telling me that there was a new device using my VOIP account with them. I investigated, logged into A&A's site, and the call log showed they were trying to dial all over the world, and also some UK mobile and landline numbers.

So, it was time to investigate - I tried to log in with the admin/admin and couldn't get in. I know, I should have set a new password! But honestly I had no idea the device could be somehow configured from outside. The only people who live here are me and my Michelle, and she doesn't mess around with my setups at all.

The first thing the intruders had done was to lock me out of my VOIP device. It cost me a small amount in calls, but not so much as international calls were disabled on the A&A site's settings for my account there.

I've a good mind to call that 020 number he rang to see who he rang with my account though!

I wonder how they got the A&A SIP password out of the box to use in their device? Is it in the config settings, they might have downloaded encrypted with some dumb scheme do you think? They should leave that one out of the restore file. Especially as (at least for me) it never worked anyway!! After restore they could put a message on the screen that you need to enter it again.

I've now locked all outgoing calls to the static IP address I have.

Edited by shaunhw (Sun 29-Jan-23 17:39:36)

In reply to a post by shaunhw:

So, it was time to investigate - I tried to log in with the admin/admin and couldn't get in. I know, I should have set a new password! But honestly I had no idea the device could be somehow configured from outside.

Did you put your ATA in a DMZ from your router? If so that is how. AAISP dislike NAT and recommend a full IP with firewalling, but unless you use them as an ISP, this is not possible with most ISPs.

Keeping behind NAT is essential, as long as your router handles STUN transparently it should "just work". My old Cisco 112 ATA worked okay from my Asus router, until I gave up for a mobile app. (which works perfectly, even over 3G/4G/5G which are all NAT'd).

Yes, I'm afraid I did.

I've recently changed ISPs and am now with Aquiss FFTP and 8 ips, and was using the Grandstream on an IP of it's own, as AA seem to want people to do, and it seems the firewall in this new router (a Zyxel EX3301) doesn't seem to be all that good, but I've not had much time to look into it deeply as yet. I guess the protocols are the thing to look at there.

I did have some firewall rules set up in my Draytek 2862 but that was dumped (I still have it) because the thing was too slow when using IPV6 on a 900mb/second connection. It doesn't seem to want to run much past 300Mbs on IPV6!


But why can't any configurable interfaces in these devices just be be optionally block themselves unless they are being accessed via a local IP range? 192.168.x.x or 10.x.x.x etc?

I can put it back on a Nat IP. I'll try it tomorrow. The local IP it was using was translated. But under the DMZ with all ports open as you rightly guessed, and I'm not sure the firewall will apply rules to IPs which are separately translated on this thing.

Nothing however explains how they got the AA SIP password out of the box. Something seems to be _very_ wrong here other than my sheer idiocy! Even if they could get into the thing, mess up all my settings and completely lock me out, they should NOT have been able to retrieve that password.

Edited by shaunhw (Sun 29-Jan-23 18:04:49)

In reply to a post by shaunhw:

But why can't any configurable interfaces in these devices just be be optionally block themselves unless they are being accessed via a local IP range? 192.168.x.x or 10.x.x.x etc?

That's the role of a firewall, not the device. Also it wouldn't work if it couldn't receive SIP signalling and RTSP audio streams from the VoiP provider.

I can put it back on a Nat IP. I'll try it tomorrow. The local IP it was using was translated. But under the DMZ with all ports open as you rightly guessed, and I'm not sure the firewall will apply rules to IPs which are separately translated on this thing.

I'm not familiar with your Zyxel box, but static mapping to a public IP is great, but you ALSO need to use firewalling to block any external access to the ATA from any IP that is not AAISPs. If the Zyxel can't do this, then perhaps you need to upgrade, a NAT would be a workaround.

No internet service should expose anything other than the ports it needs (e.g. HTTP/HTTPS 80 & 443) and to the IP ranges it needs. If the firewall can't let you limit then the firewall is not 'fit for purpose' for the use of 8 static IPs I would say, worth talking to your new ISP. Many home hosted services limit to IP ranges such as UK or Europe, blocking other countries, even before the protocol.

Nothing however explains how they got the AA SIP password out of the box. Something seems to be _very_ wrong here other than my sheer idiocy! Even if they could get into the thing, mess up all my settings and completely lock me out, they should NOT have been able to retrieve that password.

If they could log in using default admin/admin credentials, can the not read the password out?? T