01-10-2012 04:54 PM
HI All,
Currently I have one RVS4000 and one WRVS4400N router in my business. One of the routers, the RVS4000, has the following ports forwarded to an IPPBX: 5060 and 5090, both TCP and UDP.
Recently I noticed increased internet activity on the IPPBX 100% of the time and really laggy phone calls. I have seen this before and it's usually caused by SIP hacking attempts. Anyway, sure enough, looking through the logs on the phone server, two IP addresses were getting blocked trying to use SIP authentication to my IPPBX.
In an attempt to put a stop to the issue I created the following Deny rules, as per the table below, on the RVS4000 router, which is port forwarding TCP 5060, UDP 5060, TCP 5090 and UDP 5090.
This did not stop the issue. After adding the settings and clicking reboot, I can see the settings have saved, but I can still see the destination PC (IPPBX server) receiving connections from the IP addresses I'm attempting to block. My question is: does the Allow ANY, ANY, ANY at the bottom of the table take precedence over the rules at the top, and if not, should these rules be blocking UDP as well as TCP?
Finally, my last problem: the IPS doesn't seem to do anything for SIP-based attacks, e.g. a remote IP address constantly trying to authenticate. Ideally I would like to modify the port forwarding rules to say port forward 5060 TCP/UDP will be forwarded from these public IP addresses only, but this function doesn't seem to exist on the RVS4000. How would one secure their firewall to stop attacks from public IP addresses trying to authenticate with SIP? Even though my PBX has smarts built in to block the attack, the router still lets them through and my bandwidth usage goes through the roof: 20 GB yesterday.
Any help would be greatly appreciated.
Under the ACL under Firewall I have the following:
Priority | Enable | Action | Service | Source Interface | Source | Destination | Time | Day
---|---|---|---|---|---|---|---|---
 | | Deny | All Protocol | ANY | ANY | 108.163.194.147 | Any Time | Every Day
 | | Deny | All Protocol | ANY | 108.163.194.147 | ANY | Any Time | Every Day
 | | Deny | All Protocol | ANY | ANY | 61.19.121.130 | Any Time | Every Day
 | | Deny | All Protocol | WAN | 61.19.121.130 | ANY | Any Time | Every Day
 | Enable | Allow | All Service | LAN | ANY | ANY | Any Time | Every Day
 | Enable | Allow | All Service | WAN | ANY | ANY | Any Time | Every Day
01-11-2012 02:57 PM
bump
01-11-2012 06:28 PM
Hi Aron,
let me try:
1. The last two lines have the lowest priority, therefore they are at the end of the list.
2. Did you check the definition of the service "All Protocol" (ports, TCP and/or UDP)? And did you try to log the denied connections (not only deny, but also log them to the (general) log)? And did you test this from a device of your own, in order to test a positive denial from a test IP?
Regards from Zurich.
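One way to carry out the test the reply suggests (probe from a host you control, before and after adding the deny rule, and see whether the PBX still answers), as an added example that is not part of this thread and not a Cisco or PBX tool. It sends a SIP OPTIONS request, which carries no credentials and so adds no failed-authentication noise to the PBX log, and reports the status code that comes back, or nothing on timeout. The PBX address, port 5060 and the two-second timeout are assumptions, and the small responder at the end is a constructed stand-in for the PBX used only for the local self-check.

```python
# Added example: SIP OPTIONS reachability probe for checking a firewall deny rule.
# Not code from the original thread or from Cisco. The PBX address, port 5060
# and the timeout below are assumptions; adjust them for your own setup.
import secrets
import socket
import threading
from typing import Optional


def build_options_request(local_ip: str, local_port: int,
                          target_ip: str, target_port: int) -> bytes:
    """Build a minimal, unauthenticated SIP OPTIONS request (RFC 3261 style)."""
    branch = "z9hG4bK" + secrets.token_hex(6)   # magic cookie + random branch id
    lines = [
        f"OPTIONS sip:{target_ip}:{target_port} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch={branch};rport",
        "Max-Forwards: 70",
        f"From: <sip:probe@{local_ip}>;tag={secrets.token_hex(4)}",
        f"To: <sip:{target_ip}:{target_port}>",
        f"Call-ID: {secrets.token_hex(8)}@{local_ip}",
        "CSeq: 1 OPTIONS",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_status(reply: bytes) -> Optional[int]:
    """Return the numeric status code of a SIP response, or None if it is not one."""
    status_line = reply.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) >= 2 and parts[0] == b"SIP/2.0" and parts[1].isdigit():
        return int(parts[1])
    return None


def local_ip_towards(target_ip: str, target_port: int) -> str:
    """Find the local address the kernel would use to reach the target (no packet is sent)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((target_ip, target_port))
        return s.getsockname()[0]
    finally:
        s.close()


def probe_sip(target_ip: str, target_port: int = 5060,
              timeout: float = 2.0) -> Optional[int]:
    """Send one OPTIONS request; return the SIP status code, or None when nothing answers."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind(("0.0.0.0", 0))                      # ephemeral source port
    local_port = sock.getsockname()[1]
    local_ip = local_ip_towards(target_ip, target_port)
    try:
        sock.sendto(build_options_request(local_ip, local_port, target_ip, target_port),
                    (target_ip, target_port))
        data, _ = sock.recvfrom(4096)
    except OSError:
        # Timeout, or an ICMP port-unreachable surfaced as an error: treat as no answer.
        return None
    finally:
        sock.close()
    return parse_status(data)


def start_fake_pbx(status_line: bytes = b"SIP/2.0 401 Unauthorized") -> int:
    """Constructed stand-in for a PBX: answers the first datagram on 127.0.0.1, then exits."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve() -> None:
        _, peer = srv.recvfrom(4096)
        srv.sendto(status_line + b"\r\nContent-Length: 0\r\n\r\n", peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Self-check against the local stand-in, then a real probe (edit the address).
    print("stand-in PBX answered:", probe_sip("127.0.0.1", start_fake_pbx()))
    print("real PBX answered:", probe_sip("192.0.2.10"))   # assumed public/WAN address
```

Run it once from the outside test host before the deny rule exists and note the answer (a 200, 401 or 403 depending on the PBX), then again after adding the rule: a timeout on the second run, with the first run having answered, is the positive denial the reply asks for. A timeout on its own proves nothing, since some PBXes do not respond to OPTIONS at all, and the probe only checks UDP, so repeat the check over TCP if the forward for TCP 5060 is the one in doubt.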