
Thread: Incoming Calls, NOT!

  1. #1
    Join Date
    Feb 2007
    Posts
    423

    Default Re: Incoming Calls, NOT!

    Putting something in the DMZ does not make it appear to be outside the router. It's simply a way of port forwarding "ALL PORTS". It has nothing to do with the SPI firewall, or getting around it. DMZ is just a way to do port forwarding or port range forwarding when you don't know which ports to forward. Some say that it bypasses the firewall, but it's simply giving permission for the packets to enter. The IP address in the DMZ has to authenticate those inbound packets, or they are useless. But because you are giving permission for all packets to be forwarded, it could be seen as bypassing.

    Firewalls do basically one thing. They block unsolicited incoming data. If you ask for it, a firewall is not going to help you. It will allow it in. That's why viruses, trojans, malware, etc... are so tricky. If you receive a file in an email attachment, or you go to a website and accept certain conditions, then you have solicited and the SPI Firewall in the router is going to allow it to come in. With a true firewall (Free standing hardware) or a software firewall like zonealarm or black-ice, you can teach it and control it. A basic SPI firewall in a Linksys type router is simply ON or OFF. Very few give you any real control. Real firewalls, and most software types also allow you to control outbound traffic too. Some people don't think you need to worry about outbound because you wouldn't request to go some place unless you wanted to. Well, in many companies or those with children, you may want to control certain places they can't go to. But this is a secondary use for a firewall, and not what is of concern here.

    I've had computers for more than 30 years. I can honestly say that I have been able to protect them, and have NEVER had an unsolicited entry from the outside. And I don't have the SPI firewall turned on in the router. I use the software firewall that comes with the operating system; e.g. Windows or Linux. I then usually have a secondary that is much more controllable such as Zonealarm or black-ice. Many SPI firewalls in routers, that are basic with little or no control, do in fact cause some problems with server type services like voip, web servers, gaming, etc...

    As I mentioned above, a REAL NETWORK would never have such a thing as a router/switch/wireless/firewall/etc... combo device. For the majority of computer users, a combo router that we are talking about works flawlessly. Their computer use is very basic. For those who have a bit more complex network, including voip, intense gaming, servers, etc... they can use the combo type routers, but they need one that will do what they want, and they need to learn a little more about how to use it. For those who truly have a real network, (Not just multiple computers on the internet); but computers sharing with each other; web server; email server; game servers; file serving/sharing; etc... then the all in one combo router isn't the way to go. Actually; the router part is fine, but you would install separate hardware to different parts of your network. E.g. Hardware firewall, switches, static Public IP addresses; etc...

    I always tell people to start off their combo router in a very tight mode with SPI on, no port forwarding, etc... You don't fix what isn't broken. When you have inconsistencies with servers; such as voip, the first thing you do is experiment using the DMZ. If that works, then you have a PORT problem. You DON'T LEAVE it in the DMZ. You figure out the ports you need and you forward those ports or range. Then turn off the DMZ. (Again, the DMZ is simply PORT FORWARD ALL PORTS). Nothing more. It's not outside your router. If you still have problems, and it isn't the ports, then you turn off the ALG. Then move on to turning off the SPI. Once you know what fixes the problem, you can address if you need that function for another part of your network. But no, you don't need the SPI firewall on your router if you have a decent software router. The software can actually be much better. But if a person thinks hardware is always better, you can buy a standalone hardware firewall. Turn off the SPI in the combo router so your voip is happy, plug the hardware firewall into one of the combo router's switch lan ports, then feed that to a switch for all your computers. Now you have the best of all worlds. Unless of course in your COMBO Router, you are also using that for your wifi. But that has a different set of protections and we don't have to discuss that here.
    Last edited by christcorp; 02-11-2012 at 06:44 PM.
    Mike
    "Born Wild - Raised Proud"
    Do you like your life? - Thank a Vet!!!

  2. #2
    Join Date
    Feb 2009
    Location
    Houston suburb
    Posts
    253

    Default Re: Incoming Calls, NOT!

    Quote Originally Posted by christcorp
    So, bottom line. Make your router as basic as possible. No firewall turned on. No ALG turned on. No UPnP turned on. Give your Voip Adapter a static IP address of 192.168.1.x or whatever, so it's the SAME IP address ALL the time. Port forward in the router the ports necessary to that IP address. Then, use LOCAL software firewall, virus protection, etc... on each machine to protect them from outside influences.
    I agree with holmes4. I don’t see any need to disable SPI unless your router is having firewall issues. Forwarding ports or DMZ is supposed to open up a clear tunnel through the SPI firewall. If you find port forwarding or DMZ is not working correctly with SPI enabled, then I’d be looking for another router to buy…..

  3. #3
    Join Date
    Feb 2007
    Posts
    423

    Default Re: Incoming Calls, NOT!

    Quote
    I agree with holmes4. I don’t see any need to disable SPI unless your router is having firewall issues. Forwarding ports or DMZ is supposed to open up a clear tunnel through the SPI firewall. If you find port forwarding or DMZ is not working correctly with SPI enabled, then I’d be looking for another router to buy…..
    DMZ does not stop Stateful Packet Inspection (Firewall) from happening. Some are still confusing the difference between NAT and Firewalls (SPI). NAT is for ROUTING. It allows more than one PRIVATE IP Address like 192.168.x.x or 10.x.x.x to SHARE one SINGLE PUBLIC IP address. This has absolutely NOTHING to do with Stateful Packet Inspection. SPI (Firewall) inspects the incoming packets for patterns and such. If you did not make a REQUEST for such traffic, it won't be allowed in. DMZ has absolutely nothing to do with that. DMZ is an easy way of forwarding ALL PORTS. That's part of the ROUTING process. When only 1 item in your network requires certain ports for incoming traffic, then DMZ is fine. But if you have 2 or more things that NEED certain ports; e.g. voip and gaming or IP camera or web server, etc... then you can't use DMZ. Again; DMZ has absolutely nothing to do with your firewall.

    Now I will put out one caveat. I have not used every single combo router in the world, so it's possible that a router could have a DMZ that bypasses the firewall. But that doesn't sound possible. Again; when an incoming packet is at the router, it has an address. And that address has a port assigned. If you tell the router that 1 IP address is in the DMZ, then the router says: "Fine; I will send ALL inbound traffic to that IP address, unless an internal IP address specifically requested something". So while it might be possible, it is so improbable. DMZ is part of routing and NAT. SPI Firewall is about inspecting ALL incoming traffic.

    Now, will having an IP address in the DMZ allow the incoming traffic to come in? Yes. For Voip, there is the session initiation process. (SIP). For a web server, usually there's some sort of authentication. Basically, if a device or software on your end is expecting certain types of packet and traffic, it will authenticate and accept the traffic. If not, there are other ways to protect. But bottom line: Having an IP address in the DMZ isn't bypassing the firewall. It's simply port forwarding.
    Last edited by christcorp; 02-11-2012 at 06:41 PM.
    Mike
    "Born Wild - Raised Proud"
    Do you like your life? - Thank a Vet!!!
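
Added example (not part of the original thread): a toy Python model of the inbound decision discussed in the posts above, checking solicited replies first, then explicit port forwards, then the DMZ catch-all. The rule order, the `Router` class, `demo()` and every address are assumptions made for illustration; real routers differ in how they order these checks.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Router:
    """Toy inbound path of a NAT router. Rule order is an assumption."""
    forwards: dict = field(default_factory=dict)   # (proto, wan_port) -> LAN IP
    dmz_host: Optional[str] = None                 # catch-all target, if set
    conntrack: dict = field(default_factory=dict)  # flow key -> LAN IP
    next_port: int = 40000                         # next NAT source port

    def outbound(self, proto, lan_ip, remote_ip, remote_port):
        """A LAN host opens a flow; NAT records state and returns the WAN port."""
        wan_port = self.next_port
        self.next_port += 1
        self.conntrack[(proto, wan_port, remote_ip, remote_port)] = lan_ip
        return wan_port

    def inbound(self, proto, remote_ip, remote_port, wan_port):
        """Return (verdict, lan_ip) for a packet arriving on the WAN side."""
        key = (proto, wan_port, remote_ip, remote_port)
        if key in self.conntrack:                  # reply to something we asked for
            return ("ESTABLISHED", self.conntrack[key])
        if (proto, wan_port) in self.forwards:     # explicit port forward
            return ("FORWARD", self.forwards[(proto, wan_port)])
        if self.dmz_host:                          # DMZ: every remaining port
            return ("DMZ", self.dmz_host)
        return ("DROP", None)                      # unsolicited, no rule

def demo():
    """Constructed scenario; all addresses are documentation/private ranges."""
    r, pc, ata = Router(), "192.168.1.10", "192.168.1.50"
    out = []
    port = r.outbound("tcp", pc, "203.0.113.7", 443)           # PC browses out
    out.append(r.inbound("tcp", "203.0.113.7", 443, port))     # solicited reply
    out.append(r.inbound("udp", "198.51.100.9", 5060, 5060))   # SIP, no rule yet
    r.forwards[("udp", 5060)] = ata                            # forward SIP only
    out.append(r.inbound("udp", "198.51.100.9", 5060, 5060))
    out.append(r.inbound("tcp", "198.51.100.9", 51000, 23))    # unrelated port
    r.dmz_host = ata                                           # now add DMZ
    out.append(r.inbound("tcp", "198.51.100.9", 51000, 23))    # same packet again
    return out

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

With only the SIP forward in place the unrelated port is dropped; once a DMZ host is set, the same packet is delivered to the adapter, which is the difference between forwarding the ports you need and leaving a device in the DMZ.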

  4. #4
    Join Date
    Feb 2007
    Posts
    423

    Default Re: Incoming Calls, NOT!

    After re-reading my last 2 posts, I feel that it is possible for a lot of confusion on my point. I would like to very briefly clarify something. When an IP is in the DMZ, SPI is still happening, however, you have basically said: "I don't care if the packet was unsolicited or not, send it to me anyway". So in that regard, you could say that you are bypassing the firewall. However, the actual process of inspecting the packets still exists. And that could possibly affect the traffic you are trying to get in. That is why I said that in my opinion, it is best to turn off the SPI firewall altogether and use software or hardware firewalls separately. Plus; for those who do gaming or other activities that require certain ports, you most likely will have an issue if you use the DMZ for voip. You can only have 1 device in the DMZ. And if you do that, then port forwarding will get messed up, because DMZ wants to forward ALL ports to that one IP address. Thanks for letting me clarify.
    Mike
    "Born Wild - Raised Proud"
    Do you like your life? - Thank a Vet!!!

  5. #5
    Join Date
    Jul 2011
    Posts
    163

    Default Re: Incoming Calls, NOT!

    All this technical jargon is probably why VoIP will never become the phone service of the masses. The average Joe just wants to be able to make and receive calls without having to have a vast knowledge of computers and routers and port forwarding etc...., and why should they have to do all this technical troubleshooting anyway?

    You don't see this with the good old fashioned land line phone service or with cell phone service. 99% of people expect to dial a number and have the phone on the other end ring, after all, that's what they are paying for.

  6. #6
    Join Date
    Feb 2007
    Posts
    423

    Default Re: Incoming Calls, NOT!

    That's because the good old fashioned land line phone and cell phone service have an internal network. Coast to coast it's all the same network. Whether it's Centurylink, Verizon (Landline), ATT, etc... they use the same system. They hand off to each other seamlessly. Voip relies on the internet. It relies on many different internet providers; different internet technologies; etc... That isn't voip's fault. Now, ask yourself, why Ma Bell and cell service cost 5X more than voip? Sorry, but you can't have it both ways. People who come to voip, do so initially to save money. Well, you can't have the quality and reliability of a closed network at internet prices. Sorry, but it can't happen.

    And you're right, voip probably won't become the phone service of the masses. But that's not voip's fault. It's the consumer's fault. It's their ignorance. You don't buy a Ford Focus as your only car if you've got a family of 6. You also don't buy it for hauling firewood out of the forest. I will say, if a person had internet access, hooked up their voip adapter and NO COMPUTERS or ANYTHING...... Just the internet and voip adapter..... I'd give you a 99.9% chance of perfect success. But then again, that's what a traditional landline is; isn't it. 1 service and 1 use.

    So; why do you expect the same type of service? Shared network vs dedicated network and $10-$15 per month vs $50-$60 per month.
    Mike
    "Born Wild - Raised Proud"
    Do you like your life? - Thank a Vet!!!

  7. #7
    Join Date
    Dec 2008
    Posts
    13

    Default Re: Incoming Calls, NOT!

    Quote Originally Posted by wingsohot
    All this technical jargon is probably why VoIP will never become the phone service of the masses.
    VoIP already is a product for the masses, but most people don't know that's actually what their phone is using. Just look at all the cable companies that offer phone service, in addition to ATT U-Verse and Verizon FiOS Voice. All of those products are delivered using the same IP protocols that providers like VOIPo use, the only difference is they get to connect their ATA widget directly to their network as it enters the customer home so that any equipment that a customer has installed won't be a factor.

    Internet-based providers are at the mercy of whatever the customer has on their home network, which is why you have reports of everything from "it works perfectly" to "it never works right" even from neighbors who both use the same VoIP service.

  8. #8
    Join Date
    Feb 2010
    Posts
    221

    Default Re: Incoming Calls, NOT!

    Just read this interesting and insightful article in The Verge - Phoning it in: the dirty secret of IP calling, and how it will change the phone industry
    Steve

  9. #9
    Join Date
    Feb 2007
    Posts
    423

    Default Re: Incoming Calls, NOT!

    Quote Originally Posted by holmes4
    Just read this interesting and insightful article in The Verge - Phoning it in: the dirty secret of IP calling, and how it will change the phone industry
    I make voipO calls on my android. I only use it when I need to make a lot of calls and I don't feel like using up a bunch of my minutes. But there is an "ADDITIONAL" problem added to the original problem with voip. You've added more jitter and latency.

    Definitely a good article. Unfortunately, until the "Net Neutrality" folks are educated; or technology changes where time sensitive data can be handled differently, voice and video conferencing will still have to compete with surfing, gaming, email, etc... The workaround currently has been to add more bandwidth. But that isn't the answer. Voip calls don't need more than 120 kbps. But when all the other traffic on the internet and within your ISP's network, packets compete for what order they come in. Data can buffer; voip and video conferencing are very sensitive.

    I think that most people could live with giving time sensitive apps like voip and video conferencing priority; unfortunately, there are the "Gamers" who think they should also have priority because their hobby is time sensitive. Until internet traffic is allowed to be prioritized, or technologically separated so the different types of traffic don't have to compete with lower priority traffic; voip will always have certain issues.
    Mike
    "Born Wild - Raised Proud"
    Do you like your life? - Thank a Vet!!!
