Firewall issues



olaf
07-24-2009, 10:16 AM
I had an issue yesterday when my PAPT2 failed to reregister after I rebooted my router. I submitted a ticket, the response was prompt, and they enabled a STUN server and set NAT keep-alive packets to be sent every 5 minutes to help prevent the problem from happening again. They also recommended that I disable the SPI firewall on my router because it may cause intermittent problems, even if it seems to be working.

I rebooted the router again today, and when the PAPT2 again failed to register (with the SPI firewall still on), I experimented a bit with putting the PAPT2 in a DMZ vs. turning off the firewall completely. As far as I could tell, the DMZ did not let it reregister, but shutting the firewall off did.

I'm not crazy about leaving the firewall off, but I suppose I could use an iptables-based firewall instead of the SPI firewall (I am using DD-WRT firmware). I'm just wondering if others out there have thoughts & experience on the pros & cons of an SPI firewall and other router security measures while using VOIP.

Thanks.

fisamo
07-24-2009, 10:52 AM
Which version of DD-WRT are you running?

olaf
07-24-2009, 11:02 AM
> Which version of DD-WRT are you running?

v24-sp2 standard, build 12188 (05/21/09).

Xponder1
07-24-2009, 02:58 PM
Firmware: DD-WRT v24-sp2 (01/01/09) micro
I use this version with no problems at all. It was one of the most recommended builds.

olaf
07-24-2009, 03:10 PM
> Firmware: DD-WRT v24-sp2 (01/01/09) micro
> I use this version with no problems at all. It was one of the most recommended builds.

And you leave the SPI firewall on?

I've had no trouble with the router for anything else, just an intermittent registration issue in the last couple days while the firewall is on.

ptrowski
07-24-2009, 03:29 PM
I have a similar configuration and leave the SPI firewall off. It has not created extra issues with my other laptops, PCs, etc. from a security aspect.

voipinit
07-24-2009, 04:02 PM
Curious - correctly setting up a DMZ should bypass your router firewall altogether.

scott2020
07-24-2009, 05:55 PM
> Firmware: DD-WRT v24-sp2 (01/01/09) micro
> I use this version with no problems at all. It was one of the most recommended builds.

I think the newest release was to address an exploit that would give hackers full control of the router. I saw a news release about it yesterday.

fisamo
07-24-2009, 06:17 PM
> I think the newest release was to address an exploit that would give hackers full control of the router. I saw a news release about it yesterday.

That's comforting... :eek:

I asked the OP about version, because I have SPI on with no issues whatsoever. One key difference, though, is that as a former beta tester, I'm able (and choosing) to connect with my own equipment (PBX-in-a-Flash), not a Voipo-supplied ATA. My DD-wrt version is shown below:

Router Model: Asus WL-520GU/GC
Firmware Version: DD-WRT v24-sp2 (06/09/09) mini-usb - build 12268M NEWD Eko
I don't know as if the hardware would make a difference, but what brand and model router are you running?

mdlawler
07-25-2009, 08:36 AM
I'm running dd-wrt nokaid 07-22-09 on a Linksys WRT54GS and I saw several UDP packets from the Voipo servers to ports 5060 and 5061 being dropped. I forwarded these ports to my PAP2T and that solved all of my problems. I think that the default for dd-wrt is to close UDP connections after 120 seconds to prevent the number of connections which I have at 4096 from overflowing. I see no drawback of forwarding those two ports as it avoids this issue completely. The only possible drawback is that it allows any connections to hit the ATA not just ones from Voipo so it puts more security risk on the ATA.
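As an added example (not from this thread, and not DD-WRT's own published rule set), the script below takes mdlawler's approach one step further for DD-WRT's Administration > Commands box: it forwards UDP 5060/5061 to the ATA but only from the provider's signalling network, so the forward is not open to the whole internet; it drops WAN-side connections to the router's own web GUI as a backstop to disabling remote management; and it raises the conntrack timeout for UDP streams so the 5-minute NAT keep-alives keep the mapping alive instead of letting it expire at the default mdlawler observed. The ATA address 192.168.1.50, the provider range 203.0.113.0/24, the WAN interface name vlan1 and the two /proc sysctl paths are placeholders and assumptions; take the real signalling range from your provider.

```shell
#!/bin/sh
# Added example, not from this thread or from DD-WRT: firewall commands for
# Administration > Commands > "Save Firewall" that keep the SPI firewall on
# and avoid a DMZ, while still letting SIP registrations reach the ATA.
# IPT can be overridden (IPT=echo) to dry-run the script off the router.
IPT="${IPT:-iptables}"

# Forward SIP signalling (UDP 5060/5061) to the ATA, but only from the
# provider's signalling network. A plain port forward admits the whole
# internet; the source match limits how much of the ATA is exposed.
#   $1 = LAN address of the ATA (placeholder: 192.168.1.50)
#   $2 = provider SIP network (placeholder: 203.0.113.0/24; ask the provider)
voip_forward_rules() {
    ata_ip="$1"
    provider_net="$2"
    for port in 5060 5061; do
        # Rewrite the destination of inbound SIP to the ATA.
        $IPT -t nat -A PREROUTING -p udp -s "$provider_net" \
            --dport "$port" -j DNAT --to-destination "$ata_ip"
        # DD-WRT's FORWARD chain drops new WAN->LAN flows by default, so
        # the accept rule is inserted ahead of it.
        $IPT -I FORWARD 1 -p udp -s "$provider_net" -d "$ata_ip" \
            --dport "$port" -j ACCEPT
    done
}

# Refuse connections to the router's own web GUI arriving on the WAN side.
# This is an assumed defensive rule, not the rule DD-WRT published; it backs
# up disabling remote Web GUI management. $1 = WAN interface (placeholder: vlan1).
block_wan_gui() {
    wan_if="$1"
    for port in 80 443; do
        $IPT -I INPUT 1 -i "$wan_if" -p tcp --dport "$port" -j DROP
    done
}

# Raise the conntrack timeout for established UDP streams so the NAT mapping
# outlives the provider's 5-minute keep-alive interval (the default expired
# at 120 s in mdlawler's setup). $1 = seconds; $2 = optional sysctl file
# (used for testing). Both /proc paths are assumptions for 2.4 and 2.6 kernels.
set_udp_stream_timeout() {
    secs="$1"
    if [ -n "$2" ]; then
        paths="$2"
    else
        paths="/proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream"
    fi
    for f in $paths; do
        if [ -w "$f" ]; then
            echo "$secs" > "$f"
            return 0
        fi
    done
    return 1   # no writable sysctl found (e.g. dry run off the router)
}

# Usage on the router:      sh voip-firewall.sh 192.168.1.50 203.0.113.0/24 vlan1
# Dry run off the router:   IPT=echo sh voip-firewall.sh 192.168.1.50 203.0.113.0/24 vlan1
if [ $# -eq 3 ]; then
    voip_forward_rules "$1" "$2"
    block_wan_gui "$3"
    set_udp_stream_timeout 600 || echo "conntrack sysctl not found; timeout unchanged" >&2
fi
```

The dry-run form prints the exact iptables commands that would be applied, which is a convenient way to review the rule set before pasting it into the router; on the router itself the SPI firewall stays enabled and only the two SIP ports, from the one source range, are opened toward the ATA.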

Xponder1
07-25-2009, 04:47 PM
> And you leave the SPI firewall on?
>
> I've had no trouble with the router for anything else, just an intermittent registration issue in the last couple days while the firewall is on.

Yes I leave it on.

Xponder1
07-25-2009, 04:49 PM
> I think the newest release was to address an exploit that would give hackers full control of the router. I saw a news release about it yesterday.

DD-WRT httpd vulnerability (milw0rm.com report)

As reported at www.miw0rm.com there is a vulnerability in the http-server for the DD-WRT management GUI that can be used for execution of an exploit to gain control over the router.

Note: The exploit can only be used directly from outside your network over the internet if you have enabled remote Web GUI management in the Administration tab. As immediate action please disable the remote Web GUI management. But that limitation could be easily overridden by a Cross-Site Request Forgery (CSRF) where a malicious website could inject the exploit from inside the browser.

We have fixed the issue and generated new builds of the latest DD-WRT version. You can temporarily download these files from here until we have updated the router database.
[UPDATE] We have integrated most of the fixed build files into the router database. You can check there if files for build 12533 are available for your router. If not (yet) please check the location mentioned above to obtain the files.

The exploit can also be stopped, using a firewall rule: Go to your router's admin interface to > Administration > Commands and enter the following text:

Edit- Figures they would have an exploit when I stop going and reading their site weekly.

olaf
07-27-2009, 10:35 AM
> I asked the OP about version, because I have SPI on with no issues whatsoever. One key difference, though, is that as a former beta tester, I'm able (and choosing) to connect with my own equipment (PBX-in-a-Flash), not a Voipo-supplied ATA. My DD-wrt version is shown below:
>
> Router Model: Asus WL-520GU/GC
> Firmware Version: DD-WRT v24-sp2 (06/09/09) mini-usb - build 12268M NEWD Eko
>
> I don't know as if the hardware would make a difference, but what brand and model router are you running?

I am using the same router you are, Asus WL-520gU (I haven't put mini-usb on it since I haven't had a need to use the USB port).

Regarding the DD-WRT security hole, if you don't want to upgrade just yet for some reason, it can also be addressed with a firewall rule, as seen on the DD-WRT homepage (http://www.dd-wrt.com).

Thanks to those who have weighed in on this. I am leaning towards re-enabling the firewall and forwarding the necessary ports, but will have to do some testing for that.