
Thread: Port Forwarding vs. DMZ & UPnP

  1. #1
    Join Date
    Feb 2007
    Posts
    423

    Re: Port Forwarding vs. DMZ & UPnP

    Quote Originally Posted by budmaster:
    Mike, thanks for the detailed reply. All makes sense, but it leaves another question for me. How does a home network deal with conflicting ports? VOIPO requires a vast range of ports that conflicts with other applications. Is there a configuration of a home network that will allow these applications to co-exist with VOIPO?
    Very few things use dynamic ports (dynamic meaning they change). Most devices, like my IP camera, use a dedicated port, and I can make that port anything I want. Now, considering there are 65,535 ports, and Voipo doesn't start until port 5060 and stops at 65,000, that leaves you 535 ports after, and more than 4,000 ports between 1024 and 5060, which are considered part of the registered ports. I would say that you have more than enough ports to work with.

    Now, if you happen to have some rare device that requires a specific port between 5060 and 65000, and you can't change it, then it matters how you do your "PORT RANGE FORWARDING" (similar to port forwarding, but instead of forwarding a single port, you forward a RANGE of ports; i.e. I PORT RANGE FORWARD 5060-65000). Let's say you have a device that MUST have a particular port, e.g. port 6000. There are 2 ways to get around this.

    1. VOIP uses UDP, not TCP. MOST other things use TCP. So, in theory, you can port forward the same port to 2 different places if one uses TCP and the other uses UDP. E.g. you'd forward port 6000 TCP to one IP address and 6000 UDP to a different IP address. I've tried this and I've never had a problem. Mind you, I did it only as an experiment; I've never found a piece of equipment on my end that had to have a specific port. Now, there are certain online game servers that do use TCP and UDP ports. E.g. Warcraft uses 6112-6119 and port 4000. If this is your situation, this brings you to the 2nd alternative.

    2. When VoIP is using ports dynamically, it's pretty smart. It will generally grab a port that both ends can agree on. The first part of VoIP is "SIP". That stands for Session Initiation Protocol. This is the port 5060, and pretty much, unless you have more than 1 VoIP adapter, this is the generally accepted port. This is the port that your VoIP adapter uses to go out through the internet and get to the gateway closest (or contracted with by your VoIP provider) to the phone number you are trying to call, either a landline or cell number. This SIP basically calls the other end for you. It initiates the handshake so you and the other end can talk to each other. This is where both ends agree on ports and such. Once all that has been initiated (faster than you can blink), the RTP part starts. RTP is Real-Time Transport Protocol. This is the actual voice conversation and packets. VoIP uses UDP because it's faster and has other advantages. But the main thing is TCP can resend packets that don't make it properly. Well, guess what: you can't RESEND VOICE PACKETS. The conversation is LIVE. If you miss a packet, too bad. You can't reinsert a packet of missed voice. Anyway, I'm getting off track. My point is, for the ports that are agreed upon for the RTP traffic during the SIP portion (initiation), it is smart enough to use ports that aren't being used. So, when you PORT RANGE FORWARD Voipo, but you have a game like Warcraft that MUST have ports 6114-6119 and 4000 in BOTH TCP and UDP, simply set up multiple port range line entries for VoIP.

    E.g. Port Range Forward: 5060-6113 UDP to 192.168.1.30 (or whatever your VoIP adapter is); then 6020-65000 also to 192.168.1.30. You don't have to worry about port 4000, because that is below the 5060 that you started with. However, if you always play the same game, or the device you are talking about always needs the same ports, you could also port range forward those too. In my example: port range forward 6113-6119 BOTH TCP/UDP to 192.168.1.50 (or whatever your computer/equipment is). Mind you, for a game, most times your PC initiates the connection and the game server simply agrees. So you don't really have to port forward for a game.

    Sorry this is getting long. The "professional" way this is done is to NOT PORT FORWARD. Why? Because most companies, businesses, etc. that have a larger network probably also have a PUBLIC side for people coming to their website to buy things, service, letter to the editor, or whatever, and they have a PRIVATE side of the network for all the employees' computers, etc. These businesses (and you too, if your ISP allows it) buy MORE THAN 1 PUBLIC IP ADDRESS. E.g. you have 64.179.23.45 and 64.179.23.46 coming to your modem instead of just one. You assign one to your router for all your PCs, wireless, etc. The 2nd IP is assigned to your IP webcam or, if you want, your VoIP adapter. EVERY IP address has 65,535 ports. So port 6000 on one IP address isn't the same as port 6000 on the other one. Think of it like a street address. There are MANY 325 addresses: 325 Miller Avenue, 325 Morris Avenue, 325 6th St, etc. Well, every IP address is a street and every port is a house on that street.

    But you asked for the home user. Most home users aren't going to spend the extra $10-$15 a month for 2 or more static IP addresses from their ISP. So, between #1 and #2 above, you can work around most conflicting port issues. Would it be simpler if Voipo had a narrower set of specific ports? Yes; they used to. But this isn't the most efficient way to do this. Matter of fact, 95+% of all Voipo users don't need to port forward. They don't do DMZ. They don't have server-type inbound traffic that needs to go some place specifically. So they don't have to port forward / port range forward anything. And even for the 5% who do have other devices, most times there isn't going to be a port conflict anyway, because if a game is using a specific port when a phone call comes in, SIP will initiate a different port for the RTP traffic. But for those who have a pretty intense network, port forwarding can be done effectively. If your network is TOO INTENSE, then chances are you know exactly what you're doing, and you probably have more than one static IP address from your ISP. Hope this helps. Sorry if it's too in depth. Actually, I probably oversimplified the way SIP and RTP go through the process of making a phone call. Anyway, hope it helps. Mike....
    Last edited by christcorp; 02-20-2012 at 08:54 PM.
    Mike
    "Born Wild - Raised Proud"
    Do you like your life? - Thank a Vet!!!
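The range splitting and TCP/UDP port sharing described in the post above, worked through as an added example (this is editor-written code, not from this thread or from any vendor): it carves the VoIP UDP range around the ports a second device must keep, reports every (protocol, port) that two rules would send to different LAN hosts, and counts how many inbound ports each host ends up reachable on, which is the number a defender wants to see before accepting the plan. The addresses 192.168.1.30 and 192.168.1.50, the 5060-65000 range and the game ports 6112-6119 and 4000 are the sample values from the post; the Rule class and all function names are this example's own.

```python
"""Plan and check NAT port-forwarding rules on a home router (added example).

Hosts, ranges and "must-have" ports below are constructed sample values
taken from the forum post; the planner itself is generic.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp" or "udp"
    lo: int      # first external port of the range (inclusive)
    hi: int      # last external port of the range (inclusive)
    target: str  # LAN address the range is forwarded to

    def __post_init__(self) -> None:
        if self.proto not in ("tcp", "udp"):
            raise ValueError(f"unknown protocol {self.proto!r}")
        if not 1 <= self.lo <= self.hi <= 65535:
            raise ValueError(f"bad port range {self.lo}-{self.hi}")


def split_range(lo: int, hi: int, proto: str, target: str,
                reserved: Iterable[int]) -> List[Rule]:
    """Forward lo..hi on proto to target, leaving out the reserved ports.

    Reserved ports outside lo..hi are ignored. Consecutive reserved ports
    produce a single gap, so the result is the minimal set of ranges.
    """
    rules: List[Rule] = []
    start = lo
    for p in sorted(set(reserved)):
        if p < lo or p > hi:
            continue                       # nothing to carve out here
        if p > start:
            rules.append(Rule(proto, start, p - 1, target))
        start = p + 1
    if start <= hi:
        rules.append(Rule(proto, start, hi, target))
    return rules


def find_conflicts(rules: List[Rule]) -> List[Tuple[str, int, int, str, str]]:
    """(proto, lo, hi, host_a, host_b) for every overlap that points at two hosts.

    The same port number on TCP and on UDP is not a conflict: the router keys
    its translation table on protocol as well as port, which is exactly what
    lets a TCP service and a UDP service share one external port number.
    """
    conflicts = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.proto != b.proto or a.target == b.target:
                continue
            lo, hi = max(a.lo, b.lo), min(a.hi, b.hi)
            if lo <= hi:
                conflicts.append((a.proto, lo, hi, a.target, b.target))
    return conflicts


def _merge(intervals: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Merge overlapping or adjacent (lo, hi) pairs so ports are not double-counted."""
    merged: List[Tuple[int, int]] = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def exposed_ports(rules: List[Rule]) -> Dict[str, int]:
    """Distinct (proto, port) pairs reachable from the internet, per LAN host.

    A host with 2 x 65535 here is effectively in the DMZ.
    """
    by_host: Dict[Tuple[str, str], List[Tuple[int, int]]] = {}
    for r in rules:
        by_host.setdefault((r.target, r.proto), []).append((r.lo, r.hi))
    totals: Dict[str, int] = {}
    for (host, _proto), ivs in by_host.items():
        totals[host] = totals.get(host, 0) + sum(hi - lo + 1 for lo, hi in _merge(ivs))
    return totals


# Constructed sample values matching the post: a VoIP adapter and a game PC.
VOIP_ADAPTER = "192.168.1.30"
GAME_PC = "192.168.1.50"
GAME_PORTS = list(range(6112, 6120)) + [4000]   # ports the game must keep, TCP and UDP


def plan() -> List[Rule]:
    """The split layout from the post: VoIP UDP range minus the game ports."""
    rules = split_range(5060, 65000, "udp", VOIP_ADAPTER, GAME_PORTS)
    for p in GAME_PORTS:
        rules.append(Rule("tcp", p, p, GAME_PC))
        rules.append(Rule("udp", p, p, GAME_PC))
    return rules


if __name__ == "__main__":
    for r in plan():
        print(f"{r.proto.upper():3} {r.lo}-{r.hi} -> {r.target}")
    print("conflicts:", find_conflicts(plan()))
    print("exposed ports per host:", exposed_ports(plan()))
```

Running it prints two UDP ranges for the adapter (5060-6111 and 6120-65000), eighteen single-port rules for the PC, no conflicts, and an exposure count of 59,933 inbound UDP ports on the adapter. That last figure is the practical argument for not range-forwarding at all unless a concrete problem has been diagnosed: one naive rule covering 5060-65000 plus the game's UDP entries is reported as eight conflicting ports, and the remaining tens of thousands of open ports are attack surface the adapter does not need.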

  2. #2
    Join Date
    Apr 2008
    Location
    Aventura Fl
    Posts
    860

    Re: Port Forwarding vs. DMZ & UPnP

    Mike....

    Excellent concise explanation....Thank you for taking the time to explain this.

  3. #3

    Re: Port Forwarding vs. DMZ & UPnP

    Mike, Thank you for taking the time to educate us all.

  4. #4
    Join Date
    Dec 2011
    Posts
    103

    Re: Port Forwarding vs. DMZ & UPnP

    Mike,

    I think the reality in most residential environments is much simpler. Firewalls distinguish between outgoing and incoming traffic. Moreover, incoming traffic is distinguished between solicited and unsolicited (I am simplifying, but not by much). For example, if you are running a web server and expect unsolicited requests from the internet, you need to somehow forward the web port (typically 80 or 443) to your computer.

    That means that you should never put a Windows computer in DMZ, unless you REALLY know what you are doing. You might put a router into DMZ (since it has its own powerful firewall), but that's a topic for another post.

    Now, let's apply this general information to VoIP traffic. I assume that you have a modem, router, and VoIP adapter (ATA). Sometimes the modem and router are combined into a single device, and the Voipo-provided Grandstream adapter has a built-in router, but logically it's three different devices.

    The adapter registers with the VSP's server, so if everything is OK, the firewall treats incoming SIP traffic as solicited. Therefore, no port forwarding is needed. Occasionally I have seen that this is not the case (perhaps the SIP registration is longer than the firewall timeout), and then forwarding ports 5060 and 5061 to your adapter really helps.

    RTP traffic always is (or should be) solicited due to the negotiation process that Mike mentioned. So, if you need (or think that you need) to forward RTP ports to your adapter, I suggest that you talk to a specialist about what the root cause of your problem is.

    So, to answer the OP about DMZ vs. port forwarding, the first answer is neither. If you run into problems, start troubleshooting them, and maybe the solution will be to forward SIP ports. However, don't start with it.

    As far as UPnP goes... I think it's evil. Again, this is over 10 years old, and if you really know why you need it, you may have a good reason for it (although I haven't heard a good reason yet). Having VoIP service is certainly not a good reason.
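The solicited/unsolicited distinction and the registration-timeout case from the post above, as an added example (editor-written code, not part of the thread): a toy stateful firewall that records outbound flows, admits an inbound packet only when it matches a live mapping or an explicit forward, and otherwise drops it or, when a DMZ host is configured, hands it to that host. It then plays out the three situations the post describes: SIP traffic from the provider arriving while the registration mapping is alive, the same traffic after the mapping has timed out (with and without a 5060 forward, and with more frequent re-registration as the alternative fix), RTP that is solicited because the adapter sent first, and an unsolicited probe landing on a DMZ host. The 30-second mapping lifetime, the addresses (documentation ranges), and the assumption that the NAT keeps the inside port number unchanged are constructed simplifications.

```python
"""Toy stateful firewall / NAT for a home router (added example).

Constructed simplifications: one WAN address, the NAT preserves the inside
port number on the outside, and one idle timeout is applied to both TCP and
UDP mappings. Real routers differ in all three, but the decision logic is
the same: reply to something we sent, or match a forward, or get dropped.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulFirewall:
    timeout: float = 30.0                        # idle lifetime of a mapping, seconds
    forwards: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (proto, port) -> LAN host
    dmz_host: Optional[str] = None               # receives everything nothing else claims
    # (proto, remote_ip, remote_port, inside_port) -> [lan_host, expiry]
    table: Dict[Tuple[str, str, int, int], List] = field(default_factory=dict)

    def outbound(self, pkt: Packet, now: float) -> None:
        """A LAN host sends first: create or refresh the mapping replies will match."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.sport)
        self.table[key] = [pkt.src, now + self.timeout]

    def inbound(self, pkt: Packet, now: float) -> Tuple[str, Optional[str]]:
        """A packet arrives on the WAN side; return (verdict, LAN host or None)."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dport)
        entry = self.table.get(key)
        if entry is not None and entry[1] >= now:
            entry[1] = now + self.timeout        # traffic keeps the mapping alive
            return ("solicited", entry[0])
        self.table.pop(key, None)                # stale mapping: forget it
        host = self.forwards.get((pkt.proto, pkt.dport))
        if host is not None:
            return ("port-forward", host)        # unsolicited but explicitly allowed
        if self.dmz_host is not None:
            return ("dmz", self.dmz_host)        # unsolicited, and the DMZ host gets it all
        return ("dropped", None)


# Constructed sample addresses (RFC 5737 documentation ranges for the WAN side).
ATA = "192.168.1.30"          # VoIP adapter on the LAN
PC = "192.168.1.50"           # a Windows PC on the LAN
WAN = "198.51.100.1"          # the router's public address
VSP = "203.0.113.10"          # the provider's SIP server
MEDIA = "203.0.113.20"        # the provider's media gateway


def sip_scenario(forward_sip: bool = False,
                 reregister_every: Optional[int] = None) -> Tuple[Tuple[str, Optional[str]], ...]:
    """Inbound SIP at t=20 (mapping alive) and at t=200 (mapping long expired)."""
    fw = StatefulFirewall()
    if forward_sip:
        fw.forwards[("udp", 5060)] = ATA          # the fix the post reaches for last
    register = Packet("udp", ATA, 5060, VSP, 5060)
    invite = Packet("udp", VSP, 5060, WAN, 5060)
    fw.outbound(register, now=0)                  # REGISTER creates the mapping
    early = fw.inbound(invite, now=20)
    if reregister_every:                          # alternative: re-register faster than the timeout
        for t in range(reregister_every, 200, reregister_every):
            fw.outbound(register, now=t)
    late = fw.inbound(invite, now=200)
    return early, late


def rtp_scenario() -> Tuple[str, Optional[str]]:
    """After SIP negotiation the adapter sends RTP first, so the reply stream is solicited."""
    fw = StatefulFirewall()
    fw.outbound(Packet("udp", ATA, 16384, MEDIA, 40000), now=0)
    return fw.inbound(Packet("udp", MEDIA, 40000, WAN, 16384), now=1)


def dmz_scenario() -> Tuple[str, Optional[str]]:
    """With the PC in the DMZ, an unsolicited packet to any port reaches it."""
    fw = StatefulFirewall(dmz_host=PC)
    probe = Packet("tcp", "192.0.2.77", 51234, WAN, 445)   # never requested by the PC
    return fw.inbound(probe, now=0)


if __name__ == "__main__":
    print("SIP, no forward:      ", sip_scenario())
    print("SIP, 5060 forwarded:  ", sip_scenario(forward_sip=True))
    print("SIP, re-register 25s: ", sip_scenario(reregister_every=25))
    print("RTP after negotiation:", rtp_scenario())
    print("PC in DMZ, probe:     ", dmz_scenario())
```

The first scenario is the post's point in miniature: the INVITE is solicited while the REGISTER mapping is alive and dropped once it has expired, and either a forward for 5060 or a registration interval shorter than the router's timeout makes it deliverable again. The RTP scenario shows why forwarding RTP ports should not be needed, and the DMZ scenario shows what "unsolicited" means for a host placed there: the decision falls through every check and the packet is delivered anyway.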
