Thread: Port Forwarding vs. DMZ & UPnP

  1. #11
    Join Date
    Feb 2007
    Posts
    423

    Re: Port Forwarding vs. DMZ & UPnP

    Honestly, if I was going to have 3 or more VoIP devices, which is getting similar to having a number of servers, I would pay my ISP to give me a "block" of static IPs and I'd leave them off of the home network. If you buy a block of 8 IP addresses, you get to use 5 of them. The other 3 are reserved. One for the ISP network you're connecting to; one for the broadcast; and the 3rd is usually for your DSL/cable modem. So, I'd give 3 static IPs to the 3 VoIP adapters; then keep the other 2 for your PC/home network.

    Of course, many people don't like doing this because of the expense. A block of 8 (5 usable) IP addresses is approximately $15 a month. Most people prefer 1 IP address and using NAT to use a private IP network, e.g. 192.168.0.x. 2 VoIP adapters isn't too bad because you have SIP ports of 5060 and 5061 that are the standard for VoIP. So, the NAT traversing isn't too big of an issue. But when you get into the 3rd port, you have to use one outside of the normal 5060/5061. Not saying that it can't be done, just that it starts to complicate things. Your idea for more than one router is fine, but you don't want the VoIP adapters on the 2nd router. When you use a 2nd router in series, you have to "DOUBLE NAT". That is not the best thing to do. You can definitely wind up with audio issues and possibly connection issues. Then again, the thing about electronics and computers is, sometimes what should be ideal seems to work fine. You'd have to try it. But under normal situations, there really are only 2 ways to do this without too many conflicts.

    1) Do as I prefer and buy a block of real public IP addresses.

    2) Assuming the 3 VoIP lines are from the same provider, DON'T USE 3 separate adapters. Use 2. Most adapters can do 2 phone numbers. Then set the first VoIP adapter with 5060 and 5061 SIP ports like normal and set the 2nd VoIP adapter with 5060 for the 3rd number. Hopefully NAT translations will work fine. If not, coordinate with voipo (if that's the VoIP company you're talking about), and see if using a STUN server would help. (It's a way to use NAT when normal NAT traversing isn't cooperating.) Either way, you'll do better only using 2 devices if you can and not using DMZ.

    The biggest problem in networks is when PORTS conflict. Even a large corporation has to use ports and private IPs. You can't order 1000 IP addresses from your ISP because you have 1000 computers, servers, printers, etc... that's simply not logical. However, the large companies don't order just 1 IP address either. I'd stay away from the DMZ. It's good for troubleshooting, but not to leave it that way. Although, your VoIP adapters are about the least important thing on a network. They aren't storing any sensitive data. The worst that could happen if someone was to crack into it would be they'd get your VoIP credentials if they knew what they were doing. You can always reset the adapter.
    Mike
    "Born Wild - Raised Proud"
    Do you like your life? - Thank a Vet!!!

  2. #12
    Join Date
    Feb 2007
    Location
    Kitsap County, WA.
    Posts
    734

    Re: Port Forwarding vs. DMZ & UPnP

    In my case I'm behind a commercial grade firewall and NAT with multiple devices going out to multiple SIP servers at one location, and behind the same type of firewall and router equipment, but without a proxy, at a second location.

    At location one, SIP comes from 3 different sources in my case (3 ATAs). All Voipo but all different. RTP streams come from yet different sources. I have a SIP proxy on my router so it makes it a little easier. But on the firewall I've had to allow not only each of the SIP servers a pinhole but the RTP servers as well, pointed at the proxy. Since the RTP streams come from different servers than SIP, firewall devices should see them as unsolicited and therefore block them. If it didn't happen I'd not have any faith in the firewall.

    At location 2 I have only one ATA. In this case I simply have made a firewall rule allowing both the SIP server (sip-central01.voipwelcome.com) to my device, as well as the RTP servers that tend to talk to my ATA during calls. I have absolutely no issues with this setup.

    I see attempts to connect to port 5060 on my firewall logs 100+ times a day from many other sources (mainly China) and they are always blocked.

    Since the SIP header contains the ATA's private LAN address on a NATted network, I'm a little apprehensive about the need for port forwarding. Unfortunately, since most SOHO routers do not include any method to create firewall rules aside from tying them into the "port forward setting", you're stuck.

    In my case (location 2), if I build a firewall rule for the Grandstream device, I stipulate the SIP server as UDP (sipcentral.voipwelcome.com:5060 to 172.31.125.50:5060-5061 (ATA)) and RTP as UDP (RTP server address:* to 172.31.125.50:5004-5059).

    If you want more control than a SOHO router will ever give you, look into some of the other options out there.

    pfSense
    m0n0wall
    Untangle
    DD-WRT
    SonicWall

    just to name a few.
    I Void Warranties.
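
The difference between the source-restricted pinholes described in post #12, a typical any-source port forward, and a DMZ host, as an added example that is not part of the original thread. The ATA address and port ranges come from the post; the SIP/RTP server networks and the probing source are constructed stand-ins from documentation address ranges, and the `Rule`, `verdict` and `compare` names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Packets are modelled after NAT, so the destination is the ATA's LAN address.
ATA = ip_address("172.31.125.50")             # ATA address quoted in the post
SIP_SERVER = ip_network("198.51.100.10/32")   # constructed stand-in for the SIP server
RTP_SERVERS = ip_network("198.51.100.64/27")  # constructed stand-in for the RTP servers
ANY = ip_network("0.0.0.0/0")
SIP_PORTS, RTP_PORTS, ALL_PORTS = range(5060, 5062), range(5004, 5060), range(0, 65536)


@dataclass(frozen=True)
class Rule:
    src: object      # permitted source network
    proto: str       # "udp" or "tcp"
    ports: range     # permitted destination ports on the ATA

    def matches(self, src, proto, dst, dport):
        return (ip_address(src) in self.src and proto == self.proto
                and ip_address(dst) == ATA and dport in self.ports)


POLICIES = {
    # Source-restricted pinholes, as in the post.
    "pinhole": [Rule(SIP_SERVER, "udp", SIP_PORTS), Rule(RTP_SERVERS, "udp", RTP_PORTS)],
    # Typical SOHO port forward: same ports, any source.
    "port_forward": [Rule(ANY, "udp", SIP_PORTS), Rule(ANY, "udp", RTP_PORTS)],
    # DMZ host: every port, any source.
    "dmz": [Rule(ANY, "udp", ALL_PORTS), Rule(ANY, "tcp", ALL_PORTS)],
}

# Constructed inbound packets: (source, protocol, destination, destination port).
PACKETS = {
    "SIP from provider": ("198.51.100.10", "udp", "172.31.125.50", 5060),
    "RTP from provider": ("198.51.100.70", "udp", "172.31.125.50", 5010),
    "SIP probe, unknown source": ("203.0.113.9", "udp", "172.31.125.50", 5060),
    "TCP/80 probe, unknown source": ("203.0.113.9", "tcp", "172.31.125.50", 80),
}


def verdict(policy, packet):
    """Default deny: allow only when some rule in the policy matches."""
    return "allow" if any(r.matches(*packet) for r in POLICIES[policy]) else "block"


def compare():
    """Return {packet name: {policy name: verdict}} for every sample packet."""
    return {name: {p: verdict(p, pkt) for p in POLICIES} for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:30}", row)
```

Only the pinhole policy blocks the unsolicited port 5060 probe while still passing the provider's SIP and RTP traffic.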

  3. #13
    Join Date
    Jul 2010
    Posts
    180

    Re: Port Forwarding vs. DMZ & UPnP

    I have 6 lines and always use VOIPo ports other than 5060 & 5061.
    The ports they use for SIP are: "5060, 5061, 5065, 5074, 5076, 5078, 5079, 5094, 5098"
    So I start from the top and go down, I never have to use port forwarding.
