
Thread: Incoming Calls, NOT!

  1. #13
    Join Date
    Feb 2007
    Posts
    423

    Re: Incoming Calls, NOT!

    I agree with holmes4. I don’t see any need to disable SPI unless your router is having firewall issues. Forwarding ports or DMZ is supposed to open up a clear tunnel through the SPI firewall. If you find port forwarding or DMZ is not working correctly with SPI enabled, then I’d be looking for another router to buy...
    DMZ does not stop Stateful Packet Inspection (Firewall) from happening. Some are still confusing the difference between NAT and Firewalls (SPI). NAT is for ROUTING. It allows more than one PRIVATE IP Address like 192.168.x.x or 10.x.x.x to SHARE one SINGLE PUBLIC IP address. This has absolutely NOTHING to do with Stateful Packet Inspection. SPI (Firewall) inspects the incoming packets for patterns and such. If you did not make a REQUEST for such traffic, it won't be allowed in. DMZ has absolutely nothing to do with that. DMZ is an easy way of forwarding ALL PORTS. That's part of the ROUTING process. When only 1 item in your network requires certain ports for incoming traffic, then DMZ is fine. But if you have 2 or more things that NEED certain ports; e.g. VoIP and gaming or IP camera or web server, etc... then you can't use DMZ. Again; DMZ has absolutely nothing to do with your firewall.

    Now I will put out one caveat. I have not used every single combo router in the world, so it's possible that a router could have a DMZ that bypasses the firewall. But that doesn't sound possible. Again; when an incoming packet is at the router, it has an address. And that address has a port assigned. If you tell the router that 1 IP address is in the DMZ, then the router says: "Fine; I will send ALL inbound traffic to that IP address, unless an internal IP address specifically requested something". So while it might be possible, it is so improbable. DMZ is part of routing and NAT. SPI Firewall is about inspecting ALL incoming traffic.

    Now, will having an IP address in the DMZ allow the incoming traffic to come in? Yes. For VoIP, there is the session initiation process (SIP). For a web server, usually there's some sort of authentication. Basically, if a device or software on your end is expecting certain types of packet and traffic, it will authenticate and accept the traffic. If not, there are other ways to protect. But bottom line: Having an IP address in the DMZ isn't bypassing the firewall. It's simply port forwarding.
    Last edited by christcorp; 02-11-2012 at 06:41 PM.
    Mike
    "Born Wild - Raised Proud"
    Do you like your life? - Thank a Vet!!!
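
A simplified model of the inbound decision described in the post above, added here as an illustration; it is not part of the original post and not any router's firmware. The lookup order (state table, then port forwards, then DMZ host, then drop), the class and method names, and all addresses and ports are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Router:
    """Toy home router: NAT plus a state table (assumed lookup order, see inbound)."""
    public_ip: str
    port_forwards: dict = field(default_factory=dict)  # (proto, wan_port) -> LAN IP
    dmz_host: Optional[str] = None                     # LAN IP that gets all unmatched ports
    conntrack: dict = field(default_factory=dict)      # flows opened from the LAN side

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """A LAN host makes a request: record the flow, rewrite the source address.
        Simplification: the source port is kept as-is instead of being remapped."""
        self.conntrack[(proto, dst_ip, dst_port, src_port)] = src_ip
        return (proto, self.public_ip, src_port, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Return (reason, LAN IP) for a packet arriving on the WAN side."""
        flow = (proto, src_ip, src_port, dst_port)
        if flow in self.conntrack:                     # reply to something a LAN host requested
            return ("ESTABLISHED", self.conntrack[flow])
        if (proto, dst_port) in self.port_forwards:    # explicit single-port forward
            return ("PORT_FORWARD", self.port_forwards[(proto, dst_port)])
        if self.dmz_host is not None:                  # DMZ: every remaining port, one host
            return ("DMZ", self.dmz_host)
        return ("DROP", None)                          # unsolicited and nowhere to send it


def demo():
    """Constructed scenario: VoIP adapter in the DMZ, IP camera on a port forward."""
    r = Router("203.0.113.10", dmz_host="192.168.1.50")
    r.port_forwards[("tcp", 8080)] = "192.168.1.60"
    r.outbound("udp", "192.168.1.20", 40000, "198.51.100.7", 53)   # PC sends a DNS query
    return [
        r.inbound("udp", "198.51.100.7", 53, 40000),     # DNS reply goes back to the PC
        r.inbound("tcp", "198.51.100.9", 51000, 8080),   # camera traffic uses the forward
        r.inbound("udp", "198.51.100.9", 5060, 5060),    # unsolicited SIP lands on the DMZ host
    ]


if __name__ == "__main__":
    for reason, host in demo():
        print(reason, host)
```

With `dmz_host` left unset and no matching forward, the same unsolicited SIP packet returns `("DROP", None)`, which is the symptom in the thread title.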
