Incoming Calls, NOT!

**tritch** · 02-11-2012 06:02 PM

Originally Posted by christcorp

So, bottom line. Make your router as basic as possible. No firewall turned on. No ALG turned on. No UPnP turned on. Give your Voip Adapter a static IP address of 192.168.1.x or whatever, so it's the SAME IP address ALL the time. Port forward in the router the ports necessary to that IP address. Then, use LOCAL software firewall, virus protection, etc... on each machine to protect them from outside influences.

I agree with holmes4. I don’t see any need to disable SPI unless your router is having firewall issues. Forwarding ports or DMZ is supposed to open up a clear tunnel through the SPI firewall. If you find port forwarding or DMZ is not working correctly with SPI enabled, then I’d be looking for another router to buy…..

**christcorp** · 02-11-2012 06:36 PM

I agree with holmes4. I don’t see any need to disable SPI unless your router is having firewall issues. Forwarding ports or DMZ is supposed to open up a clear tunnel through the SPI firewall. If you find port forwarding or DMZ is not working correctly with SPI enabled, then I’d be looking for another router to buy…..

DMZ does not stop Statful Packet Inspect (Firewall) from happening. Some are still confusing the difference between NAT and Firewalls (SPI). NAT is for ROUTING. It allows more than one PRIVATE IP Address like 192.168.x.x or 10.x.x.x to SHARE one SINGLE PUBLIC IP address. This has absolutely NOTHING to do with Stateful Packet Inspection. SPI (Firewall) inspects the incoming packets for patterns and such. If you did not make a REQUEST for such traffic, it won't be allowed in. DMZ has absolutely nothing to do with that. DMZ is an easy way of forwarding ALL PORTS. That's part of the ROUTING process. When only 1 item in your network requires certain ports for incoming traffic, then DMZ is fine. But if you have 2 or more things that NEED certain ports; e.g. voip and gaming or IP camera or web server , etc... then you can't use DMZ. Again; DMZ has absolutely nothing to do with your firewall.

Now I will put out one caveat. I have not used every single combo router in the world, so it's possible that a router could have a DMZ that bypasses the firewall. But that doesn't sound possible. Again; when an incoming packet is at the router, it has an address. And that address has a port assigned. If you tell the router that 1 IP address is in the DMZ, then the router says: "Fine; I will send ALL inbound traffic to that IP address, unless an internal IP address specifically requested something". So while it might be possible, it is so improbable. DMZ is part of routing and NAT. SPI Firewall is about inspecting ALL incoming traffic.

Now, will having an IP address in the DMZ allow the incoming traffic to come in? Yes. For Voip, there is the session initiation process. (SIP). For a web server, usually there's some sort of authentication. Basically, if a device or software on your end is expecting certain types of packet and traffic, it will authenticate and accept the traffic. If not, there are other ways to protect. But bottom line: Having an IP address in the DMZ isn't bypassing the firewall. It's simply port forwaring.

**christcorp** · 02-11-2012 07:05 PM

After re-reading my last 2 posts, I feel that it is possible for a lot of confusion on my point. I would like to very briefly clarify something. When an IP is in the DMZ, SPI is still happening, however, you have basically said: "I don't care if the packet was unsolicited or not, send it to me anyway". So in that regard, you could say that you are bypassing the firewall. However, the actual process of inspecting the packets still exists. And that could possibly affect the traffic you are trying to get in. That is why I said that in my opinion, it is best to turn off the SPI firewall all together and use software or hardware firewalls separately. Plus; for those who do gaming or other activities that require certain ports, you most likely will have an issue if you use the DMZ for voip. You can only have 1 device in the DMZ. And if you do that, then port forwarding will get messed up, because DMZ wants to forward ALL ports to that one IP address. Thanks for letting me clarify.

**wingsohot** · 02-11-2012 08:31 PM

All this technical jargon is probably why VoIP will never become the phone service of the masses. The average Joe just wants to be able to make and receive calls without having to have a vast knowledge of computers and routers and port forwarding etc...., and why should they have to do all this technical trouble shooting anyway?

You don't see this with the good old fashioned land line phone service or with cell phone service. 99% of people expect to dial a number and have the phone on the other end ring, afterall, that's what they are paying for.

**christcorp** · 02-11-2012 10:07 PM

That's because the good old fashioned land line phone and cell phone service have an internal network. Coast to coast it's all the same network. Whether it's Centurylink, Verizon (Landline), ATT, etc... they use the same system. They hand off to each other seamlessly. Voip relies on the internet. It relies on many different internet providers; different internet technologies; etc... That isn't voip's fault. Now, ask yourself, why Ma'Bell and cell service costs 5X more than voip? Sorry, but you can't have it both ways. People who come to voip, do so initially to save money. Well, you can't have the quality and reliability of a closed network at internet prices. Sorry, but it can't happen.

And you're right, voip probably won't become the phone service of the masses. But that's not voip's fault. It's the consumer's fault. It's their ignorance. You don't buy a ford focus as your only car if you've got a family of 6. You also don't buy it for hauling firewood out of the forest. I will say, if a person had internet access, hooked up their voip adapter and NO COMPUTERS or ANYTHING...... Just the internet and voip adapter..... I'd give you a 99.9% chance of perfect success. But then again, that's what a traditional landline is; isn't it. 1 service and 1 use.

So; why do you expect the same type of service? Shared network vs dedicated network and $10-$15 per month vs $50-$60 per month.

**christcorp** · 02-11-2012 10:43 PM

I did some research in the voipo forums for similar issues concerning firewalls, DMZ, etc... Here's one that sort of even makes my point.
http://forums.voipo.com/archive/index.php/t-1534.html?

The post in particular is:

olaf wrote:
07-24-2009, 10:16 AM
I had an issue yesterday when my PAPT2 failed to reregister after I rebooted my router. I submitted a ticket, the response was prompt, and they enabled a STUN server and set NAT keep-alive packets to be sent every 5 minutes to help prevent the problem from happening again. They also recommended that I disable the SPI firewall on my router because it may cause intermittent problems, even if it seems to be working. I rebooted the router again today, and when the PAPT2 again failed to register (with the SPI firewall still on), I experimented a bit with putting the PAPT2 in a DMZ vs. turning off the firewall completely. As far as I could tell, the DMZ did not let it reregister, but shutting the firewall off did.

I'm not crazy about leaving the firewall off, but I suppose I could use an iptables-based firewall instead of the SPI firewall (I am using DD-WRT firmware). I'm just wondering if others out there have thoughts & experience on the pros & cons of an SPI firewall and other router security measures while using VOIP.

Thanks.

This problem has nothing to do with this customer's problem. But I wanted to point out that putting something in the DMZ isn't TOTALLY bypassing the SPI firewall. This individual found that out first hand.

**wingsohot** · 02-12-2012 10:12 AM

So; why do you expect the same type of service? Shared network vs dedicated network and $10-$15 per month vs $50-$60 per month.

You're also forgeting that the $50-$60 range for cell is also including, not only voice, but text and data. If VoIP service was able to offer text and data, the cost would almost be the same anyway.

**SpaethCo** · 02-12-2012 07:20 PM

Originally Posted by wingsohot

All this technical jargon is probably why VoIP will never become the phone service of the masses.

VoIP already is a product for the masses, but most people don't know that's actually what their phone is using. Just look at all the cable companies that offer phone service, in addition to ATT U-Verse and Verizon FiOS Voice. All of those products are delivered using the same IP protocols that providers like VOIPo use, the only difference is they get to connect their ATA widget directly to their network as it enters the customer home so that any equipment that a customer has installed won't be a factor.

Internet-based providers are at the mercy of whatever the customer has on their home network, which is why you have reports of everything from "it works perfectly" to "it never works right" even from neighbors who both use the same VoIP service.

**christcorp** · 02-12-2012 09:03 PM

Originally Posted by SpaethCo

VoIP already is a product for the masses, but most people don't know that's actually what their phone is using. Just look at all the cable companies that offer phone service, in addition to ATT U-Verse and Verizon FiOS Voice. All of those products are delivered using the same IP protocols that providers like VOIPo use, the only difference is they get to connect their ATA widget directly to their network as it enters the customer home so that any equipment that a customer has installed won't be a factor.

Internet-based providers are at the mercy of whatever the customer has on their home network, which is why you have reports of everything from "it works perfectly" to "it never works right" even from neighbors who both use the same VoIP service.

So true. Couple other things. Ma'Bell has been sending your phone calls basically voip for over 30 years. You don't think one call on one pair of wires goes cross country to talk to grandma; do you? But again; it's an internal network. Also; one of the reasons the cable company's "Digital Voice" costs more than voip like vonage and voipo, is because they aren't traversing the country over the internet. They use IP basically from your house to their head end or possibly regional, but it's handed off to the PTSN system much sooner. Hence, why you pay $35 for digital voice over the cable company. But you are correct; people have been using some form of "VOIP" for a long time. Especially their long distance through ma'bell for 30+ years.

**burris** · 02-13-2012 09:15 AM

Originally Posted by christcorp

So true. Couple other things. Ma'Bell has been sending your phone calls basically voip for over 30 years. You don't think one call on one pair of wires goes cross country to talk to grandma; do you? But again; it's an internal network. Also; one of the reasons the cable company's "Digital Voice" costs more than voip like vonage and voipo, is because they aren't traversing the country over the internet. They use IP basically from your house to their head end or possibly regional, but it's handed off to the PTSN system much sooner. Hence, why you pay $35 for digital voice over the cable company. But you are correct; people have been using some form of "VOIP" for a long time. Especially their long distance through ma'bell for 30+ years.

You are correct....going back to my roots with my telephone company, I remember that we had to use MCI and their microwave network (UGH!) to service a customer in Phila, as that was the only way we could get there at the time. The service was primitive and even though the towers up the coast had self-healing loops, every time there was a storm or lightning, the service went down and had to be reset manually and there weren't too many ways to contact TCG (remember them?) at the time.