Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 24

Thread: Incoming Calls, NOT!

  1. #11
    Join Date
    Feb 2009
    Location
    Houston suburb
    Posts
    253

    Default Re: Incoming Calls, NOT!

    Quote Originally Posted by christcorp View Post
    So, bottom line. Make your router as basic as possible. No firewall turned on. No ALG turned on. No UPnP turned on. Give your Voip Adapter a static IP address of 192.168.1.x or whatever, so it's the SAME IP address ALL the time. Port forward in the router the ports necessary to that IP address. Then, use LOCAL software firewall, virus protection, etc... on each machine to protect them from outside influences.
    I agree with holmes4. I don’t see any need to disable SPI unless your router is having firewall issues. Forwarding ports or DMZ is supposed to open up a clear tunnel through the SPI firewall. If you find port forwarding or DMZ is not working correctly with SPI enabled, then I’d be looking for another router to buy…..

  2. #12
    Join Date
    Feb 2007
    Posts
    423

    Default Re: Incoming Calls, NOT!

    Putting something in the DMZ does not make it appear to be outside the router. It's simply a way of port forwarding "ALL PORTS". It has nothing to do with the SPI firewall, or getting around it. DMZ is just a way to do port forwarding or port range forwarding when you don't know which ports to forward. Some say that it bypasses the firewall, but it's simply giving permission for the packets to enter. The IP address in the DMZ has to authenticate those inbound packets, or they are useless. But because you are giving permission for all packets to be forwarded, it could be seen as bypassing.

    Firewalls do basically one thing. They block unsolicited incoming data. If you ask for it, a firewall is not going to help you. It will allow it in. That's why virus', trojans, malware, etc... are so tricky. If you receive a file in an email attachment, or you go to a website and accept certain conditions, then you have solicited and the SPI Firewall in the router is going to allow it to come in. With a true firewall (Free standing hardware) or a software firewall like zonealarm or black-ice, you can teach it and control it. A basic SPI firewall in a linksys type router is simply ON or OFF. Very few give you any real control. Real firewalls, and most software types also allow you control outbound traffic too. Some people don't think you need to worry about outbound because you wouldn't request to go some place unless you wanted to. Well, in many companies or those with children, you may want to control certain places they can't go to. But this is a secondary use for a firewall, and not what is of concern here.

    I've had computers for more than 30 years. I can honestly say that I have been able to protect them, and have NEVER had an unsolicited entry from the outside. And I don't have the SPI firewall turned on in the router. I use the software firewall that comes with the operating system; e.g. windows or linux. I then usually have a secondary that is much more controllable such as Zonealarm or black-ice. Many SPI firewalls in routers, that are basic with little or no control, do in fact cause some problems with server type services like voip, web servers, gaming, etc...

    As I mentioned above, a REAL NETWORK would never have such a thing as a router/switch/wireless/firewall/etc... combo device. For the majority of computer users, a combo router that we are talking about works flawlessly. Their computer use is very basic. For those who have a bit more complex network, including voip, intense gaming, servers, etc... they can use the combo type routers, but they need one that will do what they want, and they need to learn a little more about how to use it. For those who truly have a real network, (Not just multiple computers on the internet); but computers sharing with each other; web server; email server; game servers; file serving/sharing; etc... then the all in one combo router isn't the way to go. Actually; the router part is fine, but you would install separate hardware to different parts of your network. E.g. Hardware firewall, switches, static Public IP addresses; etc...

    I always tell people to start off their combo router in a very tight mode with SPI on, no port forwarding, etc... You don't fix what isn't broken. When you have inconsistencies with servers; such as voip, the first thing you do is experiment using the DMZ. If that works, then you have a PORT problem. You DON'T LEAVE it in the DMZ. You figure out the ports you need and you forward those ports or range. Then turn off the DMZ. (Again, the DMZ is simply PORT FORWARD ALL PORTS). Nothing more. It's not outside your router. If you still have problems, and it isn't the ports, then you turn off the ALG. Then move on to turning off the SPI. Once you know what fixes the problem, you can address if you need that function for another part of your network. But no, you don't need the SPI firewall on your router if you have a decent software router. The software can actually be much better. But if a person thinks hardware is always better, you can buy a standalone hardware firewall. Turn off the SPI in the combo router so your voip is happy, plug the hardware firewall into one of the combo router's switch lan ports, then feed that to a switch for all your computers. Now you have the best of all worlds. Unless of course in your COMBO Router, you are also using that for your wifi. But that has a different set of protections and we don't have to discuss that here.
    Last edited by christcorp; 02-11-2012 at 06:44 PM.
    Mike
    "Born Wild - Raised Proud"
    Do you like your life? - Thank a Vet!!!

  3. #13
    Join Date
    Feb 2007
    Posts
    423

    Default Re: Incoming Calls, NOT!

    I agree with holmes4. I don’t see any need to disable SPI unless your router is having firewall issues. Forwarding ports or DMZ is supposed to open up a clear tunnel through the SPI firewall. If you find port forwarding or DMZ is not working correctly with SPI enabled, then I’d be looking for another router to buy…..
    DMZ does not stop Statful Packet Inspect (Firewall) from happening. Some are still confusing the difference between NAT and Firewalls (SPI). NAT is for ROUTING. It allows more than one PRIVATE IP Address like 192.168.x.x or 10.x.x.x to SHARE one SINGLE PUBLIC IP address. This has absolutely NOTHING to do with Stateful Packet Inspection. SPI (Firewall) inspects the incoming packets for patterns and such. If you did not make a REQUEST for such traffic, it won't be allowed in. DMZ has absolutely nothing to do with that. DMZ is an easy way of forwarding ALL PORTS. That's part of the ROUTING process. When only 1 item in your network requires certain ports for incoming traffic, then DMZ is fine. But if you have 2 or more things that NEED certain ports; e.g. voip and gaming or IP camera or web server , etc... then you can't use DMZ. Again; DMZ has absolutely nothing to do with your firewall.

    Now I will put out one caveat. I have not used every single combo router in the world, so it's possible that a router could have a DMZ that bypasses the firewall. But that doesn't sound possible. Again; when an incoming packet is at the router, it has an address. And that address has a port assigned. If you tell the router that 1 IP address is in the DMZ, then the router says: "Fine; I will send ALL inbound traffic to that IP address, unless an internal IP address specifically requested something". So while it might be possible, it is so improbable. DMZ is part of routing and NAT. SPI Firewall is about inspecting ALL incoming traffic.

    Now, will having an IP address in the DMZ allow the incoming traffic to come in? Yes. For Voip, there is the session initiation process. (SIP). For a web server, usually there's some sort of authentication. Basically, if a device or software on your end is expecting certain types of packet and traffic, it will authenticate and accept the traffic. If not, there are other ways to protect. But bottom line: Having an IP address in the DMZ isn't bypassing the firewall. It's simply port forwaring.
    Last edited by christcorp; 02-11-2012 at 06:41 PM.
    Mike
    "Born Wild - Raised Proud"
    Do you like your life? - Thank a Vet!!!

  4. #14
    Join Date
    Feb 2007
    Posts
    423

    Default Re: Incoming Calls, NOT!

    After re-reading my last 2 posts, I feel that it is possible for a lot of confusion on my point. I would like to very briefly clarify something. When an IP is in the DMZ, SPI is still happening, however, you have basically said: "I don't care if the packet was unsolicited or not, send it to me anyway". So in that regard, you could say that you are bypassing the firewall. However, the actual process of inspecting the packets still exists. And that could possibly affect the traffic you are trying to get in. That is why I said that in my opinion, it is best to turn off the SPI firewall all together and use software or hardware firewalls separately. Plus; for those who do gaming or other activities that require certain ports, you most likely will have an issue if you use the DMZ for voip. You can only have 1 device in the DMZ. And if you do that, then port forwarding will get messed up, because DMZ wants to forward ALL ports to that one IP address. Thanks for letting me clarify.
    Mike
    "Born Wild - Raised Proud"
    Do you like your life? - Thank a Vet!!!

  5. #15
    Join Date
    Jul 2011
    Posts
    163

    Default Re: Incoming Calls, NOT!

    All this technical jargon is probably why VoIP will never become the phone service of the masses. The average Joe just wants to be able to make and receive calls without having to have a vast knowledge of computers and routers and port forwarding etc...., and why should they have to do all this technical trouble shooting anyway?

    You don't see this with the good old fashioned land line phone service or with cell phone service. 99% of people expect to dial a number and have the phone on the other end ring, afterall, that's what they are paying for.

  6. #16
    Join Date
    Feb 2007
    Posts
    423

    Default Re: Incoming Calls, NOT!

    That's because the good old fashioned land line phone and cell phone service have an internal network. Coast to coast it's all the same network. Whether it's Centurylink, Verizon (Landline), ATT, etc... they use the same system. They hand off to each other seamlessly. Voip relies on the internet. It relies on many different internet providers; different internet technologies; etc... That isn't voip's fault. Now, ask yourself, why Ma'Bell and cell service costs 5X more than voip? Sorry, but you can't have it both ways. People who come to voip, do so initially to save money. Well, you can't have the quality and reliability of a closed network at internet prices. Sorry, but it can't happen.

    And you're right, voip probably won't become the phone service of the masses. But that's not voip's fault. It's the consumer's fault. It's their ignorance. You don't buy a ford focus as your only car if you've got a family of 6. You also don't buy it for hauling firewood out of the forest. I will say, if a person had internet access, hooked up their voip adapter and NO COMPUTERS or ANYTHING...... Just the internet and voip adapter..... I'd give you a 99.9% chance of perfect success. But then again, that's what a traditional landline is; isn't it. 1 service and 1 use.

    So; why do you expect the same type of service? Shared network vs dedicated network and $10-$15 per month vs $50-$60 per month.
    Mike
    "Born Wild - Raised Proud"
    Do you like your life? - Thank a Vet!!!

  7. #17
    Join Date
    Feb 2007
    Posts
    423

    Default Re: Incoming Calls, NOT!

    I did some research in the voipo forums for similar issues concerning firewalls, DMZ, etc... Here's one that sort of even makes my point.
    http://forums.voipo.com/archive/index.php/t-1534.html?

    The post in particular is:
    olaf wrote:
    07-24-2009, 10:16 AM
    I had an issue yesterday when my PAPT2 failed to reregister after I rebooted my router. I submitted a ticket, the response was prompt, and they enabled a STUN server and set NAT keep-alive packets to be sent every 5 minutes to help prevent the problem from happening again. They also recommended that I disable the SPI firewall on my router because it may cause intermittent problems, even if it seems to be working. I rebooted the router again today, and when the PAPT2 again failed to register (with the SPI firewall still on), I experimented a bit with putting the PAPT2 in a DMZ vs. turning off the firewall completely. As far as I could tell, the DMZ did not let it reregister, but shutting the firewall off did.

    I'm not crazy about leaving the firewall off, but I suppose I could use an iptables-based firewall instead of the SPI firewall (I am using DD-WRT firmware). I'm just wondering if others out there have thoughts & experience on the pros & cons of an SPI firewall and other router security measures while using VOIP.

    Thanks.
    This problem has nothing to do with this customer's problem. But I wanted to point out that putting something in the DMZ isn't TOTALLY bypassing the SPI firewall. This individual found that out first hand.
    Mike
    "Born Wild - Raised Proud"
    Do you like your life? - Thank a Vet!!!

  8. #18
    Join Date
    Jul 2011
    Posts
    163

    Default Re: Incoming Calls, NOT!

    So; why do you expect the same type of service? Shared network vs dedicated network and $10-$15 per month vs $50-$60 per month.

    You're also forgeting that the $50-$60 range for cell is also including, not only voice, but text and data. If VoIP service was able to offer text and data, the cost would almost be the same anyway.

  9. #19
    Join Date
    Feb 2007
    Posts
    423

    Default Re: Incoming Calls, NOT!

    Quote Originally Posted by wingsohot View Post
    So; why do you expect the same type of service? Shared network vs dedicated network and $10-$15 per month vs $50-$60 per month.

    You're also forgeting that the $50-$60 range for cell is also including, not only voice, but text and data. If VoIP service was able to offer text and data, the cost would almost be the same anyway.
    Ummmm...... Not trying to dog you, but how can Voip offer you "Data", when "DATA is REQUIRED to make voip work" Voip can't offer Data. Physically it's impossible and totally illogical. That's like saying a computer should offer internet service.

    However; you do bring up a very logical evolution. Now, with 4g LTE capabilities, cellular systems could technically put both Cable and DSL broadband services out of business. Unfortunately, it's a cost issue. Cell phones don't offer unlimited data. And trying to share your cellular data with your home computers is too expensive. And having a separate cell plan for each person is also too expensive. I.e. My existing unlimited data (Grandfathered); limited voice minutes; limited text plan; costs about $60-$70 a month. For both, my wife and me, that would be about $140 a month. If we used this replace home internet and thus voip, we'd have to add more voice minutes. Plus; while we have unlimited data on the phone, there is a cap for tethering to a laptop/desktop. It's not unlimited. PLUS, the latency isn't that great, so if you are into gaming or other time sensitive activities, it sucks. Although, with the newer LTE 4G it's definitely much better. Plus, you can't leave things connected 24/7 if you need to take your phone with you and use it somewhere else. So technically; cell phones can definitely put DSL, Cable broadband, Ma'Bell phone, and voip out of business. But because of cost and a few limitations, that's a few years off.

    But voip can't "OFFER" text and data. Can a fax machine OFFER Dial Tone Texting is designed for mobile use. It's quick and simple. Limited number of character. No attachments. You need data for voip to work. If you are at home and have a data connection, you can text to people with cell phones. Go to verizonwireless.com and you can text online all you want. But again; voip can't offer text and data. It's not physically possible or even practical. If you want to compare prices, compare the $50-$60 monthly Ma'Bell Land Line phone with voip. You can't compare voip with a cell phone. They serve 2 totally different purposes. Landline phones cost 5X more, because of the dedicated network and overhead costs. Voip doesn't cost as much, because it doesn't have ANY NETWORK. It uses the "Internet Network" which is already available. Just like Fax doesn't have it's own network, it uses an existing landline network. (Hence, why it took a long time to get a standard for faxing). Many different fax companies trying to talk to each other. Well voip has all these different ISP's with different backhauls, connecting to different gateways, eventually connecting to the Ma'Bell landline service. You will have difficulties. That's why you pay so much for landline service.

    If you are expecting the same quality and reliability and ease of use from Voip that you get from a land line, then you are naive, and probably should go back to paying your $50-$60 a month for phone and long distance service. Now, if you are willing to become educated, you can come to within 90-95% of the quality/reliability of a land line. If you don't want to learn anything, and you just want simple plug and play like wingsohot wants, then you'll probably have a 90% chance of having really good voice service. Being you want just plug and play, chances are you don't have anything more than a real basic home network. And there's a good chance your ISP is totally compatible. But there's also a chance that you can fall into the 10% who do have issues. I go to forums specifically about my ISP. There are some in the country, depending where they live, where they are getting 200+ms hops in their internet connection. That doesn't mean much to many here, but I can tell you right now that that will cause all sorts of quality issues with VOIP. Is this Voip's problem? No. But the customer doesn't know that. They aren't gamers, so they don't notice those long ping times in between hops. But voip does. And of course this ignorant person will say that voip sucks. Even though it has absolutely nothing to do with voip.

    Bottom line: 90%+ of voip customers are going to have a real decent experience. They will realize that the quality probably isn't 100% as good as landlines, BUT, they will notice that they get TONS more features and capabilities, at 1/5th the cost of a landline, and they will live with the tradeoff and be very happy. The other 10% have a choice. Some will learn that they can make voip work for them and they will make the changes needed. Some won't become educated, they'll blame the voip provider, they'll move to another voip provider that works, and this will be their rationalization that the previous voip provider sucked. "They didn't suck, the individual was ignorant, but it helps them rationalize". Then, there will be a small amount who's internet provider simply is not compatible. Some manipulate ports and data. (Yes, they DON'T WANT YOU TO HAVE VOIP). Some simply have old crap equipment and it can't operate clean/fast enough. These people simply have no real option. But sorry; a Focus CAN'T have the same level of quality as a Cadillac. Not for the price difference. It's naive to believe otherwise. And a focus can't have the same capabilities as a pickup truck. Again; naive. Compare apples to apples. Voip is NOT landline, landlines are NOT cellular, and Cellular is NOT voip. When people realize that they are different; have different purposes; use different technologies; have different pros/cons; then they will realize the true potential. In the future, when old people who won't change die off, and fax machines and other dialup type users realize that technology is no longer needed; landlines will no longer exist. It will be Cellular and some sort of voip.
    Mike
    "Born Wild - Raised Proud"
    Do you like your life? - Thank a Vet!!!

  10. #20
    Join Date
    Dec 2008
    Posts
    13

    Default Re: Incoming Calls, NOT!

    Quote Originally Posted by wingsohot View Post
    All this technical jargon is probably why VoIP will never become the phone service of the masses.
    VoIP already is a product for the masses, but most people don't know that's actually what their phone is using. Just look at all the cable companies that offer phone service, in addition to ATT U-Verse and Verizon FiOS Voice. All of those products are delivered using the same IP protocols that providers like VOIPo use, the only difference is they get to connect their ATA widget directly to their network as it enters the customer home so that any equipment that a customer has installed won't be a factor.

    Internet-based providers are at the mercy of whatever the customer has on their home network, which is why you have reports of everything from "it works perfectly" to "it never works right" even from neighbors who both use the same VoIP service.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •