Port Forwarding

**usa2k** · 11-22-2009 02:19 PM

I agree with the purpose of port forwarding.

If your ATA works directly connected to the modem, and not behind a router, I would question your network, or the quality of the router. Port forwarding in that case can be a bandaid to overcome your network issues.

People may sometimes forward Port 80 to an internal web server. This allows a web server to be reachable from an otherwise unreachable NAT address. These are techniques to overcome the normal rules of the router.

In SPI firewalling, the ATA will send a packet on a regular interval to the VoIP provider. The SPI firewall blocks all uninitiated communication to the router. Same as when your browser requests network data, there is a short interval where replies can come back via the outbound info sent. The response must be quick enough or the whole deal is over and the SPI firewall opening is again closed. The registration interval of an ATA must be compatible with the window of opportunity the SPI firewall allows.

No dial tone for example, can be the effect of loss of this registration. Poor ISP connectivity can also muddy this scenario. Port forwarding allows a limited way in to the ATA to establish communications. Beyond the Port 5060 port being forwarded, I would hazard a guess that the network traversal by the modem is doing a poor job. I would seriously think about replacing the router if it works fine directly connected to the modem.

It would be an interesting statistic, to learn about what modem combinations need port forwarding, and if more than the key port needs to be forwarded.

**burris** · 11-22-2009 02:36 PM

I too, am from the no port forwarding school in order to make the basics work.

If what you all say is true, then we would all have to use DMZ and forwarding, etc.
I don't choose to use the ATA or my DSL modem, for that matter, to do any other functions than I believe it to be designed to do. I have a router for PPPoE as well as routing for my VOIP ATA.
I think that when these isolated problems occur, they are as a result of mis-management on the users setup, and these work-arounds should only be necessary in rare cases when a diagnosis is not available or perhaps when there are esoteric setups that fall outside the realm of provider supplied and provisioned ATAs. This may even extend to unique arrangements with the users ISPs as well.
Just my opinion...

**chpalmer** · 11-22-2009 02:40 PM

It would be an interesting statistic, to learn about what modem combinations need port forwarding, and if more than the key port needs to be forwarded.

Good idea usa2k- Ive just started a post with mine...

http://forums.voipo.com/showthread.p...4664#post14664

I have multiple systems at the office and of coarse Voipo here. Im constantly moving and testing things and never need any port forwarding. But I believe that some manufacturers just don't have enough knowledge to properly handle voip through their devices.

My firewall does not like to allow incoming calls unless they originate from the carriers port 5060 (or whatever my device is pointing at) so I simply give the carrier server a firewall rule to allow all ports and problem solved.

**scott2020** · 11-22-2009 09:37 PM

Originally Posted by chpalmer

My firewall does not like to allow incoming calls unless they originate from the carriers port 5060 (or whatever my device is pointing at) so I simply give the carrier server a firewall rule to allow all ports and problem solved.

I had a voice gateway I left 5060 open to pretty much every connection. That was a mistake! Basically someone could enter phonenumber@my ip address and the call would go through. Not good! I have since locked it down so don't go getting any ideas!

**chpalmer** · 11-23-2009 12:53 AM

Originally Posted by scott2020

I had a voice gateway I left 5060 open to pretty much every connection. That was a mistake! Basically someone could enter phonenumber@my ip address and the call would go through. Not good! I have since locked it down so don't go getting any ideas!

Your running a sip server?

My rule is setup as-

174.37.45.134 - UDP - all ports > lan address all ports (I do this for each of Voipo's servers.)

So unless sip-*.voipwelcome.com gets hacked or someone spoofs one of their addresses, ect... I should be safe...

**gls101** · 11-24-2009 10:11 PM

Originally Posted by burris

I think that when these isolated problems occur, they are as a result of mis-management on the users setup, and these work-arounds should only be necessary in rare cases when a diagnosis is not available or perhaps when there are esoteric setups that fall outside the realm of provider supplied and provisioned ATAs.

I can think of one other cause - the crap that router vendors peddle to unsuspecting end users.

I fought a Linksys RVL200 VPN router for over a year. It would do VPN semi-decently, but that was about it. Even though it offered the ability to do port forwarding (among other 'features') in the setup menus, the feature didn't consistently work, and trying to run an ATA behind it was almost impossible. I could forward a port and verify that it worked one day, only to find it closed a few days later, with nothing changed in the setup. And this was while running the latest available firmware. It was a complete joke of a router.

I finally flashed a WRT54GS with Tomato (with OpenVPN), and that was the end of my problems. Port forwarding was no longer needed for either of my ATA's, and the VPN feature is like night and day compared to the junk RVL200. Even my data throughput is better.

I suppose this could be classified as 'mis-management on the users setup', but it was caused by the design of the manufacturer. I often wonder how many others are victims of absolute junk foisted on the public by manufacturers that expect us to do their beta testing.

Gary Sanders