Port Forwarding vs. DMZ & UPnP

[budmaster]

I see conflicting information on this site regarding port forwarding or placing the ATA in the DMZ. Is there a true advantage of doing one vice the other. What if you have several other devices such as IP cameras that require port forwarding? Will the ATA on the DMZ affect those devices?

Also, what about UPnP? There seems to be conflicting information if UPnP should be enabled or not. Any advice or education is appreciated. Thanks.

[Mike_TV]

I've had my ATA in the DMZ since day one and haven't set up any port forwarding for it. I set up a DHCP reservation, based on the ATA's MAC address, for a specific IP address and use that IP address to put the ATA in the DMZ.

My router's firmware, a DD-WRT version, only allows a single device in the DMZ so if I had a second device come along that required the DMZ too, I would have to reconfigure something. Haven't run into that yet.

[christcorp]

You have to realize, that UPnP, DHCP, etc... was all designed because more and more people are having crude home networks. It's designed so the average person who doesn't know the difference between DSL and cable; or the difference between a router, switch, and hub are able to connect more than one computer or device on their home network. But UPnP and DHCP are never "Better". It's always better to use static IP addresses (Or at least DHCP reservation). It's always better to reserve ports and forward them as needed. DMZ only allows one device to be put into the DMZ. (Which means you have to use a static IP address for that device). It opens all the ports for that one device. Some think the DMZ actually puts the device in the DMZ outside of the firewall. That isn't completely true. It mainly forwards ALL ports to that one item. So yes, if you have items like IP cameras, servers, or other devices that need to be talked to from the outside, then the DMZ can and most likely will cause a conflict.

"Real" networks; such as corporate, businesses, etc... do separate configurations whenever possible. Some with a lot of devices will use DHCP, but they have "Separate" firewalls and networking than what you are doing at home. Technically; there is absolutely no difference between your home network with 3-4 PC's, a printer, a voip adapter, and some sharing; than with a large corporate network. "Technically". Where the difference comes in, is that the larger networks are using separate firewalls, subnets, etc... Therefor, they have more flexibility. But the concept is the same.

The right answer, is for individuals to be willing to learn a little bit about networking. They don't need a degree in computer science. If all you want is for a few computers to share the internet and possibly share a printer, then you will have no problem living in the world of "Plug and Pray" without any port forwarding, DMZ, etc... But if you want to add servers; (Voip counts as a server; so do IP cameras, etc...); basically anything that the outside world talks to inside your network; then the best way to do it, is to learn how to assign static IP addresses; port/port range forward; use a router just for routing/NAT; use firewalls separately (Either separate hardware or individually configured software); etc... It is not difficult. And then, as you add more devices like your PS3 or Roku box to stream netflix, IP camera for home security, a network printer or hard drive that everyone can share without a PC having to be on, etc... you will find that there are less issues and it works much better. Remember; making a network "Simpler" wasn't designed because it's "BETTER". It was designed to sell more to consumers. When PC's first came out, you learned to do most things yourself, or you had to hire a computer geek. Manufacturers sell all in one router/switch/firewall/wireless to sell to the average person and make them believe they can do everything. You can't. But for 90+% of home PC owners, it works perfectly fine. But then again; 90+% of home PC users don't have VOIP as part of their home computer network; they don't have IP cameras; and they don't have servers. And NO, "Digital Voice" phone service from your Cable Company is NOT the SAME THING as voip (As we are using it).

[budmaster]

Mike, Thanks for the detailed reply. All makes sense. But leaves another question for me. How does a home network deal with conflicting ports? VOIPO requires a vast range of ports that conflicts with other applications. Is there a configuration of a home network that will allow these applications co-exist with VOIPO?

[christcorp]

Mike, Thanks for the detailed reply. All makes sense. But leaves another question for me. How does a home network deal with conflicting ports? VOIPO requires a vast range of ports that conflicts with other applications. Is there a configuration of a home network that will allow these applications co-exist with VOIPO?

Very few things use dynamic ports. (Dynamic, meaning they change). Most devices; like my IP camera, uses a dedicated port. And I can make that port anything I want. Now; considering there are 65,535 ports, and Voipo doesn't start until port 5060, and it stops at 65,000; that leaves you 535 ports after; and more than 4,000 ports between 1024 and 5060 which are considered part of the registered ports...... I would say that you have more than enough ports to work with.

Now; if you happen to have some rare device that requires a specific port between 5060-65000, and you can't change it, then when you do your "PORT RANGE FORWARDING". (Similar to Port Forwarding, but instead of forwarding a single port, you forward a RANGE of ports. I.e. I PORT RANGE FORWARD 5060-65000. But lets say you have a device that MUST have a particular port. E.g. port 6000. There's 2 ways to get around this.

1. VOIP uses UDP; not TCP. MOST other things use TCP. So, in theory, you can port forward the same port to 2 different places if one uses TCP and the other uses UDP. E.g. You'd forward port 6000 TCP to one IP address; and 6000 UDP to a different IP address. I've tried this and I've never had a problem. Mind you, I did it only as an experiment. I've never found a piece of equipment on my end that had to have a specific port. Now, there are certain online game servers that do use tcp and udp ports. E.g. Warcraft uses 6112-6119 and port 4000. If this is your situation, this brings you to the 2nd alternative.

2. When voip is using ports dynamically, it's pretty smart. It will generally grab a port that both ends can agree on. The first part of voip is "SIP". That stands for Session Initiation Protocol. This is the port 5060. And pretty much; unless you have more than 1 voip adapter, this is the generally accepted port. This is the port that your voip adapter uses to go out through the internet; get to the gateway closest (Or contracted with by your voip provider) to the phone number you are trying to call. Either landline or cell number. This SIP basically calls the other end for you. It initiates the handshake so you and the other end can talk to each other. This is where both ends agree on ports and such. Once all that has been initiated, (Faster than you can blink), the RTP part starts. RTP is: Real-Time Transport Protocol. This is the actual voice conversation and packets. Voip uses UDP because it's faster and has other advantages. But the main thing is TCP can resend packets that don't make it properly. Well guess what. You can't RESEND VOICE PACKETS. The conversation is LIVE. If you miss a packet; too bad. You can't reinsert a packet of missed voice. Anyway; I'm getting off track. My point is, in the ports that are agreed upon for the RTP traffic during the SIP portion (Initiation); it is smart enough to use ports that aren't being used. So; when you PORT RANGE FORWARD Voipo, but you have a game like warcraft that MUST have ports 6114-6119 and 4000 in BOTH TCP and UDP, simply set up multiple port range line entries for voip.

e.g. Port Range Forward: 5060-6113 UDP to 192.168.1.30 (Or whatever your voip adapter is); then 6020-65000 also to 192.168.1.30. You don't have to worry about port 4000, because that is below the 5060 that you started with. However; if you always play the same game, or the device you are talking about always need the same ports, you could also port range forward those too. In my example: port range forward 6113-6119 BOTH TCP/UDP to 192.168.1.50 (Or whatever your computer/equipment is). Mind you, for a game, most times your PC initiates the connection and the game server simply agrees. So you don't really have to port forward for a game.

Sorry this is getting long. The "Professional" way this is done, is to NOT PORT FORWARD. Why? Because most companies, businesses, etc... that have a larger network probably also has a PUBLIC side for people coming to their website to buy things, service, letter to the editor, or whatever; and they have a PRIVATE side of the network for all the employees computers, etc... These businesses (And you too if your ISP allows it), buy MORE THAN 1 PUBLIC IP ADDRESS. E.g. you have 64.179.23.45 and 64.179.23.46 coming to your modem instead of just one. You assign one to your router for all your PC's, wireless, etc... The 2nd IP is assigned to your IP webcam or if you want, your VOIP adapter. EVERY IP address has 65,535 ports. So port 6000 on one IP address isn't the same as port 6000 on the other one. Think of it like a street address. There are MANY 325 addresses. 325 Miller avenue; 325 Morris avenue; 325 6th st; etc... Well, every IP address is a street and every port is a house on that street.

But you asked for the home user. Most home users aren't going to spend the extra $10-$15 a month for 2 or more static IP addresses from their ISP. So, between #1 and #2 above, you can work around most conflicting port issues. Would it be simpler if VoipO had a narrower amount of specific ports? Yes, they use to. But this isn't the most efficient way to do this. Matter of fact; for 95+% of all voipo users, they don't need to port forward. They don't do DMZ. They don't have server type of inbound traffic that needs to go some place specifically. So they don't have to port forward / port range forward anything. And even for the 5% who do have other devices, most times there isn't going to be a port conflict anyway, because if a game is using a specific port when a phone call comes in, SIP will initiate a different port for the RTP traffic. But for those who have a pretty intense network, port forwarding can be done effectively. If your network is TOO INTENSE, then chances are you know exactly what you're doing, and you probably have more than one static IP address from your ISP. Hope this helps. Sorry if it's too in depth. Actually, I probably over simplified the way SIP and RTP go through the process of making a phone call. Anyway; hope it helps. Mike....

[burris]

Mike....

Excellent concise explanation....Thank you for taking the time to explain this.

[budmaster]

Mike, Thank you for taking the time to educate us all.

[ymhee_bcex]

Mike,

I think the reality in most residential environments is much simpler. Firewalls distinguish between outgoing and incoming traffic. Moreover, incoming traffic is distinguished between solicited and unsolicited (I am simplifying, but not by much). For example, if you are running a web server and expect unsolicited requests from the internet, you need to somehow forward web port (typically, 80 or 443) to your computer.

That means that you should never put a Windows computer in DMZ, unless you REALLY know what you are doing. You might put a router into DMZ (since it has its own powerful firewall), but that's a topic for another post.

Now, let's apply this general information to VoIP traffic. I assume that you have a modem, router, and VoIP adapter (ATA). Sometimes modem and router is combined into a single device; Voipo-provided Grandstream adapter has built-in router - but logically, it's three different devices.

Adapter registers with VSP's server; so if everything is OK, the firewall treats incoming SIP traffic as solicited. Therefore, no port forwarding is needed. Occasionally, I saw that this is not the case (perhaps, SIP registration is longer than firewall timeout), and then forwarding ports 5060 and 5061 to your adapter really helps.

RTP traffic always is (or should be) solicited due to negotiation process that Mike mentioned. So, if you need (or think that you need) forwarding RTP ports to your adapter - I suggest that you talk to a specialist about what is the root cause of your problem.

So to answer OP about DMZ vs. port forwarding, the first answer is neither. If you run into problems, start troubleshooting them, and maybe the solution will be to forward SIP ports. However, don't start from it.

As far as UPnP goes... I think it's evil Again, this is over 10 years old, and if you really know why you need it, you may have a good reason for it (although, I haven't heard about good reason yet). Having VoIP service is certainly not a good reason.

[christcorp]

Couldn't agree more. UPnP is evil. I've never found it to be worth a darn. I've also found that the overwhelming majority of people never need to forward any ports. Just as you said. There are some however that do. Sometimes it's because they are heavy gamers who have a lot of ports in use. Some have other hardware devices/servers/etc... that need specific ports. But generally; ports shouldn't have to be forwarded. As for the firewalls/Stateful Packet Inspection found in most common consumer grade all in one routers; I've never been a fan of them. I've seen them cause way too many problems. Same with ALG/SIP. I'm all for firewalls, just not an integrated one in the router. You can get excellent hardware firewalls new and used for under $50. And when used properly, software firewalls like zonealarm and black-ice are exceptional. The internal firewall of a combo router/switch/firewall/wireless AP are usually a simple ON/OFF. I prefer a firewall that I can configure specifically.

But that's just me. Then again; there is no way in the world I would ever use Norton's Anti-virus on my computer either. Can't tell you all the problems that damn thing will give you. But generally; voip shouldn't require you to forward ports. Most people don't have to do it.

[KASRA]

You have to realize, that UPnP, DHCP, etc... was all designed because more and more people are having crude home networks. It's designed so the average person who doesn't know the difference between DSL and cable; or the difference between a router, switch, and hub are able to connect more than one computer or device on their home network. But UPnP and DHCP are never "Better". It's always better to use static IP addresses (Or at least DHCP reservation). It's always better to reserve ports and forward them as needed. DMZ only allows one device to be put into the DMZ. (Which means you have to use a static IP address for that device). It opens all the ports for that one device. Some think the DMZ actually puts the device in the DMZ outside of the firewall. That isn't completely true. It mainly forwards ALL ports to that one item. So yes, if you have items like IP cameras, servers, or other devices that need to be talked to from the outside, then the DMZ can and most likely will cause a conflict.

"Real" networks; such as corporate, businesses, etc... do separate configurations whenever possible. Some with a lot of devices will use DHCP, but they have "Separate" firewalls and networking than what you are doing at home. Technically; there is absolutely no difference between your home network with 3-4 PC's, a printer, a voip adapter, and some sharing; than with a large corporate network. "Technically". Where the difference comes in, is that the larger networks are using separate firewalls, subnets, etc... Therefor, they have more flexibility. But the concept is the same.

The right answer, is for individuals to be willing to learn a little bit about networking. They don't need a degree in computer science. If all you want is for a few computers to share the internet and possibly share a printer, then you will have no problem living in the world of "Plug and Pray" without any port forwarding, DMZ, etc... But if you want to add servers; (Voip counts as a server; so do IP cameras, etc...); basically anything that the outside world talks to inside your network; then the best way to do it, is to learn how to assign static IP addresses; port/port range forward; use a router just for routing/NAT; use firewalls separately (Either separate hardware or individually configured software); etc... It is not difficult. And then, as you add more devices like your PS3 or Roku box to stream netflix, IP camera for home security, a network printer or hard drive that everyone can share without a PC having to be on, etc... you will find that there are less issues and it works much better. Remember; making a network "Simpler" wasn't designed because it's "BETTER". It was designed to sell more to consumers. When PC's first came out, you learned to do most things yourself, or you had to hire a computer geek. Manufacturers sell all in one router/switch/firewall/wireless to sell to the average person and make them believe they can do everything. You can't. But for 90+% of home PC owners, it works perfectly fine. But then again; 90+% of home PC users don't have VOIP as part of their home computer network; they don't have IP cameras; and they don't have servers. And NO, "Digital Voice" phone service from your Cable Company is NOT the SAME THING as voip (As we are using it).

hi mike
i have 3 VoIP devices at home and i was thinking because of security issue the company that i get VoIP service which can manages and see the VoIP device remotely and can access the VoIP device and that leaves security hole in my network(how about if i put VoIP device in DMZ would make my network more secure or not ) I was reading you idea about having different hardware like second router with separate firewall but i was thinking if i have one modem with two router each router have own DHCP it would not create conflict , i have done same thing in the past the issue was i had to reset my VoIP devices all the time( i had modem/ router one device and another router was connected to main modem/ router and both DHCP were on . i like to get your idea about this if you would
thanks