VOIP ATA, Softphone, and Port Forwarding

**auswalk** · 11-12-2012 11:50 AM

After many hours of reading on voip technology I have some questions.

Right now I have a VOIPO ATA Adapter sitting inside a DMZ behind my router. I assigned it an internal private static ip address and I set my router to forward all UDP packets from 5000-65000 to it.

First, why is this a requirement? (Please note without this forwarding my calls wouldn't work properly) My softphone software running on my PC inside my network requires no such port forwarding, why does the voip ATA box require this? Second if I wanted to add another VOIP ATA box, then this would seem to be a problem since I have UDP packets forwarded to a specific adapter.

In my readings, I read about STUN servers and these looked to be an alternative to port forwarding. Is this correct?

Thanks

**christcorp** · 11-15-2012 01:07 PM

I am a little confused about some of your post. You say you have your voipo adapter inside the DMZ of your router. Then, you said you forward packets to it. You can't do both. Well; you can, but you're defeating the purpose. When something is in the DMZ, and the DMZ is turned on, you are effectively forwarding ALL PORTS to that IP address. When you use both DMZ and port forwarding, you are asking for the possibility of some problems. Especially if you are also trying to use Softphone software on a PC.

Another thing. It's good that you tried forwarding UDP ports, but don't forget that for the session initialization (SIP), it is NOT UDP. It is TCP. That's port 5060. Either way; choose one or the other: DMZ or Port Forwarding. Not both.

Now; something I have found is a major cause of VOIP problems, are people's home network routers. There are 2 features that are usually turned on by default that can cause issues. If you turn both off, you may be in much better shape. I haven't had ANY problems since doing this and I've had VoipO since the very beginning. I do remember when I got a NEW router, I had some voip issues initially after installing it. Then remembered: OH YEA, Turn off those router functions. Again; all is perfect. What are these 2 router features?

1. Firewall/SPI
2. ALG

As for the firewall, you should turn OFF in the router: SPI. That is a firewall in the router. Also, there is a section called ALG. It lists programs like SIP. Turn off the ALG. If you really want a firewall for your computers you can install a software firewall like Zonealarm or Blackice on your computers and protect them locally. But SPI and ALG on in the router can definitely cause issues with voip. I definitely prefer either software firewall on the local PC or a standalone hardware firewall that I can keep the voip adapter outside of. ALG is designed for Voip, games, etc... but it assumes it is software on your PC. So with it on, it sometimes conflicts with standalone hardware trying to do the same thing.

For what it's worth, with SPI/Firewall and ALG turned off, I don't use ANY Port Forwarding or DMZ. No need to. I am all for Firewalls, but I recommend software versions on the individual machines instead of on the router where it affects everything whether it wants it or needs it. good luck.

**burris** · 11-15-2012 01:39 PM

Mike..

You mention that TCP is the optimim initialization for Voip.
Doesn't VOIPo recomment UDP when that question comes up?

I agree that TCP is the fastest communication to set up the call but UDP will get it there almost as fast with less overhead.
If everyone went to TCP for setup, I think the servers might overload.

I think you can run SIP over TCP but then UDP for RTP.

Maybe that's why when you set up your router for port forwarding, the selection offers either or both. At least mine does.

**christcorp** · 11-15-2012 02:39 PM

Yes, the UDP is for RTP. The TCP is strictly for port 5060. And/or 5061 if you're using more than one voip channel.

**auswalk** · 11-15-2012 06:29 PM

Mike,

I mean the dsl modem -> router -> voipo ata -> cordless phone

So if I run the softphone software on my PC I don't have to port forward anything. But my voipo ata adapter requires UDP ports 5004-65000 forwarded to it for calls to function properly.

I have ALG services checked in my router config but firewall disabled. You are saying I should uncheck all of these and then I won't have to do port forwarding?

Application Layer Gateway (ALG) Settings
Select the applications below.
Enable
Name
Comment

Amanda
Support for Amanda backup tool protocol.

Egg
Support for eggdrop bot networks.

FTP
Support for FTP.

H323
Support for H323/netmeeting.

IRC
Allows DCC to work though NAT and connection tracking.

MMS
Support for Microsoft Streaming Media Services protocol.

Quake3
Support for Quake III Arena connection tracking and nat.

Talk
Allows netfilter to track talk connections.

TFTP
Support for TFTP.

IPsec
Support for IPsec passthrough

Starcraft
Support for Starcraft/Battle.net game protocol.

MSN
Support for MSN file tranfer.

PPTP Pass Through
Support for PPTP passthrough.

**ymhee_bcex** · 11-18-2012 12:12 AM

auswalk,
I think Mike's recommendations may be a little ambiguous (either that, or I disagree with some of them). You should turn off ALG and SPI (SPI is a feature of firewall; I think that's what he means by Firewall/SPI). I don't think you should turn off firewall on the router altogether.

Normally, you don't need to put adapter in DMZ, nor forward any ports. Adapter should work just like your softphone - register and forget it. Usually, you enable port forwarding for troubleshooting purposes (such as one-way audio, etc.).

And usually consumer routers notify you that DMZ and port forwarding are conflicting settings; so you really do one or another.

Last, assuming you have Voipo-provided locked adapter, you can't set up STUN server yourself.

**auswalk** · 11-18-2012 06:05 PM

Originally Posted by ymhee_bcex

auswalk,
I think Mike's recommendations may be a little ambiguous (either that, or I disagree with some of them). You should turn off ALG and SPI (SPI is a feature of firewall; I think that's what he means by Firewall/SPI). I don't think you should turn off firewall on the router altogether.

Normally, you don't need to put adapter in DMZ, nor forward any ports. Adapter should work just like your softphone - register and forget it. Usually, you enable port forwarding for troubleshooting purposes (such as one-way audio, etc.).

And usually consumer routers notify you that DMZ and port forwarding are conflicting settings; so you really do one or another.

Last, assuming you have Voipo-provided locked adapter, you can't set up STUN server yourself.

That is the problem. When I don't port forward 5004-65000 I get one-way audio etc.

**burris** · 11-18-2012 06:33 PM

I have been with VOIPo since before the beginning and this is what I have that gives me excellent results.

Since I was around before, I have the privilege of being able to use any of my collection of ATAs and program them myself. Since we're talking about phone service and since I haven't had a land line for 7 years and I have to please my wife, I long ago decided to find the best settings and leave them alone.

I don't ever use STUN and I wouldn't ever put anything in the DMZ. In my router, I have SPI and ALG off. I have a third party firewall as the router firewall causes me problems.
I have the ATA set with a static IP and the router ports 5004-65000 forwarded to that static IP.

My ASUS router has DD-WRT and I don't use any QOS, since for me, it causes more problems than it is worth and my DSL speed is 6/786.

The above settings offer me a connection that rivals POTS in both connectivity and audio quality.

I wish I could take credit for all this, but the credit must go to Brandon\VOIPo who spent many hours over the years tutoring me and ultimately convincing me the right path to take.
My basic nature is to effect change for the sake of change, but as I mentioned, this is phone service and not really the place to fool around and then blame the provider when it doesn't work.

To be fair, everybody has a different setup and talks and listens on different circuits, so there will certainly be differences. However, talk to VOIPo...they do know what they are doing.

**christcorp** · 11-27-2012 09:32 AM

Originally Posted by ymhee_bcex

auswalk,
I think Mike's recommendations may be a little ambiguous (either that, or I disagree with some of them). You should turn off ALG and SPI (SPI is a feature of firewall; I think that's what he means by Firewall/SPI). I don't think you should turn off firewall on the router altogether.

Normally, you don't need to put adapter in DMZ, nor forward any ports. Adapter should work just like your softphone - register and forget it. Usually, you enable port forwarding for troubleshooting purposes (such as one-way audio, etc.).

And usually consumer routers notify you that DMZ and port forwarding are conflicting settings; so you really do one or another.

Last, assuming you have Voipo-provided locked adapter, you can't set up STUN server yourself.

I did mean to turn OFF ALG and ALSO to turn OFF the Firewall in the router all together. Some routers call it firewall and some call it SPI. (Stateful packet Inspection). I DO RECOMMEND turning the firewall off. At least as a means to verify if the firewall is causing the problem. There are many more AND BETTER firewall options than using the basic SPI capability of a consumer grade router.

I haven't used SPI in my router in more than 10 years. (Can't remember the last time I used it). And FWIW, I've NEVER had a virus, trojan, DOS attack, or attack of any kind on my home system. At least disable it long enough to determine if it's contributing to the problem. Also; don't use DMZ, just use port forwarding.

**ymhee_bcex** · 11-30-2012 01:32 AM

I guess, OP should make his own choice... Where Mike and I agree - turn off SPI.

I've never seen a router that uses the term SPI ("stateful packet inspection") to mean firewall (software that prohibits inbound traffic) - so here we have some terminology confusion. One can argue that SPI is a component of firewall - but a small and fairly useless component.

I've never had a need to turn off firewall on the router, even for troubleshooting purposes - but if you are desperate, give it a try. Just don't keep it off for long - having a firewall is invitation for big trouble, in my mind.

The original question is about the need to forward wide range of ports (5000-65000) and what happens if there is another SIP client on the network. Fair question, and I would work with support to at least limit, if not completely eliminate the range of ports that require forwarding. I remember that on Sipura the UDP ports are configurable; I've never seen unlocked Grandstream, but hopefully support guys can configure UDP port range as well.