<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>TA behind firewall in AT&#x26;T CallVantage</title>
<link>http://www.dslreports.com/forum/r20906305</link>
<description></description>
<language>en</language>
<pubDate>Wed, 11 Nov 2009 14:05:43 EDT</pubDate>
<lastBuildDate>Wed, 11 Nov 2009 14:05:43 EDT</lastBuildDate>

<item>
<title>Re: TA behind firewall</title>
<link>http://www.dslreports.com/forum/remark,20928178</link>
<description><![CDATA[<A HREF="/useremail/u/1470516"><b>JD</b></A> : That's a lot of good info.  Thanks for the diagrams too.  Never thought about runnin all that to look into it more.  Maybe it is the auto neg issue and not that it's a half duplex.  Thanks..  I will have to go check it out on my pc when I get the internet back. lol.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20928178</guid>
<pubDate>Sun, 10 Aug 2008 10:26:01 EDT</pubDate>
</item>

<item>
<title>Re: TA behind firewall</title>
<link>http://www.dslreports.com/forum/remark,20917468</link>
<description><![CDATA[<A HREF="/useremail/u/1030204"><b>NetFixer</b></A> : Your experience is different than mine. The port status image from my primary router that I posted clearly shows that the DVG-5102S is not inherently limited to half duplex on its WAN port, and I can't imagine why anyone from AT&T CallVantage support would tell you that it only supports half duplex (I suspect that what they were trying to say was that the DVG-5102S does not have a way to bypass auto negotiation). It is not unusual for network devices to have compatibility problems auto negotiating with some other devices, and that is what is happening in your case. From your perspective, the DVG-5102S would certainly seem to be limited to half duplex, but it is not limited to half duplex by design.<br><br>As to the other problems/symptoms you report, I use my DVG-5102S as an ATA only rather than as a router, so I have not tested its bandwidth or firewall capabilities. I have however on a few occasions attached my notebook to its LAN port, and I did not notice any speed degradation when connecting to other devices on my primary LAN when going through its WAN port. I suspect that your speed limitation is because frequently a device that can not auto negotiate full duplex, also has problems auto negotiating a 100 mbps connection.<br><br>Mine also did not have its firewall in any way disabled "out of the box", and even the simplest NAT router (and the DVG-5102S is not just a simple NAT router) does not leave connected devices "open for attack".<br><hr><br>EDIT:<br>Since your 9 mbps download speed limitation statement differed from my own recollection, I just connected my notebook to the LAN port on my DVG-5102S and did both a download and upload test. 
The results are shown below, I definitely do not see any 9 mbps limitation.<br><br>[att=1]<br><br>[att=2]<br><br><hr><br>I also ran a firewall test to my local web server, and this is the result, so I don't know in what way my PC connected to the LAN port of my DVG-5102S (which is using the factory default firewall settings) would be "open for attack". <br><br>[att=3]<br><br>FYI: The notebook used for this firewall test does actually have several internet services such as http, ftp, telnet, and vnc running and allowed by its local software firewall.<br><br>For comparison, here are the results of that same scan when my notebook is directly connected to a LAN port on my RV082 primary router. As you can see, the DVG-5102S is indeed acting as a very effective firewall.<br><br>[att=4]<br><small>--<br><A HREF="http://nature-pics.com">We can never have enough of nature.</a><br>We need to witness our own limits transgressed, and some life pasturing freely where we never wander.<br><A HREF="http://portscan.dcs-net.net">Test your firewall.</a></small><div class="borderless"><TABLE WIDTH=95% align=center border=0 CELLPADDING=4"><TR><TD ALIGN=CENTER VALIGN=CENTER BGCOLOR=#FFFFFF nwrap COLSPAN=3 WIDTH=100%><A HREF="/speak/slideshow/20917468?c=1336191&ret=L2ZvcnVtL3IyMDkwNjMwNS54bWw%3D"><IMG TITLE="13889 bytes" BORDER=0 WIDTH=452 HEIGHT=429 SRC="/r0/download/1336191~5a408afeadbd033aca4bc417375f3ed3/DVG-5102S-download-speed.png"></A><br>DVG-5102S download speed test</TD></TR><TR><TD ALIGN=CENTER VALIGN=CENTER BGCOLOR=#FFFFFF nwrap COLSPAN=3 WIDTH=100%><A HREF="/speak/slideshow/20917468?c=1336192&ret=L2ZvcnVtL3IyMDkwNjMwNS54bWw%3D"><IMG TITLE="13987 bytes" BORDER=0 WIDTH=452 HEIGHT=429 SRC="/r0/download/1336192~b40652d219e7b81e7bf0fece80486492/DVG-5102S-upload-speed.png"></A><br>DVG-5102S upload speed test</TD></TR><TR><TD ALIGN=CENTER VALIGN=CENTER BGCOLOR=#FFFFFF nwrap COLSPAN=3 WIDTH=100%><A HREF="/speak/slideshow/20917468?c=1336197&ret=L2ZvcnVtL3IyMDkwNjMwNS54bWw%3D"><IMG 
class="apic" BORDER=0 TITLE="23751 bytes" WIDTH=600 HEIGHT=602 SRC="/r0/download/1336197.thumb600~de3e96ef6cc0bc943cf4e2a9b60c0612/DVG-5102S-firewall-test.png/thumb.jpg" ALT="Click for full size"></A></TD></TR><TR><TD ALIGN=CENTER VALIGN=CENTER BGCOLOR=#FFFFFF nwrap COLSPAN=3 WIDTH=100%><A HREF="/speak/slideshow/20917468?c=1336204&ret=L2ZvcnVtL3IyMDkwNjMwNS54bWw%3D"><IMG class="apic" BORDER=0 TITLE="28361 bytes" WIDTH=600 HEIGHT=599 SRC="/r0/download/1336204.thumb600~712c867c60c0cf3a8b5d941a1f3ee045/NX-6325-firewall-test.png/thumb.jpg" ALT="Click for full size"></A></TD></TABLE></div>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20917468</guid>
<pubDate>Fri, 08 Aug 2008 00:02:00 EDT</pubDate>
</item>

<item>
<title>Re: TA behind firewall</title>
<link>http://www.dslreports.com/forum/remark,20916697</link>
<description><![CDATA[<A HREF="/useremail/u/1470516"><b>JD</b></A> : Sorry I wasn't very clear...<br><br>I have tested it with and without the ATA on a FIOS connection and the thruput was limited to a half duplex.<br><br>It auto configs "measuring ur bandwidth".  It has to auto negotiate due to the limitations on the thruput.<br><br>I have seen a 14 meg down line get chopped to round 9 megs..<br><br>Without the ATA its full use of the bandwidth....<br><br>NetFixer... do you have a connection with over 10 megs?<br><br>This is the only true way to see what it will give off.<br><br>CallVantage tech support as well verifies that it's only a half duplex and with a high bandwidth connection they actually would rather you use a router in front of that ATA to make sure that you/customer gets full benefit of the ISP.<br><br>And the firewall..  I mean that it doesn't have a robust aggressive firewall set from the factory.  Seems like everything is open when it comes outa the box.  Not that it's really a bad thing... but u are still open for attack if you have your pc directly connected......]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20916697</guid>
<pubDate>Thu, 07 Aug 2008 21:08:41 EDT</pubDate>
</item>

<item>
<title>Re: TA behind firewall</title>
<link>http://www.dslreports.com/forum/remark,20916619</link>
<description><![CDATA[<A HREF="/useremail/u/1030204"><b>NetFixer</b></A> : <div class="bquote"><small>said by  JD <A HREF="/useremail/u/1470516"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>I agree that the Dlink ATA is a "router" but there are downsides..  <br><br>First off...  it's only a Half Duplex unit...<br> </div>Perhaps some older D-Link ATA devices are half duplex, but the currently used DVG-5102S is not limited to half duplex. Perhaps yours is limited by the device to which it is connected?<br><br>This is how my primary Linksys RV082 router sees the DVG-5102S WAN port:<br>[att=1]<br><br><div class="bquote"><small>said by  JD <A HREF="/useremail/u/1470516"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>And second...  It isn't very savvy when it comes to the firewall...  it might as well have no firewall within it...<br> </div>I won't debate the robustness of the current D-Link DVG-5102S ATA's firewall since I have not had a reason to extensively test it, but it certainly seems to have as full featured a firewall as most SOHO routers. 
Could you explain your conclusion?<br><br>[att=2]<div class="borderless"><TABLE WIDTH=95% align=center border=0 CELLPADDING=4"><TR><TD ALIGN=CENTER VALIGN=CENTER BGCOLOR=#FFFFFF nwrap COLSPAN=3 WIDTH=100%><A HREF="/speak/slideshow/20916619?c=1336120&ret=L2ZvcnVtL3IyMDkwNjMwNS54bWw%3D"><IMG class="apic" BORDER=0 TITLE="21398 bytes" WIDTH=600 HEIGHT=527 SRC="/r0/download/1336120.thumb600~df9af2a876874f15a51971c4adf97dc3/DVG-5102S-WAN-port-status.png/thumb.jpg" ALT="Click for full size"></A><br>DVG-5102S WAN port status</TD></TR><TR><TD ALIGN=CENTER VALIGN=CENTER BGCOLOR=#FFFFFF nwrap COLSPAN=3 WIDTH=100%><A HREF="/speak/slideshow/20916619?c=1336124&ret=L2ZvcnVtL3IyMDkwNjMwNS54bWw%3D"><IMG class="apic" BORDER=0 TITLE="45746 bytes" WIDTH=600 HEIGHT=501 SRC="/r0/download/1336124.thumb600~86759207aa1c842e4a106f6daf73afa7/DVG-5102S-WAN-Firewall-Settings.png/thumb.jpg" ALT="Click for full size"></A></TD></TABLE></div>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20916619</guid>
<pubDate>Thu, 07 Aug 2008 20:51:45 EDT</pubDate>
</item>

<item>
<title>Re: TA behind firewall</title>
<link>http://www.dslreports.com/forum/remark,20914913</link>
<description><![CDATA[<A HREF="/useremail/u/1470516"><b>JD</b></A> : Appreciate the explanation.  I think this is all very interesting.  I agree that the Dlink ATA is a "router" but there are downsides..  <br><br>First off...  it's only a Half Duplex unit...<br><br>And second...  It isn't very savvy when it comes to the firewall...  it might as well have no firewall within it.<br><br>Kudos on all the info on this post and others.. keep it up]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20914913</guid>
<pubDate>Thu, 07 Aug 2008 15:16:57 EDT</pubDate>
</item>

<item>
<title>Re: TA behind firewall</title>
<link>http://www.dslreports.com/forum/remark,20913604</link>
<description><![CDATA[<A HREF="/useremail/u/691482"><b>Bane75</b></A> : <div class="bquote"><small>said by  djrobx <A HREF="/useremail/u/162762"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br><div class="bquote"><small>said by  Bane75 <A HREF="/useremail/u/691482"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>     :</small><br><br>How would it improve my security? There are a couple of reasons that I can think of off the top of my head. It would prevent extraneous Internet noise from hitting the TA; TA's are not exactly computing power houses and are fairly easy to overwhelm. Second, if an exploit were to be discovered in the TA or in the SIP protocol itself, beyond the existing protocol deficiencies, chances are ATT's servers are not going to try to exploit my TA.   <br> </div>You don't really need to allow any inbound requests to the TA at all.  Mine's working just fine without any ports directed to it.<br><br>Personally, I would not do this.  I think there is too great a risk of disrupted service due to unforeseen AT&T maintenance, versus anything that might happen due to "internet noise" or some sort of obscure exploit.   The TA is intended to handle all of a person's internet connection needs, and is essentially a fully functional router.  You're already way ahead of the game by limiting it to handling only VOIP traffic.<br> </div>I disagree. D-Link stuff is not enterprise level and the quality of SOHO routers in the traffic handling department leaves quite a bit to be desired. Most have a hard time handling 8 or 9 megs of bandwidth, and would fall over if my 15 meg connection were to be saturated by a DoS attack. Additionally, numerous consumer routers have had remotely exploitable conditions in the past. <br><br>Granted this is somewhat unlikely to happen, but so is my house being robbed. 
As unlikely as it is that my house will be robbed, I still limit who can access it by locking the doors, and treating the TA in this manner is no different.<br><br>Limiting the TA to only connecting to ATT will limit attack vectors on the TA to primarily DNS poisoning.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20913604</guid>
<pubDate>Thu, 07 Aug 2008 11:33:12 EDT</pubDate>
</item>

<item>
<title>Re: TA behind firewall</title>
<link>http://www.dslreports.com/forum/remark,20913513</link>
<description><![CDATA[<A HREF="/useremail/u/691482"><b>Bane75</b></A> : <div class="bquote"><small>said by  JD <A HREF="/useremail/u/1470516"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>wow man.. just sounds like you are goin way overboard on an incoming ip address....<br><br>Never said u were a novice.. I normally learn quite a bit from reading yours and others posts...<br><br>Just a friendly question was all :huh:<br> </div>Sorry if I came off confrontational. It's not going overboard at all. Phone service is very important, and I do not need it taken offline by botnets doing port scans or any other random script kiddie stupidity.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20913513</guid>
<pubDate>Thu, 07 Aug 2008 11:20:14 EDT</pubDate>
</item>

<item>
<title>Re: TA behind firewall</title>
<link>http://www.dslreports.com/forum/remark,20912088</link>
<description><![CDATA[<A HREF="/useremail/u/162762"><b>djrobx</b></A> : <div class="bquote"><small>said by  Bane75 <A HREF="/useremail/u/691482"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>    :</small><br><br>How would it improve my security? There are a couple of reasons that I can think of off the top of my head. It would prevent extraneous Internet noise from hitting the TA; TA's are not exactly computing power houses and are fairly easy to overwhelm. Second, if an exploit were to be discovered in the TA or in the SIP protocol itself, beyond the existing protocol deficiencies, chances are ATT's servers are not going to try to exploit my TA.   <br> </div>You don't really need to allow any inbound requests to the TA at all.  Mine's working just fine without any ports directed to it.<br><br>Personally, I would not do this.  I think there is too great a risk of disrupted service due to unforeseen AT&T maintenance, versus anything that might happen due to "internet noise" or some sort of obscure exploit.   The TA is intended to handle all of a person's internet connection needs, and is essentially a fully functional router.  You're already way ahead of the game by limiting it to handling only VOIP traffic.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20912088</guid>
<pubDate>Thu, 07 Aug 2008 01:44:43 EDT</pubDate>
</item>

<item>
<title>Re: TA behind firewall</title>
<link>http://www.dslreports.com/forum/remark,20910232</link>
<description><![CDATA[<A HREF="/useremail/u/1470516"><b>JD</b></A> : wow man.. just sounds like you are goin way overboard on an incoming ip address....<br><br>Never said u were a novice.. I normally learn quite a bit from reading yours and others posts...<br><br>Just a friendly question was all :huh:]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20910232</guid>
<pubDate>Wed, 06 Aug 2008 18:38:40 EDT</pubDate>
</item>

<item>
<title>Re: TA behind firewall</title>
<link>http://www.dslreports.com/forum/remark,20910093</link>
<description><![CDATA[<A HREF="/useremail/u/1030204"><b>NetFixer</b></A> : <div class="bquote"><small>said by  Bane75 <A HREF="/useremail/u/691482"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>I was hoping that maybe they had an official list, so I don't have to dig through firewall logs. <br> </div>Searching archived syslog files is how I determined the IP addresses that were used by my DVG-5102S.<br><br>For additional security, you may be able to get away with simply blocking all unsolicited incoming SIP traffic since the active SIP sessions are originated from the ATA. If your ATA doesn't use multiple external IP addresses (or a dynamic IP address which changes frequently), your ATA may not need the incoming SIP connection. <br><br>In my case, I use a load balancing router, and I would intermittently get a false E-911 warning alarm several times a day even though the ATA was on-line and there were no indications that it ever lost sync with the AT&T server. After looking at my syslog entries I noticed that a dozen or more times a day I would get a blocked incoming SIP packet from AT&T. After allowing those packets to reach the ATA, I did not get the false E-911 alarms anymore.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20910093</guid>
<pubDate>Wed, 06 Aug 2008 18:14:34 EDT</pubDate>
</item>

<item>
<title>Re: TA behind firewall</title>
<link>http://www.dslreports.com/forum/remark,20909993</link>
<description><![CDATA[<A HREF="/useremail/u/691482"><b>Bane75</b></A> : I am aware of needing DNS access also, I'm not a novice when it comes to IT :D <br><br>I would be surprised if the IP addresses or DNS entries of the servers ever changed. Most likely for this large of a service deployment they are using some kind of load balancer with multiple servers behind a virtual IP. So if they ever need to change anything service is still up.<br><br>I was hoping that maybe they had an official list, so I don't have to dig through firewall logs. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20909993</guid>
<pubDate>Wed, 06 Aug 2008 17:56:51 EDT</pubDate>
</item>

<item>
<title>Re: TA behind firewall</title>
<link>http://www.dslreports.com/forum/remark,20909917</link>
<description><![CDATA[<A HREF="/useremail/u/691482"><b>Bane75</b></A> : How would it improve my security? There are a couple of reasons that I can think of off the top of my head. It would prevent extraneous Internet noise from hitting the TA; TA's are not exactly computing power houses and are fairly easy to overwhelm. Second, if an exploit were to be discovered in the TA or in the SIP protocol itself, beyond the existing protocol deficiencies, chances are ATT's servers are not going to try to exploit my TA.   ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20909917</guid>
<pubDate>Wed, 06 Aug 2008 17:43:44 EDT</pubDate>
</item>

<item>
<title>Re: TA behind firewall</title>
<link>http://www.dslreports.com/forum/remark,20909006</link>
<description><![CDATA[<A HREF="/useremail/u/1470516"><b>JD</b></A> : Is there any real reason for you to limit what can TRY to connect to the ATA?  Or is this just something you are thinking is a good idea???   <br><br>I don't see how limiting the possible connections to the ATA would help your network security.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20909006</guid>
<pubDate>Wed, 06 Aug 2008 15:15:49 EDT</pubDate>
</item>

<item>
<title>Re: TA behind firewall</title>
<link>http://www.dslreports.com/forum/remark,20906487</link>
<description><![CDATA[<A HREF="/useremail/u/1030204"><b>NetFixer</b></A> : I have never seen any official list, but the only two AT&T IP addresses I have seen my DVG-5102S connect to for SIP/RTP sessions are 12.194.239.134 and 204.178.15.141. The 12.194.239.134 IP address is the normal SIP/RTP connection, and the 178.15.141 IP address appears to be an inbound SIP connection used for polling.<br><br>Of course, the IP addresses used in your area and for your ATA may be different. I suspect that they are also not etched in stone, so if you only allow any specific subset of IP addresses to be used by your ATA, you may find your service could be interrupted the next time AT&T does network maintenance or firmware upgrades.<br><br>You will of course also need to give your ATA access to DNS servers.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20906487</guid>
<pubDate>Wed, 06 Aug 2008 05:03:52 EDT</pubDate>
</item>

<item>
<title>TA behind firewall</title>
<link>http://www.dslreports.com/forum/remark,20906305</link>
<description><![CDATA[<A HREF="/useremail/u/691482"><b>Bane75</b></A> : I am locating my TA behind my monowall firewall. I would like to limit the inbound and outbound access to the TA to ATT's servers only. Is there a list anywhere of ATT IP addresses or DNS names for their VOIP servers?<br><br>Thanks]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20906305</guid>
<pubDate>Wed, 06 Aug 2008 02:05:39 EDT</pubDate>
</item>

</channel>
</rss>
