
mikeylbl

join:2011-02-28
Scarborough, ON

[TekTalk] Best way to setup tektalk adaptor through router?

Hey all

I just received my 502 adaptor.. I'm using a router.

What is the best setup to connect this device?

I see a LAN and WAN in the back.

Thanks

Mike


Old Martin
Premium
join:2006-02-23
kudos:33

1 recommendation

Hi,

If you connect the ATA to your router, make sure the Ethernet cable goes from the router's LAN port to the ATA's WAN port.

In router....
-disable ALG and SPI router firewalls
-Add rule to forward ports 443, 5060 to 5080, and 16384 to 16482 (Both UDP and TCP)

Regards,
Martin
--
TSI Martin (Escalations / E-Services) - TekSavvy Solutions Inc.
Authorized TSI employee ( »»TekSavvy FAQ »Official support in the forum )
Follow us on Twitter : @TekSavvyCSR ; @TekSavvyNetwork


Devanchya
Smile
Premium
join:2003-12-09
Ajax, ON
this deserves a Sticky!

davey6693

join:2012-04-04
Waterloo, ON

1 edit
reply to Old Martin
Edited.

I didn't know the ATA needed to monopolize TCP port 443. That's a shame, as it's just about the only port you can go through from behind a heavy firewall (outside of 80) and I was using that for ssh up to this point.


cable4me

@teksavvy.com
reply to Old Martin
See here; it explains it clearly: »voipdito.com/en/blog/SIP+NAT+Tra ··· raversal

Since the ATA initiates traffic from behind the firewall via registration, there is no need to open up any ports. All subsequent traffic from the server, including an INVITE for an incoming call, is a reply to that.

Your suggestions make no sense. If you disable the SPI firewall and/or port forward such a large range of ports, you are asking for trouble.

All you need to do is let the ATA know that it is behind a NAT by turning on its NAT support. It will figure out its WAN address from the messages it gets from the server.


NytOwl

join:2012-09-27
canada
reply to Old Martin
said by Old Martin:

In router....
-disable ALG and SPI router firewalls

As someone who works in IT security, that makes me twitch.

People should not be advised to disable firewall functions in their routers that affect their entire network rather than just the ATA.

To me, configuring the router so that the ATA is in the DMZ, separate from everything else, would make better sense.

Perhaps not ideal for everybody, nor every consumer-grade router, but I'd suggest a different approach than simply "disable the firewalls".

notfred

join:2012-09-15
reply to cable4me
I agree with cable4me. I have my ATA behind my Linux router with no ports forwarded and it works fine. It recognises that it is behind NAT and just uses something like STUN for the ports it requires, from what I can tell; I haven't sniffed it in detail.

Mango
Premium
join:2008-12-25
www.toao.net
kudos:15
reply to NytOwl
Placing an ATA in DMZ is a significant security risk, and if you really do work in IT security, you should know better than to suggest a configuration as irresponsible as that.

I suspect Martin recommended disabling SPI because it is implemented poorly in some routers and causes problems with VoIP. Do I wish SPI worked properly 100% of the time? Absolutely I do, but the fact is it doesn't, and if you want to use VoIP behind a router with malfunctioning SPI, sometimes the only workaround is to disable it. If your VoIP devices work properly behind a router with SPI you can by all means leave it on.

Keep in mind that if you place your ATA in DMZ, you're making its web interface and any other services it may be running publicly available. This includes accepting SIP calls from any source. (To a certain extent, this is also the case with port forwarding - Martin and I disagree about this - though port forwarding is better than DMZ as you can be selective about which ports you forward.) If your specific device is hardened with long passwords and it's configured only to accept calls from your service provider, maybe you won't have a problem if you use DMZ, but you can't assume that's everyone's case. Furthermore, strong passwords may mean nothing if your device has an unpatched security hole, such as the ones used to unlock locked ATAs.

Finally, a reason not to use DMZ that is unrelated to security is that DMZ only works with one device at a time. If you ever need to use a second VoIP device, you'll need to make it work without DMZ. So why not configure your equipment properly the first time?

tl;dr: Except perhaps for brief periods of testing, there is no reason to ever place a VoIP device in DMZ.
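The registration pinhole cable4me describes, and Mango's comparison of port forwarding with a DMZ host, worked through as an added example. This is not code from the thread or from any router vendor: it models a simplified address-restricted NAT with an idle timeout, applies Martin's forwarding rule set from above and a DMZ host to the same router model, and runs one set of inbound probes against each. All addresses are constructed documentation-range values and the 60-second idle timeout is an assumption.

```python
"""Which inbound packets reach an ATA behind a consumer NAT router?

Added example, not code from the thread. Models a simplified address-restricted
NAT with an idle timeout, the thread's port-forward rule set, and a DMZ host,
and runs the same inbound probes against each. Addresses are constructed
documentation-range values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ATA_LAN = "192.168.1.20"     # constructed: ATA on the LAN
ROUTER_WAN = "203.0.113.5"   # constructed: router's public address
PROVIDER = "198.51.100.10"   # constructed: SIP registrar/proxy
SCANNER = "192.0.2.77"       # constructed: unrelated Internet host
IDLE_SECONDS = 60            # assumed idle timeout for NAT mappings

# Martin's rule set from the thread: 443, 5060-5080, 16384-16482, UDP and TCP
THREAD_FORWARDS = [(proto, lo, hi) for proto in ("udp", "tcp")
                   for lo, hi in ((443, 443), (5060, 5080), (16384, 16482))]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


@dataclass
class Router:
    forwards: List[Tuple[str, int, int]] = field(default_factory=list)
    dmz_host: Optional[str] = None
    clock: int = 0
    next_port: int = 30000
    # (proto, lan_ip, lan_port, remote_ip, remote_port) -> [wan_port, last_seen]
    table: Dict[Tuple[str, str, int, str, int], List[int]] = field(default_factory=dict)

    def advance(self, seconds: int) -> None:
        self.clock += seconds

    def outbound(self, pkt: Packet) -> Packet:
        """LAN->WAN: allocate or refresh a mapping. This table is the state every
        NAT has to keep, whatever the vendor calls it."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.table:
            self.table[key] = [self.next_port, self.clock]
            self.next_port += 1
        self.table[key][1] = self.clock
        return Packet(ROUTER_WAN, self.table[key][0], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN->LAN: the translated packet, or None if the router drops it."""
        # 1. Reply on a mapping a LAN host opened, from the same remote host,
        #    and the mapping has not idled out.
        for (proto, lan_ip, lan_port, remote_ip, _), (wan_port, seen) in self.table.items():
            if (proto, wan_port, remote_ip) == (pkt.proto, pkt.dst_port, pkt.src_ip) \
                    and self.clock - seen < IDLE_SECONDS:
                return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, proto)
        # 2. Static port forward to the ATA: the source is not checked at all.
        for proto, lo, hi in self.forwards:
            if proto == pkt.proto and lo <= pkt.dst_port <= hi:
                return Packet(pkt.src_ip, pkt.src_port, ATA_LAN, pkt.dst_port, proto)
        # 3. DMZ host: everything not matched above is handed to it.
        if self.dmz_host:
            return Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port, pkt.proto)
        return None


def build_router(policy: str) -> Router:
    if policy == "nat":
        return Router()
    if policy == "forward":
        return Router(forwards=THREAD_FORWARDS)
    if policy == "dmz":
        return Router(dmz_host=ATA_LAN)
    raise ValueError(policy)


def probe(policy: str, idle_before_call: int = 0) -> Dict[str, bool]:
    """Register once, optionally sit idle, then see which inbound packets get through."""
    router = build_router(policy)
    reg = router.outbound(Packet(ATA_LAN, 5060, PROVIDER, 5060))  # REGISTER opens the pinhole
    router.advance(idle_before_call)
    probes = {
        "invite_from_provider": Packet(PROVIDER, 5060, ROUTER_WAN, reg.src_port),
        "invite_from_stranger_to_pinhole": Packet(SCANNER, 5060, ROUTER_WAN, reg.src_port),
        "sip_scan_5060": Packet(SCANNER, 5060, ROUTER_WAN, 5060),
        "rtp_range_16400": Packet(SCANNER, 4000, ROUTER_WAN, 16400),
        "web_ui_http": Packet(SCANNER, 40000, ROUTER_WAN, 80, "tcp"),
    }
    return {name: router.inbound(p) is not None for name, p in probes.items()}


if __name__ == "__main__":
    for policy in ("nat", "forward", "dmz"):
        print(f"{policy:8}", probe(policy))
    print("nat, 120 s idle", probe("nat", 120))
```

Under plain NAT only the provider's reply through the pinhole gets in, and once the mapping idles out with no re-registration or keepalive nothing does, which is why ATAs re-register or send NAT keepalives well inside the router's timeout. The thread's forward rules let any Internet host reach 5060-5080 and the RTP range on the ATA regardless of source, and the DMZ host takes everything, web interface included.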


NytOwl

join:2012-09-27
canada

1 recommendation

I agree with you, Mango.

I replied rather quickly and should've elaborated further, as you just did. I hadn't put that much thought into it.

I also come from a world of Enterprise networking, where DMZs in many cases can still be port-restricted and thus arguably are not true unrestricted DMZs as they are in consumer-grade equipment. My bad.

I just take issue with the quick recommendation to simply "disable the firewall function" without first testing with other solutions.

And finally, yes, configure your equipment properly the first time, as you said. Huge +1 there.

Mango
Premium
join:2008-12-25
www.toao.net
kudos:15
said by NytOwl:

I just take issue with the quick recommendation to simply "disable the firewall function" without first testing with other solutions.

Definitely a valid point. No point in reducing security unless things absolutely won't work any other way.

On a slightly related topic, if you have the time I would be delighted if you would take a look at »SPI vs. restricted cone NAT . I'm curious about how SPI works and why it sometimes doesn't work properly.

chipface

join:2011-07-13
reply to Old Martin
said by Old Martin:

Hi,

If you connect the ATA to your router, make sure the Ethernet goes from Router lan port to ATA wan port.

In router....
-disable ALG and SPI router firewalls
-Add rule to forward ports 443, 5060 to 5080, and 16384 to 16482 (Both UDP and TCP)

Regards,
Martin

Will that also work with the Linksys SPA 2102?

Mango
Premium
join:2008-12-25
www.toao.net
kudos:15
Try it without disabling things and without adding port forwarding. If your phone doesn't ring or you have one-way audio, then you can investigate further.

InvalidError

join:2008-02-03
kudos:5
reply to Mango
said by Mango:

I suspect Martin recommended disabling SPI because it is implemented poorly in some routers and causes problems with VoIP.

How do you disable SPI on a consumer-grade NAT-ing router?

In most consumer-grade routers, the only reason it does "SPI" is because it is an intrinsic requirement for NAT: you cannot do NAT without maintaining some form of state tables to keep track of which exterior ports and remote IP:ports are associated with which LAN clients. It is effectively impossible to do NAT without some basic form of SPI to keep track of connection mappings.

Mango
Premium
join:2008-12-25
www.toao.net
kudos:15
From what I understand (and if I'm wrong please correct me) SPI is not a standard and can mean different things depending on the make/model of the router.

Sometimes, SPI implies DPI which also examines the data inside the packet, and drops or alters packets that don't conform to its standards. That's what breaks VoIP. This is also known as SIP ALG, SIP Helper, and probably other things, depending on the router. Sometimes, this specific behaviour can be disabled, while retaining the other positive features of SPI.

If your router doesn't allow you to disable this behaviour, a workaround that often works is not to use port 5060. However, this requires your VoIP service provider to listen on multiple ports which they may not.
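How the ATA's NAT support "figures out its WAN address" from the server, and what a SIP ALG on the router changes about the packet the server sees, as an added example that is not code from the thread or from any ATA or router vendor. The server side follows RFC 3261 (received= stamped when the Via host differs from the packet's source) and RFC 3581 (rport= filled with the source port). The ALG is an assumed model for illustration: it rewrites the private host:port in Via and Contact to the mapped public host:port, and only engages on destination port 5060, which is why the thread's non-5060 workaround bypasses it here. Addresses, the registrar and the NAT mapping are constructed values.

```python
"""How an ATA learns its public address from the registrar's Via (received/rport),
and how a SIP ALG alters what the registrar sees.

Added example, not from the thread. The ALG is an assumed model (rewrite the
private host:port in Via/Contact to the mapped public host:port, destination
port 5060 only). Addresses are constructed documentation-range values.
"""
import re
from typing import Dict, Tuple

ATA_PRIVATE: Tuple[str, int] = ("192.168.1.20", 5060)  # constructed ATA address
NAT_PUBLIC: Tuple[str, int] = ("203.0.113.5", 30000)   # constructed NAT mapping
SERVER_IP = "198.51.100.10"                            # constructed provider

VIA_RE = re.compile(r"^Via: SIP/2\.0/UDP ([^;:\r]+):(\d+)((?:;[^\r]*)?)", re.M)
CONTACT_RE = re.compile(r"^Contact: <sip:[^@]+@([^:>]+):(\d+)>", re.M)


def build_register(contact: Tuple[str, int], dst_port: int) -> str:
    """REGISTER as the ATA sends it; ';rport' asks the server to report the source port."""
    ip, port = ATA_PRIVATE
    return (
        f"REGISTER sip:{SERVER_IP}:{dst_port} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {ip}:{port};rport;branch=z9hG4bK77\r\n"
        f"From: <sip:1234@{SERVER_IP}>;tag=a1\r\n"
        f"To: <sip:1234@{SERVER_IP}>\r\n"
        f"Contact: <sip:1234@{contact[0]}:{contact[1]}>\r\n"
        "Content-Length: 0\r\n\r\n"
    )


def naive_alg(msg: str, dst_port: int, alg_port: int = 5060) -> str:
    """Assumed ALG model: on port 5060 only, rewrite private host:port to public."""
    if dst_port != alg_port:
        return msg
    return msg.replace(f"{ATA_PRIVATE[0]}:{ATA_PRIVATE[1]}",
                       f"{NAT_PUBLIC[0]}:{NAT_PUBLIC[1]}")


def server_response(request: str) -> str:
    """Registrar stamps received/rport on the top Via from the packet's real
    source (the NAT's public mapping) and answers 200 OK."""
    src_ip, src_port = NAT_PUBLIC
    m = VIA_RE.search(request)
    host, port, params = m.group(1), m.group(2), m.group(3)
    if host != src_ip:                                   # RFC 3261 18.2.1
        params += f";received={src_ip}"
    params = params.replace(";rport", f";rport={src_port}", 1)  # RFC 3581
    return f"SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP {host}:{port}{params}\r\nContent-Length: 0\r\n\r\n"


def learned_public_address(response: str) -> Tuple[str, int]:
    """What the ATA concludes its public address is, from the echoed Via."""
    m = VIA_RE.search(response)
    host, port, params = m.group(1), int(m.group(2)), m.group(3)
    recv = re.search(r";received=([^;\r]+)", params)
    rport = re.search(r";rport=(\d+)", params)
    return (recv.group(1) if recv else host, int(rport.group(1)) if rport else port)


def registrar_binding(request: str) -> Tuple[str, int]:
    """Where the registrar will send incoming INVITEs: the Contact it was given."""
    m = CONTACT_RE.search(request)
    return m.group(1), int(m.group(2))


def register(server_port: int, alg: bool) -> Dict[str, object]:
    """Two-step registration: learn the public mapping, then re-register with it."""
    def send(msg: str) -> str:
        return naive_alg(msg, server_port) if alg else msg

    sent = build_register(ATA_PRIVATE, server_port)
    first = send(sent)
    learned = learned_public_address(server_response(first))
    second = send(build_register(learned, server_port))
    return {
        "alg_touched_packet": first != sent,
        "server_saw_private_address": VIA_RE.search(first).group(1) == ATA_PRIVATE[0],
        "learned": learned,
        "binding": registrar_binding(second),
        "incoming_calls_reach_mapping": registrar_binding(second) == NAT_PUBLIC,
    }


if __name__ == "__main__":
    for port, alg in ((5060, False), (5060, True), (5080, True)):
        print(f"port {port}, alg={alg}:", register(port, alg))
```

With no ALG the registrar sees the private address, answers with received= and rport=, and the ATA re-registers with the public mapping in Contact. With the ALG engaged on 5060 the registrar never sees the private address at all, so the ATA's own NAT logic and the router's rewriting are both in play on the same headers; comparing what the ATA sent with what the server received (the `alg_touched_packet` check here, or a capture on both sides) is the practical way to tell whether a router is altering SIP, and moving signalling to 5080 sidesteps this ALG entirely.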

InvalidError

join:2008-02-03
kudos:5

1 recommendation

said by Mango:

From what I understand (and if I'm wrong please correct me) SPI is not a standard and can mean different things depending on the make/model of the router.

Technically, SPI alone does not do anything specially useful apart from rejecting traffic that does not match the known state of any active connection, hence the term Stateful Inspection.

Doing NAT requires inspecting or tracking individual connections to know when sessions begin, so port mappings can be assigned for IP rewriting across the LAN-WAN interface, and when they end, so port mappings can be deleted once no longer in use to free up resources for future connections. The NAT's SPI implementation might not be as strict or thorough as a formal SPI firewall might be, but it will still act as one for most intents and purposes. I cannot imagine a way to write a normal NAT (dynamic 1:N) without accidentally making it behave as a basic SPI firewall.

DPI is pretty much the same as SPI except for being able to dig deeper into packets.