Re: Router settings with VoIP - any explanatory documentation?

You've been told wrong. If you're using STUN and a proxy server (and most
SIP service providers do), then you should not need to change ANYTHING on
your router.

Paul DS.

"Paul D.Smith" <paul_d_smith@x-hotmail.com> wrote in message
news:42d3ccb3$0$6484$ed9e5944@reading.news.pipex.n et...
> You've been told wrong. If you're using STUN and a proxy server (and most
> SIP service providers do), then you should not need to change ANYTHING on
> your router.
>
> Paul DS.
>

It did clearly say in my post:

The STUN server ((S)imple (T)raversal of (U)DP through (N)ATs), along with
help of the proxy/registrar at your SIP provider should normally do
everything else for you.

This pretty much covers what you commented about.

It was 'Ed' who wanted the more in-depth description for the ports etc.

Was it any good for you Ed?

Tony,

You're talking about configuring DMZs and hard-coded IP addresses in your
original post, neither of which should be required. For example, a fully
hardened router (all inbound ports closed, no DMZ, DHCP addresses etc.) will
still work completely with a STUN enabled ATA/softphoine without any
configuration changes at all.

Paul DS.

Tony may disagree (see our earlier exchanges) but see below...

Paul DS

"Ed" <a.@.invalid> wrote in message
news:1121203776.26690ab196d5cb1c0ebc59bc7efd462d@t eranews...
> On Tue, 12 Jul 2005 19:33:59 +0100, Tony wrote:
>
> >Was it any good for you Ed?
>
> Yes Tony, it certainly helped to make things a little clearer. Thanks
> to your explanation and doing a bit further reading elsewhere, I've
> now got my ATA fully (fingers crossed) working for 2 lines! Phew what
> a palaver getting all those scores of optional parameters set.
>
> A few queries:
>
> These names (like "RTPLang" or "Voice") I was told to use in my router
> configuration, I had assumed they were some kind of reserved names for
> particular functions. I'm beginning now to think they're not reserved
> names but I can use whatever name for these services that I like, as
> long as I can understand them. Is that right?
>

PDS> Probably but for SIP with STUN you can ignore these. Services such as
Yahoo Messenger and MS Messenger need you to open various holes through your
security (i.e. open ports on your router) which is exactly why I don't use
them. SIP does not require you do anything like this.

> Then regarding DMZ, which my router doesn't have as an option. From my
> reading of DMZ is nothing more than a particular device with an IP
> address on my LAN which has all ports open. If so, can I not achieve
> the identical thing to DMZ by just defining all ports on that IP
> address as open? Is there anything else that the "proper" DMZ function
> does which is over an above my simply opening all ports on that IP
> address?
>

PDS> A DMZ usually an area between a weakened firewall (to the outside) and
a fully hardened firewall (to your internal network) where servers such as
mail or web servers are placed. They have to be in a weakened area because
you have to allow people from the outside world to get to them, but you
don't want these same people into your internal LAN.

So you can do something like...

Internet -- weak firewall -- DMZ -- strong firewall -- Internal network

On the weak firewall you open whatever ports you need to direct traffic to
the machines located in the DMZ.

Now there is sometimes a "DMZ options" which basically says "unless told
otherwise, an inbound connection is sent to this specific machine. This is
fine apart from one problem. If your "DMZ machine" is a WinDoze machine,
odds are it can be compromised and unless it is separated from your internal
network by a good firewall, the WinDoze machine can sometimes be used to
relay attacks to your internal network.

So, the strong firewall is really required although with careful
configuration you might be able to get away with using a software firewall
such as ZoneAlarm _PROVIDING_ you mark the DMZ machine as "I wouldn't trust
it as far as I could throw it"!

Bottom line though - you don't need a DMZ or any specially opened ports.

> Finally relating to STUN. That is configured on my ATA (which has 2
> lines) as a global parameter rather than as a parameter per line. I
> find that a bit confusing, since my 2 lines are attached to 2 totally
> different providers. From your explanation it seems that STUN is a
> provider-specific facility so I would have assumed that I would put a
> separate parameter in for each line.

PDS> I _think_ (and I have to read some more on STUN) that you should be OK.
My understanding is that a STUN server allows your client to find out
answers to "I'm behind a NAT, but what does the outside world think my IP
address is"? The answer won't change between the two SIP service providers
so a single STUN server _might_ be able to satisfy both.

Paul D.Smith wrote:
> Tony,
>
> You're talking about configuring DMZs and hard-coded IP addresses
> in your original post, neither of which should be required. For
> example, a fully hardened router (all inbound ports closed, no DMZ,
> DHCP addresses etc.) will still work completely with a STUN enabled
> ATA/softphoine without any configuration changes at all.

In theory yes, in practice not always. I have a Sipura 2000 that flatly
refuses to connect without DMZ set.

Ivor

> In theory yes, in practice not always. I have a Sipura 2000 that flatly
> refuses to connect without DMZ set.
>
> Ivor
>

What are the symptoms? Can you call out? Can someone call you? Do you
hear nothing but the other end does, or vice versa? What diagnostics such
as line trace do you have?

This sounds very much like a poorly implemented box which personally, I'd
return. Since other ATAs work fine without me needing to tweak my router, I
would expect this one to as well.

Paul "very picky" DS

On Wed, 13 Jul 2005 13:14:28 +0100, "Paul D.Smith"
<paul_d_smith@x-hotmail.com> wrote:

>> In theory yes, in practice not always. I have a Sipura 2000 that flatly
>> refuses to connect without DMZ set.
>>
I also have Sipura (2100) which works well as ATA and as router when
connected directly to NTL cable modem. Have tried everything I know of
(DMZ, port forwarding..) with Sipura behind Dell Truemobile 1184
router and can make calls and be heard but cannot hear the person at
the other end. For now I can settle for the first configuration but
would love to get Sipura working behind the router.

"James Ikom" <ikomj@hotmail.com> wrote in message
news:dqdad1pt486k5lqa0oputior1fdeu5t0he@4ax.com...
> On Wed, 13 Jul 2005 13:14:28 +0100, "Paul D.Smith"
> <paul_d_smith@x-hotmail.com> wrote:
>
>>> In theory yes, in practice not always. I have a Sipura 2000 that flatly
>>> refuses to connect without DMZ set.
>>>
> I also have Sipura (2100) which works well as ATA and as router when
> connected directly to NTL cable modem. Have tried everything I know of
> (DMZ, port forwarding..) with Sipura behind Dell Truemobile 1184
> router and can make calls and be heard but cannot hear the person at
> the other end. For now I can settle for the first configuration but
> would love to get Sipura working behind the router.

Have you got STUN SERVER TEST, enabled on the SIP config menu? Turn it
off.... and see how that goes.

On Wed, 13 Jul 2005 17:26:23 +0100, "Sven" <svenkalestinio@nospam.net>
wrote:

>
>"James Ikom" <ikomj@hotmail.com> wrote in message
>> I also have Sipura (2100) which works well as ATA and as router when
>> connected directly to NTL cable modem. Have tried everything I know of
>> (DMZ, port forwarding..) with Sipura behind Dell Truemobile 1184
>> router and can make calls and be heard but cannot hear the person at
>> the other end. For now I can settle for the first configuration but
>> would love to get Sipura working behind the router.
>
>Have you got STUN SERVER TEST, enabled on the SIP config menu? Turn it
>off.... and see how that goes.
Thanks for the suggestion. Stun test enable was set to OFF by default.
I set it to ON and tried again but no difference. Any further
thoughts?
Thanks

Paul D.Smith wrote:
>> In theory yes, in practice not always. I have a Sipura 2000 that
>> flatly refuses to connect without DMZ set.
>>
>> Ivor
>>
>
> What are the symptoms? Can you call out? Can someone call you?
> Do you hear nothing but the other end does, or vice versa? What
> diagnostics such as line trace do you have?
>
> This sounds very much like a poorly implemented box which
> personally, I'd return. Since other ATAs work fine without me
> needing to tweak my router, I would expect this one to as well.
>
> Paul "very picky" DS

I think it's down to the router actually, rather than the Sipura, because
it works fine behind a Fritz!Box Fon which doesn't even have the option to
set DMZ.

Ivor

James Ikom wrote:
> On Wed, 13 Jul 2005 17:26:23 +0100, "Sven"
> <svenkalestinio@nospam.net> wrote:
>
>>
>> "James Ikom" <ikomj@hotmail.com> wrote in message
>>> I also have Sipura (2100) which works well as ATA and as router
>>> when connected directly to NTL cable modem. Have tried everything
>>> I know of (DMZ, port forwarding..) with Sipura behind Dell
>>> Truemobile 1184 router and can make calls and be heard but cannot
>>> hear the person at the other end. For now I can settle for the
>>> first configuration but would love to get Sipura working behind
>>> the router.
>>
>> Have you got STUN SERVER TEST, enabled on the SIP config menu?
>> Turn it off.... and see how that goes.
> Thanks for the suggestion. Stun test enable was set to OFF by
> default. I set it to ON and tried again but no difference. Any
> further thoughts?
> Thanks

With me, it worked fine with STUN TEST set to OFF, with it ON I got one
way audio, the other end could hear me but I couldn't hear them.

Ivor

> I think it's down to the router actually, rather than the Sipura, because
> it works fine behind a Fritz!Box Fon which doesn't even have the option to
> set DMZ.
>
> Ivor
>

Umm. I suppose that's possible. I wonder what router the OP has? Wait a
minute, perhaps the router is closing "unused" connections? To get through
routers/NATs/firewalls, the ATA will open pin-holes _outbound_ and the proxy
will send inbound calls through these pin-holes. I wonder if the router is
"helpfully" closing these pin-holes because of a lack of data traffic
through them whilst the ATA is sitting around waiting for a call?

If the OP can say which router, perhaps someone can tell us if there is such
a function, perhaps with a configurable timeout that can be tweaked, that
would do this?

Alternatively, maybe the Sipura can be tweaked to send traffic periodically
to keep the pin-holes open.

Paul DS.