Solved ASUS GT-AXE16000 Port Forward for VOIP; DMZ or Not?

[EtheAv8r]

I am preparing to Port my UK Landline with BT to VOIP with my new FTTP provider. The switchover from BT Halo 3 FTTC service was completed a few months ago and is working fine. I had to delay the porting of my landline over to VOIP until my contract with BT ended to avoid penalty charges. The new ISP has not charged me at all for the new 600/600 FTTP Internet connection until the BT contract has ended.

The ISP router is in Bridge Mode and connected to my ASUS GT-AXE16000 router. I have installed a Gigaset Fusion FX800W Base unit wired directly to the router and given it a reserved IP address. As I am not using the ISP provided VOIP kit (outdated and basic Gigaset N300AIP) or their provided Router, I am on my own for configuration, they say they will help "if" they can with non provided by them, kit.

I have setup 2 Port Forward rules in the ASUS router:

• SIP Signalling ports 5060 to 5070 with the Gigaset Fusion IP address
• RTP Audio ports 8766 to 35000 with the Gigaset Fusion IP address

Do I also need to put the Gigaset Fusion IP address in a DMZ or should I leave in as part of the internal LAN?

Many thanks....

 

[RMerlin]

You should not forward any port to use an IP phone.

 

[Tech9]

I also have VoIP ATA in use and it works with no port forwarding, but this device perhaps offers extra features with specific requirements.

Gigaset Fusion: The innovative and elegant all-in-one phone system

The Gigaset Fusion is a combination of a desk phone, DECT base station and mini telephone system all in one device.

www.gigaset.com

I would follow the setup recommendations if this is the case. At least test it behind router's firewall first and see what works and what doesn't.

 

[EtheAv8r]

OK, thanks, port forward rules removed. I am running Merlin firmware.

 

[sfx2000]

You should not forward any port to use an IP phone.

Depends - with SIP phones, if one gets ring, but no audio...

SIP is TCP, but the RTP audio is UDP...

Is SIP ALG still a thing with AsusWRT these days?

 

[RMerlin]

Depends - with SIP phones, if one gets ring, but no audio...

SIP is TCP, but the RTP audio is UDP...

Still shouldn't need to forward any port. I have two VoIP lines, one connected to a Grandstream VoIP phone (for work) and another to a Cisco ATA (for home). No port forwarding required for either of them.

Is SIP ALG still a thing with AsusWRT these days?

I don't know if Asus ever fixed it on their end (used that you could either actively block SIP traffic, or allow it but be forced to load the SIP ALG which breaks SIP). In Asuswrt-Merlin, you can either block the traffic, allow it (which is the default setting), or allow it and load the SIP ALG helper. I fixed that quite a few years ago.

Those ALG helpers need to be removed from the firmware, as they are not only obsolete, but they will break things if loaded (like SIP for instance). I'll probably have to talk to them about it at some point. Newer models based on kernel 4.x even get a boot time syslog entry indicating that these helpers are obsolete and should no longer be used.

 

[sfx2000]

Still shouldn't need to forward any port. I have two VoIP lines, one connected to a Grandstream VoIP phone (for work) and another to a Cisco ATA (for home). No port forwarding required for either of them.

What's interesting is that I also have a VoIP phone, along with mobiles that support Voice over WiFi from the Carriers...

What's common is they all do L2TP tunnels from the client to the back orfice...

This makes it easy, as there is not TCP/UDP ports to expose...

 

[sfx2000]

Those ALG helpers need to be removed from the firmware, as they are not only obsolete, but they will break things if loaded (like SIP for instance).

Agreed - still, there are edge cases, unfortunately, need ALG support perhaps...

It's a 10 percent problem, which means likely they'll keep it in...

 

[RMerlin]

Agreed - still, there are edge cases, unfortunately, need ALG support perhaps...

I would expect anything manufactured in the past 10 years to be able to work without ALG. Even my my old SPA112 has all the STUN and NAT traversal options required to work properly through NAT.

That antique SPA112 is finally getting retired this week - it frequently randomly stops registering when issues using TLS, where for a few days I end up forced to disable TLS. I decided I had enough when it did it again last night at 2 am while I was working on something else. Got a Grandstream HT802 coming this week to replace it.

 

[EtheAv8r]

Depends - with SIP phones, if one gets ring, but no audio...

SIP is TCP, but the RTP audio is UDP...

Is SIP ALG still a thing with AsusWRT these days?

The reason I set up the port forward is because that is the recommendation in lots of online info on setting up SIP phones.

 

[OzarkEdge]

The reason I set up the port forward is because that is the recommendation in lots of online info on setting up SIP phones.

If your SIP device maintains registration with a VoIP server in the cloud, then the server will know where your device is for delivering inbound calls, and your router NAT will see that they get to your LAN SIP device. Port forwarding is not required.

I also disable WAN\SIP Passthrough on the ASUS router to prevent one-way audio.

OE

 

[sfx2000]

I would expect anything manufactured in the past 10 years to be able to work without ALG. Even my my old SPA112 has all the STUN and NAT traversal options required to work properly through NAT.

I agree - and most modern gear can do NAT traversal without any addtional efforts...

Regarding ALG's - concur that it was a stopgap solution for it's day, and not really needed - I think it's one of those things that it's easier to keep in place, as it might be more work to remove it from a QA perspective - QA engineers potentially would have to rewrite 100's of test cases for a feature removal.

 

[EtheAv8r]

If your SIP device maintains registration with a VoIP server in the cloud, then the server will know where your device is for delivering inbound calls, and your router NAT will see that they get to your LAN SIP device. Port forwarding is not required.

I also disable WAN\SIP Passthrough on the ASUS router to prevent one-way audio.

OE

Do you mean this, which is enabled by default in the Merlin Firmware?

 

[RMerlin]

Do you mean this, which is enabled by default in the Merlin Firmware?

Set it to "Enabled" but NOT with NAT helper.

 

[EtheAv8r]

Set it to "Enabled" but NOT with NAT helper.

OK, thank you, I will. Porting day is 1st March, I will report beck with how it goes.

 

[RMerlin]

Amazon delivered my new ATA today (Free delivery: Thursday. $9 delivery: Monday. I decide not to pay: still arrived Monday.)

 

[EtheAv8r]

Well as a wrap-up, today County Broadband emailed me the SIP Connection setup parameters at 10:30. With nothing in the Router regarding Port Forwards etc and "Enabled" but NOT with NAT helper set as per RMerlin above, I setup my new Gigaset Fusion base unit with the parameters and clicked Save, and that was it. less than a minute later I received a test call from County Broadband and all works perfectly. Inbound ands outbound call all good with no issues anywhere, both DECT remotes working perfectly.

So thanks for the advice, and goodbye BT!