Exclude a port, say 5060, from NAT function?

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Author Message
DWCruiser
DD-WRT Novice


Joined: 15 Aug 2016
Posts: 14

PostPosted: Sun Aug 02, 2020 8:22    Post subject: Exclude a port, say 5060, from NAT function? Reply with quote
Hi,

Is it possible to exclude port 5060 from NAT? If so, can you please show me how?

What i want is for the VoIP phone to work. It's built into my ISP router, and the ISP router is placed behind the (gateway) DD-WRT router.

Constraints:

1. I understand that DD-WRT router does not have sort of a SIP ALG button which can simply be turned off . This would solve the issue of the VoIP not ringing on subsequent incoming calls.

2. My ISP does not give out details of SIP phone as they think we are too dumb to know how to use it.

(Putting the ISP router into a separate VLAN does not work because of NAT and SIP ALG)

Many thanks.
Sponsor
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5703
Location: Akershus, Norway

PostPosted: Sun Aug 02, 2020 9:15    Post subject: Reply with quote
Do Port forward or set the ISP router in the DMZ.

https://kb.intermedia.net/Article/3034
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8142

PostPosted: Sun Aug 02, 2020 15:11    Post subject: Reply with quote
To be precise, you're not excluding the port(s) from NAT. You always need NAT because your router always needs to convert the local IP of your VOIP adapter (and other devices) to the public IP of the WAN. That never changes. But if you need to allow remote devices/systems to initiate connections over certain ports on the WAN (which is normally blocked), then as PYB suggests, you need to port forward those ports (or else DMZ the VOIP adapter).

Only problem w/ DMZ is that it exposes *all* ports to the target device. And if the device doesn't have a good firewall, it *might* be subject to hacking.

Frankly, I'm surprised these days that so many VOIP providers still requires port forwarding. My own (OOMA) avoids the issue entirely by establishing a secure, encrypted tunnel between the VOIP adapter and the remote service provider w/ OpenVPN. Problem solved.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
DWCruiser
DD-WRT Novice


Joined: 15 Aug 2016
Posts: 14

PostPosted: Mon Aug 03, 2020 3:27    Post subject: Reply with quote
Per Yngve Berg wrote:
Do Port forward or set the ISP router in the DMZ.

https://kb.intermedia.net/Article/3034


Thank you so much for that.

I've tried Port Forwarding. The VoIP phone rings on the first two incoming calls. After that, it does not ring on subsequent incoming calls.

Your linked article gives out quite a number of variables which i'll see if they make a difference.

I also came across another article at "https://www.nextiva.com/blog/disable-sip-alg.html' which gives up on DD-WRT. 'Crying or Very sad' . My question above is very much a wild guess based on this article suggesting 'no ip nat service sip tcp port 5060' on Cisco.

My ultimate desire is to isolate the VoIP/router from the rest of my LAN. But maybe it cannot be done.

Thanks again so much much for your help.
DWCruiser
DD-WRT Novice


Joined: 15 Aug 2016
Posts: 14

PostPosted: Mon Aug 03, 2020 3:54    Post subject: Reply with quote
eibgrad wrote:
To be precise, you're not excluding the port(s) from NAT. You always need NAT because your router always needs to convert the local IP of your VOIP adapter (and other devices) to the public IP of the WAN. That never changes.


I think i understand what you mean. At the same time, the following somehow explains why my VoIP fails to ring on subsequent incoming calls.

Problems with incoming calls show up due to the ‘Register’ request in the UA feature of SIP proxies. This request is used to localize and reach the user who needs to receive the incoming call.

The problem starts when the SIP ALG rewrites the ‘Register’ request. This results in the proxy being unable to detect the NAT, in turn preventing incoming calls from reaching the desired destination.


(from https://www.nextiva.com/blog/disable-sip-alg.html )

But DMZ works fine.

Quote:

I'm surprised these days that so many VOIP providers still requires port forwarding. My own (OOMA) avoids the issue entirely by establishing a secure, encrypted tunnel between the VOIP adapter and the remote service provider w/ OpenVPN.


I have been using a VoIP service for >10 years. It does not need Port Forwarding as you said. But our traditional Telecom company (Telstra) is a rather late player in providing VoIP services. Hence its peculiarities.

Thank you.
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum