Port triggering vs forwarding

Posts: 11 · Vonage Forum Associate Joined: Dec 30, 2008 Posts: 11

Tech support suggested I disable my firewall to stop the frequent one-way calls I've been getting. I said no way, so now they suggest port forwarding. Don't want to do that either 'cuz it would leave the port open to the entire Internet all the time.

My Netgear WNR3500 router allows Port triggering. Will that accomplish what TS wants?

Another question is if TS is on the right track here at all. The problem is with outgoing calls in which the called party can't hear me. I rarely get incoming calls on Vonage. I've done all the speed checks, pinging, tracking, etc., and today I changed the port on my phone adapter... the standard TS drill I imagine. Have no idea whether any of this will work, as the problem is intermittent.

TIA
Ed

Posts: 656 · Posted: Sat Jun 27, 2009 7:45 pm Post subject:

About 90% of all audio issues related to Voip is the customer's own firewall / NAT Router. So if you have a consistent 1 way audio issue, it is most likely the firewall blocking RTP packets to the new IP assigned to the audio session.

If you choose not to disable the firewall, which I suggest you do for at least a short test period, you will most likely not resolve the issue with Port Forwarding or Port Triggering since you will still be NAT'd and your firewall will still be inspecting traffic. There are 3 other options.

1) Place the WAN IP of the Vonage adapter into the DMZ of your router. If it is a true DMZ, it will place the Vonage adapter outside of your firewall.

2) Place the Vonage adapter between your modem and your router.

3) Cancel Vonage since this issue is caused by your own hardware and is not something that Vonage support can fix for you unless you are willing to modify your router's security.

Posts: 11 · Vonage Forum Associate Joined: Dec 30, 2008 Posts: 11

VonTechMgr wrote:

About 90% of all audio issues related to Voip is the customer's own firewall / NAT Router. So if you have a consistent 1 way audio issue, it is most likely the firewall blocking RTP packets to the new IP assigned to the audio session.

If you choose not to disable the firewall, which I suggest you do for at least a short test period, you will most likely not resolve the issue with Port Forwarding or Port Triggering since you will still be NAT'd and your firewall will still be inspecting traffic. There are 3 other options.

1) Place the WAN IP of the Vonage adapter into the DMZ of your router. If it is a true DMZ, it will place the Vonage adapter outside of your firewall.

2) Place the Vonage adapter between your modem and your router.

3) Cancel Vonage since this issue is caused by your own hardware and is not something that Vonage support can fix for you unless you are willing to modify your router's security.

Well, that's far more straightforward than what I've been getting from TS. I'm definitely leaning toward option 3. The problem with 1 is, according to the documentation for my router, is a DMZ server basically defests the firewall, making my network vulnerable to being exploited on the Internet. That's not worth the risk. The problem wit 2 is it compromises the bandwidth of my DLS. As I understand it, one advantage of a router, as oppsed to a switch, is the bandwidth is routed entirely to the current use rather than being shared. Thus by putting Vonage outside the router I compromise other usage of my network. Good for Vonage, bad for me. I'm going to compare my last 6 months of calls with what they would have cost if I went back to ATT.

When you say this not something Vonage can fix, I have to agree. I would go further and say that it's something no Voip service can fix. I do not consdier it an issue is caused by my own hardware. I doubt that the typical Vonage user has any better. IOW, if it has this shortcoming for me, it's a shortcoming for many other users, perhaps swept under the edge of the carpet.

Thanks.

Ed

Posts: 656 · Posted: Sat Jun 27, 2009 10:21 pm Post subject:

I would agree with you on the bandwidth issue if the Vonage device is between the modem and router as it will prioritize a great portion of your overall bandwidth when a phone call is Active.

On the other hand, I feel you may not fully understand the DMZ. Yes this does place a single LAN IP outside of the firewall and makes this IP appear to not be NAT'd but it has no risk at all to your network. Think of it as not having the Vonage device at all. As long as ICMP is disabled on your routers WAN port, you feel a sense of security since someone running an IP / Port scanner will not see a live host. Well, the same thing goes for the Vonage adapter. By default ICMP is disabled on the WAN port so by placing this outside the DMZ, it is just as invisible to the internet as your router. It will not respond to ICMP so an IP scanner will not see it. The only thing that will be visible is UDP port 10000 which is not different then if it were behind the router without the DMZ.

The reason I say it's your hardware, and I don't just mean "YOUR" hardware. In general, the basic user who has audio issues does not understand that Voip functionality and quality is highly dependent upon their own hardware, bandwidth, priority of said bandwidth, the quality on the ISP node, the amount of traffic on the ISP node, path between Voip adapter and Voip service provider's media servers.

Now in your case, in order to even receive audio, the first RTP packet of the audio session has to come from your device. The Vonage media relay will not send any RTP packets to you until it has received the first packet from you on the correct source IP and port that is found in the SDP of the initial SIP Invite. With that said, your issue of no outbound audio on outbound calls indicates that the issue is at your firewall since we know that at least 1 RTP packet gets from your Vonage adapter to the media relay. If it did not, you would have no audio at all. It also tells us that it is not a BGP routing issue of some sort because again, you have inbound audio which means at least 1 RTP packet has made it to the Vonage media relay.

So just to be clear, I was not indicating your hardware is shotty in anyway. Just stating the root cause of your audio issue is definitely the firewall. And to your point, other users don't have better or worse. It's the same all around. So when people read how bad Vonage service is, they don't take the chance to fully understand how Voip works and where the majority of problems are. They just come to find that it is not their 130 year old copper analog telephone service where you just plug a phone into the wall and like magic, it work perfectly. Most negativity comes from those who just will not understand because they don't want to and are not willing to take the time to. It is just easier to bash Vonage and go back to the old phone service provider then try to find a solution.

Posts: 48 · Posted: Sun Jun 28, 2009 10:51 am Post subject:

VonTechMgr wrote:

There are 3 other options.

There is, perhaps, a fourth option to consider: Change routers.

I've had two different Voip adaptors (RTP-300 and VDV21-VD) behind three different (two Linksys and one D-Link) routers over a period of four years and not had any problem (of this sort, anyway) with Vonage Voip.

Posts: 11 · Vonage Forum Associate Joined: Dec 30, 2008 Posts: 11

VonTechMgr wrote:

I would agree with you on the bandwidth issue if the Vonage device is between the modem and router as it will prioritize a great portion of your overall bandwidth when a phone call is Active.

So it has no effect when the phone is not in use?

VonTechMgr wrote:

On the other hand, I feel you may not fully understand the DMZ. Yes this does place a single LAN IP outside of the firewall and makes this IP appear to not be NAT'd but it has no risk at all to your network. Think of it as not having the Vonage device at all. As long as ICMP is disabled on your routers WAN port, you feel a sense of security since someone running an IP / Port scanner will not see a live host. Well, the same thing goes for the Vonage adapter. By default ICMP is disabled on the WAN port so by placing this outside the DMZ, it is just as invisible to the internet as your router. It will not respond to ICMP so an IP scanner will not see it. The only thing that will be visible is UDP port 10000 which is not different then if it were behind the router without the DMZ.

OK, I've defined a fixed LAN IP address for the Vonage adapter and defined it to be the default DMZ server. Is that all that is required?

Is there some test I can do to determine if this solves my problem? Just making calls is not enlighting because it is an itermittent problem.

VonTechMgr wrote:

So when people read how bad Vonage service is, they don't take the chance to fully understand how Voip works and where the majority of problems are. They just come to find that it is not their 130 year old copper analog telephone service where you just plug a phone into the wall and like magic, it work perfectly. Most negativity comes from those who just will not understand because they don't want to and are not willing to take the time to. It is just easier to bash Vonage and go back to the old phone service provider then try to find a solution.

But without casting undue dispersions on Vonage, isn't it fair to say that the typical user doesn't have the capacity to understand the finer points of the technology? They just want the calls to be completed and reasonable voice quality. Yet, from what you have said, sometimes they don't get the basice service they signed up for, and to fix it they have to do things to their hardware/software that (a) are a bit beyond clicking icons on the desktop, and (b) APPEAR to go against common security principles. I see that as a problem with Voip rather than Vonage.

If I can probe a bit further, why does the problem we have been discussing (one-sided calls) not happen all the time when the SPI firewall is operating?

Thanks for youy help, and patience.

Ed

Posts: 11 · Vonage Forum Associate Joined: Dec 30, 2008 Posts: 11

Picsman wrote:

There is, perhaps, a fourth option to consider: Change routers.

I've had two different Voip adaptors (RTP-300 and VDV21-VD) behind three different (two Linksys and one D-Link) routers over a period of four years and not had any problem (of this sort, anyway) with Vonage Voip.

I did change routers. I don't think it had any effect. Hard to tell, though, since it has always been a spotty thing.

BTW, are you running a SPI hardware firewall?
Ed

Posts: 656 · Posted: Sun Jun 28, 2009 1:55 pm Post subject:

You may see a small decrease in bandwidth when the phone is not in use but when you are an an active call, your going to notice a loss in overall bandwidth to the point you may not be happy with.

A static IP on the Vonage adapter and placing that IP in the DMZ would be all that is required. After reading the specs on your model router, it does seem to be a true DMZ not like some of the other routers on the market. This should resolve your issue and the only way to test would be to make numerous phone calls.

You are 100% correct about your statement dealing with the common user and why Vonage does take a hit in the complaint department. Take the issues that are caused by the customer premise equipment and some of the deficiencies of the internet in general and your going to get one unhappy customer because they expect it to work out of the box. In most cases it does without any user intervention.

Without actually seeing a packet capture during an active call when the issue occurs, I cannot be sure but if I had to guess, I would say it comes down to a race condition.

The problem with SPI is that is modifies the headers in the SIP packets. Vonage has a built-in solution to deal with SIP and RTP through NAT. When the source IP of the IP packet header is 1 IP and the SDP / Contact headers are another IP, Vonage knows the user is NAT'd. When an SPI firewall rewrites Contact headers in SIP Registrations so that after the packet passes through the SPI enabled router, Vonage receives the SIP packet with the Contact header as being the Public IP which is the same as the IP header. Therefore user is seen as Not NAT'd. This is bad. Same goes for the SPI firewall rewriting the SDP in the SIP Invite or 200 OK.

On the SIP side, the 20 second quick Registration is meant to keep the pinhole through NAT open which is why port forwarding is not needed on a basic NAT router. When the user is treated as NAT'd, when an Invite on an outbound call or a 200 OK on an inbound call comes from the user, the Vonage media relay will not send any RTP packets until the first packet is received from the user so that the media relay knows what IP and port to send to.

If the SPI firewall rewrites the headers as mentioned and Vonage sees the user as Not NAT'd, the media relay will send RTP packets to the source IP of the SIP messaging and to the port in the SDP instantly. Normally the problem that may occur is that the DOS feature of the firewall will ban the media relay IP for the session since it sees a stream of packets coming from an unknown IP and will only allow the packets in once you start to send packets out. However, some routers are very flakey and can react differently depending upon hardware revisions and firmware.

It is possible that your router is allowing packets in which means you have to have sent at least 1 packet to the media relay on the correct IP and port but for some reason begins to restrict packets out. The issue may become intermittent depending upon whether out not your sent the first packet to the media relay or the media relay sent to you which is where the race condition comes in. And this is also why I am almost 100% sure your SPI is rewriting your SIP headers.

There is one other possibility that could cause an intermittent 1 way audio where no audio is being sent to far end. This would be in the case that there is a broken BGP route somewhere between your ISP and the IP handoff's they use to get to Vonage. Vonage has 4 outbound locations used for outbound calls and depending upon the number dialed, it may use a different location. Even dialing the same number many times may result in a different GW location used due to carrier failover. If this is the case, and your SPI firewall is rewriting the SIP headers, this could result in intermittent 1 way audio with no outbound RTP packet reaching Vonage. If your router is not rewriting SIP headers and this was the case, you would have no audio at all since Vonage would not send you any RTP until it received RTP from you.

Posts: 48 · Posted: Sun Jun 28, 2009 6:16 pm Post subject:

jagman wrote:

Picsman wrote:

There is, perhaps, a fourth option to consider: Change routers.

I've had two different Voip adaptors (RTP-300 and VDV21-VD) behind three different (two Linksys and one D-Link) routers over a period of four years and not had any problem (of this sort, anyway) with Vonage Voip.

I did change routers. I don't think it had any effect. Hard to tell, though, since it has always been a spotty thing.

BTW, are you running a SPI hardware firewall?
Ed

Running a D-Link DIR-625. Firmware version 3.07. It has SPI.