
Internet Remote access using Draytek 1

Status
Not open for further replies.

OldAndKnackered

Programmer
Jan 10, 2007
353
GB
Afternoon Gents,

I've got a 500v2 on 8.1(67) with SIP trunks. I've managed to configure the Draytek to allow the SIP traffic through OK. I've also used Open Ports for 50790 - 50813 to allow remote access onto the system from the internet. What I was wondering was, is there a way on the Draytek to only allow external traffic from the SIP provider and the STUN server for the VoIP and from our office for the Remote access. I've set it so the Draytek itself can only be managed from the office, but I don't know about the rest.

Regards

Cat
 
Open the following ports to the IPO (In the Draytek: NAT > Open Ports):

5060-5090 UDP (SIP)
3478 UDP (STUN)
49152-53246 TCP/UDP (Voip & Remote management)

You can't set it to accept connections from a fixed IP because the Voip RTP stream is coming from your provider and the management is coming from your office, so 2 different IP addresses. So just leave it open.
 
Don't open/forward the STUN port, the whole point of STUN is to discover the type of NAT applied by your router, this will not be accurate and therefore pointless if you forward the port :)



"No problem monkey socks
 
Also you can use the system's IP Routes to ensure only your address and those of the SIP provider and STUN server are responded to externally, so you can do what you want :)



"No problem monkey socks
 
@ AM Riddle

So would that take the form of the address of the SIP provider, then the gateway it should use, and/or the LAN address that is doing the SIP?

E.g Address A.B.C.D
Mask whatever
G/W A.B.C.E
Dest LAN 2 ?
 
You put the specific address you want to reply to with a 32 bit mask, your router as gateway and whatever LAN port is connected to the network as the destination and repeat this for other addresses, then remove the 0.0.0.0 route but remember doing this will stop traffic to any address on the web not added :)



"No problem monkey socks
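
The route-based restriction described in the post above, modelled as an added example (not code from the thread or from Avaya). It does a longest-prefix lookup over a route table before and after the default route is replaced with /32 host routes; all addresses are constructed from documentation ranges, and the `LAN1` interface name and LAN subnet are assumptions.

```python
import ipaddress

# Constructed sample values (documentation ranges), not taken from the thread.
ROUTER = "192.168.1.1"          # assumed LAN address of the Draytek
SIP_PROVIDER = "203.0.113.10"
STUN_SERVER = "203.0.113.20"
OFFICE = "198.51.100.5"

def lookup(routes, dest):
    """Longest-prefix match. Returns (gateway, interface), or None if no route."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, gateway, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return None if best is None else (best[1], best[2])

def unreachable(routes, dests):
    """Destinations the system has no route to, so it cannot reply to them."""
    return [d for d in dests if lookup(routes, d) is None]

# Before: directly connected LAN plus the 0.0.0.0 default route via the router.
before = [
    ("192.168.1.0/24", None, "LAN1"),
    ("0.0.0.0/0", ROUTER, "LAN1"),
]

# After: default route removed, one 32-bit-mask route per trusted address.
after = [("192.168.1.0/24", None, "LAN1")] + [
    (f"{ip}/32", ROUTER, "LAN1") for ip in (SIP_PROVIDER, STUN_SERVER, OFFICE)
]

if __name__ == "__main__":
    probes = [SIP_PROVIDER, STUN_SERVER, OFFICE, "192.0.2.77", "192.168.1.50"]
    for name, table in (("before", before), ("after", after)):
        print(name, "-> no route to:", unreachable(table, probes))
```

Running the same probe list against a planned route table before removing the 0.0.0.0 entry shows which destinations would lose connectivity.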
 
Hi Amriddle,

STUN uses port 3478 to communicate with the requesting client. So leaving this port closed will result in no STUN detection, IMHO.
In fact, I've seen this happen once or twice where port 3478 was closed and thus resulting in no STUN communication whatsoever.

 
Traffic initiated from the inside shouldn't be getting blocked as it's trusted, port blocking and redirection is usually an inbound thing and if it's blocked on return then it reports that fact in the STUN result, that's the point :)



"No problem monkey socks
 
See if you can use SIP ALG on the Draytek rather than STUN. We use this with Gamma trunks and seems to work well. But also have various sites using both ways!

Drayteks are not the most robust and feature rich routers in the world. We binned ours for Sonicwalls and they seem much better. They can also limit the port forwarding to particular addresses.

I've never forwarded the STUN port for any site

Jamie Green

Avaya Registered Specialist Engineer
 
Gamma suck IMHO, a decent SIP provider doesn't need any port forwarding or STUN, their SBC does all the work and that's regardless of router being used :)



"No problem monkey socks
 
We find Gamma to be good and their techs very helpful TBH. Far better than our old choice of Voiceflex, who do suck!!!!!!

They don't need STUN and prefer not to have it.

Apart from battling the IT support peeps I don't see anything wrong with port forwarding. Don't have experience with SBC provided trunks.

You're starting to sound like Sean Andy!!!!!!!!! ;-)

Jamie Green

Avaya Registered Specialist Engineer
 
Well we are a SIP provider just as he is, so that's probably why :) But all you do with trunks that have SBCs involved is enter the trunk details and make sure your IP route is in place (as with any SIP trunk) and that's it, it finds its way through no problem. :)



"No problem monkey socks
 
BTW yes Gamma tech support are very helpful, it's just their implementation of trunks I don't like, they don't need to do it that way :)



"No problem monkey socks
 
Well we are a SIP provider just as he is, so that's probably why But all you do with trunks that have SBCs involved is enter the trunk details and make sure your IP route is in place (as with any SIP trunk) and that's it, it finds its way through no problem.
We do the same and it is very easy to implement because of the dedicated DSL or ethernet connection to the SBC.


BAZINGA!

I'm not insane, my mother had me tested!

 
jamie77 said:
You're starting to sound like Sean Andy!!!!!!!!!

That's my boy :)

Also, SIP ALG? Why would you do that? For a trusted SIP trunk this screws your nice NAT rule by making the source ports for the SIP traffic random and not 5060 any more. Nasty.....

ACSS - SME
General Geek

 
Works for us!!!!

Jamie Green

Avaya Registered Specialist Engineer
 