
Port Forwarding for external VOIP access? 1

EustaceLufgren (Technical User)
Sep 19, 2005
OK, I am using a BCM internally...I forget the model, either 200 or 400. We bought seats for the VOIP access and want to use the i2050 softphone for travelling users. Problem is, our subnet is 192.168.1.0/24, a very common private subnet range. This makes using the VPN client that comes with our firewall (a Watchguard Firebox X15 Edge) impossible when the same subnet is in use in the external client environment, like a hotel or wifi hotspot. Changing our internal subnet is highly undesirable due to a host of statically configured devices and all the client computers with static links to them. Additionally, the VPN client has proven unreliable...sometimes it works, sometimes it doesn't, giving cryptic error messages in the firewall log.

So what I want to do is set up port forwarding. In fact, I've already done so. I took port 7000 and forwarded all TCP and UDP traffic coming in from outside to the local IP of the BCM (192.168.1.15). Well, it doesn't work. I've scoured the manuals and can't find any info on this. Is it trying to communicate over another port? The client computer is set up to use port 7000 and connect to a BCM device, and it's addressed to the firewall's external IP address.

Is there another way to do this? I really want to avoid having to use the VPN client. I also MAY be able to run a line from our router to the switch and configure the BCM with an external address (i.e. 64.xxx.xxx.xxx). Would this be advisable? It would be nice if I could set this up, and then only allow VOIP on that interface, and just use the NIC set up for internal access for administration. Although, if possible, some sort of port forwarding system would be ideal. We've already set this up for Terminal Services and it works great. Any advice? Thanks very much.
 
There's no way...
Port 7000 is just for registration.
Speech uses dynamically allocated port numbers for RTP traffic. You may get ONE phone working.
 
Thanks for the reply! I got into the BCM and it listed "PortRanges" or something like that under IP telephony. It was set at 28000 to 28511. I got into my firewall and forwarded UDP and TCP traffic to the BCM. Still no dice...you mention RTP traffic...do I need to be forwarding those packets instead of UDP or TCP, or does RTP use UDP?
 
The ports listed under "Port Ranges" are the ports the IP Phones use for RTP traffic (right, RTP is based on UDP).
The first registered phone uses the first port, the second registered phone should use the second port and so on. But this does not always apply and that's the problem. If one phone loses connection and registers again it may allocate a new port. You always have to change this in your firewall/NAT configuration.
 
Great...thanks for the info. However, I've got them all forwarded (the full range) and I still can't make a connection between the client and server. Any other suggestions? Is there another mystery port out there?
 
There have been many attempts to get this to work without VPN. So far there has been no one who has had it working all of the time. The trend seems to be people get the phone registered but get one-way speech calls.

Good Luck

Marshall

 
In that case, does anyone have any recommendations on how to configure the network so I can avoid changing the local subnet? If I gave the BCM a public static IP address, would that work, or is that less desirable than a VPN?
 
That would work if you want your phone system sitting on the internet like a bait pile, waiting for folks to attack it. Granted, you've got 32 firewall filter rules you can configure, but still not the best use for the box.

Get a VPN - much simpler and more secure for what you want to do.
 
Sorry - didn't read that you already have a VPN in place with a possible subnet conflict. Just re-read my post and your original description.

Either way, NAT won't work unless all firewalls between the PC and the BCM are "VOIP" aware and support bidirectional (or cone) NAT. If the BCM was on a public address, and your PC was on a public address, things would be OK, except that it's a huge security hole for your BCM as well as your client PC.

Not sure if there is an easy way around this unless you had a separate VPN for just VOIP, which wouldn't be practical.

 
You should be able to get your VPN to work. When you connect you can delete the route from the routing table and re-create it as the tunnel being the gateway.

I've had to do this before on my laptop and never had an issue.

e.g.:
Office network: 192.168.1.x/255.255.255.0

When at a Hotel you get IP: 192.168.1.50.

When you vpn you get IP: 192.168.1.100

When connected, go to DOS and enter these 2 commands:
1. ROUTE DELETE 192.168.1.0
2. ROUTE ADD 192.168.1.0 MASK 255.255.255.0 192.168.1.100

If it doesn't work, then just reboot and give up. (This won't break anything)
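The two ROUTE commands above, automated as an added example (not from the poster): it looks up the address the VPN assigned instead of hard-coding 192.168.1.100, so the user does not need to know the current IP. It assumes a Windows 8 / Server 2012 or later client (NetTCPIP cmdlets) and a VPN adapter whose interface alias is "OfficeVPN" (placeholder).

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session after the VPN has connected. Office subnet from the thread:
# 192.168.1.0/24, which collides with the hotel LAN the laptop is on.

$VpnAlias   = 'OfficeVPN'       # ASSUMPTION/placeholder: check with Get-NetAdapter
$OfficeNet  = '192.168.1.0'
$OfficeMask = '255.255.255.0'

# Discover the tunnel address the VPN handed out (the post's 192.168.1.100),
# so the script works whatever address the VPN pool assigns this time.
$vpnIp = Get-NetIPAddress -InterfaceAlias $VpnAlias -AddressFamily IPv4 -ErrorAction Stop |
         Select-Object -First 1 -ExpandProperty IPAddress
if (-not $vpnIp) { throw "No IPv4 address on '$VpnAlias' - is the VPN connected?" }

# Step 1 from the post: drop the route the hotel LAN installed for 192.168.1.0/24.
route.exe DELETE $OfficeNet MASK $OfficeMask | Out-Null

# Step 2 from the post: re-create it with the tunnel endpoint as the gateway,
# so office traffic (BCM, i2050 registration and RTP) goes through the VPN.
route.exe ADD $OfficeNet MASK $OfficeMask $vpnIp | Out-Null

# Let the user confirm which gateway now carries office traffic.
route.exe PRINT $OfficeNet
```

As in the post, nothing here persists across a reboot (no -p flag), so a reboot returns the laptop to its default routing.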
 
Excellent suggestions...I will try and simulate that, see if it works. However, getting the company president to do that would be a bit of a stretch. I might be able to script something to do it for him but, then again, I'd have to have the current IP address.

I think my two remaining options appear to be either go ahead and make a system-wide subnet change or get another Firebox to use for a distinct (unique) subnet just for the VOIP. I guess it's just an issue of pitting cost of firewall vs. cost of labour.
 
Depends on the features of your VPN client, with ours we use static IPs so I was able to write a script that is called automatically when the user connects.

I have a hard enough time trying to get some users to understand how to connect their VPN client, let alone asking them to mess around with routing tables.
 
We have 11 sites with a mix of BCM200s and BCM400s; they are all connected to each other with Contivity Switches for VPN and VoIP. At one point our main location was set up with a BCM400 with a public IP on the DMZ zone of our firewall, blocking all traffic except VoIP, and on the edge firewall we allowed internet traffic to this host so all of our employees could use their softphones without connecting to the VPN. We knew that this was not a safe way to use VoIP because the traffic can be intercepted via the internet, so now all of our users use SSL VPN to our network and then connect their IP phones to the BCM; all traffic is now secured via the SSL VPN.
 
I have a similar problem with our BCM. We are a smallish business and many people work from home; BT sold us the system by telling us those people would be able to have extensions at home using VoIP (we have IP Phone 2002 handsets), but I have had to use Internet Connection Sharing and plumb the phones via a computer to get them to connect via the VPN, and obviously if the user turns the computer off or disconnects from the VPN the phone no longer works.

Can anyone recommend a reasonably priced gateway router/box which would connect to the VPN (without needing a computer; we use the VPN built into Windows SBS 2003) and then the IP phone would plug into that? Or any other "idiot"-proof solutions, as many users struggle with the whole must-be-connected-to-the-VPN issue!
 