Viewing 12 posts - 1 through 12 (of 12 total)
  • Router Firewall Gurus!
  • alexxx
    Free Member

    I’ve got a question for the STW geek collective.

    I’m on an “Orange Livebox” out here in France and the menu system is pretty pants as I’m used to Netgear router styling of port forwarding etc…

    There is nothing specific I can see on port forwarding other than firewall rules “low, medium, high and customized” the customized version takes the default high settings and allows you to add rules..

    Not bad but it doesn’t appear the rule I am adding works! I’ve got a Siemens C475 IP phone that only works on low firewall mode but when it’s on customised with port 5060 open it doesn’t work… any ideas? And any ideas how I can work out what the “medium firewall” settings are to throw into the customized panel as I don’t think I need high… descriptions below:

    Low
    The firewall does not filter anything. Be careful, this level is reserved to advanced users to whom security is not a priority. Note also that even in this mode, a connection iniated from Internet will not be permitted if a NAT/PAT rule is not created on purpose.

    Medium
    The firewall drops all entering connections. This parameter is recommended against certain types of dangerous data travelling over the Internet. Outcoming traffic is allowed except Netbios services.

    High
    The firewall allows the exit of standard services (www,ftp,mail,news,…) and drops not expected entering connections. This setting is recommended to have a maximal security level.
    Warning : incompatible with Unik.

    Customized
    This profile allows the customization of the high profile describe above. You can also define some additional specific filtering rules. (Reserved to expert users).

    woody2000
    Full Member

    I bet it uses something other than TCP – are you sure it’s a TCP port you need to open? UDP maybe?

    alexxx
    Free Member

    udp is the port but it says “udp” or “tcp” or “both” so I set it to both for 5060 – I’ve given the phone a static IP also so I can point it to that but in the firewall rules there are quite a few options so I left it blank, i.e. “open on all”, for now... the options are

    Source IP address
    Mask IP address
    Destination IP address
    Mask IP address

    I currently have destination port and source port as 5060

    Russell96
    Full Member

    Common thing on home routers and IP Phones/Soft Phones is that the routers have Application Level Gateways for various services, one of which is for SIP. Idea is that the ALG should help in solving any NAT related problems, however in lots of cases the softswitch that your phone is registering to is a lot better at solving NAT issues than a very cheap in comparison home router, also a lot of the routers’ SIP ALGs really mangle up the packets. Try turning off the SIP ALG before you go about trying to punch holes in your firewall.

    http://www.voip-info.org/wiki/view/Routers+SIP+ALG

    Also for SIP phones if you do end up opening up things in your firewall then there is usually a whole pile of TCP/UDP ports involved. Quick Google brings up these as common ports for Siemens IP phones.

    Port Type   Number      Service
    UDP         53          DNS PORT
    UDP         3478        STUN SERVER COMMUNICATIONS
    UDP         5060/61     SIP COMMUNICATIONS (plus custom ports)
    UDP         5082        SIP COMMUNICATIONS (OUTBOUND PROXY)
    UDP         5004-5020   RTP,RTCP,VOICE
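
One way to check whether a router's SIP ALG is rewriting packets, as the post above describes, is to capture the same SIP message on the LAN side and the WAN side of the router and diff the address-bearing fields. This is an added example, not part of the original post; it assumes both captures contain the same headers in the same order, and every message and address in it (including the RFC 5737 documentation address 203.0.113.7) is constructed sample data.

```python
# Added example: spot SIP ALG rewriting by diffing one message as the phone
# sent it (LAN side) against the same message after the router (WAN side).
# Every address and message below is constructed sample data.
ADDRESS_FIELDS = ("via", "contact", "o=", "c=", "m=")

def parse_sip(raw):
    """Split a SIP message into (start_line, [(name, value)], [sdp_lines])."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, [l for l in body.split("\n") if l]

def alg_rewrites(lan_raw, wan_raw):
    """Return [(field, lan_value, wan_value)] for address fields that changed."""
    _, lan_h, lan_sdp = parse_sip(lan_raw)
    _, wan_h, wan_sdp = parse_sip(wan_raw)
    changes = []
    for (name, lan_v), (_, wan_v) in zip(lan_h, wan_h):
        if name in ADDRESS_FIELDS and lan_v != wan_v:
            changes.append((name, lan_v, wan_v))
    for lan_l, wan_l in zip(lan_sdp, wan_sdp):
        if lan_l[:2] in ADDRESS_FIELDS and lan_l != wan_l:
            changes.append((lan_l[:2], lan_l, wan_l))
    return changes

LAN_MSG = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776\r\n"
    "Call-ID: constructed-1@192.168.1.50\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 192.168.1.50\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "m=audio 5004 RTP/AVP 8\r\n"
)
# Constructed ALG behaviour: Via, Contact and c= rewritten, o= left private.
WAN_MSG = (LAN_MSG
    .replace("UDP 192.168.1.50:5060", "UDP 203.0.113.7:1024")
    .replace("alice@192.168.1.50:5060", "alice@203.0.113.7:1024")
    .replace("c=IN IP4 192.168.1.50", "c=IN IP4 203.0.113.7"))

if __name__ == "__main__":
    for field, before, after in alg_rewrites(LAN_MSG, WAN_MSG):
        print(f"{field:8} {before}  ->  {after}")
```

An empty result means the router passed the message through untouched; a partial rewrite like the one modelled here, where `c=` changes but `o=` keeps the private address, is the kind of inconsistency that confuses the far end.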

    xiphon
    Free Member

    NAT is a massive headache for VOIP. I remember a sharp learning curve when dealing with VOIP about 8 years ago – rolled out our own SIP registration server, instead of using the [unreliable] public servers.

    Good informative post though Russell96 🙂

    molgrips
    Free Member

    Can you not replace the livebox? I didn’t think Orange would let you, but they do give out the settings so you can. We don’t use ours.

    Orange France might be different of course.

    alexxx
    Free Member

    Thanks Russell, I’ll open them up – I can’t see anywhere to turn the SIP ALG off or even any mention of it? The router is used by another company who have an Orange landline going into it also so don’t want to mess too much with their setup other than open stuff up – do you think the SIP ALG would affect them?

    alexxx
    Free Member

    Perfect, OK, the customisation worked – and now the phone’s on! However problem number 2! It appears Battlefield 3 now won’t work so I googled the TCP/UDP ports to open and did all that and restarted the router but no joy of getting into the game… doh! Any way of customising the firewall so it’s more like medium security, i.e. is there a way to open a bulk number of safe ports that may be affecting it?

    alexxx
    Free Member

    Can’t get Battlefield to work on these customised settings with loads of ports opened – and apparently you can’t have more than 23 custom rules so that’s me limited!

    What is the main issue with setting the router’s firewall to low?

    Low
    The firewall does not filter anything. Be careful, this level is reserved to advanced users to whom security is not a priority. Note also that even in this mode, a connection iniated from Internet will not be permitted if a NAT/PAT rule is not created on purpose.

    What will happen to me?

    sharkbait
    Free Member

    you could always open the Orange box up completely (i.e. allows everything in) and then add a hardware firewall on the inside of your network.
    A little extreme but probably safer and would do the trick.

    Russell96
    Full Member

    SIP ALG on some routers is a command-line-only option; you have to Telnet to the router’s management IP address instead. For games consoles (I assume that’s the case for BF3) have you tried turning UPnP on instead of opening a whole pile of ports?

    alexxx
    Free Member

    Not buying a hardware firewall but thanks for the suggestion – also Battlefield and the phone both work with the settings on low for the firewall but is this safe enough?

    UPnP is on but doesn’t seem to help the issue.
    SIP ALG – not sure how to telnet so best not!


The topic ‘Router Firewall Gurus!’ is closed to new replies.