Topic # 100428 11-Apr-2012 15:33

I just thought I'd take the time to post this.  Hopefully it will help someone!!

Since I moved into a house with FTTH I have had to be on an Xnet internet connection.  I won't get into the details because I don't have all of them but suffice to say there was ONE choice of ISP and only ONE plan to choose from.  Well OK, there are TWO plans but one of them is 128Kbps/128Kbps...  hardly decent use of the FTTH!! :)

So my WRP400 arrived and so did the Chorus guy to install it for me - despite me saying that I didn't need an install because the FTTH termination was already there and running.  An Ethernet port just waiting to provide me some 30Mbps/6Mbps Internets!!

Because we had a lot of stuff to do (having just moved into the house) I didn't get the time to put my SSG5 in as the edge device, which meant that up until now I've had the WRP400 sitting on the edge doing its thing.  This was great for the VoIP as it didn't require any thinking to set it up.  Not so great when you have an SSG5 sitting behind it as a FW though and you want to fwd ports through it to an AP on the inside of the SSG.  Things would start to get time consuming having to fwd through so many devices but most of all... it's really hard when the Linksys interface only allows you to fwd ports (using Applications and Gaming) to an IP on the private address range of the router... But what about my other ranges on the inside of the SSG??

And now this post takes shape.  Just last night I finished installing the SSG5 as the edge device.  I say just last night as it took me a little while.  Getting the internet working wasn’t an issue.  Finding the info to make the incoming VoIP work however... that took a little more Googling!

I found several posts that were sort of useful and it was piecing bits of each of them together that I made this work.

Essentially this is it in a nutshell.  That is, without giving away my networks details.

SSG has PPPoE setup on the Untrust interface.  This is really easy to configure and if you’ve just factory reset your SSG then it’s all part of the wizard if you choose to do that!  I set the Idle disconnect to 0 so it keeps the link up all the time.

You need to setup MIP on your Untrust interface.  For this example I’ll use the default Ethernet0/0.  Expand Networking > Interfaces and click on “List”.  Click “Edit” next to the Untrust interface (which should be up with the green tick if your PPPoE is working).  Up the top of the page select MIP and click the “New” button at top right.

Enter your Mapped IP.  This is the IP address assigned to your PPPoE connection.  I have a static IP, being on FTTH, and I’m not sure if you could enter an interface name in lieu of an IP address here.

Enter your Host IP.  This is the external IP address of the WRP400 as it sits on your SSG.  I have my WRP400 setup on the DMZ port of the SSG.

Leave the Netmask and Host Virtual Router Name as their defaults.

You need a policy to let the DMZ access the internet.  You can use either the Wizard for this or just make one manually.  Either way you want from DMZ to Untrust and allow ANY source, ANY destination and ANY Service.  You want to enable NAT for Source Translation.  You can either tick this option in the Wizard or it’s on the “Advanced” page at the top if you’ve snubbed the wizard.

Next you need incoming and outgoing policies for your VFX ports.  First you need to create a custom service though.

Expand Policy > Policy Elements > Services and select “Custom”.  Up the top right click “New” and then put the radio button for the first line in TCP.  Enter Source Port Low and High as 0 and 65535 respectively.  (This means that any port from the server can be used to send this request to your telephone and it will be accepted).  Enter Destination Port Low and High as 8060 and 8065.  Leave the last two fields (ICMP) blank.

Put the radio button on the next line down into UDP and enter the same ports as above, again leaving the last two ICMP ones blank.

Now the 3rd Line down.  Put the radio button in TCP and enter the Source Port Low and High as 0 and 65535 again.  Destination Low and High are 5060 and 5065 this time.  4th line down do for UDP on the same ports.  Give the service a name at the top (I used VFX so I could spot it easily in the list) and click OK.

That’s the custom service, now the Policies...

From Untrust to DMZ.  Source is ANY and destination is the MIP(x.x.x.x) from the drop-down.  For Service select “VFX” (or whatever you called your custom service) from the drop-down.  Click “Advanced” down the bottom and Tick the “Traffic Shaping” box.  Select Traffic Priority as “Highest Priority” and click “OK”.

From DMZ to Untrust.  (N.B. This is a second policy just for QoS of your voice.  If you did this on the policy you already have for DMZ to Untrust you would prioritize all your traffic the same, which wouldn’t be great for high data usage and concurrent phone calls.)

Source ANY, Destination ANY and Service is VFX from the drop-down.  Click Advanced and choose NAT, Source Translation.  Again enable the “Traffic Shaping” tick box with “Traffic Priority” set to “Highest Priority”.  Click “OK”.

By default SIP ALG should be ticked as “on” but we’ll go and check just in case.  Expand “Security” and click ALG.  You should see a tick on SIP.

That’s it – should be good to go!  Try and make a call out and in using your analogue phone on your WRP.

What did you just do?

Created a Mapped IP from your public (Untrust) internet interface through to your WRP400 on your DMZ that allows clients on the WRP400 to access the internet freely and maps the Xnet VFX ports through so your phone will work.  You now have an SSG where it should be (edge device) and your WRP400 nicely safe and sound behind it with only the essential ports forwarded to make your VFX service work.

Just to clarify, if you’ve received a range of ports from Xnet/WxC on this topic.  The last range will be UDP 35384-37384.  These are the “media” ports.  The SIP ALG will take care of these so you DO NOT include them in your Custom Service.  Why??  Well... this is a big chunk of ports, 200 of them.  Any of these could be randomly chosen by a client on the network as its outgoing port to browse the Internet or connect to an FTP server.  This wouldn’t work well if it was reserved by the SSG in a Custom Service.

I’ve not included the WRP400 setup steps here as they are easily found on the Google.

Well that’s it.  My first post at GZ...  Comments are welcome!

Reply # 607924 11-Apr-2012 15:47

The WRP400 is obviously a basic home gateway device but the SSG is a different story and a pretty powerful SMB device, and you have different requirements around your home network, so nice work on writing up a great first post Jon.

Yes I am an employee of WxC ... but I do have my own opinions as well ;)

https://www.facebook.com/wxccommunications

Reply # 607947 11-Apr-2012 17:18

Nice Jon, I would also note that you only need to allow 58.28.20.150 in on 5060 and 8060.
This will assist to lock down who or what can call you to being only via WxC.

Reply # 607950 11-Apr-2012 17:32

I feel like I have to add, the static IP you are currently getting on your connection is a temporary thing; eventually you will be on a dynamic IP pool again, meaning your IP address will change with every new PPPoE connection.
Just thought it was worth mentioning.

Reply # 607971 11-Apr-2012 18:40

grudge: I feel like I have to add, the static IP you are currently getting on your connection is a temporary thing; eventually you will be on a dynamic IP pool again, meaning your IP address will change with every new PPPoE connection.
Just thought it was worth mentioning.


Actually no it's not, FTTH connections have static IPs.

Reply # 608734 13-Apr-2012 12:42

cisconz: Nice Jon, I would also note that you only need to allow 58.28.20.150 in on 5060 and 8060.
This will assist to lock down who or what can call you to being only via WxC.


Thanks David, a good call.  I did a VERY brief Google to see if I could find the IP address of the VFX server(s) but didn't get a result in the first page so just left it...  I'm a big fan of security so this is info that I'll make use of tonight!!

For those unsure of how this would be implemented against my above post...

On the Policy page, edit the incoming policy from Untrust to DMZ that you created using the custom VFX service.  Change the "Source Address" to be 50.28.20.150.  Because this policy is already bound to the custom VFX service as above, it will allow the port ranges configured within only from this specific address.

Quick question:  David, are you saying that there is no requirement for the ranges of 8060-8065 and 5060-5065 and we only need 8060 and 5060?  I just don't want to confuse anyone so when I have your answer and Phil's to the below question I'll update the original post.

Phil, could you please confirm this is the only address we could expect voice from WxC on? 

Jon 
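The GUI steps from the first post (MIP, custom VFX service, the two policies and the SIP ALG check) and David's source lock-down from this reply, written out as the equivalent ScreenOS CLI. This is an added example, not part of anyone's post: 203.0.113.10 stands in for the static PPPoE address, 192.168.2.2 for the WRP400's address in the DMZ, and ethernet0/0 for the Untrust interface (all placeholders); the command syntax is ScreenOS 6.x as I recall it, so compare against `get config` on your own unit before trusting it, and the lines starting with # are annotations rather than commands.

```screenos
# Assumptions: ethernet0/0 = Untrust (PPPoE) interface, WRP400 WAN port sits in
# the DMZ zone at 192.168.2.2, 203.0.113.10 = placeholder for the public address.

# 1. MIP: public address -> WRP400, /32 mask so it is a single-host mapping
set interface ethernet0/0 mip 203.0.113.10 host 192.168.2.2 netmask 255.255.255.255 vr trust-vr

# 2. Custom service "VFX": signalling ports only, any source port.
#    The media range (UDP 35384-37384) is deliberately NOT here; the SIP ALG
#    opens those pinholes per call, so they stay free for ordinary client use.
set service "VFX" protocol tcp src-port 0-65535 dst-port 8060-8065
set service "VFX" + udp src-port 0-65535 dst-port 8060-8065
set service "VFX" + tcp src-port 0-65535 dst-port 5060-5065
set service "VFX" + udp src-port 0-65535 dst-port 5060-5065

# 3. Address object for the WxC server quoted in this thread, so inbound SIP is
#    accepted from that host only instead of from Any
set address "Untrust" "wxc-vfx" 58.28.20.150 255.255.255.255

# 4a. Inbound: Untrust -> DMZ, to the MIP, VFX only, shaping priority 0 (highest).
#     The original, wider rule is left commented out for comparison:
# set policy from "Untrust" to "DMZ" "Any" "MIP(203.0.113.10)" "VFX" permit traffic priority 0
set policy from "Untrust" to "DMZ" "wxc-vfx" "MIP(203.0.113.10)" "VFX" permit traffic priority 0

# 4b. Outbound voice: its own policy so only VFX traffic gets top priority.
#     Policies match top-down, so this must sit ABOVE the catch-all in 4c.
set policy from "DMZ" to "Untrust" "Any" "Any" "VFX" nat src permit traffic priority 0

# 4c. General DMZ internet access with source NAT and no shaping priority
set policy from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit

# 5. SIP ALG stays on; without it the media ports never get opened
set alg sip enable
```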

Reply # 608737 13-Apr-2012 12:44

Yes it is
