# 100428 11-Apr-2012 15:33

I just thought I'd take the time to post this.  Hopefully it will help someone!!

Since I moved into a house with FTTH I have had to be on an Xnet internet connection.  I won't get into the details because I don't have all of them but suffice to say there was ONE choice of ISP and only ONE plan to choose from.  Well OK, there are TWO plans but one of them is 128Kbps/128Kbps...  hardly decent use of the FTTH!! :)

So my WRP400 arrived and so did the Chorus guy to install it for me - despite me saying that I didn't need an install because the FTTH termination was already there and running.  An Ethernet port just waiting to provide me some 30Mbps/6Mbps Internets!!

Because we had a lot of stuff to do (having just moved into the house) I didn't get the time to put my SSG5 as the edge device which meant that up until now I've had the WRP400 sitting on the edge doing its thing.  This was great for the VoIP as it didn't require any thinking to set it up.  Not so great when you have an SSG5 sitting behind it though as a FW and you want to fwd ports through it to an AP on the inside of the SSG.  Things would start to get time consuming having to fwd through so many devices but most of all... it's really hard when the Linksys interface only allows you to fwd ports (using Applications and Gaming) to any IP on the private address range of the router... But what about my other ranges on the inside of the SSG??

And now this post takes shape.  Just last night I finished installing the SSG5 as the edge device.  I say just last night as it took me a little while.  Getting the internet working wasn’t an issue.  Finding the info to make the incoming VoIP work however... that took a little more Googling!

I found several posts that were sort of useful and it was piecing bits of each of them together that I made this work.

Essentially this is it in a nutshell.  That is, without giving away my networks details.

SSG has PPPoE setup on the Untrust interface.  This is really easy to configure and if you’ve just factory reset your SSG then it’s all part of the wizard if you choose to do that!  I set the Idle disconnect to 0 so it keeps the link up all the time.

You need to set up MIP on your Untrust interface.  For this example I’ll use the default Ethernet0/0.  Expand Networking > Interfaces and click on “List”.  Click “Edit” next to the Untrust interface (which should be up with the green tick if your PPPoE is working).  Up the top of the page select MIP and click the “New” button at top right.

Enter your Mapped IP.  This is the IP address assigned to your PPPoE connection.  I have a static being on FTTH and I’m not sure if you could enter an interface description in lieu of an IP address here.

Enter your Host IP.  This is the external IP address of the WRP400 as it sits on your SSG.  I have my WRP400 set up on the DMZ port of the SSG.

Leave the Netmask and Host Virtual Router Name as their defaults.

You need a policy to let the DMZ access the internet.  You can use either the Wizard for this or just make one manually.  Either way you want from DMZ to Untrust and allow ANY source, ANY destination and ANY Service.  You want to enable NAT for Source Translation.  You can either tick this option in the Wizard or it’s on the “Advanced” page at the top if you’ve snubbed the wizard.

Next you need incoming and outgoing policies for your VFX ports.  First you need to create a custom service though.

Expand Policy > Policy Elements > Services and select “Custom”.  Up the top right click “New” and then put the radio button for the first line in TCP.  Enter Source Port Low and High as 0 and 65535 respectively.  (This means that any port from the server can be used to send this request to your telephone and it will be accepted).  Enter Destination Port Low and High as 8060 and 8065.  Leave the last two fields (ICMP) blank.

Put the radio button on the next line down into UDP and enter the same ports as above, again leaving the last two ICMP ones blank.

Now the 3rd Line down.  Put the radio button in TCP and enter the Source Port Low and High as 0 and 65535 again.  Destination Low and High are 5060 and 5065 this time.  4th line down do for UDP on the same ports.  Give the service a name at the top (I used VFX so I could spot it easily in the list) and click OK.

That’s the custom service, now the Policies...

From Untrust to DMZ.  Source is ANY and destination is the MIP(x.x.x.x) from the drop-down.  For Service select “VFX” (or whatever you called your custom service) from the drop-down.  Click “Advanced” down the bottom and Tick the “Traffic Shaping” box.  Select Traffic Priority as “Highest Priority” and click “OK”.

From DMZ to Untrust.  (N.B. This is a second policy just for QoS of your voice.  If you did this on the policy you already have for DMZ to Untrust you would prioritize all your traffic the same which wouldn’t be great for high data usage and concurrent phone calls).

Source ANY, Destination ANY and Service is VFX from the drop-down.  Click Advanced and choose NAT, Source Translation.  Again enable the “Traffic Shaping” tick box with “Traffic Priority” set to “Highest Priority”.  Click “OK”.

By default SIP ALG should be ticked as “on” but we’ll go and check just in case.  Expand “Security” and click ALG.  You should see a tick on SIP.

That’s it – should be good to go!  Try and make a call out and in using your analogue phone on your WRP.

What did you just do?

Created a Mapped IP from your public(Untrust) internet interface through to your WRP400 on your DMZ that allows clients on the WRP400 to access the internet freely and maps the Xnet VFX ports through so your phone will work.  You now have an SSG where it should be (edge device) and your WRP400 nicely safe and sound behind it with only the essential ports forwarded to make your VFX service work.

Just to clarify, if you’ve received a range of ports from Xnet/WxC on this topic, the last range will be UDP 35384-37384.  These are the “media” ports.  The SIP ALG will take care of these so you DO NOT include them in your Custom Service.  Why??  Well... this is a big chunk of ports, 200 of them.  Any of these could be randomly chosen by a client on the network as its outgoing port to browse the Internet or connect to an FTP server.  This wouldn’t work well if it was reserved by the SSG in a Custom Service.

I’ve not included the WRP400 setup steps here as they are easily found on the Google.

Well that’s it.  My first post at GZ...  Comments are welcome!
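The same configuration expressed as ScreenOS CLI commands (the SSG5's command line, reachable over the console or SSH), added here as a worked example; it is not part of the original post, which describes the WebUI clicks only. The public PPPoE address 203.0.113.10, the WRP400 address 172.16.1.2 on the DMZ, the policy IDs and the zone names are placeholders to replace with your own. The `traffic priority 0` form of the highest-priority shaping option is from memory of the ScreenOS policy syntax and is an assumption to check against your firmware's CLI reference. Lines starting with `#` are annotations for the reader, not CLI input.

```screenos
# MIP: one-to-one mapping of the public PPPoE address to the WRP400 on the DMZ.
# Placeholder addresses; the host IP is the WAN side of the WRP400.
set interface ethernet0/0 mip 203.0.113.10 host 172.16.1.2 netmask 255.255.255.255 vr trust-vr

# Custom service "VFX": any source port to the signalling port ranges, TCP and UDP.
# The media ports (UDP 35384-37384) are deliberately NOT listed here.
set service "VFX" protocol tcp src-port 0-65535 dst-port 8060-8065
set service "VFX" + udp src-port 0-65535 dst-port 8060-8065
set service "VFX" + tcp src-port 0-65535 dst-port 5060-5065
set service "VFX" + udp src-port 0-65535 dst-port 5060-5065

# Inbound signalling to the MIP, highest traffic priority (0 = highest in ScreenOS).
set policy id 10 from "Untrust" to "DMZ" "Any" "MIP(203.0.113.10)" "VFX" permit traffic priority 0

# Outbound signalling from the DMZ with source NAT, also prioritised.
# Kept separate from the catch-all so only voice signalling gets the priority.
set policy id 11 from "DMZ" to "Untrust" "Any" "Any" "VFX" nat src permit traffic priority 0

# General outbound access for the DMZ with source NAT. Policies are matched in list
# order, so this must sit below policy 11; if it does not, reorder with
#   set policy move 11 before 12
set policy id 12 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit

# SIP ALG opens the negotiated media ports dynamically per call, so no static hole is needed.
set alg sip enable
```

Use `get policy` and `get interface ethernet0/0 mip` afterwards to confirm the order and the mapping; when a call is up, `get session` shows the dynamically opened media pinholes the ALG created, which is the quickest way to see why the 35384-37384 range does not belong in the custom service.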

  # 607924 11-Apr-2012 15:47

The WRP400 is obviously a basic home gateway device, but the SSG is a different story and a pretty powerful SMB device, and you have different requirements around your home network, so nice work on writing up a great first post Jon.

Yes I am an employee of WxC (My Profile) ... but I do have my own opinions as well ;)



  # 607947 11-Apr-2012 17:18

Nice Jon, I would also note that you only need to allow in on 5060 and 8060.
This will assist to lock down who or what can call you to being only via WxC.




  # 607950 11-Apr-2012 17:32

I feel like I have to add, the static IP you are currently getting on your connection is a temporary thing; eventually you will be on a dynamic IP pool again, meaning your IP address will change with every new PPPoE connection.
Just thought it was worth mentioning.

  # 607971 11-Apr-2012 18:40

grudge: I feel like I have to add, the static IP you are currently getting on your connection is a temporary thing; eventually you will be on a dynamic IP pool again, meaning your IP address will change with every new PPPoE connection.
Just thought it was worth mentioning.

Actually no it's not, FTTH connections have static IPs.




  # 608734 13-Apr-2012 12:42

cisconz: Nice Jon, I would also note that you only need to allow in on 5060 and 8060.
This will assist to lock down who or what can call you to being only via WxC.

Thanks David, a good call.  I did a VERY brief Google to see if I could find the IP address of the VFX server(s) but didn't get a result in the first page so just left it...  I'm a big fan of security so this is info that I'll make use of tonight!!

For those unsure of how this would be implemented against my above post...

On the Policy page, edit the incoming policy from Untrust to DMZ that you have created using the Custom VFX Service.  Change the "Source Address" to be  Because this policy is already bound with the custom VFX service as above, it will allow the port ranges configured within from this specific address only.

Quick question:  David, are you saying that there is no requirement for the ranges of 8060-8065 and 5060-5065 and we only need 8060 and 5060?  I just don't want to confuse anyone so when I have your answer and Phil's to the below question I'll update the original post.

Phil, could you please confirm this is the only address we could expect voice from WxC on? 
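The source-address tightening David suggested, as ScreenOS CLI commands; this is an added example, not text from the thread. It assumes the inbound Untrust-to-DMZ VFX policy already exists with id 10 and the MIP placeholder 203.0.113.10 (both assumptions), and 203.0.113.50 is a placeholder for the WxC address that the provider confirms, since the actual address is not reproduced above. Lines starting with `#` are annotations, not CLI input.

```screenos
# Address-book entry in the Untrust zone for the provider's SIP server (placeholder address).
set address "Untrust" "WxC-VFX" 203.0.113.50 255.255.255.255

# Recreate the inbound policy with that single source instead of "Any".
# Destination (the MIP), service (VFX) and priority are unchanged; only the
# source address narrows, so unsolicited SIP from anywhere else is dropped.
unset policy id 10
set policy id 10 from "Untrust" to "DMZ" "WxC-VFX" "MIP(203.0.113.10)" "VFX" permit traffic priority 0
```

Recreating the policy puts it at the bottom of the Untrust-to-DMZ list; since it is the only inbound policy in that zone pair here that is harmless, otherwise `set policy move 10 before <id>` restores its position. A `get policy id 10` check should show the source as `WxC-VFX` and a hit count that rises only when calls come in from the provider.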


  # 608737 13-Apr-2012 12:44

Yes it is


