I just thought I'd take the time to post this.  Hopefully it will help someone!!

Since I moved into a house with FTTH I have had to be on an Xnet internet connection.  I won't get into the details because I don't have all of them but suffice to say there was ONE choice of ISP and only ONE plan to choose from.  Well OK, there are TWO plans but one of them is 128Kbps/128Kbps...  hardly decent use of the FTTH!! :)

So my WRP400 arrived and so did the Chorus guy to install it for me - despite me saying that I didn't need an install because the FTTH termination was already there and running.  An Ethernet port just waiting to provide me some 30Mbps/6Mbps Internets!!

Because we had a lot of stuff to do (having just moved into the house) I didn't get the time to put my SSG5 as the edge device which meant that up until now I've had the WRP400 sitting on the edge doing it's thing.  This was great for the VoIP as it didn't require any thinking to set it up.  Not so great when you have an SSG5 sitting behind it though as a FW and you want to fwd ports through it to an AP on the inside of the SSG.  Things would start to get time consuming having to fwd through so many devices but most of all... it's really hard when the Linksys interface only allows you to fwd ports (using Applications and Gaming) to any IP on the private address range of the router... But what about my other ranges on the inside of the SSG??

And now this post take shape.  Just last night I finished installing the SSG5 as the edge device.  I say just last night as it took me a little while.  Getting the internet working wasn’t an issue.  Finding the info to make the incoming VoIP work however... that took a little more Googling!

I found several posts that were sort of useful and it was piecing bits of each of them together that I made this work.

Essentially this is it in a nutshell.  That is, without giving away my networks details.

SSG has PPPoE setup on the Untrust interface.  This is really easy to configure and if you’ve just factory reset your SSG then it’s all part of the wizard if you choose to do that!  I set the Idle disconnect to 0 so it keeps the link up all the time.

You need to setup MIP on your Untrust interface.  For this example I’ll use the default Ethernet0/0.  Expand Networking > Interfaces and click on “List”.  Click “Edit” next to the Untrust interface (which should be up with the green tick if your PPPoE is working).  Up the top of the page select MIP and click the “New” button at top right.

Enter your Mapped IP.  This is the IP address assigned to your PPPoE connection.  I have a static being on FTTH and I’m not sure if you could enter an interface description in lieu of an IP address here.

Enter your Host IP.  This is the external IP address of the WRP400 as it sits on your SSG.  I have my WRP400 setup on the DMZ port of the SSG.

Leave the Netmask and Host Virtual Router Name as their defaults.

You need a policy to let the DMZ access the internet.  You can use either the Wizard for this or just make one manually.  Either way you want from DMZ to Untrust and allow ANY source, ANY destination and ANY Service.  You want to enable NAT for Source Translation.  You can either tick this option in the Wizard or it’s on the “Advanced” page at the top if you’ve snubbed the wizard.

Next you need incoming and outgoing policies for your VFX ports.  First you need to create a custom service though.

Expand Policy > Policy Elements > Services and select “Custom”.  Up the top right click “New” and then put the radio button for the first line in TCP.  Enter Source Port Low and High as 0 and 65535 respectively.  (This means that any port from the server can be used to send this request to your telephone and it will be accepted).  Enter Destination Port Low and High as 8060 and 8065.  Leave the last two fields (ICMP) blank.

Put the radio button on the next line down into UDP and enter the same ports as above, again leaving the last two ICMP ones blank.

Now the 3rd Line down.  Put the radio button in TCP and enter the Source Port Low and High as 0 and 65535 again.  Destination Low and High are 5060 and 5065 this time.  4th line down do for UDP on the same ports.  Give the service a name at the top (I used VFX so I could spot it easily in the list) and click OK.

That’s the custom service, now the Policies...

From Untrust to DMZ.  Source is ANY and destination is the MIP(x.x.x.x) from the drop-down.  For Service select “VFX” (or whatever you called your custom service) from the drop-down.  Click “Advanced” down the bottom and Tick the “Traffic Shaping” box.  Select Traffic Priority as “Highest Priority” and click “OK”.

From DMZ to Untrust.  (N.B. This is a second policy just for QoS of your voice.  If you did this on the policy you already have for DMZ to Untrust you would prioritize all your traffic the same which wouldn’t be great for high data usage and phone concurrent phone calls). 

Source ANY, Destination ANY and Service is VFX from the drop-down.  Click Advanced and choose NAT, Source Translation.  Again enable the “Traffic Shaping” tick box with “Traffic Priority” set to “Highest Priority”.  Click “OK”.

By default SIP ALG should be ticked as “on” but we’ll go and check just in case.  Expand “Security” and click ALG.  You should see a tick on SIP.

That’s it – should be good to go!  Try and make a call out and in using your analogue phone on your WRP.

What did you just do?

Created a Mapped IP from your public(Untrust) internet interface through to your WRP400 on your DMZ that allows clients on the WRP400 to access the internet freely and maps the Xnet VFX ports through so your phone will work.  You now have an SSG where it should be (edge device) and your WRP400 nicely safe and sound behind it with only the essential ports forwarded to make your VFX service work.

Just to clarify, if you’ve received a range of ports from Xnet/WxC on this topic.  The last range will be UDP 35384-37384.  These are the “media” ports.  The SIP ALG will take care of these so you DO NOT include them in your Custom Service.  Why??  Well... this is a big chunk of ports, 200 of them.  Any of these could be randomly chosen by a client on the network as its outgoing port to browse the Internet or connect to an FTP server.  This wouldn’t work well if it was reserved by the SSG in a Custom Service.

I’ve not included the WRP400 setup steps here as they are easily found on the Google.

Well that’s it.  My first post at GZ...  Comments are welcome!