Voip security, firewalls, home network setup

Forums › VoIP › Voip security, firewalls, home network setup

AnotherDummy

21 posts

Geek
+1 received by user: 4

#177584 7-Aug-2015 14:02

Hi folks.

This is Voip/Network issue.
I have been with 2talk at home for about a year now and have finally realised I probably have zero security!
My setup: Vodafone cable modem->Cisco SPA122 ATA (hooked up to old cordless analog phone set)->Airport Extreme (in bridge mode) extended with an airport express.

I think need a firewall! The airport xtreme does supposedly have a basic firewall in it, but this apparently gets disabled when swithced to bridge mode. I elected to put the SPA122 before the Aiport extreme because I had read of dropouts when trying to run the voip hardware from the Airport base and never actually paid any more attention that that (was more worried about getting the phone working at that point in time!)

Could/Should I put the SPA122 into bridge mode, let the Airport do the NAT and run the SPA122 off the airport? If I do this, the firewall would be enabled again, but would I need to set something up in that firewall to make sure the voip traffic is handled properly? (I understand there are very few configurable options on that basic inbuilt firewall).

Can someone provide some advice? I'm happy to buy some gear, not necessarily looking for the cheapest gear, it'll cost what it costs. We already had the Airport base when we ditched the old phone line so it was just easy to keep using it. I can handle the thought of manually configuring stuff if required.

Our home requirements are fairly standard, probably about 6 mobile devices, a couple smart tv's and 2 mac's mostly running off wi-fi right now.

Thanks :)

sbiddle

30853 posts

Uber Geek
+1 received by user: 9996

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#1360707 7-Aug-2015 14:52

You should use the Airport as your firewall/router and then plug the SPA122 in behind that. There is no need for bridge mode.

If you had issues with that in the past you need to look at your configuration to work out what was wrong.

AnotherDummy

21 posts

Geek
+1 received by user: 4

#1360713 7-Aug-2015 14:59

Ok, thanks I'll give that a shot. I always had the impression that wouldn't work without enabling stuff like port forwarding etc etc, then there's the head spinning double NAT...
I'll post back if things come unstuck :)

AnotherDummy

21 posts

Geek
+1 received by user: 4

#1361106 8-Aug-2015 12:20

Ok, my phone appears to be working now positioned after my Airport, but I can't bring up the web interface through my network.
I can only access it via a direct Ethernet connection to my laptop. I am using the New IP address given by query from the attached phone. The admin password has been changed from its default setting. I can ping the SPA122 and I downloaded an app called Fing to see what it picked up, it sees the device and knows it's Cisco h/w.

Any ideas? It has to be seeing the internet or my calls wouldn't be getting through!

chevrolux

4962 posts

Uber Geek
+1 received by user: 2638
Inactive user

#1361139 8-Aug-2015 13:46

Because you are trying to connect to the 'WAN' of the SPA122 it will block access by default. You will want to set your SPA to 'bridge mode' so that the ethernet ports just act as a switch instead of a router.

AnotherDummy

21 posts

Geek
+1 received by user: 4

#1361164 8-Aug-2015 14:52

Thanks, I did have it in bridge mode.
I found my problem after a bit more research, there is an option to allow remote management via the WAN port. I found this and enabled it and I'm now good to go (you can specify an IP address or a range so I will lock that down to suit).

Thanks all for your help. I'll work out over the next few days if my calls are all good (no drop outs or missed calls etc)

AnotherDummy

21 posts

Geek
+1 received by user: 4

#1361303 8-Aug-2015 21:34

A few last comments in case anyone refers here in the future; as part of this exercise l ended up having to reset to factory defaults (my own fault, messed something up)

A few things proved useful: with SPA122 set up in bridge mode after the airport base station using ****110# from the phone connected to the ATA gives you an IP address for the WAN port which you can't actually get into at first. Using ****210# gives you the address for the LAN port that you need to use.

After auto provisioning, I did not go back to the voice->provisioning options and change the option to enable provisioning to 'no'. Same for the option to enable firmware updates. This caused a bit more confusion because after a final reboot of the equipment when I thought I was done this afternoon, I found I had lost my password change and my change to allow remote management via the WAN port. It must have re-downloaded the 2talk file and changed those settings back to the 2talk defaults. After setting those 2 automatic update options to 'no' I re-applied the password change and went back into Administration->Management->Web Access Management and enable remote access and rebooted again to satisfy myself that things were settled.

Lastly, once you're happy enough, remember to backup your configuration!

Samsung

Shop now on Samsung phones, tablets, TVs and more (affiliate link).

sbiddle

30853 posts

Uber Geek
+1 received by user: 9996

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#1361308 8-Aug-2015 22:06

The SPA122 features a router so WAN access is disabled by default for security purposes. 99% of people purchasing an ATA would simply get a SPA112 as the router functionality would very rarely ever be used so it's not worth paying the extra $ for it.

If WAN access isn't unblocked and the device is in the default NAT configuration mode you can just plug into the LAN port, get a DHCP lease and log into the device. There is no need to reset it.