Port Forwarding Geek Out

This is a version of an email that gets sent out about once a week, it seems. It was the reason I started the Blog portion of the wiki. It's a less formal, much more conversational mode of information exchange. I hope it helps answer some questions.

The email

Eric, Brad,

I'm the “chief geek” at ring-u, figured I'd jump in directly and help. I'm apologizing in advance for the “geek-out”…

Just to make sure this is needed: External Port Forwarding is only needed if you are trying to use external phones (phones outside of your internal network).

For our typical customers, a simple port forward is “reaching for the stars” and solves their needs with a minimal security risk. The Hello Hub itself has a good adaptive firewall that blocks IPs on failed login and communications attempts. If you are curious, a list of these is maintained and updated in real time: https://portal.ring-u.com/portal/dashboard/noc. You may notice most of these are IPv4 addresses; we do see scans from IPv6 and block them, but they rarely make the hit list you'll see there.

It's possible to limit the external IP for ports 5060 and 5061, but you may have to change those if the upstream VoIP servers change (happens rarely but possible). For ports 10,000-20,000, the source addresses change for almost every call. You (and we) would have to maintain a “whitelist” of every VoIP/Telecom provider endpoint. It's a big list.

When using external phones (a mobile phone with an “App” on it or a physical phone) they may connect from just about anywhere on the planet. We have customers using remote phones on other continents. Even locally, this is a wide range of addresses.

Let's go to serious paranoid geek mode:

Option #1: VPN

Use a VPN. OpenVPN specifically (I use it a lot) works very well. The office Hello Hub will not need ports forwarded to it. The fun part is: Now you have a VPN to manage, all endpoints will need a VPN client, and you need a VPN Server, probably a part of your firewall. That's a decent amount of work, unless you need it for other things as well. This solution also works well for remote offices with multiple phones.

Option #2: Hybrid

We set up a hybrid cloud system. The Hello Hub on-site manages the local phones, and the main PBX is hosted. We charge $25 per month for that hosted PBX, but we don't charge per phone connected to it. All phones, even the external ones, use the hosted PBX for VoIP traffic, so no port forwarding is required. Caveat: as with all hosted systems, each phone is constantly communicating with the cloud system and there may be noticeable (but extremely minor) differences.

Option #3: 2nd Net

Consider the phone network “untrusted” (not a bad idea anyway) and put it on its own internal network. We have a lot of customers that do this using the “Opt” or “DMZ” or other assignable ports on their firewall/gateway.

Option #4: Why?

Re-assess the need for full-on VoIP external phones instead of just call forwards to cell phones.
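
The source-restriction trade-off on ports 5060/5061 and 10,000-20,000 discussed earlier in the email, worked through as an added example (not part of the original email and not ring-u's own code). The allowlist range, the sample traffic, and the names `decide` and `summarize` are assumptions made for illustration.

```python
import ipaddress

# Assumptions for illustration: the page lists no provider addresses, so the
# allowlist uses a reserved documentation range, and all traffic is constructed.
UPSTREAM = [ipaddress.ip_network("203.0.113.0/24")]
SIGNALLING = range(5060, 5062)    # ports 5060 and 5061
MEDIA = range(10000, 20001)       # ports 10,000-20,000

def decide(src, dport, restrict_signalling, allowlist=UPSTREAM):
    """Return 'forward' or 'drop' for one inbound packet at the WAN edge."""
    addr = ipaddress.ip_address(src)
    if dport in SIGNALLING:
        if restrict_signalling and not any(addr in net for net in allowlist):
            return "drop"
        return "forward"
    if dport in MEDIA:
        return "forward"   # sources change for almost every call: no source filter
    return "drop"          # no other port is forwarded to the hub

# Constructed sample traffic: (label, source, destination port, wanted?)
TRAFFIC = [
    ("upstream signalling",        "203.0.113.10",  5060,  True),
    ("upstream after renumbering", "198.51.100.7",  5060,  True),
    ("call media",                 "192.0.2.44",    14322, True),
    ("external phone, roaming",    "198.51.100.90", 5061,  True),
    ("internet scanner",           "192.0.2.200",   5060,  False),
    ("probe on unrelated port",    "192.0.2.200",   8080,  False),
]

def summarize(restrict_signalling, traffic=TRAFFIC):
    """Split results into wanted traffic that broke and unwanted traffic let in."""
    broken, exposed = [], []
    for label, src, dport, wanted in traffic:
        verdict = decide(src, dport, restrict_signalling)
        if wanted and verdict == "drop":
            broken.append(label)
        elif not wanted and verdict == "forward":
            exposed.append(label)
    return broken, exposed

if __name__ == "__main__":
    for mode in (True, False):
        broken, exposed = summarize(mode)
        print(f"restrict 5060/5061={mode}: broken={broken} reaches hub={exposed}")
```

With the restriction on, the scanner never reaches the hub, but a renumbered upstream server and a roaming external phone are dropped as well; with it off, the scanner's traffic reaches the hub and is left to the hub's adaptive firewall.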

blog/port_forwarding_geek_out.txt · Last modified: 2022/06/10 17:00 by mike