Port Forwarding Geek Out

This is a version of an email that, it seems, gets sent out about once a week. It was the reason I started the Blog portion of the wiki. It's less formal but a much more conversational mode of information exchange. I hope it helps answer some questions.

The email

Eric, Brad,

I'm the “chief geek” at ring-u, figured I'd jump in directly and help. I'm apologizing in advance for the “geek-out”…

Just to make sure this is needed: External Port Forwarding is only needed if you are trying to use external phones (phones outside of your internal network).

For our typical customers, a simple port forward is “reaching for the stars” and solves their needs with a minimal security risk. The Hello Hub itself has a good adaptive firewall that blocks IPs on failed login and communication attempts. If you are curious, a list of these is maintained and updated in real time: https://portal.ring-u.com/portal/dashboard/noc - You may notice most of these are IPv4 addresses; we do see scans from IPv6 and block them, but they rarely make the hit list you'll see there.

It's possible to limit the external IP for ports 5060 and 5061, but you may have to change those if the upstream VoIP servers change (this happens rarely, but it is possible). Ports 10,000-20,000 source addresses change for almost every call. You (and we) would have to maintain a “whitelist” of every VoIP/Telecom provider endpoint. It's a big list.
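As an added illustration (not ring-u's code, and not the Hello Hub's actual firewall), here is the shape of the two controls mentioned above: an adaptive block list built from failed SIP registrations, run over constructed log lines in an Asterisk-style format, and a source-address allowlist check for forwarded ports 5060/5061. The log format, addresses and prefixes are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample log lines in an Asterisk-style format (hypothetical); the
# documentation addresses 203.0.113.7 and 198.51.100.9 stand in for scanners.
SAMPLE_LOG = """\
2024-05-01 10:00:01 NOTICE Registration from '"1001" <sip:1001@pbx>' failed for '203.0.113.7:5060' - Wrong password
2024-05-01 10:00:02 NOTICE Registration from '"1001" <sip:1001@pbx>' failed for '203.0.113.7:5060' - Wrong password
2024-05-01 10:00:03 NOTICE Registration from '"admin" <sip:admin@pbx>' failed for '203.0.113.7:5060' - No matching peer found
2024-05-01 10:00:04 NOTICE Registration from '"2001" <sip:2001@pbx>' failed for '198.51.100.9:5060' - Wrong password
2024-05-01 10:30:00 NOTICE Registration from '"2001" <sip:2001@pbx>' failed for '198.51.100.9:5060' - Wrong password
2024-05-01 10:30:01 NOTICE Registration from '"2001" <sip:2001@pbx>' failed for '198.51.100.9:5060' - Wrong password
"""

LINE_RE = re.compile(r"^(\S+ \S+) NOTICE Registration from .* failed for '([^']+):\d+'")

def failed_attempts(log_text):
    """Yield (timestamp, source address) for every failed SIP registration."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, ipaddress.ip_address(m.group(2).strip("[]"))  # [] wraps IPv6

def ips_to_block(log_text, max_failures=3, window=timedelta(minutes=10)):
    """Adaptive-block rule: a source with max_failures or more failed
    registrations inside a sliding window goes on the block list.
    Failures older than the window are forgotten, so the slow probing
    from 198.51.100.9 above is not blocked at the default settings."""
    recent = defaultdict(list)
    blocked = set()
    for ts, ip in failed_attempts(log_text):
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= max_failures:
            blocked.add(ip)
    return blocked

def allowed_signalling_source(ip, provider_prefixes):
    """Source check for forwarded ports 5060/5061: accept only addresses in
    the upstream VoIP provider's networks. provider_prefixes is the allowlist
    the email says you would have to maintain (values here are constructed)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in provider_prefixes)

if __name__ == "__main__":
    print("block:", sorted(str(ip) for ip in ips_to_block(SAMPLE_LOG)))
    print("5060 from 192.0.2.10:", allowed_signalling_source("192.0.2.10", ["192.0.2.0/24"]))
```

Widening the window (for example to an hour) also catches the slow source, which is the trade-off any adaptive block list makes between patience and false positives.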

When using external phones (a mobile phone with an “App” on it or a physical phone) they may connect from just about anywhere on the planet. We have customers using remote phones on other continents. Even locally, this is a wide range of addresses.

Let's go to serious paranoid geek mode:

Option #1: VPN

Use a VPN. OpenVPN specifically (I use it a lot) works very well. The office Hello Hub will not need ports forwarded to it. The fun part is: Now you have a VPN to manage, all endpoints will need a VPN client, and you need a VPN Server, probably a part of your firewall. That's a decent amount of work, unless you need it for other things as well. This solution also works well for remote offices with multiple phones.

Option #2: Hybrid

We set up a hybrid cloud system. The Hello Hub on-site manages the local phones, and the main PBX is hosted. We charge $25 per month for that hosted PBX, but we don't charge per phone connected to it. All phones, even the external ones, use the hosted PBX for VoIP traffic, so no port forwarding is required. Caveat: like all hosted systems, each phone is constantly communicating with the cloud system and there may be noticeable (but extremely minor) differences.

Option #3: 2nd Net

Consider the phone network “untrusted” (not a bad idea anyway) and put it on its own internal network. We have a lot of customers that do this using the “Opt” or “DMZ” or other assignable ports on their firewall/gateway.

Option #4: Why?

Re-assess the need for full-on VoIP external phones instead of just call forwards to cell phones.
