Differences

This shows you the differences between two versions of the page.


blog:port_forwarding_geek_out [2022/06/10 17:00] (current) – created mike
Line 1: Line 1:
 +====== Port Forwarding Geek Out ======
 +
 +
 +
 +
 +
 +This is the version of an email sent out about once a week it seems. It was the reason I started the Blog portion of the wiki. It's less formal but a much more conversational mode of information exchange. I hope it helps answer some questions. 
 +
 +=== The email ===
 +
 +Eric, Brad,
 +
 +I'm the "chief geek" at ring-u, figured I'd jump in directly and help.
 +I'm apologizing in advance for the "geek-out"...
 +
 +Just to make sure this is needed: External Port Forwarding is only
 +needed if you are trying to use external phones (phones outside of
 +your internal network).
 +
 +For our typical customers, a simple port forward is "reaching for the
 +stars" and solves their needs with a minimal security risk. The Hello
 +Hub itself has a good adaptive firewall that blocks IP's on failed
 +login and communications attempts. If you are curious, a list of these
 +is maintained and updated in real time:
 +https://portal.ring-u.com/portal/dashboard/noc - You may notice most of this is ipV4 addresses, we do see scans from and block IPv6, but they rarely make the hit list you'll see there.
 +
 +It's possible to limit the external IP for ports 5060 and 5061, but
 +you may have to change those if the upstream VoIP servers change
 +(happens rarely but possible). Ports 10,000-20,000 source addresses
 +change for almost every call. You (and us) would have to maintain a
 +"whitelist" of every VoIP/Telecom provider endpoint. It's a big list.
 +
 +When using external phones (a mobile phone with an "App" on it or a
 +physical phone) they may connect from just about anywhere on the
 +planet. We have customers using remote phones on other continents.
 +Even locally, this is a wide range of addresses.
 +
 +===Lets go to serious paranoid geek mode:===
 +
 +===Option #1: VPN===
 +Use a VPN. OpenVPN specifically (I use it a lot) works very well. The
 +office Hello Hub will not need ports forwarded to it. The fun part is:
 +Now you have a VPN to manage, all endpoints will need a VPN client,
 +and you need a VPN Server, probably a part of your firewall. That's a
 +decent amount of work, unless you need it for other things as well.
 +This solution also works well for remote offices with multiple phones.
 +
 +===Option #2: Hybrid===
 +We setup a hybrid cloud system. the Hello Hub on-site manages the
 +local phones, and the main PBX is hosted. We charge $25 per month for
 +that hosted PBX, but we don't charge per phone connected to it. All
 +phones, even the external ones, use the hosted PBX for VoIP traffic,
 +no port forwarding is required. Caveat: like all hosted system each
 +phone is constantly communicating to the cloud system and there may be
 +noticeable (but extremely minor) differences.
 +
 +===Option #3: 2nd Net===
 +Consider the phone network "untrusted" (not a bad idea anyway) and put
 +it on it's own internal network. We have a lot of customers that do
 +this using the "Opt" or "DMZ" or other assignable ports on their
 +firewall/gateway.
 +
 +===Option #4: Why?===
 +Re-assess the need for full on VoIP external phones instead of just
 +call forwards to cell phones.
 +
  
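Review bot: Option #3 (2nd Net) never says whether the external port forward is still required, while Option #1 and Option #2 each state that no ports need to be forwarded. As written, a reader cannot tell whether the separate "Opt"/"DMZ" network replaces the forward or only contains the Hello Hub behind it, so add one sentence saying which. In the paragraph on limiting the external IP, ports 5060, 5061 and 10,000-20,000 are listed without a transport (UDP, TCP or both), which anyone writing the firewall rule will need. Minor: "it's own" should be "its own", "Lets" should be "Let's", "ipV4" should match the "IPv6" casing used in the same sentence, and the "===Option ...===" headings lack the spaces used in "=== The email ===".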
