Landline phone with own router on FTTP

bruce_miranda
4: Newbie

Just got FTTP and everything is working fine off the VF router. Phone lines are plugged into the VF router, VF router's WiFi is switched off. 3rd party Mesh has been switched to Bridge mode and plugged into the VF's ethernet port.

However I am shocked at how feature poor the VF router is. e.g. There are no Parental controls at all. I know I can get rid of the VF router and plug my own Mesh router into the Openreach ONT, but what about the Landline. 

Are there any 3rd party routers in the market that have a telephone socket at the back to allow the home phone to be plugged in? 

679 REPLIES

@Madmanmavs The main thing is that it’s working for you, however I think there are some issues that may bite you later on. Your WAN firewall rule as posted cannot be matching packets because packets with a source of WAN will not yet have the LAN IP of your VOIP device in the Destination field.

Further, VOIP (SIP + RTP) uses three ports. The signalling port, one for the incoming audio and one for the outbound. You would only have one-way audio if your firewall rule was matching as you have only included two ports.

Hence I was curious what you would find if you used the live view or logging to see if the rule was actually firing. You would certainly see that the rule is not working as you think it is.

However if you did poke a hole, exposing even only the SIP Signalling port of a single device to unsolicited traffic may be a big enough attack surface for some automated tool to find its way in some day. Your network your rules but I could never abide by that configuration and I’m surprised so many are willing to do so.

The NAT stuff sounds right to me.

If you read RFC3489 you will also notice that Full Cone is the least secure, because anytime an external host sends packets to a WANIP:PORT that is mapped to a LANIP:PORT it will forward the traffic, whereas Symmetric will only forward traffic resulting from internally initiated connections. It really is best to descope.

Ripshod
16: Advanced member

@Bigfluctuation do you have a working vodafone digital voice connection with a third party router? 

@Ripshod Yep, I have a Grandstream WP810 working with Vodafone digital voice running via an OPNsense router

Ripshod
16: Advanced member

OPNsense is a different beast to a standard router. Like comparing chicken wings to crispy duck.

Neither is superior though.

I do agree though. Messing with the firewall like that can be dangerous (I re-read). 

The whole situation is a huge mess but a very interesting one from a nerd's perspective. On the one hand we're dealing with NAT - a band-aid fix for a lack of IPv4 address space that was supposed to be a stop gap until everyone was using IPv6. Well here we are in 2024, 34 years since address exhaustion was predicted, and 5 years since RIPE allocated its last /22, and IPv6 is still far from a de facto standard. That's 34 years of exhaustive planning and implementation from netops for a shift in technologies that still hasn't taken hold. NAT breaks the end-to-end principle of the internet and everything we see in this thread stems from that fact. It doesn't help that NAT has essentially become a safety net, preventing people from accidentally exposing their devices to the wider internet.

On the other we're dealing with SIP, a protocol that was formalised in RFC2543 25 years ago, being scaled up to serve an entire nation. The fact that we are assigned a fixed proxy server hints at some really ugly compromises on the back end to ensure adequate load balancing and reliable functionality.

That we have to care about anything more than a server URL, username and password to use our own equipment is an abject failure in terms of end users. Especially considering that planning for 21CN started in 2004(!). Including a widget to transparently connect a PSTN phone to CPE is the icing on a very bitter tasting cake, robbing the majority of customers of the ability to choose their own hardware. The service provider's network ends at the modem - everything beyond that should be entirely at the end user's discretion.

In the intervening time, Apple, Skype and others have designed and iterated software that provides a network agnostic means to place audio and video calls on a *global* scale across billions of devices. Facetime even provides a layer to seamlessly connect people using their legacy phone numbers and it doesn't care if you're behind NAT.

Honestly it's like they just couldn't be bothered to do better. The current implementation is so half-baked it's more like a token gesture, they know the idea of having a landline is dying and this is just a stop gap until it goes away entirely. They didn't even mandate feature parity with the old PSTN network. No voice mail service, really?

@Bigfluctuation Meanwhile we see everyone (well perhaps not literally everyone) wanting WiFi-7, 2.5Gbps LAN ports on the router, VOIP on all the devices that they own as if they had a personal PABX, and the list goes on. For someone like me who remembers 300bps dial-up over an acoustic coupler I wonder if this dash for the fastest thing and not having the patience to wait for it to mature a bit is also part of the problem. Market forces and/or marketing drive make each supplier try to be the first to provide the new thing and often without the support behind it.

Ironically all my internal network is 2.5GbE, WiFi AP is 6AX not upgraded to a WiFi 7 AP (but that's just a matter of swapping the AP out, won't need to touch much in the router) and I only use WiFi for phones, everything else is hardwired. @Bigfluctuation Just to clarify, the rule I put in was a NAT forwarding rule and not a direct firewall rule, I apologise if there was confusion there.
I did try again today disabling the incoming NAT rule and could no longer receive calls. I think vodo sends all SIP messages to port 10000 as a fixed port their end? I re-enabled the NAT forward rule and could once more receive calls. I'm thinking that any incoming calls are knocking on port 10K and without the rule these packets are being denied as this port won't have been solicited by an outbound connection? As I said I'm no OPNsense guru, I can get by with it OK, I'd be loath to return to a consumer grade solution now though as it's such a powerful firewall and the plugin ecosystem (unbound, haproxy, nginx, load balancing, WAN failover) make it so customisable and for good or for ill you have total control, which is why I was determined to get it working.

I don't think it's much of a security compromise on just those 2 ports to only 1 specific IP, but it would be nice if I could find Vodafone's full IP block allocation and then limit traffic only from IPs within that block for a bit extra. Ideally I suppose dropping anything from any IP other than the proxy IP would be better again, but I expect they shuffle the IP, which it seems you can only resolve on their DNS anyway, so it would probably be a pain.
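The two points argued above (a WAN-interface rule keyed on the phone's LAN address cannot match because the packet still carries the router's public address when the rule is evaluated, and RFC 3489 full-cone NAT forwarding any host's packets to an existing mapping while symmetric NAT only forwards the mapped peer's) are easy to see in a small model. The following is an added example written for this thread, not code from the original posts or from OPNsense; it also adds the source-network restriction Madmanmavs mentions wanting. All addresses are constructed values from the RFC 5737 documentation ranges, the port numbers are arbitrary, and the NAT table is a deliberately minimal model rather than any router's real implementation.

```python
"""
Toy model of two things discussed in the thread:
(a) a WAN-side firewall rule written with the phone's LAN address as the
    destination never matches, because on the WAN interface the packet still
    has the router's public address before destination NAT rewrites it;
(b) RFC 3489 "full cone" vs "symmetric" NAT once a port mapping exists.
Constructed topology only; nothing here is a real provider address.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Hypothetical topology (RFC 5737 documentation ranges).
LAN_PHONE = ("192.168.1.50", 5060)   # ATA / VoIP device inside the LAN
WAN_IP = "203.0.113.10"              # router's public address
PROXY = ("198.51.100.20", 5060)      # the provider's SIP proxy
SCANNER = ("192.0.2.99", 4444)       # unrelated host probing the mapping


class Nat:
    """Minimal NAT table supporting the two RFC 3489 behaviours."""

    def __init__(self, wan_ip, mode):
        assert mode in ("full_cone", "symmetric")
        self.wan_ip, self.mode = wan_ip, mode
        self.next_port = 40000
        self.by_key = {}    # mapping key -> allocated WAN port
        self.by_port = {}   # allocated WAN port -> mapping key

    def _key(self, pkt):
        # Full cone keys on the internal endpoint only; symmetric also keys
        # on the remote endpoint, so every peer gets its own mapping.
        if self.mode == "full_cone":
            return (pkt.src_ip, pkt.src_port)
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def outbound(self, pkt):
        """Translate a LAN->WAN packet, creating the mapping if needed."""
        key = self._key(pkt)
        if key not in self.by_key:
            self.by_key[key] = self.next_port
            self.by_port[self.next_port] = key
            self.next_port += 1
        return Packet(self.wan_ip, self.by_key[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a WAN->LAN packet, or return None if it is dropped."""
        key = self.by_port.get(pkt.dst_port)
        if key is None or pkt.dst_ip != self.wan_ip:
            return None
        if self.mode == "symmetric" and key[2:] != (pkt.src_ip, pkt.src_port):
            return None   # only the peer the mapping was created for gets in
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])


def wan_rule_matches(pkt, dst_ip, dst_port, src_net=None):
    """A pass rule on the WAN interface, evaluated on the packet as it
    arrives, i.e. before destination NAT has rewritten dst_ip/dst_port.
    src_net optionally restricts the rule to one source network."""
    if src_net is not None and ip_address(pkt.src_ip) not in ip_network(src_net):
        return False
    return pkt.dst_ip == dst_ip and pkt.dst_port == dst_port


def run_scenario(mode):
    """Register once, then see what the NAT and the rules do with replies."""
    nat = Nat(WAN_IP, mode)
    out = nat.outbound(Packet(*LAN_PHONE, *PROXY))   # REGISTER creates mapping
    mapped_port = out.src_port
    reply = Packet(*PROXY, WAN_IP, mapped_port)      # proxy answers the mapping
    probe = Packet(*SCANNER, WAN_IP, mapped_port)    # unsolicited third party
    return {
        "reply_forwarded": nat.inbound(reply) is not None,
        "probe_forwarded": nat.inbound(probe) is not None,
        # Rule written with the phone's LAN address and port as destination.
        "lan_dst_rule_matches": wan_rule_matches(reply, LAN_PHONE[0], LAN_PHONE[1]),
        # Rule written with the WAN address and the mapped port as destination.
        "wan_dst_rule_matches": wan_rule_matches(reply, WAN_IP, mapped_port),
        # Same rule, additionally restricted to the proxy's (constructed) block.
        "probe_passes_restricted_rule": wan_rule_matches(
            probe, WAN_IP, mapped_port, src_net="198.51.100.0/24"),
    }


if __name__ == "__main__":
    for mode in ("full_cone", "symmetric"):
        print(mode, run_scenario(mode))
```

Running it shows the proxy's reply is forwarded in both modes, the unsolicited probe to the same mapped port is forwarded only under full cone, the LAN-destination WAN rule never matches in either mode, and the source-network restriction stops the probe even where the NAT would have let it through.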

yorkshire79
2: Seeker

Trying to setup my HT812 and have followed screenshot examples of others however I'm getting a "407 Proxy Authentication Error" or a "403 Forbidden" in the Grandstream SIP logs dependent on the SIP User ID and username combination I use.

I requested the details from Vodafone and was given the following:

username voi00*******
password **********
SIP proxy xbn.Z4.bbvoice.vodafone.co.uk
SIP registrar resvoip.vodafone.co.uk
SIP URI voi00********

The SIP URI and username are different by one character. Not sure if this is a typo however which one should go in the "SIP User Id" field and which one should go in the "Authenticate Id" field? Wondering if this will help with the errors I'm seeing. At the moment I'm still not registered.

Ripshod
16: Advanced member

Username and URI should be exactly the same, so use the longer one for both. 

yorkshire79
2: Seeker

I'm not sure I'm getting anywhere trying to register my HT812. I copied the configuration from another user with a HT812 posted earlier and have tried resetting to factory and upgrading the firmware.

I requested my SIP details again and they were identical. The SIP URI and username are identical lengths but different by one digit. I've tried all combinations of SIP URI and username in the SIP User ID and Authenticate ID but either get a 403 forbidden or 407 error.

In the SIP logs I just see either a registration request followed by a Trying response followed by either a 403 Forbidden or 407 depending on the combination of user details I provide.

Traffic between my router and HT812 seems OK. I've opened ports as described and wouldn't expect any SIP traffic hitting the HT812 if that was a problem. Not sure what to try next.
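The "SIP User ID" and "Authenticate ID" fields yorkshire79 asks about correspond to two different places in a SIP REGISTER exchange: the user ID becomes the user part of the From/To URI, while the authentication ID is the `username` parameter inside the Digest credentials that answer a 407 challenge (RFC 3261 section 22, using RFC 2617 MD5 digest). The following added example, written for this thread and not taken from Grandstream, Vodafone or any post above, models both sides of that exchange so the two identities and the 407/403 outcomes can be seen. The account name, password, realm and nonce are constructed placeholders, and the toy proxy's policy (no credentials gives 407, unknown username gives 403, wrong password gives 407 again) is an assumption for illustration; real servers choose their own responses.

```python
"""
Two-sided model of SIP REGISTER with Digest authentication (RFC 3261 s.22,
RFC 2617 MD5, no qop).  Shows where the SIP user ID and the authentication
ID each go.  All credentials and server parameters are constructed.
"""
import hashlib
import hmac
import re


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def parse_digest(header):
    """Turn 'Digest realm="x", nonce="y", ...' into a dict of quoted params."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def digest_response(auth_id, password, realm, nonce, method, uri):
    """RFC 2617 response without qop: MD5(HA1 ":" nonce ":" HA2)."""
    ha1 = md5_hex(f"{auth_id}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def client_register(sip_user_id, auth_id, password, domain, challenge=None):
    """Build a REGISTER; add Proxy-Authorization once a challenge is known."""
    uri = f"sip:{domain}"
    req = {
        "method": "REGISTER",
        "uri": uri,
        # The SIP user ID is the user part of the From/To URI.
        "From": f"<sip:{sip_user_id}@{domain}>",
    }
    if challenge is not None:
        c = parse_digest(challenge)
        resp = digest_response(auth_id, password, c["realm"], c["nonce"],
                               "REGISTER", uri)
        # The authentication ID is the Digest "username", a separate value.
        req["Proxy-Authorization"] = (
            f'Digest username="{auth_id}", realm="{c["realm"]}", '
            f'nonce="{c["nonce"]}", uri="{uri}", response="{resp}"'
        )
    return req


class ToyProxy:
    """Assumed policy for illustration: no credentials -> 407 challenge,
    unknown username -> 403, bad response -> 407 again.  Not any provider's."""

    def __init__(self, realm, accounts):
        self.realm = realm
        self.accounts = accounts        # auth_id -> password (constructed)
        self.nonce = "c0ffee1234"       # constructed; real servers randomise

    def challenge(self):
        return f'Digest realm="{self.realm}", nonce="{self.nonce}", algorithm=MD5'

    def handle(self, req):
        hdr = req.get("Proxy-Authorization")
        if hdr is None:
            return 407, self.challenge()
        c = parse_digest(hdr)
        password = self.accounts.get(c.get("username"))
        if password is None:
            return 403, "Forbidden"
        expected = digest_response(c["username"], password, self.realm,
                                   c.get("nonce", ""), req["method"], c.get("uri", ""))
        if c.get("nonce") != self.nonce or not hmac.compare_digest(
                c.get("response", ""), expected):
            return 407, self.challenge()
        return 200, "OK"


def register(sip_user_id, auth_id, password, proxy, domain="example.invalid"):
    """Full exchange: unauthenticated REGISTER, 407, authenticated retry."""
    status, body = proxy.handle(client_register(sip_user_id, auth_id, password, domain))
    if status != 407:
        return status
    status, _ = proxy.handle(client_register(sip_user_id, auth_id, password,
                                             domain, challenge=body))
    return status


def demo_proxy():
    """Proxy with one constructed account; 'voi00EXAMPLE' is a placeholder."""
    return ToyProxy("example.invalid", {"voi00EXAMPLE": "placeholder-password"})


if __name__ == "__main__":
    p = demo_proxy()
    print("matching IDs:", register("voi00EXAMPLE", "voi00EXAMPLE", "placeholder-password", p))
    print("wrong auth ID:", register("voi00EXAMPLE", "voi00OTHER", "placeholder-password", p))
    print("wrong password:", register("voi00EXAMPLE", "voi00EXAMPLE", "wrong", p))
```

The point to take from the model is that only the authentication ID and password feed the digest, so a wrong value in that field fails authentication regardless of what the SIP user ID in the From header says; which of a provider's two supplied identifiers belongs in which field is something only the provider's server can confirm.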