
On a NAT router any unrequested outside connection is blocked. Using the DMZ is a good workaround.

It's a few months ago that I fell in love with Voice Over IP and IP phones. My old but solid Polycom 301 phone does not have a "Keep NAT Alive" option like regular ones do and after some time it seems like my router's NAT blocks ports. Phone rings or calls but no voice either way, just air. Then I need to restart the phone to punch another hole in the NAT for a while. I was wondering if putting my Polycom 301 IP (I made it static then it does not change by each restart) in the router's DMZ can eliminate this problem and keep all the ports open for it forever. I know that you may have security issues but as much it is only about a phone and not my whole home network, I don't care. They can hack the phone and I can reconfigure it again. There's no credit on my VOIP account.

In this excerpt from Answercast #66, I look at the possibilities of using a router's DMZ to allow outbound VOIP calls through.

Setting up VOIP phone

Actually I think that's a pretty interesting and innovative solution to the problem.

To clarify for folks who are reading or listening to this, DMZ is an acronym for, "Demilitarized Zone." So, normally what happens on a NAT router is any unrequested, or unexpected, outside connection is blocked by the router. So if a server tries to connect to a computer in your home, and there's a NAT router in the way, it can't get through. The NAT router stops it cold from being able to get to any of the machines on your side of the network.

That's why I keep calling it such a great firewall because it prevents random access from outside agents. If you actually establish a connection from the computer to the server, then the connection can occur, because it was started by someone on your side of the router.

Demilitarized Zone

The DMZ is essentially an exception to that rule: the router allows you to specify the IP address of a computer on your local network.

Your local network might be 192.168.0.1 through 25. You may have 25 different computers and they all have these 192.168 addresses. You can then assign, manually, an IP address. Maybe you'll do 192.168.0.254, so it's not an address that any of the other machines on your side of the network will ever, reasonably, reach.

You can configure your device (in this case, the phone) to respond to only that IP address. You're basically giving it a static IP address of .254.

"Stop blocking outside connections"

In the router... you then configure the router by saying, "You know what? All these connections, these connection attempts that you've been blocking? The unrequested, unsolicited connection attempts that you've been blocking... don't. Instead, send them over to this IP address: 192.168.0.254 - whatever device is there, it will handle it, or it will know not to."

In a case like this when you've got Voice over IP, it's actually not that uncommon for some protocols to want to initiate a call from outside of your network. If someone using Voice over IP is somewhere else and tries to call you, that, by definition, may be an outside server trying to initiate a contact through your router: from the internet to the inside.

Rather than blocking it, we send it to the DMZ, or whatever's configured for the DMZ.
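
As an added illustration (not part of the original article), this toy Python model walks through the router's inbound decision described above: a reply is let in while the mapping the phone created is still fresh, it is dropped once that mapping idles out, and with a DMZ host set every unsolicited packet, from any sender on any port, is handed to the phone. The class, addresses, ports and 60-second timeout are assumptions made up for the example.

```python
# Added illustration: a toy model of a NAT router's inbound decision.
# Addresses, ports and the 60-second idle timeout are constructed values.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class NatRouter:
    idle_timeout: float = 60.0          # assumed mapping lifetime in seconds
    dmz_host: Optional[str] = None      # LAN address of the DMZ device, if set
    # public port -> (lan_ip, lan_port, remote_ip, last_seen)
    mappings: dict = field(default_factory=dict)

    def outbound(self, lan_ip, lan_port, remote_ip, now):
        """A LAN device sends a packet out; the router records the mapping."""
        public_port = lan_port          # simplification: keep the same port
        self.mappings[public_port] = (lan_ip, lan_port, remote_ip, now)
        return public_port

    def inbound(self, remote_ip, public_port, now):
        """Return the LAN address that receives the packet, or None if dropped."""
        entry = self.mappings.get(public_port)
        if entry:
            lan_ip, lan_port, expected_remote, last_seen = entry
            if now - last_seen > self.idle_timeout:
                del self.mappings[public_port]      # the hole has closed
            elif remote_ip == expected_remote:
                self.mappings[public_port] = (lan_ip, lan_port, expected_remote, now)
                return (lan_ip, lan_port)
        if self.dmz_host:
            return (self.dmz_host, public_port)     # DMZ exception: forward it
        return None                                 # default: blocked


def demo():
    phone, provider, stranger = "192.168.0.254", "203.0.113.10", "198.51.100.7"
    results = {}
    for label, dmz in (("no_dmz", None), ("dmz", phone)):
        r = NatRouter(dmz_host=dmz)
        port = r.outbound(phone, 5060, provider, now=0)     # phone registers
        results[label] = {
            "reply_soon": r.inbound(provider, port, now=10),
            "call_after_idle": r.inbound(provider, port, now=500),
            "stranger_any_port": r.inbound(stranger, 8080, now=500),
        }
    return results
```

The `stranger_any_port` result is the trade-off: the same rule that lets the late call through also delivers traffic from unrelated senders to whatever services the phone is running.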

Should work...

So, I think it's a fairly innovative solution. I like it.

Like you said, the only real concern is that, you know, maybe someone could hack your phone, but you can reconfigure it. It depends on how smart the phone is, I suppose.

I actually don't see many downsides. The only downside I can think of (and it's a pretty small one) is if you ever actually, later, needed the DMZ for something else. In reality, as many years as I've been doing this, I've never once used a DMZ. I actually have no reason to propose it as a solution for anyone's problem - other than in a case like this where you've got a specific IP-based device that wants to be able to receive outbound or incoming connections from the outside.

So, I say, "Go for it!" I say it's a pretty good solution. I don't really see a downside.

Article C5984 - November 1, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

1 Comment
AlizzA
November 1, 2012 2:56 PM

Thanks Leo! Thanks for the answer. In fact, since the day I sent my above question to you, I was deeply studying about all this VOIP and NAT stuff and I learned looots of things!
Now my Polycom phone works fine with great voice quality. It is connected to a 2Wire modem (AT&T provides them and they are somewhat basic). No computer in network. Just for this topic's followers, 2Wire ADSL routers do not have DMZ but they have DMZplus!!
They work the same way, but 2Wire's proprietary DMZplus, unlike regular DMZ, requires that the device has a DHCP IP!! It refuses to work with a static IP. I realized they innovated this easy way then people do not need to mess up with their IP settings just to use DMZ. I think DMZplus knows that device by MAC address then whenever its dynamic DHCP IP changes, DMZplus still knows who is who!!
I learned one big concern about DMZ is we assign a static IP to that device "Out Of DHCP Range". Then we make sure no other machine in the network with a DHCP IP is going to grab that static IP and cause an IP conflict. I made my DHCP range as wide as I need (192.168.1.2 to 192.168.1.99) then 192.168.1.1 for modem and 192.168.1.100 to .254 are left out of DHCP range for static IP adventures!
I understood that DMZ is a security risk but anyway if I would not do it, I needed to do Port Forwarding and for VOIP that is a wide range of ports then I did not see lots of difference (all over 65000 ports of one for example third of it).

Now I have another question:
I have a very good password for the phone but I want to know can a hacker cause lots of bandwidth use on my connection through geeky stuff like a brute force attack or similar things? I pay per gigabyte then I have a bandwidth cost concern.

PS. You were welcome to edit my not professionally written question to a correct English! :)
