 From:  JP Vossen <jp at jpsdomain dot org>
 To:  m0n0wall at lists dot m0n0 dot ch
 Cc:  Don Munyak <don dot munyak at gmail dot com>, walterpc at mchsi dot com
 Subject:  Re: [m0n0wall] VOIP setup
 Date:  Wed, 16 Aug 2006 23:52:55 -0400
On 8/16/06, Walter PC <walterpc at mchsi dot com> asked some stuff about VoIP, 
and Don Munyak wrote:
> IMHO...VOIP sucks, at least with Vonage on a Comcast broadband
> connection. Then again maybe it was all the kids in my neighborhood. I
> could never get a good connection. Too many symptoms to list. I tried
> different cable modems, firewall appliances and even tweaked the
> settings from the Vonage account manager. Then again maybe it's just
> me. So I dropped them. No regrets :)

For whatever it's worth, my Vonage over Comcast in SE PA has worked 
fine, except when I was running P2P crap.  When I had the Vonage adapter 
*outside* the M0n0wall, it was fine, since it could do its own traffic 
shaping.  However, that was unacceptable because every time they update 
the box they nuke the config, which then deletes my incoming rules and 
cuts off my network so I can't get in from the outside.  Not cool.

When I moved the adapter inside onto its own "OPT" interface all by 
itself, I had the issue with P2P.  I was not able to get the M0n0wall 
traffic shaper to help--it actually made it a lot worse.  I probably 
didn't have the bandwidth settings right and I never spent much time on 
it.  It bugs me that you have to know and set the pipe size.  What 
happens when they raise the speed without telling you (as they've done 
several times over the years)?  Have you locked yourself into the slower 
speed?  I don't know, and never got around to figuring it out.

If you can live with the drop-dead stock Vonage adapter config, and the 
double-NAT you'll get, leave it outside and it should be fine.  Like so:
LAN <--> [NAT;M0n0wall] <--> [NAT;Vonage] <--> [Broadband] -<--> 'Net

> Either way you will need to allow inbound certain ports.

Only if you put it inside the fw.

> Your VOIP account should have these listed at the Support/KB
> web page.

That's a nice theory <g>.  In practice I found the stuff on the Vonage 
site to be utterly useless (though I'm otherwise reasonably happy). 
These work for me AFAICT:
		Since it's alone, anything it wants, but logged.
	Incoming (all logged):
		10000 - 20000/UDP --> Vonage adapter
		69/UDP --> Vonage adapter
		65535/UDP --> Vonage adapter

Not sure about that 65535 one.  I found it by looking at my logs, 
taking all the *outgoing* addresses and looking for incoming stuff from 
them that was blocked.  There were a few of those, so I figured what the 

I'm also not happy about that giant range of ports, but I guess they do 
that to make it harder for Comcast or Verizon to mess with them.  I 
dunno, <insert conspiracy theory here>.

> Back to your question. In a google search box type: voip site|m0n0.ch
> This will post back all the information pertaining to voip but
> restricted to the monowall site.

Typo, I believe, try "voip site:m0n0.ch" (note : instead of |).

JP Vossen, CISSP            |:::======|        jp{at}jpsdomain{dot}org
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
Microsoft has single-handedly nullified Moore's Law.
Innate design flaws of Windows make a personal firewall, anti-virus
and anti-malware software mandatory. The resulting software arms race
has effectively flattened Moore's Law on hardware running Windows.
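The log-mining approach JP describes above (take every address the adapter sent traffic to, then look for blocked inbound packets from those same addresses) is a reasonable way to derive a least-privilege inbound rule set for a device on an isolated OPT interface. The script below is an added example, not code from the post or from m0n0wall: it works on a constructed, deliberately simplified log format (one line per packet, `action direction proto src:port -> dst:port`), which is not the real m0n0wall log syntax, and it assumes a made-up adapter address of 192.168.2.10 behind a WAN address of 203.0.113.7. Inbound traffic from addresses the adapter never contacted is ignored, since that is scanning or noise rather than a missing rule, and a `min_hits` threshold lets you separate ports a service really needs from the one-off late packets of an already-closed session, which is exactly the doubt JP raises about the 65535/UDP entry.

```python
import re
from collections import Counter

# Constructed sample firewall log in a made-up, simplified format (not a real
# m0n0wall capture). Each line: action direction proto src:port -> dst:port.
# 192.168.2.10 is the VoIP adapter on its own OPT interface, 203.0.113.7 is the
# firewall's WAN address, 192.0.2.x are provider servers the adapter talked to,
# and 198.51.100.200 is an unrelated address that was never contacted.
SAMPLE_LOG = """\
pass out udp 192.168.2.10:5061 -> 192.0.2.30:5061
pass out udp 192.168.2.10:10512 -> 192.0.2.45:12000
pass out udp 192.168.2.10:10512 -> 192.0.2.45:12000
block in udp 192.0.2.45:12000 -> 203.0.113.7:10512
block in udp 192.0.2.45:12000 -> 203.0.113.7:10512
block in udp 192.0.2.30:69 -> 203.0.113.7:69
block in udp 192.0.2.30:1024 -> 203.0.113.7:65535
block in tcp 198.51.100.200:4444 -> 203.0.113.7:22
this line is not a log entry
"""

LOG_RE = re.compile(
    r"^(?P<action>pass|block) (?P<direction>in|out) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"] = int(e["sport"])
            e["dport"] = int(e["dport"])
            entries.append(e)
    return entries


def contacted_peers(entries, adapter_ip):
    """Addresses the adapter sent traffic to (destinations of passed outbound packets)."""
    return {
        e["dst"] for e in entries
        if e["action"] == "pass" and e["direction"] == "out" and e["src"] == adapter_ip
    }


def blocked_from_peers(entries, peers):
    """Count blocked inbound packets that came from a contacted peer, keyed by
    (proto, destination port). Inbound packets from addresses the adapter never
    talked to are ignored: they are scanning or noise, not a missing rule."""
    hits = Counter()
    for e in entries:
        if e["action"] == "block" and e["direction"] == "in" and e["src"] in peers:
            hits[(e["proto"], e["dport"])] += 1
    return hits


def suggest_rules(hits, min_hits=1):
    """Return (proto, port, hits) tuples seen at least min_hits times, most frequent
    first. A single hit may just be a late packet of a session that already closed,
    so raising min_hits separates ports the service needs from stragglers."""
    return sorted(
        [(proto, port, n) for (proto, port), n in hits.items() if n >= min_hits],
        key=lambda t: (-t[2], t[0], t[1]),
    )


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    peers = contacted_peers(entries, "192.168.2.10")
    for proto, port, n in suggest_rules(blocked_from_peers(entries, peers)):
        print(f"{port}/{proto.upper()} --> adapter  ({n} blocked inbound packet(s))")
```

On the constructed log this reports 10512/UDP with two hits and 69/UDP and 65535/UDP with one hit each, while the blocked SSH attempt from the never-contacted 198.51.100.200 is left out; with `min_hits=2` only 10512/UDP survives, which is the kind of evidence you would want before opening a port permanently rather than guessing.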