SUGGESTIONS Hardware-based firewalls... Is a home or small business router with built-in firewall acceptable?

Pjbrown

New Member
Joined
Jan 24, 2014
Messages
9
Reaction score
1
Is a home or small business router with built-in firewall considered a hardware-based firewall that is acceptable for protecting PBX in a Flash (PIAF) from the internet?

I know that the recommendation is to place your PIAF behind a hardware based firewall, and don't open any incoming ports to the PIAF.

But I'm confused whether or not the firewalls built into many of the consumer and small business routers are considered acceptable. For example, there are many wifi access points with built-in routers and firewalls that sell for about $200 USD or less.

Is the recommendation that the firewalls built into most of the consumer-oriented WiFi routers are NOT SUFFICIENT? For example, the Apple Airport Extreme, or one of the home-oriented D-Link, Netgear, Asus or DD-WRT based solutions? Are these even included in what you mean when you recommend a hardware-based firewall?

Or is the recommendation that these aren't acceptable, and we really need to buy a higher-end business class router with security (@ $300 - $500+ USD), or add a separate, dedicated security appliance such as some of the lower-end offerings ($200-$400USD) from companies such as Fortigate, sonicwall, and other brands?

Some examples of lower-cost dedicated security appliances I quickly found at Newegg include:
NETGEAR FVS318 ProSafe VPN Firewall Switch ($235 USD)
ZyXEL ZyWALL USG50 Internet Security Firewall with Dual-WAN ($150 USD),
Fortinet FortiGate 20C Consolidated Security Appliance ($259 USD),
SonicWALL TZ 105 Network Security Appliance ($235 USD),
Cisco ASA5505-K8 Security Appliance with SW, 10 Users, 8 ports ($380 USD)

I'm confused on the topic, and don't want to spend money unnecessarily, but I will spend it in a heartbeat if that is the recommendation.

Thanks!

Sincerely,
-Philip

P.S. - I'm aware of QOS and VLANs as separate issues that can impact voice quality and performance... but that isn't my question. This post is strictly focused on securing the PBX from dangers of the big-bad internet. :)
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,198
Reaction score
5,218
Residential routers/firewalls should be fine as long as they are configured correctly and don't pass through data ports to your PIAF server, e.g. you wouldn't want to configure the router with the PIAF server in the DMZ.
 

atsak

Guru
Joined
Sep 7, 2009
Messages
2,384
Reaction score
438
The home routers are just fine, in fact better suited for small installs than the base models from the majors. I have had excellent results with DD-WRT based routers, or ones flashed with the DD-WRT firmware. The ASUS line is excellent. The Apple stuff doesn't play nice with SIP sometimes. The D-links and Netgears (recent ones) usually do. The Sonicwall TZ 105 isn't great with SIP BTW, unless they've fixed it in the last year or two. Their higher end models work fine - see the posts by hbonath for configuration.
 

Pjbrown

New Member
Joined
Jan 24, 2014
Messages
9
Reaction score
1
Thanks for the prompt replies.

I think I'll use whatever router my ISP gives me (I'm upgrading to dedicated Ethernet over Copper -- EoC) and configure their firewall appropriately, then put a managed switch directly behind it, use the switch to configure QOS and possibly a VLAN to prioritize my voip traffic through the switch, and dedicate one of the ethernet ports on the switch to my apple extreme WiFi access point in bridged-mode.

I'm not a networking guru, but I believe that should give me an acceptable solution both security-wise and QOS wise. Any thoughts or recommendations?

BTW, I plan to use PIAF and a SIP trunking service.
 
Joined
Nov 14, 2008
Messages
1,398
Reaction score
320
Find an older PC and you'd be able to use something like pfSense... One thing at a time, though. Get your PBX up and running with a basic router first.
 

Hyksos

Guru
Joined
May 28, 2011
Messages
474
Reaction score
70
[...]put a managed switch directly behind it, use the switch to configure QOS and possibly a VLAN to prioritize my voip traffic through the switch...
[...]I believe that should give me an acceptable solution both security-wise and QOS wise. Any thoughts or recommendations?...

There is a fundamental flaw here, but when researching networking and QoS you'll figure it out.
QoS up until the network edge with no QoS at the network edge can be an unfinished implementation, and one that missed the most critical bottleneck where shaping should take place.
Your LAN switch is ill placed to make sure you stay below [60:95]% of your maximum upstream/downstream WAN throughput to minimize audio quality problems.
Your switch could be QoSing away neatly while your router is packing your WAN pipe to 100% of its maximum throughput with both voice and data traffic, risking packet drops and latency issues that might affect voice quality.

To name only one example.
 

magna.vis

Guru
Joined
May 22, 2013
Messages
85
Reaction score
32
I'm always cautious of vendor provided hardware, and one interesting thing about some of the new EoC options are "hosted" firewalls. I know AT&T is providing it to small and mid-size businesses these days. I, personally, wouldn't trust that at all. If you forgo the offered "hosted" firewall, it's just like regular circuits (T1, T3, etc), where the ISP installs some Cisco router that manages the multiplexing (if you have other services broken off) and signal conversion, but not security or QoS. You'll get that device either way, just know that it's not running the actual security for your network.

The other answers here are great, but I just wanted to chime in with a word of caution to make sure you know what you're getting. The ISP is going to want to sell you all the things; they will try and convince you that because enterprise businesses have been using service x, y, and z, that are now available for you, you ought to use service x, y, and z as well.
 
Joined
May 23, 2013
Messages
223
Reaction score
28
The plus side of a hosted firewall is that it keeps the traffic off your last-mile circuit and doesn't waste your bandwidth. I love Megapath's managed security for that reason; it keeps all the hacking away from me and doesn't waste the bandwidth that I am paying for.
 

Pjbrown

New Member
Joined
Jan 24, 2014
Messages
9
Reaction score
1
Thank you everyone for the advice thus far. I didn't even know that for good voice (and low packet loss) that you should keep your traffic below 60% of your upstream & 90% of your downstream speeds.
That tip alone will be a great help, and makes sense regarding the configuration I had in mind.

I had (rather naively) thought that I could use the managed switch to do all traffic shaping if I connected nothing to the router other than the switch itself.
(See crude diagram below)

VOIP DATA WiFi_AP
v v v
v v v
Managed_Switch ---> Router ---> Wan

It sounds like that won't work... so I've got more to learn. I'm an IT guy, but I'm far from a networking guru.

I'm getting 20 Mbit down / 2 Mbit up EoC from Telnes. They are a smaller provider, but they come highly recommended, and apparently have excellent, US-based support.

I'll have to see what router they provide for my location, and whether or not I'll be able to program it myself, or if they'll lock it down. (Again... showing my naivete).

Also, I don't know what other services they might offer, but I'm not inclined to sign up for many if they try to upsell.
I'll use my ISP for the pipes only, and choose a VOIP provider who uses a data center located in or near my location in Arlington, VA (near DC and Reston, VA).

I'll post more about my setup as I learn more. More advice is welcomed any time.

Sincerely,

-Phil

P.S. Question for Ward (or any of the gurus)... is it OK to use this same thread for updates of my config and suggestions, or is it more appropriate to start a new thread?
 

Hyksos

Guru
Joined
May 28, 2011
Messages
474
Reaction score
70
should keep your traffic below 60% of your upstream & 90% of your downstream speeds.
I had (rather naively) thought that I could use the managed switch to do all traffic shaping if I connected nothing to the router other than switch itself.

The interval I suggested was to reflect the fact that different people on different connection speeds and qualities will opt to protect a different amount of bandwidth for voice.
It's not 60 up 90 down.

I'm also not saying it's impossible to do it all from the switch... Everything is possible depending on the switch, setup and config. It's less straightforward for sure.
Ill placed, for sure, but you could achieve a workable config.
 

rossiv

Guru
Joined
Oct 26, 2008
Messages
2,624
Reaction score
139
I personally wouldn't use an ISP-provided router simply because I've always found them rather junky. But that's just me and my experience (cough Time Warner cough).

It would be preferable to open a new thread for each issue (unless they are all related issues) for future people's benefit. You are free to post an umbrella thread that's like "Configuration Suggestions for New PBX Install" with details inside, but I wouldn't put configuration and phone suggestions, and hardware suggestions, and provider suggestions etc. all in one thread.
 

Mango

www.toao.net
Joined
Aug 10, 2013
Messages
46
Reaction score
13
Is a home or small business router with built-in firewall considered a hardware-based firewall that is acceptable for protecting PBX in a Flash (PIAF) from the internet?

Maybe.

The answer to your question depends on how the manufacturer of the router has implemented NAT. If you configure your PBX to register to a service provider in order to receive calls, the router may route incoming traffic from any source to your PBX. This is known as full cone NAT, and is effectively a port forward.

On the other hand, the router may route incoming traffic only from your service provider to your PBX, and drop other traffic from unknown sources. This is known as restricted cone NAT and is more secure.

Like Atsak, I like Asus routers. For many years I used a $25 WL-520gU with Tomato firmware. Now I use an RT-N16.

You may use the utility at http://www.dslreports.com/forum/remark,22292023 to test the type of NAT that your router uses.
 
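The full cone vs. restricted cone distinction above, as a constructed Python model added here (it is not the router's code or anything from the post). The addresses, the 40000 starting port and the third, port-restricted variant are assumptions; the model shows why a full cone mapping opened by the PBX's own REGISTER behaves like a port forward from the whole internet.

```python
# Constructed model of the NAT behaviours in the post above (not vendor code).
from dataclasses import dataclass, field

FULL_CONE = "full-cone"                  # any source may use the mapping
RESTRICTED_CONE = "restricted-cone"      # only addresses the PBX already sent to
PORT_RESTRICTED = "port-restricted-cone" # stricter variant, beyond the post

@dataclass
class Nat:
    nat_type: str
    public_ip: str = "198.51.100.7"      # constructed router WAN address
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # ext port -> (inside, peers)

    def outbound(self, src, dst):
        """Internal src sends to dst: create or reuse its mapping, return WAN addr."""
        for ext_port, (inside, peers) in self.table.items():
            if inside == src:
                peers.add(dst)
                return self.public_ip, ext_port
        self.table[self.next_port] = (src, {dst})
        self.next_port += 1
        return self.public_ip, self.next_port - 1

    def inbound(self, src, ext_port):
        """External src sends to ext_port: internal target, or None if dropped."""
        if ext_port not in self.table:
            return None
        inside, peers = self.table[ext_port]
        if self.nat_type == FULL_CONE:
            allowed = True                       # the open door: any host at all
        elif self.nat_type == RESTRICTED_CONE:
            allowed = any(src[0] == p[0] for p in peers)
        else:
            allowed = src in peers
        return inside if allowed else None

PBX = ("192.168.1.10", 5060)          # constructed LAN address of the PIAF box
PROVIDER = ("203.0.113.5", 5060)      # SIP trunk provider's registrar
STRANGER = ("192.0.2.99", 5060)       # some unrelated internet host

def who_reaches_pbx(nat_type):
    nat = Nat(nat_type)
    _, ext_port = nat.outbound(PBX, PROVIDER)   # the REGISTER opens the mapping
    return {
        "provider": nat.inbound(PROVIDER, ext_port) == PBX,
        "stranger": nat.inbound(STRANGER, ext_port) == PBX,
        "provider_other_port": nat.inbound((PROVIDER[0], 5080), ext_port) == PBX,
    }
```

With a full cone mapping the stranger's packets are forwarded just like the provider's; with a restricted cone only the provider's address gets through, which is the behaviour the NAT test linked above checks for.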

atsak

Guru
Joined
Sep 7, 2009
Messages
2,384
Reaction score
438
I want to add something I came across - The DD-WRT firmware sometimes runs into problems with one way audio as well - I couldn't figure out why; seems to happen when there are more than one SIP device behind them, though not always. I have never had a problem with a single ATA, but have had problems sometimes with multiple devices or multiple extensions on a single device. I changed them to a Tomato based firmware, and the issues went away. Probably was a way to figure out what was wrong with DD-WRT, but when something else works just as well, why not. So now I'm sort of suggesting people suggest doing a Tomato flash if you're comfortable doing so, since it seems to work when other things don't. The RT-N16 can be flashed with Tomato, as can many others.
 

Hyksos

Guru
Joined
May 28, 2011
Messages
474
Reaction score
70
Like when multiple endpoints compete for the same network flow? Static source port NAT can cause stuff like that in theory.
But you say sometimes, so if it's intermittent it's weirder a bit.
 

Mango

www.toao.net
Joined
Aug 10, 2013
Messages
46
Reaction score
13
That guy knows his stuff; unfortunately he hasn't been around the forums in a while. :(
 
Joined
Jul 28, 2011
Messages
162
Reaction score
48
PJBrown, as others have mentioned, your QoS plan isn't going to work. Additionally, you may run into another problem - buffer bloat (http://en.wikipedia.org/wiki/Bufferbloat).

How can you tell if you have buffer bloat? Easy - Start an upload of a video to YouTube. Browse the web. Do web pages start taking forever to load? If yes, then you likely have buffer bloat.

In your router, you need to be able to do two things:
1. Throttle your outbound traffic so that you can make absolutely sure your router is doing the queueing instead of anything upstream.
2. Provide prioritization of your data in the queue.

pfSense does both of these things and is fairly easy to set up. It even has a wizard to set up traffic shaping for you. Keep in mind that in order for traffic shaping to work, you absolutely MUST tell the wizard a bandwidth value that is a little below your ACTUAL bandwidth (measure it).

That said, I've been fighting what I think is a bug in pfSense where it gets confused about the NAT states used by Asterisk registrations to the VoIP provider.
 
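A constructed simulation, added here and not from this post or pfSense, of the two requirements just listed and of Hyksos's earlier point that shaping has to happen at the WAN bottleneck. The 2 Mbit/s upstream is the one from this thread; the 64 KB modem buffer, 1500-byte bulk packets and 200-byte voice packets every 20 ms are assumptions, as is the token-bucket shaper.

```python
"""Constructed model: throttle upstream below the real link rate so the router
(not the modem) queues, and prioritise voice in that queue. Units: bytes and
milliseconds; the link is the thread's 2 Mbit/s upstream."""
from collections import deque

LINK_RATE = 250        # real upstream drain rate: 2 Mbit/s = 250 bytes/ms
MODEM_BUF = 64_000     # constructed: an oversized modem FIFO (bufferbloat)
BULK_PKT, VOICE_PKT, VOICE_PERIOD = 1500, 200, 20   # bulk upload vs RTP-like voice
UNSHAPED = 10**9       # "rate limit" large enough to mean no shaping at all

def simulate(shape_rate, prioritize, duration=1000):
    """Return (worst voice queueing delay in ms, voice packets tail-dropped).
    shape_rate: router upstream limit in bytes/ms (UNSHAPED = no limit)."""
    router, modem = deque(), deque()      # queues of (t_in, size, is_voice)
    modem_bytes = router_tok = modem_tok = 0
    worst, dropped = 0, 0
    for t in range(duration):
        router.append((t, BULK_PKT, False))           # bulk upload never stops
        if t % VOICE_PERIOD == 0:                     # voice goes to the front only if prioritised
            (router.appendleft if prioritize else router.append)((t, VOICE_PKT, True))
        # router -> modem: a token bucket enforces the shaper's rate
        router_tok = min(router_tok + shape_rate, max(BULK_PKT, shape_rate))
        while router and router[0][1] <= router_tok:
            pkt = router.popleft()
            router_tok -= pkt[1]
            if modem_bytes + pkt[1] > MODEM_BUF:      # modem buffer full: tail drop
                dropped += pkt[2]
                continue
            modem.append(pkt)
            modem_bytes += pkt[1]
        # modem -> wire: drains at the physical link rate, strictly FIFO, no QoS
        modem_tok = min(modem_tok + LINK_RATE, BULK_PKT)
        while modem and modem[0][1] <= modem_tok:
            t_in, size, is_voice = modem.popleft()
            modem_tok -= size
            modem_bytes -= size
            if is_voice:
                worst = max(worst, t - t_in)
    return worst, dropped

def compare():
    """Worst voice delay and drops for the three setups discussed in the thread."""
    return {
        "no shaping, no priority": simulate(UNSHAPED, False),
        "priority but no shaping (QoS not at the bottleneck)": simulate(UNSHAPED, True),
        "shaped to 90% (225 B/ms) with voice priority": simulate(225, True),
    }
```

Prioritising voice without shaping changes nothing, because the queue that matters is the modem's FIFO; only the shaped run keeps voice delay in the single-digit milliseconds.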

Pjbrown

New Member
Joined
Jan 24, 2014
Messages
9
Reaction score
1
Thank you, Mango, atsak, ward, rossiv and everyone else.

I've got a few routers that are decent and can run alternate distributions of firmware. One is an Asus router, and the other is a Buffalo router that I loaded with Gargoyle firmware. More importantly, the ISP provided a nice Samsung obigate router, which from what I can tell is high quality and high throughput. So I'm hoping that their tech support will give me access to the configuration if I ask them nicely. The router's certainly up to the task.

Mango, thanks for explaining about the different types of nat implementations, and providing a test link too.

This effort is taking on a larger scale than I first envisioned, but it sure is a fun journey!

-Philip
 
