One of our home users has cable Internet with SHAW and their modem is not compatible with VoIP. Even after port forwarding tinkering, they still complain constantly. They are also not tech-savvy, so debugging this issue has become a bit of a nightmare. The only thing that seems to work is putting the VoIP phone in the DMZ and I need to know how dangerous this is for us.
The phone GUI is visible on the public and open to potential hackers. We put a 30 character user and admin passcode on the phone to protect it but I am still a bit worried. If hackers were to breach the phone they could probably make calls in this account but that’s about it. No?
It’s not a Shaw or bandwidth issue.
The problem is the router. The firewall is causing all sorts of issues, and we can’t turn off SIP ALG unless we switch it to bridge mode (which the end user does not allow). The DMZ seems to do the trick but like you said it could come back to bite us in the …
Depending on the phone, you should be able to disable the management interface, or at least lock the phone’s management port down to a specific address.
If you are using a reasonably large and complex management password on the web interface, you should be able to get by with this relatively safely.
If the customer has a static IP address, you can limit the extension’s allowed IP address to the specific range that the DMZ is coming from. That way, your list of perpetrators can be narrowed considerably.
A consumer router definition of a DMZ, i.e. not a real DMZ?
It is visible because the ports that are not forwarded elsewhere are forwarded to the phone (i.e. a consumer router fake DMZ)?
If so, couldn’t you forward port 80 and 443 to an unused IP so that it is not forwarded by the “DMZ” to the phone?
(Hopefully that’s doable…)
Good luck and have a nice day!
Great idea. I’ll try that.