H323 aware NAT routers


Kevin
09-09-2004, 10:07 AM
Hi

I thought it would be useful for people if we started to compile a list of home routers that are H323 aware, and so allow H323 calls to be made from the private side of home networks with endpoints (such as NetMeeting) that do not have special NAT settings.

I have a Speedtouch 510v4 ADSL modem router at home that works well. Apparently QoS has also been added to the latest firmware, but I have not had a chance to try it. The downsides to this router are that it has a soft power switch, so it does not come back on after a power cut, and that to get to its powerful features such as its firewall and QoS you have to use its command line interface, which is rather cumbersome, rather than its web interface.

Anyone else know of H323 aware home modems and routers?

Kevin
09-14-2004, 11:14 AM
I played with another couple of home routers with varying degrees of success:

Solwise SAR715 - with some effort I managed to get this to work fully: you can call in and out, only needing to forward port 1720 to the unit.

Linksys BEFSR41 v3 - it seems that with no configuration you can make calls out, but even when forwarding port 1720 to the codec behind it, one is unable to receive incoming calls. Maybe with some more tweaking I'll get this to work.

Is there anyone else out there who has been using Video codecs from behind NAT, on home routers, without forwarding lots of ports or using a DMZ?

tom9933
09-14-2004, 04:10 PM
Kevin,
I've set up several Linksys routers to work with Polycom endpoints, and typically I've just set the endpoint in NAT mode with fixed ports. After doing that you forward the appropriate media ports (from the Polycom firewall screen) and port 1720 to the IP of the endpoint, and all should be well. I haven't had much luck with using the codec and the DMZ option, but port forwarding works almost every time. BTW I've also seen pretty impressive results from the UPnP feature in the 7.0 VSX release. Basically, with a compatible router the codec can dynamically open up the ports as needed.
Hope this helps,

SeanC
10-04-2004, 01:32 PM
I have a Linksys BEFSR41 ver2 and would like to set it up for videoconferencing, but I am unsure as to how to set it up. Can either of you supply me some tips on how to do this? Currently I am bypassing the router to connect.

Thanks,
Sean

tom9933
10-04-2004, 04:27 PM
Basically you need to set the endpoint up to work with a firewall; this varies by vendor, but normally there is a setup page for this. In that page you should have the option to fix the media stream ports. Then in the router you just forward the media stream ports and port 1720 to the internal IP address of the codec. You can forward additional ports for telnet and web access, but those are only needed for remote management purposes. For receiving calls you just need port 1720 and the media ports. BTW it generally makes sense to hard code the IP address of the codec.

pbraatelien
10-05-2004, 03:03 PM
To all:
I am using a Buffalo Wireless router in my home network and have a Polycom VS sitting on it. No problems with in/out calls. I also tried a Tandberg 880 and a VCON unit and they both worked fine.
Paul

Kevin
10-05-2004, 07:22 PM
Hi Paul

What model Buffalo?

Thanks!
Kevin

Joe Vallender
11-05-2004, 04:02 PM
I have a Linksys BEFSR41 providing network access through my Comcast cable modem. One of my PCs has a Polycom ViaVideo which I use for testing. This PC also has VNC for remote access, which I use to access my home PC from the office and launch video test calls from the internet. I've attached a snapshot of my Linksys configuration for the port forwarding.

Joe

Gary Miyakawa
11-05-2004, 04:10 PM
Hey Joe,


What version of software on the Linksys ????


Gary Miyakawa

Joe Vallender
11-05-2004, 04:46 PM
My Linksys router firmware version is 1.42.7 April 2 2002.

Joe

Gary Miyakawa
11-05-2004, 05:14 PM
Good, don't upgrade it or it will stop working (making calls at least)...


Gary Miyakawa

Kevin
11-06-2004, 07:00 AM
Hi Guys

Gary - which versions work and which don't? Also, does it have anything to do with the version of the router's hardware? The one I have been struggling to get working is a BEFSR41 version 3.

Joe - if newer firmware versions don't work you have a tough choice to make....

These routers (and many other Linksys devices) have a serious security flaw that allows people outside your network to snoop all traffic on your network (NASTY!!). See this link:

http://www.theinquirer.net/?article=16298

As of the latest Linksys firmware this is apparently now fixed, though I cannot tell you how this will affect H323 performance.

Let us know how you get on!
Kevin

Sean Lessman
11-06-2004, 08:03 AM
Then in the router you just forward the media stream ports and port 1720 to the internal IP address of the codec. You can forward additional ports for telnet and web access but those are only needed for remote management purposes. For receiving calls you just need port 1720 and the media ports. BTW it generally makes sense to hard code the IP address of the codec.

Tom,

You also need to forward the H.245 ports as well. This means you should forward:

Q.931 (TCP)
H.245 (TCP)
Video (UDP)
Audio (UDP)
FECC (UDP) *optional
RAS (UDP) * optional if using a GK

Also keep in mind that some vendors have different source ports than destination ports for a function. For example, TANDBERG initiates Q.931 on 5555 but listens on 1720 for incoming Q.931.

Sean

trapehzoid
11-08-2004, 11:22 PM
These routers (and many other Linksys devices) have a serious security flaw that allows people outside your network to snoop all traffic on your network (NASTY!!). See this link:

ehh.. no. That exploit only works on how it returns BOOTP packets from its DHCP server, which only listens on the internal interface, not external or 'outside' your network. Plus, all it does is dump out memory; not a very elegant or easily exploitable problem, as it would require a lot of brute force and someone piecing all the data together and making something of it.

Given most of these devices are SOHO, having to worry as much about someone exploiting this is so tiny. Besides, that means they've already compromised your host computer, which is where all the goodies are anyways.

Gary Miyakawa
11-09-2004, 07:45 AM
I see the new firmware of 1.5xx out there on the Linksys website... The only problem is, if you upgrade and it doesn't work... There is no way to go back to the previous version... :(

Who wants to be a tester for this ?

Gary Miyakawa

lkeyes
02-08-2005, 10:49 AM
I've had good luck with the D-Link DI-604 running firmware 3.20 (July 2003).
Right now, I just put the unit into the DMZ. I'm running both the PVX software + Logitech Omni camera, and the D-Link DVC-1000 I2Eye. I've tested the router also with opening the ports, and that seems to work OK as well. It supposedly comes configured for the DVC-1000 out of the box.

For wireless, the DI-624 router works, with the DVC-1100 I2Eye. One issue is that I had to cut back the router transmit rate to 11 Mbps to allow the DVC-1000 to connect to the router.

pworldz
02-13-2005, 11:56 AM
I am using Smoothwall Express 2.0 and have no problems with point-to-point video conferencing. I only port forward 1720. This makes me believe it is H.323 aware.
However, I am trying to introduce a Radvision Gatekeeper (ECS) into the equation and am having no luck.
If my endpoint has an external address, I seem to have no problem registering to the gatekeeper and making calls.
However, if my endpoint is behind a Smoothwall and I open up UDP 1719 and TCP 1720, I get registration, but a call cannot be completed.
I even tried using NAT awareness on the endpoint (Sony PCS1 and Polycom EX). I also tried opening up all ports 1024-65535 to see if that worked, without success.
What am I missing?
Thanks

MrElvey
02-25-2005, 08:13 PM
A Cisco Bug Report (http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCeg11026) shows that Cisco routers can't do NAT with videoconferencing right!
I found that every time I tried to call another system, the Cisco would crash and reboot itself. This was with a Cisco 1721, with a Tandberg 880MXP, but the same thing happens with NetMeeting. I called Cisco, and it's a known bug! This is a thousand dollar router!
:disappoin :( :hurt:

MrElvey
03-03-2005, 12:15 AM
Another bug was opened for this issue: CSCsa67298 (http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsa67298)
You'll need a Cisco login to see it, but anyone can get a basic Cisco login. I dunno why, but they consider there to be two issues.

Kevin
12-15-2005, 07:20 PM
Just bought a D-Link DI-524 router for my sister - it seems to be H.323 aware. It is running firmware version 1.21 (interestingly, only version 1.20 is available on the D-Link website).

I guess that as D-Link have some H.323 devices they are putting some effort into getting their routers H.323 aware.

Kevin

trapehzoid
12-15-2005, 10:29 PM
yeah.. awareness you can't disable :(

most of these devices would be better off just letting the endpoint do the NAT stuff.. they ALL seem to screw it up. They don't understand H323 for the life of them

Kevin
12-16-2005, 09:19 AM
yeah.. awareness you can't disable :(

most of these devices would be better off just letting the endpoint do the NAT stuff.. they ALL seem to screw it up. They don't understand H323 for the life of them

Yeah - good point! When I purchased this router I was assuming I'd need to use NAT; I only noticed the 323 abilities because NAT was not working! You really should be able to turn off the 323 awareness.

However, with the testing I did this router did seem to work far better than any home router I have used, but I didn't get a chance to test out features with gatekeepers or H.239, for example.

Unfortunately it seems impossible to get much information about home routers' capabilities before you buy them, so you just have to try them out and see what happens; there tends to be no mention of H.323 on the manufacturers' websites at all.


Kevin

Shawn Jones
12-16-2005, 02:20 PM
I have a Linksys WRT54G V1.1 with firmware version v3.03.6 - HyperWRT 2.1b1 variation. I have a Polycom ViewStation 512k configured with the NAT settings, and my ports forwarded to its static IP. Currently, I am forwarding ports (all set to TCP & UDP): 1719-1720, 2048-2049, 5555-5572. I also have a DNS host name for the router set up in the DynDNS configuration so that it updates the DNS every time the DHCP address of my cable modem changes. Very nice to just dial using my DNS address.

chum
01-23-2006, 05:37 PM
Tom suggested I post this. I have spent about a year (I know, slow learner) now trying to configure a Linksys BEFW11S4 router to work with a Polycom EX ViewStation. I was able to dial out, but people were not able to dial me.
Here are the configurations that I finally was able to get to work:
Linksys:
1. Update the firmware
2. Set a static IP for the Polycom (I have static for my entire network)
3. In Advanced Routing enable NAT and disable Dynamic Routing
4. In Applications and Gaming choose DMZ and set it to the static IP of the Polycom (if you do not wish to use DMZ I THINK that you can use UPnP). See bottom for the copied article from Polycom Support.
5. Go to Security and look at the bottom under Filter MAC Address.
6. Set your internet to NOT block anonymous requests. (Though frightening thing here, I was not able to even be pinged unless this was switched.)
7. Write down your external IP
8. Go to your Polycom and head to the admin settings.
9. Go to LAN H.323 and choose H.323 and set Static IP (input IP and all other network info)
10. Go to Firewall/LAN and set fixed TCP ports 3230 to 3231 and UDP ports 3230-3235
11. Choose behind NAT and then enter the external IP. (DO NOT choose auto detect)
That's it.
Hope this helps somebody else struggling.

Polycom Support Port Information

H.323 uses a single fixed TCP port (1720) to start a call using the H.225 protocol (defined by H.323 spec) for call control. Once that protocol is complete, it then uses a dynamic TCP port for the H.245 protocol (also defined by the H.323 spec) for caps and channel control. Finally, it opens up 2 dynamic UDP ports for each type of media that was negotiated for the call (audio, video, far-end camera control). This first port carries the RTP protocol data (defined by the H.225 spec) and the second one carries the RTCP data (defined by the H.225 spec).

So, a typical H.323 ViewStation call would use 2 TCP fixed ports (3230-3231) and 6 UDP fixed ports (3230-3235).

As per TCP/IP standards, ports are divided into 3 sections: 0-1023 (privileged ports), 1024-49151 (registered ports) and 49152-65535 (dynamic ports). H.323 specifies that the dynamic ports in the dynamic range are open. Polycom has added a feature to its product line that allows fixed ports to be used (instead of dynamic ports) so that it can more easily traverse a firewall. Only the system behind the firewall needs to turn on this feature, since the firewall will prevent the audio/video/FECC from the outside from coming in unless this is enabled.

In addition, the user must "punch holes" in the firewall using the previously mentioned exact port numbers and exact protocol types for outgoing calls. To receive incoming calls, the user must also punch a hole using the 1720 TCP port.
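Sean's list of what has to be forwarded (Q.931, H.245, audio, video, optional FECC and RAS) and the Polycom note above on fixed ports describe the same thing from two sides. The Python below is an added example, not Polycom, forum or vendor code: it models the inbound forwarding set for an endpoint in fixed-port mode, renders it as netfilter rules for a Linux router, and reports which call stages are still blocked when only some ports are opened (the "registration works but the call cannot be completed" symptom seen with only 1719/1720 open). The default port numbers are the ViewStation values quoted in the thread (TCP 3230-3231, UDP 3230-3235); the interface name `eth0` and endpoint address `192.168.1.50` are constructed. The Tandberg case of a different outbound source port (5555) is modelled as something that needs no inbound rule, because the router's stateful NAT tracks connections the endpoint opens itself.

```python
"""Model of the inbound forwards an H.323 endpoint in fixed-port mode needs.

Added example, not Polycom or forum code. Port numbers default to the ViewStation
fixed-port values quoted in the thread (TCP 3230-3231, UDP 3230-3235); the WAN
interface name and endpoint address passed in below are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class FixedPortPlan:
    q931_port: int = 1720                     # H.225/Q.931 call setup: always listens on TCP 1720
    h245_tcp_first: int = 3230                # first of two fixed TCP ports used for H.245
    media_udp_first: int = 3230               # first fixed UDP port; each medium gets RTP + RTCP
    media: Tuple[str, ...] = ("audio", "video", "fecc")
    ras_port: Optional[int] = None            # UDP 1719, only if registered with a gatekeeper
    outbound_q931_src: Optional[int] = None   # e.g. TANDBERG sends Q.931 from 5555


def inbound_forwards(plan: FixedPortPlan):
    """Return sorted (proto, port, role) triples the router must forward inbound."""
    rules = [("tcp", plan.q931_port, "q931")]
    for i in range(2):                        # H.245 would be dynamic; fixed mode pins two ports
        rules.append(("tcp", plan.h245_tcp_first + i, "h245"))
    port = plan.media_udp_first
    for medium in plan.media:                 # RTP on the even port, RTCP on the next one
        rules.append(("udp", port, f"{medium}-rtp"))
        rules.append(("udp", port + 1, f"{medium}-rtcp"))
        port += 2
    if plan.ras_port is not None:
        rules.append(("udp", plan.ras_port, "ras"))
    # outbound_q931_src is deliberately not forwarded: stateful NAT tracks connections
    # the endpoint opens itself; only unsolicited inbound traffic needs a rule.
    return sorted(rules)


def missing_for_call(plan: FixedPortPlan, opened):
    """Roles that cannot reach the endpoint given the (proto, port) pairs actually
    opened on the router. Opening only 1719/1720 yields registration and call
    setup but no H.245 or media, i.e. the call never completes."""
    opened = {(p.lower(), int(n)) for p, n in opened}
    return [role for proto, port, role in inbound_forwards(plan)
            if (proto, port) not in opened]


def iptables_rules(plan: FixedPortPlan, wan_if: str, endpoint_ip: str):
    """Render Linux netfilter rules for a router box: a DNAT plus a matching FORWARD accept."""
    lines = []
    for proto, port, role in inbound_forwards(plan):
        lines.append(f"iptables -t nat -A PREROUTING -i {wan_if} -p {proto} --dport {port} "
                     f"-j DNAT --to-destination {endpoint_ip}:{port}   # {role}")
        lines.append(f"iptables -A FORWARD -i {wan_if} -p {proto} -d {endpoint_ip} "
                     f"--dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    return lines


if __name__ == "__main__":
    plan = FixedPortPlan(ras_port=1719, outbound_q931_src=5555)   # constructed setup
    print("\n".join(iptables_rules(plan, "eth0", "192.168.1.50")))
    print("blocked with only 1719/1720 open:",
          missing_for_call(plan, [("udp", 1719), ("tcp", 1720)]))
```

The generated rule set is the minimum a fixed-port endpoint needs, which is the alternative to the "open 1024-65535" or DMZ approaches mentioned earlier in the thread; both of those expose every service on the codec (telnet, web) to the internet, whereas the rules above only admit the call-related ports.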

teetdogs
02-24-2006, 03:49 PM
The only way I could see video working perfectly would be to use the fixed port configuration and leave all the NAT stuff alone. NAT doesn't work very well for inbound calls; you need something that is really H.323 aware like a Polycom V2IU, however they don't come cheap.

Good Luck

glennder
03-04-2006, 10:17 AM
Chum, that is a great post. It has a lot of great information in it. The problem is that firewall manufacturers are still trying to catch up to allow video conferencing through their systems. There are a few companies that do it very well. Obviously the V2IU works great, but Cisco PIX version 6.3.3 and up with the Fixup protocol works really well too. Juniper Netscreen with newer IOS works well as well. The ones that do not work are Check Point, Microsoft ISA, SonicWall, WatchGuard and some others. Most of the problem is that the ones that do not work well use IP Stack version 2 and most VTC systems use IP Stack version 4.

As for home firewall/routers, there are a bunch that work. The problem is that I have never had 2 firewall/routers that I have configured the same! If I have 2 of the same routers at 2 different homes they always seem to configure differently!!! It makes troubleshooting and configuring them a nightmare sometimes.

It is a trial by fire system with a lot of home firewall/routers. Once you get the basics opened up, like 1720 TCP bidirectional and the mid-range TCP/UDP ports 3230-3253 (or others depending on the product), it is click and try after that. Try a call and if it does not work click something else like UPnP. Or use fixed ports, or "system is behind a NAT". It is frustrating sometimes to support the VTC products because even though each manufacturer has their port lists posted everywhere, end users call into support of the VTC to troubleshoot their firewall when for the most part their firewall just does not support H.323 traffic! It still in a strange way makes it fun at the same time!

shorne
03-05-2006, 05:55 AM
It might be of interest to the community here that UPnP NAT support has been added to the open source OpenH323 project. This allows the NATed H.323 client to negotiate the opening/closing of ports as required with the router. I submitted the code to the project and have fully tested it on the Linksys BEFSR41 here in my office and it works fine.

The NATed H.323 client, if it detects itself on a LAN and the gatekeeper is not, will broadcast on the network to detect a UPnP enabled router and request the opening and port forwarding of TCP 1720 and obtain the external IP address of the router. It will also open 2 consecutive UDP port forwards ready for receiving RTP and RTCP. The endpoint will masquerade all signalling addresses as being on the outside of the router, so to the gatekeeper it is on the public internet.

When a call is received it will open 2 more UDP ports ready for the next call. At the end of the call the UDP ports are closed, and on closing the application all port forwards are closed.

Native NAT traversal is also possible when using the open source gatekeeper GNUGK, as it has the ability to detect NATed EPs and provide assistance to traverse the NAT. It does this by being a receptor for a keep-alive TCP socket originating from the EP behind the NAT (to open a pinhole through the NAT) and proxying all signalling and media. When a call is received by the gatekeeper the signalling is sent down the keep-alive socket (through the pinhole) to the NATed EP. The NATed EP will then open 2 UDP sockets to the gatekeeper (again opening pinholes in the NAT) for media traversal.

Both methods have been tested and there are softphones around that support both.
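The UPnP procedure in the post above is an SSDP discovery followed by WANIPConnection AddPortMapping and DeletePortMapping calls, with a specific order of opening and closing. The Python below is an added example and not OpenH323's code: it builds the M-SEARCH message and the SOAP bodies exactly as the IGD specification names them, parses a constructed SSDP reply to find the router's description URL, and keeps a ledger of mappings that follows the lifecycle the post describes (TCP 1720 plus one RTP/RTCP pair at start, a fresh pair when a call arrives, the pair released at call end, everything removed at shutdown). It runs offline; the router address `192.168.1.1`, the description URL, the endpoint address `192.168.1.50` and the UDP base port 5000 are all constructed, and the actual multicast send and HTTP POST to the control URL are left out.

```python
"""Offline model of the UPnP IGD exchange a NATed H.323 endpoint performs.

Added example, not OpenH323 code. Builds the SSDP discovery request and the
WANIPConnection AddPortMapping/DeletePortMapping bodies, parses a constructed
SSDP reply, and tracks the mapping lifecycle described in the post. Router
address, description URL, endpoint address and UDP port base are constructed."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SSDP_HOST, SSDP_PORT = "239.255.255.250", 1900
WAN_IP_CONN = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Constructed SSDP reply, shaped like what an IGD unicasts back to an M-SEARCH.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                b"LOCATION: http://192.168.1.1:2869/igd.xml\r\n"
                b"ST: " + WAN_IP_CONN.encode() + b"\r\n"
                b"USN: uuid:00000000-0000-0000-0000-000000000000::" + WAN_IP_CONN.encode()
                + b"\r\n\r\n")


def msearch_message(target=WAN_IP_CONN, mx=2):
    """SSDP M-SEARCH the endpoint multicasts to find a router offering WANIPConnection."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_HOST}:{SSDP_PORT}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {target}\r\n\r\n').encode()


def parse_ssdp_response(raw):
    """Header dict from a unicast SSDP reply; LOCATION is the device description URL."""
    headers = {}
    for line in raw.decode(errors="replace").split("\r\n")[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().upper()] = value.strip()
    return headers


def soap_body(action, args):
    """Envelope for a WANIPConnection action; args is an ordered list of (name, value)."""
    fields = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in args)
    return ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{action} xmlns:u="{WAN_IP_CONN}">{fields}</u:{action}></s:Body></s:Envelope>')


def add_port_mapping(ext_port, proto, int_client, desc, lease=0):
    """AddPortMapping with external == internal port; lease 0 means until deleted."""
    return soap_body("AddPortMapping", [
        ("NewRemoteHost", ""), ("NewExternalPort", ext_port), ("NewProtocol", proto),
        ("NewInternalPort", ext_port), ("NewInternalClient", int_client),
        ("NewEnabled", 1), ("NewPortMappingDescription", desc), ("NewLeaseDuration", lease)])


def delete_port_mapping(ext_port, proto):
    return soap_body("DeletePortMapping", [
        ("NewRemoteHost", ""), ("NewExternalPort", ext_port), ("NewProtocol", proto)])


def mapping_field(body, name):
    """Read one argument back out of a SOAP body (used to check what was sent)."""
    element = ET.fromstring(body).find(f".//{name}")
    return None if element is None else element.text


class EndpointMappings:
    """Mapping ledger following the post: TCP 1720 plus one UDP RTP/RTCP pair at start,
    a fresh pair reserved when a call arrives, that pair freed when the call ends,
    and everything removed at shutdown. `requests` records each SOAP body issued."""

    def __init__(self, internal_ip, first_udp=5000):
        self.internal_ip, self.next_udp = internal_ip, first_udp
        self.active, self.requests, self.ready = set(), [], None

    def _open(self, proto, port, desc):
        self.active.add((proto, port))
        self.requests.append(add_port_mapping(port, proto, self.internal_ip, desc))

    def _close(self, proto, port):
        self.active.discard((proto, port))
        self.requests.append(delete_port_mapping(port, proto))

    def _reserve_udp_pair(self):
        rtp, self.next_udp = self.next_udp, self.next_udp + 2
        self._open("UDP", rtp, "h323 rtp")
        self._open("UDP", rtp + 1, "h323 rtcp")
        return (rtp, rtp + 1)

    def start(self):
        self._open("TCP", 1720, "h323 q931")
        self.ready = self._reserve_udp_pair()

    def call_received(self):
        in_use, self.ready = self.ready, self._reserve_udp_pair()   # keep a pair ready
        return in_use

    def call_ended(self, pair):
        for port in pair:
            self._close("UDP", port)

    def shutdown(self):
        for proto, port in sorted(self.active):
            self._close(proto, port)
```

A point worth keeping in mind when choosing between this and the gatekeeper-assisted method: an IGD accepts AddPortMapping from any host on the LAN with no authentication, so a router with UPnP enabled will open whatever a LAN device asks for, and the ledger kept by the endpoint is the only record of what it opened. Checking the router's mapping table after the application exits is a cheap way to confirm the DeletePortMapping calls actually took effect.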

outlooker
04-04-2006, 05:13 PM
I am using Kerio WinRoute on a dual PIII 1.4G / 2G RAM as a firewall, with an ECS 3.2.2.2 on it.

WinRoute has a RAS and H.225 filter; it works great with Lucent's MVWC (elemedia H.323 stack). It also has a SIP filter, which works smoothly with Yahoo Messenger.

outlooker
06-11-2006, 06:50 PM
Just set up a SonicWall Tele3 with firmware 6.6.0.6; it seems to support both H.323 and SIP.
----------------------------------------------------
2006-9-14

If there is a gatekeeper in the local subnet, a firewall with a DMZ function is recommended; if there are just terminals or gateways, the DMZ port is not necessary.