
Can I use my router’s DMZ to attach my IP-based phone to the internet?

Question:

It was a few months ago that I fell in love with Voice Over IP and IP phones.
My old but solid Polycom 301 phone does not have a “Keep NAT Alive” option like
regular ones do, and after some time it seems like my router’s NAT blocks ports.
Phone rings or calls but no voice either way, just air. Then I need to restart
the phone to punch another hole in the NAT for a while. I was wondering if
putting my Polycom 301 IP (I made it static so it does not change with each
restart) in the router’s DMZ can eliminate this problem and keep all the ports
open for it forever. I know that you may have security issues, but as much as it is
only about a phone and not my whole home network, I don’t care. They can hack
the phone and I can reconfigure it again. There’s no credit on my VOIP
account.

In this excerpt from Answercast #66, I look at the possibilities of using a router’s DMZ to allow
outbound VOIP calls through.


Setting up VOIP phone

Actually I think that’s a pretty interesting and innovative solution to the
problem.

To clarify for folks who are reading or listening to this, DMZ is an acronym
for “Demilitarized Zone.” Normally, a NAT router blocks any unrequested, or
unexpected, connection from outside. So if a server tries to connect to a
computer in your home, and there’s a NAT router in the way, it can’t get
through. The NAT router stops it cold from being able to get to any of the
machines on your side of the network.

That’s why I keep calling it such a great firewall because it prevents
random access from outside agents. If you actually establish a connection
from the computer to the server, then the connection can
occur, because it was started by someone on your side of the router.

Demilitarized Zone

The DMZ is essentially an exception to that rule. The router allows you to
specify the IP address of one computer on your local network as the DMZ.

Your local network might be 192.168.0.1 through 192.168.0.25. You may have 25
different computers and they all have these 192.168 addresses. You can then
manually assign an IP address. Maybe you’ll use 192.168.0.254 so it’s not
something that the other machines on your side of the network are ever
reasonably going to be given.

You can configure your device (in this case, the phone) to respond to
only that IP address. You’re basically giving it a static IP address
of .254.

“Stop blocking outside connections”

You then configure the router by saying, “You know what? All these
connection attempts that you’ve been blocking? The unrequested, unsolicited
connection attempts that you’ve been blocking… don’t. Instead, send them
over to this IP address: 192.168.0.254 – whatever device is there, it will
handle it, or it will know not to.”

In a case like this when you’ve got Voice over IP, it’s actually not that
uncommon for some protocols to want to initiate a call from outside of your
network. If someone using Voice over IP is somewhere else and tries to call
you, that, by definition, may be an outside server trying to initiate a contact
through your router: from the internet to the inside.

Rather than blocking it, we send it to the DMZ, or whatever’s configured for
the DMZ.
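
The NAT and DMZ behaviour described above, as an added example that is not part of the original article: a small model of a router's mapping table showing why the phone goes silent once its mapping expires, and what the DMZ setting changes. The `NatRouter` class, the 60-second idle timeout, the port-preserving mapping and the use of SIP port 5060 are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

UDP_IDLE_TIMEOUT = 60      # seconds; assumed value, real routers vary
PHONE = "192.168.0.254"    # static address from the article's example
SIP_PORT = 5060            # assumption: the phone speaks SIP on its standard port

@dataclass
class NatRouter:
    """Hypothetical model of a home NAT router with an optional DMZ host."""
    dmz_host: Optional[str] = None
    # public port -> (LAN ip, LAN port, time of last outbound packet)
    mappings: dict = field(default_factory=dict)

    def outbound(self, lan_ip, lan_port, now):
        """A LAN device sends a packet out: create or refresh its mapping."""
        self.mappings[lan_port] = (lan_ip, lan_port, now)  # port kept as-is
        return lan_port

    def inbound(self, public_port, now):
        """Packet arrives from the internet: return (ip, port) or None if dropped."""
        entry = self.mappings.get(public_port)
        if entry and now - entry[2] <= UDP_IDLE_TIMEOUT:
            return entry[0], entry[1]           # reply to a live connection
        self.mappings.pop(public_port, None)    # expired or never requested
        if self.dmz_host:
            return self.dmz_host, public_port   # DMZ: forward instead of drop
        return None

def demo():
    """Constructed scenario: the phone sends one packet at boot, then sits idle."""
    results = {}
    plain = NatRouter()
    plain.outbound(PHONE, SIP_PORT, now=0)
    results["fresh"] = plain.inbound(SIP_PORT, now=30)     # mapping still alive
    results["idle"] = plain.inbound(SIP_PORT, now=600)     # no keep-alive: dropped
    dmz = NatRouter(dmz_host=PHONE)
    dmz.outbound(PHONE, SIP_PORT, now=0)
    results["dmz_idle"] = dmz.inbound(SIP_PORT, now=600)   # still reaches the phone
    results["dmz_other_port"] = dmz.inbound(80, now=600)   # so does every other port
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} -> {outcome}")
```

The last case is the trade-off: with the DMZ set, unsolicited traffic to any port is delivered to the phone, so whatever services the phone listens on become reachable from the internet.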

Should work…

So, I think it’s a fairly innovative solution. I like it.

Like you said, the only real concern is that, you know, maybe someone could
hack your phone, but you can reconfigure it. It depends on how smart the phone
is, I suppose.

I actually don’t see many downsides. The only downside I can think of (and
it’s a pretty small one) is if you ever actually, later, needed the DMZ for
something else. In reality, as many years as I’ve been doing this, I’ve never
once used a DMZ. I actually have no reason to propose it as a solution for
anyone’s problem – other than in a case like this where you’ve got a specific
IP based device that wants to be able to receive outbound or incoming
connections from the outside.

So, I say, “Go for it!” I say it’s a pretty good solution. I don’t really
see a downside.


1 thought on “Can I use my router’s DMZ to attach my IP-based phone to the internet?”

  1. Thanks Leo! Thanks for the answer. In fact, since the day I sent my above question to you, I was deeply studying all this VOIP and NAT stuff and I learned looots of things!
    Now my Polycom phone works fine with great voice quality. It is connected to a 2Wire modem (AT&T provides them and they are somewhat basic). No computer in network. Just for this topic’s followers, 2Wire ADSL routers do Not have DMZ but they have DMZplus!!
    They work the same way, but 2Wire’s proprietary DMZplus, unlike regular DMZ, requires that the device has a DHCP IP!! It refuses to work with a static IP. I realized they innovated this easy way so people do not need to mess with their IP settings just to use DMZ. I think DMZplus knows that device by MAC address, so whenever its dynamic DHCP IP changes, DMZplus still knows who is who!!
    I learned one big concern about DMZ is we assign a static IP to that device “Out Of DHCP Range”. Then we make sure no other machine in the network with a DHCP IP is going to grab that static IP and cause an IP conflict. I made my DHCP range as wide as I need (192.168.1.2 to 192.168.1.99), then 192.168.1.1 for modem and 192.168.1.100 to .254 are left out of DHCP range for static IP adventures!
    I understood that DMZ is a security risk but anyway if I would not do it, I needed to do Port Forwarding and for VOIP that is a wide range of ports then I did not see lots of difference (all over 65000 ports of one for example third of it).

    Now I have another question:
    I have a very good password for the phone, but I want to know: can a hacker cause lots of bandwidth use on my connection through geeky stuff like a Brute Force attack or similar things? I pay per gigabyte so I have a bandwidth cost concern.

    PS. You were welcome to edit my not professionally written question into correct English! :)
