How does port triggering work?

 
 
mike
Guest
Posts: n/a

 
      02-27-2010, 10:28 PM
GlowingBlueMist wrote:
> << snip >>
>> The Westell 327W has one feature that I really like. It allows me to
>> forward a port to a hostname. I have one main computer plus a dozen or so
>> others for special purposes that are mostly off. Most of those have
>> swappable hard drives.
>> Forwarding to a hostname greatly simplifies talking to those machines,
>> independently of which wireless card or disk is currently installed.
>>
>> I tried to configure the firewall on the Westell.
>> The syntax/semantics of the rules were confusing enough, but there
>> are complex interactions between the rules that appear to be
>> largely undocumented. And there doesn't appear to be any way to
>> tell if the router blocked something without logging into the router
>> and examining logs.
>>
>> I gave up and turned it off. Comodo firewall on the computer lets me
>> make decisions on the fly and make them temporary or permanent. I
>> just have to have faith it's doing what I expect.
>>
>> Thanks for the inputs. Looks like the effort to make it better is
>> gonna be much greater than the benefit.
>>
>> mikr

>
> One last thought is to assign your second router a fixed IP on its WAN side
> above the DHCP settings of your Westell and then tell the Westell to put the
> second router's IP address into the DMZ as if it was a computer server.


I think I did that once, but I didn't like the fact that the unsecured
subnet was the same as my (formerly) secure subnet. I messed around with
subnet masks. I could make the other subnet invisible, but IIRC, I could
still access the other subnet.
Using a different IP address range seems to have fixed that issue.
But I don't think the router will let me DMZ to a different IP
address range???
I'll have to try it again.
Thanks, mike

> Let the second router do its NAT, DHCP and whatnot. With luck its port
> handling and firewall is more friendly to devices attached to it. Having it
> as a DMZ device should eliminate the Westell as the port handling boss of the
> devices attached to the second router. Not sure if this would hurt your
> hostname use of the Westell as you have it configured.
>
> Oh well, another day and other problem... Good luck.
>
>

 
 
 
 
 
Char Jackson
Guest
Posts: n/a

 
      02-28-2010, 03:25 AM
On Sat, 27 Feb 2010 14:28:24 -0800, mike <(E-Mail Removed)> wrote:

>GlowingBlueMist wrote:
>> One last thought is to assign your second router a fixed IP on its WAN side
>> above the DHCP settings of your Westell and then tell the Westell to put the
>> second router's IP address into the DMZ as if it was a computer server.

>
>I think I did that once, but I didn't like the fact that the unsecured
>subnet was the same as my (formerly) secure subnet.


What GlowingBlueMist is suggesting won't have any effect on your
subnets. You can, and certainly should, continue to use different
subnets on the two sides of the second router.

>I messed around with subnet masks. I could make the other subnet
>invisible, but IIRC, I could still access the other subnet.
>Using a different IP address range seems to have fixed that issue.
>But I don't think the router will let me DMZ to a different IP
>address range???


The Westell router, (if it has the DMZ capability at all, I didn't
check), will allow you to set any valid LAN IP as the DMZ IP. You
can't specify an invalid IP as the DMZ IP because, well, it would be
invalid! I doubt that the Westell GUI will allow you to set an invalid
DMZ IP, but if they do, it will be the same as setting no DMZ IP at
all.

 
 
Char Jackson
Guest
Posts: n/a

 
      02-28-2010, 03:50 AM
On Sat, 27 Feb 2010 07:24:25 -0600, "GlowingBlueMist"
<(E-Mail Removed)> wrote:

>I'm sure others will tell you if I'm wrong (and I admit to being long
>winded) but here is my take on your problem.


Since you dared...

>Since your DSL ISP actively tries to sell VOIP service, I don't expect them
>to admit a problem exists with their router or assist you in fixing this
>problem. I would not put it past some ISPs to actually cripple the
>software in the routers just to cause users to give up on a freeware or 3rd
>party VOIP application, especially after trying to fight your way through
>their first 3 levels of tech support hell.


That sounds plausible, unfortunately.

>For most personal routers, the 4 or so physical ports, and wireless if it
>exists, are nothing more than a (dumb) bridge wired directly to the built in
>one port router or DSL modem/router. Inbound data from the router is copied
>to all 4 ports via the bridge. Only the PC that is looking for the inbound
>data in question is expected to respond. Your CQPhone application is
>listening to port 24960 for inbound calls. When the program hears the
>inbound "call" it then goes through the necessary procedures to verify the
>inbound call. Then the program starts to use 46960-25962 according to the
>call requirements.


Actually, the 4-port NAT routers that I'm familiar with contain a
single 5-port switch. Using VLAN tags internally, the WAN port is on
one VLAN while the 4 LAN ports are on a different VLAN. Since there is
indeed a switch involved, I can't think of a scenario where a data
packet arriving on the WAN interface would be copied to all 4 LAN
ports. Instead, if the router's routing table has no entry in its
routing table matching that packet's tuple, it will simply discard the
packet. And if it does have a matching entry in the routing table, it
will forward the packet to the single node listed in the table.

>One thing that can confuse things is if you have the CQPhone program
>actually running on more than one computer at a time with this type of
>router. The programs all hear the inbound call and all try to answer. The
>problem is only the first that makes it through the router stakes its
>claim on the needed outbound ports, which the router's firewall then later
>refuses to properly release.


If it's running on multiple computers on the LAN, only one (or none)
of the computers will see the incoming call, depending on how the port
forwarding is set up. I can't think of a scenario where more than one
computer would see the incoming call, assuming a switched network
rather than a hub, but these days hubs are rare.

>After switching the Westell to bridging mode (turning off the built in
>firewall among other things) or replacing it with another DSL modem/router
>that has the more user friendly firewall will you be able to accept or make
>individual outbound calls on more than one computer without the reboot
>issue. As for which router models have firewalls that actually release
>ports after use is anyone's guess. I'd go on the CQPhone forums and ask
>other users which exact model router (and software release) they are using
>that is allowing consecutive calls be made on individual PCs attached to
>the router. Note I said consecutive and not simultaneous. Without an
>actual industrial style router with true individual Ethernet ports (and
>increased complexity of configuration) you only have one set of ports for
>use at a time regardless of the IP address on the PC handling the call. It
>would be up to the application program to determine the ports were already
>in use and to switch to alternate ports, which CQPhone appears not to be
>set up to do.


I believe your references to "industrial" versus non-industrial are
really references to NAT routers versus non-NAT. It's a moot point,
however, since it's quite unlikely that the OP is able to turn off NAT
and acquire a routed IP for each computer. If he could, though, his
CQPhone problems would be completely solved, including the ability to
make multiple simultaneous calls.
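
The inbound handling described in the reply above (a packet goes to the single node with a matching entry, otherwise it is discarded) and the DMZ suggestion from earlier in the thread, modelled as an added example that is not part of any post. The `NatRouter` class, the UDP protocol choice, and all addresses are assumptions constructed for illustration; only port 24960 comes from the thread.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class NatRouter:
    # Static port forwards: (proto, wan_port) -> LAN host
    forwards: dict = field(default_factory=dict)
    # Tracked flows: (proto, wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
    conntrack: dict = field(default_factory=dict)
    dmz_host: Optional[str] = None  # catch-all host for unmatched inbound traffic

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port):
        """Record a LAN-initiated flow and return the WAN-side source port."""
        wan_port = lan_port  # simplification: keep the port unless another host holds it
        while any(k[:2] == (proto, wan_port) and v[0] != lan_ip
                  for k, v in self.conntrack.items()):
            wan_port += 1
        self.conntrack[(proto, wan_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return wan_port

    def inbound(self, proto, wan_port, remote_ip, remote_port):
        """Decide what happens to a packet arriving on the WAN interface."""
        flow = self.conntrack.get((proto, wan_port, remote_ip, remote_port))
        if flow:
            return ("reply", flow[0])       # answer to a flow one LAN host opened
        if (proto, wan_port) in self.forwards:
            return ("forward", self.forwards[(proto, wan_port)])  # exactly one host
        if self.dmz_host:
            return ("dmz", self.dmz_host)   # everything unmatched lands here
        return ("drop", None)               # no entry: discarded, never flooded

def demo():
    caller = ("203.0.113.5", 40000)         # constructed remote peer
    r = NatRouter(forwards={("udp", 24960): "192.168.1.10"})
    out = [r.inbound("udp", 24960, *caller),      # call reaches PC .10 only
           r.inbound("udp", 24961, *caller)]      # unsolicited: dropped
    r.outbound("udp", "192.168.1.11", 24961, *caller)
    out.append(r.inbound("udp", 24961, *caller))  # now a reply for PC .11
    r.dmz_host = "192.168.1.250"                  # second router as DMZ host
    out.append(r.inbound("udp", 5000, "203.0.113.9", 1234))
    return out

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Once a DMZ host is set, the final `drop` branch is never reached, so whatever sits at that address needs its own firewall.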

 