Firewall Requirements

Prof. Google and posts here tell me that Republic requires UDP ports 6000:29999 to be open for a WiFi connection. Is it possible to tell the software to use a more reasonable (and less dangerous) chunk of ports, perhaps the slightly less outrageous Skype ports at 50000:60000?

One cannot change anything about how the internal VoIP-based software works; it is proprietary.

More information under "Required Ports & Protocol used for VoIP" on this page: Router Tweaks - Keep WiFi 1st - a Community Guide

Hi @johnb.jlf4rs,

As indicated in the topic that @speedingcheetah linked, we do not require that those ports be “open,” only that they do not block outbound traffic. Our servers do not send anything unsolicited. The phone initiates and the servers respond, and the phone will maintain the session.

The language of my question was imprecise: of course none of the required ports need be "open" to incoming traffic. But the whole notion of the whitelist is to not allow anything in OR out that is not required for proper functioning of the system.

Republic says it needs ports 6000:29999 outgoing. If the firewall allows that, it creates a huge opportunity for mischief if something nasty gets into my machine.

The entire Internet makes do with two ports, 80 and 443 (and sometimes 8080); why does Republic need 11,999 (or 7,999, if we count 8080) times as many?

I would think that the ports are only used and opened when needed, via UPnP. They open on demand as needed during a call. (That being said, it still works even with UPnP disabled.)
SIP signaling ports (typically UDP ports 5060 and 5061 with some providers) are what is used to set up the call. Blocking these ports does result in no WiFi calling at all on that network.
The other ports handle the raw call data, I gather.

I have not had to "open" any ports in my router, or set port forwarding of any kind.
WiFi calling works on most any network you will find, so having those ports available is an industry-standard thing, it appears.
If you have an enterprise or special locked-down network that restricts the use of many things that are normal consumer standards, like P2P, POP, or other sites/services, then you may need to allow those ports and the VoIP service for that specific device, based on an IP whitelist (set the phone to a static IP) or the MAC address of that device.

Very wrong... there is a huge list of ports used by protocols here: the two you mention are only for the HTTP and HTTPS protocols, which are only a portion of the Internet, specifically the World Wide Web portion.

I don't see an issue here. If malware got onto your computer, it would not come from an open outgoing port only. It would come from an incoming port, most likely via some user interaction, like clicking a .exe or bad link (which would be from something from port 80/443, a website, etc.). Also, this is a smartphone; malware is rare for smartphones, unless you are one to just install any and all random free apps. Second, as linked to, there are many thousands of other ports to be used that are industry-standard reserved and ready for use. Malware could just fake itself as one of the many popular game servers, and presto, most routers would open up for it.

You can set up a whitelist so that only trusted devices, based on MAC address, have open access while preserving your desire to block those ports/services in and out for all other devices. (I have a Ubiquiti EdgeRouter 4, and the firewall rule setup can get quite complex, as it is all CLI and enterprise-based config. Your typical consumer would have no idea how to manage such hardware.)

Hi @johnb.jlf4rs

@SpeedingCheetah has done a good job of explaining, and his suggestion of allowing only trusted devices to reach any IP and maintain the session is the suggestion we have given to other network administrators, and is how we configure our guest network at our corporate office.
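The approach described in the two posts above (let one trusted phone open SIP and RTP sessions outbound, rely on connection tracking for the replies, and refuse those ports to every other LAN host) as an added example, written for a Linux router running nftables. This is not SpeedingCheetah's EdgeRouter configuration and not anything Republic publishes; the phone address 192.168.1.50, MAC aa:bb:cc:dd:ee:ff, LAN bridge br0 and WAN interface eth0 are hypothetical, the port list is the one the thread quotes (5060-5061 for SIP signaling, 6000-29999 for media), and matching on the MAC assumes the phone's packets reach the router with an Ethernet header.

```shell
#!/bin/sh
# Added example (not from the original thread): nftables ruleset for a Linux
# router that lets one trusted phone open SIP (5060-5061) and RTP (6000-29999)
# UDP flows outbound while every other LAN host is refused those ports.
# Hypothetical values: phone 192.168.1.50 / aa:bb:cc:dd:ee:ff, LAN br0, WAN eth0.

# Print the ruleset. Args: phone IP, phone MAC, LAN interface, WAN interface.
voip_ruleset() {
  phone_ip=$1 phone_mac=$2 lan_if=$3 wan_if=$4
  cat <<EOF
table inet voip_guard {
  set voip_udp_ports {
    type inet_service
    flags interval
    elements = { 5060-5061, 6000-29999 }
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
    # Replies to sessions a LAN host already opened. The provider's servers
    # never send unsolicited traffic, so nothing else is needed inbound.
    ct state established,related accept
    # The trusted phone may open SIP/RTP flows to any address.
    iifname "$lan_if" oifname "$wan_if" ip saddr $phone_ip ether saddr $phone_mac udp dport @voip_udp_ports ct state new accept
    # Every other LAN host is refused new flows to those ports.
    iifname "$lan_if" oifname "$wan_if" udp dport @voip_udp_ports ct state new drop
  }
}
EOF
}

# Sanity check a ruleset: no accept rule may reference the VoIP port set
# without a source-address restriction. Returns 0 if clean, 1 if a loose
# rule (one that would open those ports for every host) is present.
lint_ruleset() {
  ! printf '%s\n' "$1" | grep 'udp dport @voip_udp_ports' | grep 'accept' | grep -qv 'ip saddr'
}

# Usage: sh voip_guard.sh [--apply]
# Without --apply the ruleset is printed and, if nft is installed, only
# syntax-checked (nft -c); with --apply it is loaded (needs root).
if [ "${0##*/}" = "voip_guard.sh" ]; then
  rules=$(voip_ruleset 192.168.1.50 aa:bb:cc:dd:ee:ff br0 eth0)
  lint_ruleset "$rules" || { echo "loose VoIP accept rule found" >&2; exit 1; }
  if [ "$1" = "--apply" ]; then
    printf '%s\n' "$rules" | nft -f -
  else
    printf '%s\n' "$rules"
    if command -v nft >/dev/null 2>&1; then
      printf '%s\n' "$rules" | nft -c -f -
    fi
  fi
fi
```

The forward chain keeps a default policy of accept so the rest of the LAN is unaffected; only new UDP flows to the SIP/RTP ranges are gated on the phone's address. Tightening the MAC match is optional (drop `ether saddr` if the phone sits behind another hop), and on EdgeOS the same three rules would be expressed as a firewall ruleset applied to the LAN interface's `in` direction rather than as nft syntax.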
