Completely lost... Port Forwarding to a VLAN on EdgeRouter X

To give you perspective how bad my VoIP box is: Even a LAN DNS server change can cause the device to fail, since you CANNOT change the box to Static IP or tweak its DHCP settings in its GUI, because it’s lost on reboot.

The VoIP box is remotely managed, and pulls a config to overwrite the config on the device itself each time it boots and reaches WAN. Local changes only commit if you talk to the ISP’s Mandarin-language tech support in China and they open up the config for local upload. So I cannot configure the box…

“Auto Firewall” checkbox or config option adds the “-j ACCEPT” rules. “Hairpin” option adds the SNAT rules.

That’s exactly the opposite of what a good idea would be.
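As an added example (not from anyone in this thread), here is what the alternative to the “Auto Firewall” and “Hairpin” options described above looks like in EdgeOS terms: both options left disabled, the forwarded port allowed by one WAN_IN rule scoped to that single host and port instead of a blanket ACCEPT, and the VoIP VLAN kept from initiating connections to the other LANs. The interface names (pppoe0, switch0), VLAN id, addresses, port, rule numbers and the WAN_IN ruleset name are assumptions; adjust them to your own config. The `vyatta-cfg-cmd-wrapper` path is the standard EdgeOS one.

```shell
#!/bin/sh
# Added example, not from the thread: emit the EdgeOS "set" commands for
# forwarding one port to a host on a tagged VLAN with auto-firewall and
# hairpin NAT off, replacing the blanket ACCEPT with one WAN_IN rule scoped
# to that host and port, and isolating the VoIP VLAN from the other LANs.
# Interface names, addresses, VLAN id, ports and rule numbers are assumptions.

WAN_IF="${WAN_IF:-pppoe0}"        # assumed PPPoE WAN interface
VLAN_ID="${VLAN_ID:-10}"          # assumed VoIP VLAN
LAN_IF="switch0.$VLAN_ID"         # VLAN sub-interface on the switch
HOST="${HOST:-192.168.10.20}"     # assumed VoIP box address on that VLAN
PORT="${PORT:-5060}"              # assumed SIP signalling port
PROTO="${PROTO:-udp}"

# Port forward plus an explicit accept limited to the forwarded host/port.
forward_commands() {
  cat <<EOF
set port-forward wan-interface $WAN_IF
set port-forward lan-interface $LAN_IF
set port-forward auto-firewall disable
set port-forward hairpin-nat disable
set port-forward rule 1 description 'forward $PROTO/$PORT to $HOST'
set port-forward rule 1 protocol $PROTO
set port-forward rule 1 original-port $PORT
set port-forward rule 1 forward-to address $HOST
set port-forward rule 1 forward-to port $PORT
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 description 'forwarded $PROTO/$PORT to $HOST only'
set firewall name WAN_IN rule 20 protocol $PROTO
set firewall name WAN_IN rule 20 destination address $HOST
set firewall name WAN_IN rule 20 destination port $PORT
EOF
}

# Keep the VoIP VLAN from initiating to any other private network while still
# allowing replies to flows the other LANs started (and Internet access).
isolate_commands() {
  cat <<EOF
set firewall group address-group RFC1918 address 10.0.0.0/8
set firewall group address-group RFC1918 address 172.16.0.0/12
set firewall group address-group RFC1918 address 192.168.0.0/16
set firewall name VOIP_IN default-action accept
set firewall name VOIP_IN rule 1 action accept
set firewall name VOIP_IN rule 1 state established enable
set firewall name VOIP_IN rule 1 state related enable
set firewall name VOIP_IN rule 10 action drop
set firewall name VOIP_IN rule 10 description 'no VoIP VLAN to other LANs'
set firewall name VOIP_IN rule 10 destination group address-group RFC1918
set interfaces switch switch0 vif $VLAN_ID firewall in name VOIP_IN
EOF
}

all_commands() { forward_commands; isolate_commands; }

# On the router (APPLY=1) feed the commands through the config wrapper so
# they commit as one transaction; anywhere else just print them for review.
WRAPPER=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper
if [ "${APPLY:-0}" = 1 ] && [ -x "$WRAPPER" ]; then
  $WRAPPER begin
  all_commands | while IFS= read -r cmd; do eval "$WRAPPER $cmd"; done
  $WRAPPER commit && $WRAPPER save
  $WRAPPER end
else
  all_commands
fi
```

Run it without arguments to review the commands, or `APPLY=1 sh forward.sh` on the router to commit them. Afterwards `sudo iptables -t nat -L PREROUTING -n` should show exactly one DNAT entry for the box and `show firewall name WAN_IN` one accept rule for it; if “Auto Firewall” were enabled you would see an extra generated accept rule next to it.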

It’s likely just a TR-069-based config. You can probably MITM it somehow if you’re feeling adventurous, but you should get it working first.

Pretty sure you can ask the EdgeRouter X over SSH to tcpdump the traffic going to/from the Grandstream into Wireshark on your workstation, where you can capture. You can then compare two captures (on the native VLAN, aka switch0, and on a separate VLAN)… Might even satisfy your curiosity regarding what kind of config it’s asking for or getting.
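The remote capture suggested in the post above, written out as an added example (not the poster’s own commands): tcpdump on the router writes pcap to stdout, ssh carries it to the workstation, and Wireshark reads it from stdin. A timed variant saves one file per VLAN so the two can be diffed by destination. The SSH login, the interface names (switch0 for the native VLAN, switch0.10 for a tagged one) and the Grandstream address are assumptions; it also assumes the router user can run tcpdump via sudo, which the default EdgeOS admin user can.

```shell
#!/bin/sh
# Added example, not from the thread: stream a tcpdump capture from the
# EdgeRouter X over SSH into Wireshark, or save timed captures per VLAN so
# they can be compared. Login, interface names and addresses are assumptions.

ROUTER="${ROUTER:-ubnt@192.168.1.1}"   # assumed SSH login to the EdgeRouter
TARGET="${TARGET:-192.168.1.50}"       # assumed Grandstream address

# BPF filter: only frames to/from the VoIP box. Our own SSH session is not
# captured because the box is not an endpoint of it, so there is no feedback
# loop of capture traffic being captured.
capture_filter() { printf 'host %s' "$1"; }

# Remote command: -U flushes each packet (needed for a live view), -s 0 keeps
# full frames, -w - writes pcap to stdout so it can be piped through ssh.
# Arguments: target address, interface.
remote_cmd() {
  printf 'sudo tcpdump -i %s -U -s 0 -w - %s' "$2" "$(capture_filter "$1")"
}

# Live view: -k starts capturing immediately, -i - reads pcap from stdin.
live() { ssh "$ROUTER" "$(remote_cmd "$TARGET" "$1")" | wireshark -k -i -; }

# Save a capture of N seconds from one interface into a file. timeout ends the
# local ssh; the remote tcpdump exits when its stdout closes. Because of -U
# the truncated file is still a valid pcap.
save() { timeout "$1" ssh "$ROUTER" "$(remote_cmd "$TARGET" "$2")" > "$3" || true; }

# Summarise who the box talks to: destination address and port, most frequent
# first. Run it on the native-VLAN and tagged-VLAN captures and diff the two.
destinations() {
  tshark -r "$1" -Y "ip.src == $TARGET" -T fields \
    -e ip.dst -e tcp.dstport -e udp.dstport | sort | uniq -c | sort -rn
}

case "${1:-}" in
  live)         live "${2:-switch0}" ;;
  save)         save "${2:-120}" "${3:-switch0}" "${4:-capture.pcap}" ;;
  destinations) destinations "${2:-capture.pcap}" ;;
  *)            echo "usage: $0 live [iface] | save [secs] [iface] [file] | destinations [file]" ;;
esac
```

Typical use: `sh capture.sh live switch0` while the box boots on the native VLAN, then `sh capture.sh save 120 switch0 native.pcap`, move the box to the tagged VLAN (and set TARGET to its new address), `sh capture.sh save 120 switch0.10 vlan10.pcap`, and compare `destinations` output for the two files. The first thing the box reaches for after DHCP and DNS is the management server; whatever it fails to reach on the tagged VLAN is the dependency the port forward or firewall is missing.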

Yeah, that’s too far down the rabbit hole. It isn’t worth it to Wireshark to troubleshoot something that’s clearly the Grandstream’s fault. Currently the Grandstream on the Native VLAN works, so my EdgeRouter will have to be untrusted to have the box actually work. Then I separate downstream devices in separate VLANs.

Remember, even over PPPoE, I don’t trust the FTTB endpoint at the ISP, could have Huawei equipment for all we know… (and yes, the ISP sends DOCSIS customers Huawei DOCSIS modems)

As long as downstream is separate from untrusted networks, (with the exception of the Grandstream because it’s just gonna be like that) and I don’t have to further manage it, it should be fine for this home network scenario.