It does not appear possible to configure the F@ast 3864 into Bridge Mode, i.e. where all incoming WAN traffic is passed through to another router without the 3864 also performing routing. BTW if this were possible it would disable the SIP (landline phone) functionality on the modem. However, it is possible to configure an approximation of bridging. This lengthy post describes why you would want to do this and how.
I run an IT focussed, home-based business with many devices (OSX, Windows, iOS, Linux, Android) on a LAN. I also have a publicly accessible Mail and Web server. Security is paramount for my operations and therefore I have a commercial grade firewall-router that protects the LAN from attack, of which there are hundreds of attempts each day. I am not convinced that the Optus supplied F@ast 3864 has sufficiently robust security for my needs, but I cannot use a third-party modem-router because Optus will not provide the SIP settings (NBN VoIP) for such a device in order to provide phone functionality. Optus claims (probably reasonably) that this is because of security concerns, i.e. avoiding hacking of their complete VoIP network. A static IP address, only available on Optus business plans, is required in order to reliably run a mail/web server.
My current solution and the steps I took are:
The disadvantages of this setup (so far!) are that:
1. the WAN IP addresses of incoming packets passed to my firewall are always 192.168.1.1, not the originating, public IP addresses. This has potential problems in terms of blocking specific IP Addresses on the firewall;
2. there is a slight degradation in throughput of WAN packets because of the “double” routing;
3. I’m not sure what other performance and/or security implications there might be for my firewall, although so far the firewall is performing as expected, e.g. blocking TCP/UDP port probes.
There are some advantages of this setup in a home-business environment:
1. The Optus phone functionality remains intact, without any need for reconfiguration.
2. the 3864’s subnet (192.168.1.2…..) can be used as a (less secure) home or guest network, segregated from the business subnets. Devices on the firewall’s subnets cannot access the 3864 subnet and vice versa (except via the WAN interface to/from the web & mail servers).
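An added illustration of disadvantage 1 above (not part of the original post): when every inbound packet carries the 3864's address as its source, an automatic per-source ban on the firewall would key on 192.168.1.1 and cut off all WAN traffic. The log format, the 10.0.0.5 server address, the threshold and the function names are assumptions made for this sketch.

```python
import ipaddress
from collections import Counter

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log lines in a hypothetical "ACTION PROTO src:port -> dst:port" format.
SAMPLE_LOG = """\
DROP TCP 192.168.1.1:51544 -> 10.0.0.5:23
DROP TCP 192.168.1.1:40211 -> 10.0.0.5:3389
DROP UDP 192.168.1.1:5071 -> 10.0.0.5:5060
ACCEPT TCP 192.168.1.1:60122 -> 10.0.0.5:25
ACCEPT TCP 192.168.1.1:60410 -> 10.0.0.5:443
DROP TCP 192.168.1.1:33870 -> 10.0.0.5:22
"""

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def parse_sources(log_text):
    """Return (action, source_ip) for each well-formed log line."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "->":
            continue  # skip malformed lines
        try:
            src = ipaddress.ip_address(parts[2].rsplit(":", 1)[0])
        except ValueError:
            continue
        events.append((parts[0], src))
    return events

def ban_candidates(log_text, threshold=3):
    """Sources with >= threshold drops, split into (bannable, masked).

    A private source on the WAN side means an upstream device rewrote the
    address; banning it would block every remote client at once.
    """
    drops = Counter(ip for action, ip in parse_sources(log_text) if action == "DROP")
    bannable, masked = [], []
    for ip, count in drops.items():
        if count >= threshold:
            (masked if is_rfc1918(ip) else bannable).append(str(ip))
    return sorted(bannable), sorted(masked)

def masked_fraction(log_text):
    """Fraction of logged WAN events whose source is a private address."""
    events = parse_sources(log_text)
    return sum(is_rfc1918(ip) for _, ip in events) / len(events) if events else 0.0
```
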
Hmm, how about a Business Account instead of a Home internet account?
BYO modem with better security? Or
BYO modem, run it to a security server/firewall etc. Once the traffic is clean -> internal network. Open a port on the firewall/virtual service to allow Optus VoIP, I think it's 5060. Connect the LAN to the Sagem WAN port. The phone1 is now working. You can then connect the phone line to your own private phone router if needed.
This way you will have full control of the traffic coming in with full security, the Sagem modem is in your private network for phone one.
If you are running a full-time business from the internet connection, then you might consider a Business connection, both for stability and the Optus fair use policy.
Thanks for that.
Mine is a Business Connection (Account), which is why I have a static IP Address.
Also, I did try putting the SageMCom behind another modem and my Checkpoint firewall and opening UDP ports 5060-5065, but the phone did not work. I suspect it's the security within the firewall that's the problem for the phone, although not sure (security log showed nothing untoward) and the current solution works fine anyway.
Looks like you have everything in order. Have you set up these rules in your firewall?
Ports 5060-5070 UDP/TCP.
RTP Ports 16384-16482 UDP.
To be honest, in moving from Telstra ADSL2 to Optus NBN, my imperative was to find a working solution as quickly as possible that preserved the integrity and settings of my firewall, which is a very complex, but effective, piece of kit. The solution I posted has done that, but with some reservations as discussed. Putting the SageMCom behind my firewall is an interesting possibility (but adds another device) and one that I didn't pursue after the initial failure and having found an alternative, working solution.
The firewall has a predefined service group for VoIP, which includes SIP and RTP ports, which I'd enabled (i.e. the group) in one of my attempts when identifying the SageMCom on the LAN as an object for VoIP. I was, and still am, nervous of manually opening port ranges because, with a public-facing server (on a DMZ), I get a lot of port probing from "interesting" locations. I think it's telling that Optus has locked down the VoIP services on the SageMcom on the basis of security concerns.
But all that said, one of these days with a bit of spare time, I'll have another go and see if I can get the SageMCom phone working behind my firewall.
The SIP settings are stored in the Sagemcom after the first time you connect the modem to the FTTN network; they can be quite easily extracted (there are a number of Whirlpool and other posts showing how this is possible).
I have tested this with a number of VoIP phones and ATA and it works successfully, although Transport for SIP appears to require you to use TCP rather than UDP, which will cause there to be slightly more SIP traffic than normal. UDP works but registration seems to time out (says registered but incoming calls will fail until an outbound call is attempted, forcing a reregistration). TCP works faultlessly with a lower registration timeout than standard.
Like you, I found no Bridge Mode for the Sagemcom.