How to disable SPI

Discussion in 'Tomato Firmware' started by RobNC, Jan 18, 2007.

  1. RobNC

    RobNC Network Guru Member

    Hello, I am having some VoIP issues with my BHR-HP-WRT. I am confident that it is not router-related. However, my VoIP provider (nameless for now to protect their possible innocence in case I am wrong) says that SPI is causing dropped packets because of requiring every packet to be inspected (thus adding latency, etc.)

    Here is what they said:
    The issue you are experiencing is related to your SPI Firewall. This additional firewall inspects each incoming packet, with TCP packets you would not really notice any delays. However, with streaming UDP if there is any delay with the inspection of those packets the adapter will either send the incomplete call to voicemail, or you will have dropped audio in an active call.

    This type of security simply controls incoming traffic, and wouldn’t be able to prevent attacks from innocuous web browsing, spyware, adware, trojans etc.

    The specific problem I am having is that the failover number is being used and the ATA is not ringing the phone. Calling back, sometimes the ATA phone works. The Timeouts are now set (on the VoIP provider) to 15 seconds (i.e., NAT keepalive) and re-registration of 300 seconds. I have the TCP and UDP timeouts in Tomato set to 610 seconds (can't recall which one). I have the ATA MAC address set to highest priority, and egress 83-106kbps, ingress 250kbps so shouldn't have any problem with lack of bandwidth. I turned off prioritize ACK and ICMP and obviously enabled QoS.

    I have even gone as far as put the ATA in the DMZ but the same thing happens. Periodically, the phone will not ring, I'll get the ring on my cellphone. Then immediately (from work land line) I'll call my house, and either it goes right to voicemail (home) or my cellphone will call. About 10 minutes later, it clears up and I can call into my house (where my wife says the phone never rang except this one time).

    So, to summarize, is there a way to turn off SPI so that I can check the "tried this" box on the VoIP tier-1 support system?? :)

  2. ifican

    ifican Network Guru Member

    That's a sack of hooey, though it is true that delay is the single biggest enemy of VoIP. Now since I don't use Tomato I can't say that it is or is not causing the delay, but I use Vonage sitting behind 2 and sometimes 3 routers without issue. Most VoIP adapters have a LAN and an Internet port. You can connect it that way, or simply use the router as a switch to bypass the firewall. Plug your modem into a switch port and leave the Internet port open. If your adapter still does not work then it's not the firewall causing your issue.
  3. RobNC

    RobNC Network Guru Member

    Yes I do agree with you whole-heartedly. That's why I said "tier-1 support" as I don't want to lie to them and say that I have SPI disabled when I do not.

    My ATA is the Linksys PAP2T.

    The real issue here is that it doesn't always happen. And it's not a cablemodem issue. How about this - is there a way to run some kind of "keepalive test" on the Tomato v1.02? Something that pings multiple sites and whose log data is stored (i.e., %dropped packets to each destination). I'm thinking perhaps testing the cablemodem IP, then the next hop up the chain (in the NOC - it's a 10.XX.YY.ZZ address) and then a real IP address (i.e., my ISP's web server).

    I even did a "" and during some NNTP traffic I got MOS 3.7 and 4.4, for upstream and downstream, respectively. MOS 4.4 ingress indicates a pretty clean line!
  4. ifican

    ifican Network Guru Member

    The private IP you see is no big deal; it's your ISP's internal network and they do that for management purposes. Send me an offline message with your IP and I'll run several tests and tell you what I see and think. Other than that, run a traceroute to your VoIP provider and see if you have much inconsistency anywhere along the way.
  5. GeeTek

    GeeTek Guest

    In a DOS prompt on the PC enter C:>ping -t >c:\google.txt

    This will create a perpetual text file of replies from Google until you stop it. Open as many DOS windows and ping all the hosts you please!
  6. RobNC

    RobNC Network Guru Member

    Yup, gotcha obviously, but I would rather do this from the WAN port on the router. But after thinking about this, perhaps it's better to do this from my Linux machine. There has to be a better way to do this, like some sort of graphical ping test like:
    It would be better if I could do this from a Linux machine, because its TCP stack actually gives sub-ms times. But I would need it to run for days and/or weeks, and a quick way to determine variances instead of saving to a file, importing into Excel (or OOo's Calc), yada yada.

    Ideally, it would be better to do http response tests, because I hear some ISPs throttle ICMP during times of network congestion.
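    The kind of long-running latency summary the post above is asking for (loss, RTT spread and jitter per destination, with spikes counted rather than eyeballed in a spreadsheet), as an added example that is not from the thread or from Tomato. It parses the reply lines Linux iputils ping prints; the log in it is constructed, not a real measurement, and the 40 ms spike threshold is an arbitrary assumption, not a VoIP standard.

```python
"""Summarise a long-running ping log: loss, RTT spread and jitter.

Added example, not something from the thread. It parses the reply lines
Linux iputils ping prints ("64 bytes from H: icmp_seq=N ttl=T time=X ms");
the log below is constructed, not a real measurement.
"""
import re
import statistics
from typing import Dict, List

REPLY_RE = re.compile(r"icmp_seq=(\d+) .*?time=([\d.]+) ms")

# Constructed sample: 10 probes sent, seq 4 and 8 never answered, seq 5 spiked.
SAMPLE_LOG = """\
PING 192.0.2.1 (192.0.2.1) 56(84) bytes of data.
64 bytes from 192.0.2.1: icmp_seq=1 ttl=64 time=9.8 ms
64 bytes from 192.0.2.1: icmp_seq=2 ttl=64 time=10.1 ms
64 bytes from 192.0.2.1: icmp_seq=3 ttl=64 time=9.9 ms
64 bytes from 192.0.2.1: icmp_seq=5 ttl=64 time=48.0 ms
64 bytes from 192.0.2.1: icmp_seq=6 ttl=64 time=10.0 ms
64 bytes from 192.0.2.1: icmp_seq=7 ttl=64 time=10.2 ms
64 bytes from 192.0.2.1: icmp_seq=9 ttl=64 time=9.7 ms
64 bytes from 192.0.2.1: icmp_seq=10 ttl=64 time=10.0 ms
"""


def parse_ping_log(text: str) -> Dict[int, float]:
    """Map icmp_seq -> RTT in ms for every reply line; other lines are ignored."""
    rtts: Dict[int, float] = {}
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            rtts[int(m.group(1))] = float(m.group(2))
    return rtts


def summarise(rtts: Dict[int, float], sent: int = 0, spike_ms: float = 40.0) -> Dict[str, float]:
    """Loss is judged from missing sequence numbers. Pass the number of probes
    actually sent (ping -c N) so losses at the tail are counted too; otherwise
    the highest seq seen is used and trailing losses are invisible."""
    if not rtts:
        raise ValueError("no replies parsed")
    seqs = sorted(rtts)
    values: List[float] = [rtts[s] for s in seqs]
    sent = sent or seqs[-1]
    # Jitter here is the mean absolute RTT change between consecutive replies,
    # a simple stand-in for the smoothed estimator RTP stacks use (RFC 3550).
    jitter = (sum(abs(a - b) for a, b in zip(values, values[1:])) / (len(values) - 1)
              if len(values) > 1 else 0.0)
    return {
        "sent": sent,
        "received": len(values),
        "loss_pct": 100.0 * (sent - len(values)) / sent,
        "min_ms": min(values),
        "median_ms": statistics.median(values),
        "max_ms": max(values),
        "jitter_ms": jitter,
        "spikes": sum(1 for v in values if v > spike_ms),  # assumed threshold, not a standard
    }


if __name__ == "__main__":
    # Typical use: ping -c 86400 -i 1 <host> > host.log, then feed the file in here.
    for key, value in summarise(parse_ping_log(SAMPLE_LOG), sent=10).items():
        print(f"{key:>10}: {value:.2f}" if isinstance(value, float) else f"{key:>10}: {value}")
```

    Run one ping per destination (cable modem, ISP hop, an external host) into separate log files and feed each file to the parser; comparing where loss and jitter first appear along the path tells you more than a single end-to-end number. Windows ping prints a different line format, so the regex would need adjusting there.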
  7. Reiper

    Reiper LI Guru Member

    I was just wondering if you got this figured out??? I'm running a PAP2 behind a WRT54GL running Tomato (of course!) and I'm not seeing this issue. Have you tried putting the PAP2T in DMZ mode as a check? Have you tried to forward UDP Ports 5060-5061 (or whatever your SIP Ports are) and UDP Ports 10,000-20,000 to the PAP2T?
  8. der_Kief

    der_Kief Super Moderator, Staff Member


    I know this is no solution for the thread starter, but FYI here is the official statement about disabling the SPI firewall. :wink:

  9. ifican

    ifican Network Guru Member

    That can be very misleading. When you "Block anonymous Internet requests" it basically blocks, or is supposed to block, everything that is not first asked for from the inside out. However, unchecking that box does not shut off the firewall; it only allows ICMP and other basic stuff through. You cannot by default completely disable the firewall; not even putting a host in the DMZ will do that. Have to run at the moment but can elaborate more later if there is a need.
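    A toy model of the stateful behaviour described in the post above, tying it to the numbers in the first post (15 s NAT keepalive, 610 s UDP timeout) and to the port-forward and DMZ checks suggested earlier in the thread. This is an added illustration, not Tomato's firewall code; the addresses, ports and timings are constructed, and the NAT address translation is abstracted away so flows are keyed on the ATA's LAN address directly.

```python
"""Toy model of the stateful (SPI) UDP filter that sits in front of a SIP ATA.

Added illustration, not Tomato's firewall code. Hosts, ports and timings are
constructed to mirror the thread: NAT keepalive every 15 s, UDP state timeout
610 s, an unsolicited INVITE arriving from the provider later on.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Flow = Tuple[str, int, str, int]          # (lan_ip, lan_port, wan_ip, wan_port)


@dataclass(frozen=True)
class Packet:
    t: float            # seconds since the ATA booted
    inbound: bool       # True if it arrives on the WAN side
    lan_ip: str
    lan_port: int
    wan_ip: str
    wan_port: int
    label: str = ""


class StatefulUdpFilter:
    """Accepts inbound UDP only if a LAN host recently sent matching traffic
    out, or a static port forward / DMZ entry covers the destination.
    Outbound traffic always passes and creates or refreshes state."""

    def __init__(self, udp_timeout: float,
                 forwards: Optional[Set[Tuple[str, int]]] = None,
                 dmz_host: Optional[str] = None) -> None:
        self.udp_timeout = udp_timeout
        self.forwards = forwards or set()     # {(lan_ip, lan_port), ...}
        self.dmz_host = dmz_host
        self.state: Dict[Flow, float] = {}    # flow -> time last seen

    def _expire(self, now: float) -> None:
        stale = [f for f, seen in self.state.items() if now - seen > self.udp_timeout]
        for f in stale:
            del self.state[f]

    def accept(self, pkt: Packet) -> bool:
        self._expire(pkt.t)
        flow: Flow = (pkt.lan_ip, pkt.lan_port, pkt.wan_ip, pkt.wan_port)
        if not pkt.inbound:
            self.state[flow] = pkt.t          # REGISTER, keepalive, RTP out: all refresh state
            return True
        if flow in self.state:
            self.state[flow] = pkt.t          # reply on a flow the LAN side opened
            return True
        if (pkt.lan_ip, pkt.lan_port) in self.forwards:
            return True                       # static port forward (e.g. UDP 5060 -> ATA)
        if pkt.lan_ip == self.dmz_host:
            return True                       # DMZ host receives everything unsolicited
        return False                          # unsolicited inbound: dropped


ATA, PROVIDER = "192.168.1.50", "203.0.113.10"   # constructed (RFC 1918 / TEST-NET-3)


def invite_rings_phone(keepalive_interval: float, udp_timeout: float, invite_at: float,
                       forwards: Optional[Set[Tuple[str, int]]] = None,
                       dmz_host: Optional[str] = None) -> bool:
    """Register once at t=0, send keepalives (0 = none), then see whether an
    unsolicited INVITE from the provider at t=invite_at reaches the ATA."""
    fw = StatefulUdpFilter(udp_timeout, forwards, dmz_host)
    fw.accept(Packet(0.0, False, ATA, 5060, PROVIDER, 5060, "REGISTER"))
    t = keepalive_interval
    while keepalive_interval > 0 and t < invite_at:
        fw.accept(Packet(t, False, ATA, 5060, PROVIDER, 5060, "keepalive"))
        t += keepalive_interval
    return fw.accept(Packet(invite_at, True, ATA, 5060, PROVIDER, 5060, "INVITE"))


if __name__ == "__main__":
    sip_and_rtp = {(ATA, 5060), (ATA, 5061)} | {(ATA, p) for p in range(10000, 20001)}
    print("thread's settings (15 s keepalive, 610 s timeout):", invite_rings_phone(15, 610, 700))
    print("silent ATA, state expired:", invite_rings_phone(0, 610, 700))
    print("silent ATA + port forward:", invite_rings_phone(0, 610, 700, forwards=sip_and_rtp))
    print("silent ATA in DMZ:", invite_rings_phone(0, 610, 700, dmz_host=ATA))
```

    With the thread's own numbers the state entry is refreshed every 15 s (and again by each 300 s re-registration), so an inbound INVITE 700 s later still matches an existing flow and is accepted; the filter only drops the call if the ATA goes quiet for longer than the UDP timeout. That is why a port forward for the SIP and RTP ports, or the DMZ, is the right "rule it out" test: both accept the INVITE even with no state at all, without turning the filter off.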
  10. der_Kief

    der_Kief Super Moderator, Staff Member

    Sorry if this may be misleading, but I meant the first part of the statement:

    * Firewall Protection -- Firewall is always enabled in Tomato.

    This is just for correction :biggrin:

  11. RobNC

    RobNC Network Guru Member

    SPI - not needed to disable

    FYI, the problem had everything to do with ViaTalk and nothing to do with the router or the cablemodem service. I have since switched back to Vonage, and go figure, no more VoIP problems (keeping the same high-speed internet provider). HMM... talk about (ViaTalk) grasping at straws.