
Closed but open ports

Versailles
Hooked
Posts: 9
Registered: Monday

Closed but open ports

I had full fibre installed at the end of October 2024. Before the upgrade, I could stream music from my Synology NAS to my Amazon Alexa via port 5001, using the AudioStation Skill. This skill needs a signed SSL certificate to operate; Synology offer certificates from "Let's Encrypt", which utilises port 443 for verification.
My router is a Draytek 2860ac, and I have checked that ports 443 & 5001 are defined as open. But if I use an online open port checker they both are "CLOSED".
I think this "Closed" signal is stopping the SSL being verified, therefore stopping the Alexa Skill.
I think I'm right, as port 443 is an important port, if it's closed no Internet!
I have also had to set up Firewall rules for my Andrews & Arnold VOIP service.
Any thoughts, anyone?
MisterW
Superuser
Posts: 16,354
Thanks: 6,282
Fixes: 451
Registered: ‎30-07-2007

Re: Closed but open ports

@Versailles What router did you use before the upgrade? If it was the 2860, I assume you were using the VDSL port, which IIRC is WAN1. You are now connected to the ONT using the WAN port on the 2860, which is WAN2?

Do you need to modify the firewall rules to be active from WAN2 rather than WAN1?

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

Versailles
Hooked
Posts: 9
Registered: Monday

Re: Closed but open ports

@MisterW, Hi, yes ONT is connected to WAN2 port and NAT open port rules are for WAN2, moved from WAN1 when switched to fibre.
I know some of the porting works as I use port 444 for my remote access - Draytek SMARTVPN. Cheers Stu.
MisterW
Superuser
Posts: 16,354
Thanks: 6,282
Fixes: 451
Registered: ‎30-07-2007

Re: Closed but open ports

@Versailles AIUI the port will show as closed unless the NAS is actually running the Let's Encrypt script. Only then will it (the NAS) be listening.

Although if this all worked previously on an FTTC (VDSL) connection and you've changed the NAT rules to WAN2, the same rules should still work. Is there any useful info in the Draytek log?

TBH it's a while since I've used a Draytek router. I used to have a 2830 but when I moved to FF it couldn't handle the throughput!

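The point made in the reply above, that a correctly forwarded port still tests as closed while nothing is listening behind it, shown as an added example (not code from this thread). The loopback listener is a constructed stand-in for the NAS service, and the `probe` and `demo` names are illustrative.

```python
import socket


def probe(host, port, timeout=1.0):
    """Classify a TCP port roughly the way a port checker does."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # handshake completed: a service is listening
    except ConnectionRefusedError:
        return "closed"      # RST came back: host reachable, nothing listening
    except socket.timeout:
        return "filtered"    # no answer: dropped by a firewall or no forward rule
    except OSError:
        return "unreachable"
    finally:
        s.close()


def demo():
    """Probe the same port with and without a listener behind it."""
    # Constructed stand-in for the NAS service: a listener on loopback,
    # bound to a port chosen by the OS.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    while_listening = probe("127.0.0.1", port)

    # Stop the service. The path to the port is unchanged, but the
    # probe result flips because nothing accepts the connection.
    listener.close()
    after_stop = probe("127.0.0.1", port)
    return while_listening, after_stop


if __name__ == "__main__":
    print(demo())
```

A checker that reports only open or closed may show both the "closed" and the "filtered" result as closed, so the test is only meaningful while the service on the NAS is actually running.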

Versailles
Hooked
Posts: 9
Registered: Monday

Re: Closed but open ports

@MisterW, Yes, if it used to work it should now.

Not looked at the logs, as not sure what I'm looking for. From inside the NAS, I can obtain an SSL, but when I try to link it to AudioStation it fails to connect and if I try to link it on the Amazon skills page, it says that it's not a valid SSL. Confused or what!
Could it be a conflict between an "Open Port rule" and my VOIP Firewall rules? But I thought ports 80 or 443 were always open, but according to online test they're closed!
MisterW
Superuser
Posts: 16,354
Thanks: 6,282
Fixes: 451
Registered: ‎30-07-2007

Re: Closed but open ports

could it be a conflict between an "Open Port rule" and my VOIP Firewall rules

@Versailles I wouldn't have thought so, VoIP (SIP I assume?) would normally use port 5060 as the SIP port and any RTP ports would be much higher.

Although I'm not quite sure why you would need rules for VoIP anyway. Normally it's just a matter of ensuring that your VoIP equipment is configured for 'NAT keep alive' and then the router will keep the NAT pinhole open. I use VoIP myself and have not needed to add any firewall rules.

mystreet1
Aspiring Pro
Posts: 144
Thanks: 59
Fixes: 2
Registered: ‎26-01-2024

Re: Closed but open ports

Looking at my router for my Synology NAS, I have ports 80, 443, 5001 and 5002 forwarding to the IP of my NAS.
HTH
Was a member for years, but moved from PN fttc to fttp from an AltNet. Getting 940Mb up and down. Happy to stay on here and try to help others. 
Dan_the_Van
Hero
Posts: 3,157
Thanks: 1,573
Fixes: 90
Registered: ‎25-06-2007

Re: Closed but open ports

@Versailles 

Do not confuse inbound and outbound ports. 

For most routers used for domestic internet, all outbound ports are open; you would have to open inbound ports as required using port forwarding rules.

Edit: there are some exceptions for some inbound ports but they are not used by all applications.

Versailles
Hooked
Posts: 9
Registered: Monday

Re: Closed but open ports

@MisterW - I just followed the instructions & recommendations from my provider Andrews and Arnold, basically so only data/connections linked to their IP addresses would get through to my phone - it works so I don't really want to adjust too much on those settings.

@mystreet1 - Cheers for the info.

@Dan_the_Van - Yes, only trying to set inbound ports to get this Alexa Skill to work.

I think I'm going to have a deep dive into my VOIP firewall rules to see what's being blocked and what's not. If, no, when I get it sorted I will add a final post just in case someone else has the same problem(s).

MisterW
Superuser
Posts: 16,354
Thanks: 6,282
Fixes: 451
Registered: ‎30-07-2007

Re: Closed but open ports

@Versailles Yes, I'm aware of the suggestion by A & A to restrict incoming connections to only their servers. In reality it's not needed unless you are running a PBX and using SRV records. If you are using normal VoIP equipment which registers a connection with A & A then any incoming connections will only come from the server you are registered to. So the normal NAT firewall will handle it and open a pinhole to just the A & A server, thus blocking any unwanted connection. Just make sure you have keep-alive set to keep the pinhole open.

I use A & A at home with a Gigaset N300 DECT base, and know at least two other people who use it without needing any firewall rules.

Versailles
Hooked
Posts: 9
Registered: Monday

Re: Closed but open ports

@MisterW.
That's very interesting, I have Grandstream 802 as VOIP to phone interface, Gigaset base station, so that sounds very similar to you. I will have to get in touch with A&A and ask why the need for a firewall! 🤔
MisterW
Superuser
Posts: 16,354
Thanks: 6,282
Fixes: 451
Registered: ‎30-07-2007

Re: Closed but open ports

@Versailles They no longer suggest a need for a Firewall if you are using NAT: https://support.aa.net.uk/VoIP_Firewall

 I have Grandstream 802 as VOIP to phone interface, Gigaset base station, so that sounds very similar to you

Not quite the same as mine, I just have a Gigaset N300 VoIP DECT unit and so don't need the Grandstream ATA. However I know others who are using the Grandstream ATA successfully with A & A. Just make sure that SIP keep alive is enabled.

Dan_the_Van
Hero
Posts: 3,157
Thanks: 1,573
Fixes: 90
Registered: ‎25-06-2007

Re: Closed but open ports

@Versailles 

I think it would be helpful if you described your home network, is everything connecting to the Draytek 2860ac or is there another device involved?

Having back-to-back routers causes double NAT and issues with port forward rules.

Versailles
Hooked
Posts: 9
Registered: Monday

Re: Closed but open ports

Uncomplicated set-up of:
FTTP to BT ONT,
ONT to Grandstream 802 that connects to my Gigaset E45,
ONT to Draytek Vigor 2860ac,
from router to an 8 port switch,
Switch to Synology 218j NAS, 2 Desktops, printer and TV. Internally, 4 SSIDs: Private, Guests, It's and a dedicated Alexa.
Going to leave this for a few days, apparently I have a list, and that doesn't include anything tech related 😢🙄.
Thanks so far, have a good one Stu.
Versailles
Hooked
Posts: 9
Registered: Monday

Re: Closed but open ports

@MisterW "they no longer suggest a need for a Firewall if you are using NAT https://support.aa.net.uk/VoIP_Firewall" that was the information I followed, and understood was needed to be added to give a trouble-free VOIP Service. 🤔