I was hit with someone making calls through one of the extensions on my Quadro 2X, and think I have fixed it using option 1 outlined above.

If I understand this well enough (I'm not a VoIP expert but have reasonable technical skills) I suspect my problem was that I had opened SIP access to allow me to use two IP soft phones as extensions in my home office. I am running two networks - one for data (computers, etc) and the other for VoIP phone. My data network connects directly to my ADSL router and the Quadro is attached to the local network on the WAN side, and all my IP phones are attached on their own network on the LAN side of the Quadro… except for the two soft phones that are attached to the Quadro on the way inside, hence me enabling SIP access. I have, of course, forwarded SIP and RTP ports to the Quadro in my (Draytek 2820) router. My problem now using this configuration is that the two soft phones no longer work.

What is my best approach to fix this? Should I put a second ethernet card in each of the computers that use the soft phones and connect the second card to the LAN side of the Quadro? Should I enable Remote extensions on the two extensions I have set up and connect to those extensions as if I am out of the office?

This has spooked me a bit. Fortunately my VoIP provider picked up on the irregular calls before it cost me too much (to mobiles in Macedonia… why did whoever hacked in have to choose one of the most expensive places to call? Don't answer that!). However, it's not at all clear to me how someone managed to logon to one of my extensions (and why just that one and not the others), and without understanding that I'm now wondering if I am now safe.

I have also changed the passwords in the SIP configuration for all of my extensions (can anyone explain to me the difference between the "General Settings" password and the "SIP Settings" password? It has never been quite clear to me which of those two passwords is the one that needs to be configured in the phone itself, although it seems I've been able to get it to work). Is there anything else I need to do to be bullet-proof?

If anybody could point me at an idiot's guide to this stuff, that would also be much appreciated.