Netgate Discussion Forum

    Open Specific Inbound Ports from Specific Server Addresses to LAN

      axonconet:

      Hi All,

      A customer of mine, running pfSense, is also using the RingCentral phone system. They've been having some QoS issues.

      Ring Central wants us to open ports, inbound, from a specific range of IP addresses to the internal network. Not to one specific Phone, but for all the phones.

      How can this be accomplished? I am not savvy enough with pfSense to configure it properly. Any walk-throughs on this configuration?

        cmb:

        That's not possible with any firewall assuming they're all NATed to the same public IP. It would only be possible if each phone has its own public IP. A specific port on a given public IP can only be forwarded to one internal IP.

        It's also not necessary for phones, their traffic in from the Internet is all in response to traffic they initiate outbound.

        I'd get clarification on what exactly they're looking to accomplish.

          axonconet:

          This is what they've asked us to do. Am I reading it correctly?

          Kindly forward the following information to your IT Personnel so that the Router can be Configured with RingCentral Ports and Firewalls:

          80 TCP (Registration)
          443 TCP (Registration and TLS)
          5060-6000 UDP and TCP (Phone registration ports)
          16384-16482 UDP (RTP and SRTP Desk phone)

          If your router has ACL (Access Control List) capabilities, you can lock down these port ranges to our server IP ranges below:
          Range 199.255.120.0 to 199.255.123.255
          Range 199.68.212.0 to 199.68.215.255

          Disable SIP ALG and DPI:
          In addition to these port ranges, it is also important to make sure that SIP ALG (Application Layer Gateway) as well as any DPI (Deep Packet Inspection) is disabled on all of your network equipment including your ISP modem.

          Disable Green Ethernet:
          If your network switches are managed units, please confirm that the feature known as “Green Ethernet” (AKA Energy Efficient Ethernet) is disabled. If they are unmanaged switches, verify that this feature is NOT part of their default configuration. The “Green Ethernet” feature affects the performance of VOIP phones.

          QOS:
          If your router supports QOS, configure QOS rules on your router / firewall to prioritize the traffic on these port ranges so the voice traffic is processed ahead of the data traffic:
          5060-6000 UDP and TCP
          Range 199.255.120.0 to 199.255.123.255
          Range 199.68.212.0 to 199.68.215.255

          If your router supports bandwidth reservations, reserve bandwidth for these ranges as well to ensure that bandwidth is available for the VOIP traffic. Keep in mind that each live conversation takes up to 100k in both the up and down directions for a standard G711 call.

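The vendor text above is written for a stateless ACL on a routing device, while a pfSense box sits behind NAT and tracks state. The following Python example (added here; it is not code from the thread, from Netgate or from RingCentral) turns the quoted start/end address ranges into the CIDR blocks an alias would hold, then runs a handful of constructed flows through two models: the stateless ACL the vendor describes, and a simplified stateful firewall in which inbound traffic is admitted only when it answers an outbound session. The LAN phone address 192.168.1.20, the specific server addresses inside the quoted ranges, and the port numbers on individual flows are constructed sample values; NAT translation of the LAN address is left out of the model.

```python
import ipaddress
from dataclasses import dataclass

# Server ranges exactly as quoted in the RingCentral text: (start, end).
RINGCENTRAL_RANGES = [
    ("199.255.120.0", "199.255.123.255"),
    ("199.68.212.0", "199.68.215.255"),
]

# Port list quoted in the same text: (protocol, low port, high port).
RINGCENTRAL_PORTS = [
    ("tcp", 80, 80),          # registration
    ("tcp", 443, 443),        # registration and TLS
    ("tcp", 5060, 6000),      # phone registration, TCP
    ("udp", 5060, 6000),      # phone registration, UDP
    ("udp", 16384, 16482),    # RTP / SRTP desk phone
]


def ranges_to_cidr(ranges):
    """Collapse start/end address pairs into the smallest list of CIDR blocks,
    the form a firewall alias or ACL entry wants."""
    nets = []
    for start, end in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return [str(n) for n in nets]


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def stateless_acl_allows(flow, cidrs, ports):
    """The check the vendor text describes: permit an inbound packet when its
    source lies in the server ranges and its destination port is on the list.
    No memory of earlier packets is involved."""
    src = ipaddress.ip_address(flow.src)
    in_range = any(src in ipaddress.ip_network(c) for c in cidrs)
    on_list = any(p == flow.proto and lo <= flow.dport <= hi
                  for p, lo, hi in ports)
    return in_range and on_list


class StatefulFirewall:
    """Simplified model of a stateful firewall such as pf: an outbound
    connection from the LAN creates a state entry, and an inbound packet is
    admitted only when it matches the reverse of an existing entry.
    NAT translation of the LAN address is omitted (constructed model)."""

    def __init__(self):
        self.states = set()

    def outbound(self, flow):
        self.states.add((flow.proto, flow.src, flow.sport, flow.dst, flow.dport))

    def inbound_allowed(self, flow):
        reverse = (flow.proto, flow.dst, flow.dport, flow.src, flow.sport)
        return reverse in self.states


def evaluate():
    """Run constructed flows through both models.
    Returns {name: (stateless_acl_result, stateful_result)}."""
    cidrs = ranges_to_cidr(RINGCENTRAL_RANGES)
    fw = StatefulFirewall()
    phone = "192.168.1.20"            # constructed LAN phone address

    # A phone registers outbound; the reply returns on the same 5-tuple.
    fw.outbound(Flow("udp", phone, 5060, "199.255.121.10", 5060))
    reg_reply = Flow("udp", "199.255.121.10", 5060, phone, 5060)

    # Media: the phone sends RTP first, the server answers to the phone's RTP port.
    fw.outbound(Flow("udp", phone, 16400, "199.68.213.7", 20000))
    rtp_reply = Flow("udp", "199.68.213.7", 20000, phone, 16400)

    # Unsolicited inbound from a listed range with no prior outbound state.
    unsolicited = Flow("tcp", "199.68.214.3", 44321, phone, 5061)

    # Inbound to a listed port from an address outside the ranges.
    outside = Flow("udp", "203.0.113.5", 5060, phone, 5060)

    results = {}
    for name, flow in [("reg_reply", reg_reply), ("rtp_reply", rtp_reply),
                       ("unsolicited", unsolicited), ("outside", outside)]:
        results[name] = (stateless_acl_allows(flow, cidrs, RINGCENTRAL_PORTS),
                         fw.inbound_allowed(flow))
    return results


if __name__ == "__main__":
    print("aliases:", ranges_to_cidr(RINGCENTRAL_RANGES))
    for name, (acl, state) in evaluate().items():
        print(f"{name:12s} stateless ACL={acl!s:5s} stateful={state}")
```

The two reply flows pass both models, which is cmb's point: the phones' inbound traffic answers sessions they opened, so the default LAN rule plus state tracking already covers it. The unsolicited flow passes the stateless ACL but not the stateful one, and behind a single public IP there is no way to hand such a packet to "all the phones" anyway, since a port on one public address can be forwarded to one internal host only.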
            cmb:

            Ok, that would be if you had some kind of stateless ACL filtering in place on a routing device of some sort that isn't doing NAT. If you have the default LAN rule in place, that suffices for what they're asking for in the NAT context.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.