Open Specific Inbounc Ports from Specific Server Addresses to LAN



  • Hi All,

    A customer of mine, running pfSense, is also using the RingCentral phone system. They've been having some QoS issues.

    Ring Central wants us to open ports, inbound, from a specific range of IP addresses to the internal network. Not to one specific Phone, but for all the phones.

    How can this be accomplished? I am not savvy enough with pfSense to configure it properly. Any walk-throughs on this configuration?



  • That's not possible with any firewall assuming they're all NATed to the same public IP. It would only be possible if each phone has its own public IP. A specific port on a given public IP can only be forwarded to one internal IP.

    It's also not necessary for phones, their traffic in from the Internet is all in response to traffic they initiate outbound.

    I'd get clarification on what exactly they're looking to accomplish.



  • This is what they've asked us to do. Am I reading it correctly?:::

    Kindly forward the following information to your IT Personnel so that the Router can be Configured with RingCentral Ports and Firewalls:

    80 TCP (Registration)
    443 TCP (Registration and TLS)
    5060-6000 UDP –AND- TCP (Phone registration ports)
    16384-16482 UDP (RTP and SRTP Desk phone)

    If your router has ACL (Access Control List) capabilities, you can lock down these port ranges to our server IP ranges below:
    Range 199.255.120.0 199.255.123.255
    Range 199.68.212.0 199.68.215.255

    Disable SIP ALG and DPI:
    In addition to these port ranges, it is also important to make sure that SIP ALG (Application Layer Gateway) as well as any DPI (Deep Packet Inspection) is disabled on all of your network equipment including your ISP modem.

    Disable Green Ethernet:
    If your network switches are managed units, please confirm that the feature known as “Green Ethernet” (AKA Energy Efficient Ethernet) is disabled. If they are unmanaged switches, verify that this feature is NOT part of their default configuration. The “Green Ethernet” feature affects the performance of VOIP phones.

    QOS:
    If your router supports QOS, configure QOS rules on your router / firewall to prioritize the traffic on these port ranges so the voice traffic is processed ahead of the data traffic:
    5060-6000 UDP –AND- TCP
    Range  199.255.120.0    199.255.123.255
    Range  199.68.212.0    199.68.215.255

    If your router supports bandwidth reservations, reserve bandwidth for these ranges as well to ensure that bandwidth is available for the VOIP traffic. Keep in mind that each live conversation takes up to 100k in both the up and down directions for a standard G711 call.



  • Ok, that would be if you had some kind of stateless ACL filtering in place on a routing device of some sort that isn't doing NAT. If you have the default LAN rule in place, that suffices for what they're asking for in the NAT context.


Log in to reply