VOIP and Firewall Rules
-
For the last several months, we have had issues connecting to, and staying connected to FreeConferenceCall.com (FCC). A call drop happened again today, we were unable to reconnect to their service, and I'm really at a loss of how to correct this. We have no issues with any other service or call received / sent to any other number.
I've had numerous discussions with FCC and with VirtualPBX (our hosted PBX provider) as to the nature of the problem, and of course, they point fingers at each other. I've also had a service tech from TimeWarnerSpectrum (whatever they call themselves this week), come out here and test taps and equipment at the pole. As you can see in the attached chart from the last hour (where we had a call drop at 14:50 PM) there is 0 packet loss, and that time frame of the call drop the graph is showing normal.
Before I circle back around to VPBX and FCC (again), I want to make sure that the firewall is correctly configured. The second attachment image shows what I have set now. I did reboot the router after placing these settings, and before our latest call where we had problems.
The specs for FCC are (from their docs): (admittedly I don't know how to set hosts as prescribed here).
"allow firewall access to the following addresses: host: 12.7.192.0/23, 67.55.209.0/24, 162.251.180.0/23, ports UDP 6000-65534 and TCP 443, and TCP 5040-5060."
The specs from vPBX (from their docs): (pfSense does not have SIP ALG that I can find; pnp is disabled; I only have one router).
Router Settings:
There are settings that should be adjusted on all routers in order to perform correctly regardless of your ISP:
• DISABLE SIP ALG – if it is enabled (not all routers have this setting, if setting is not found, it may be enabled by
default and unable to change, you may need to replace the router with one that can be disabled)
• Make sure NAT is enabled – please be aware that if there is more than one router in the path, there could be
‘DUAL NATTING.’ If this is the case, you may need to put the second router in BRIDGE mode. You may need to
contact your Internet Service Provider to assist.
• DISABLE Universal Plug’N’Play (UPnP)
• Enable QoS (Quality of Service) if available
• You may also need to open the following ports on your router/firewall:
• Port 5060 TCP and UDP (this is for the SIP call messaging)
• Ports 16348-32768 UDP (this is for all RTP and audio streams)Any advice or help you can provide is greatly appreciated.
Thanks, Mark
-
I actually never use port forwarding for any of my VOIP systems.. In fact I don't recommend it. Your SIP client (ATA, SIP phone, software program ect..) already knows how to direct the server back its direction (for lack of a better description..)
But firewall rules are paramount. You need to read the logs and figure out whats being blocked.
In my case my provider provides the SIP but the RTP (actual audio streams) come direct from the carrier. Since there's a firewall involved you have to remember that unsolicited traffic is blocked. While my SIP client directs the traffic the RTP stream comes from a different IP address out there and is seen by the firewall as unsolicited and therefore blocks it.
VOIP is generally UDP traffic. Unless your provider tells you otherwise.
Rules-
SIP allow from your SIP server to the SIP client device.
RTP allow from the carrier (Maybe same as SIP maybe not) to your SIP client device.Make a call and watch your firewall rules carefully. My customers example- 5004 to 5059 RTP 5078-5079 SIP.
-
I actually never use port forwarding for any of my VOIP systems.. In fact I don't recommend it.
But firewall rules are paramount.
I'm confused, what's the difference? How do we do a port forward if not with a rule?
You have ports defined in your rules…
-
You can't port forward one port to more than one IP address. Your rule has 2 different internal IPs on port 5060. How can if know which one to choose?
-
@P3R:
I'm confused, what's the difference? How do we do a port forward if not with a rule?
You have ports defined in your rules…
This is kinda networking 101.. You really need to understand the basics before you go in changing things.. But-
Kill off any port forwarding you have.
Go to your firewall rules and build a rule on your WAN pointing to your LAN address of your voip devices.
-
This is kinda networking 101.. You really need to understand the basics before you go in changing things..
-
I'm not the OP.
-
You didn't try to answer any of my questions.
-
I've had my SIP working for years and I know what port forwarding is.
-
I was only trying to help you to be a bit more pedagogical but that attempt obviously fell flat on the face as you only repeat the same thing you said previously.
Since I asked my question awebster started to address the problem the OP have in a different way and since the OP didn't come back, I suppose the issue is solved by now.
-
-
@P3R:
This is kinda networking 101.. You really need to understand the basics before you go in changing things..
- I'm not the OP.
Sorry- I seriously needed sleep when I posted this.. :o
Sometimes (in fact these days more often than not) your SIP server and RTP server are different. If so RTP traffic will be blocked as the firewall believes it is unsolicited. Services like Vonage generally use the same server IP for both SIP and RTP so not so much an issue. The service Im on will do that if a particular customer is having problems. But otherwise allowing the RTP streams direct from the carrier servers knocks a few hops and a bunch of latency out of the equation.
But to answer- Your ATA's LAN address is in its SIP header. The SIP server already knows how to find it. Simply allowing the traffic via firewall rules will allow the two devices to keep in communication with each other.
Like awebster mentioned- you can only port forward a certain port to one device. If you need to use 10 phones behind your firewall port forwarding will not allow this without allowing different ports for each phone.
We've found that using port forwarding on a single device seems to cause intermittent issues when we first started with VOIP a while back.
Thats my reason. But -
I'm confused, what's the difference? How do we do a port forward if not with a rule?
A port forward is a port forward and a firewall rule is a rule on the actual firewall portion of pfSense. Port forwards direct, and firewall rules allow or block traffic. You can build a port forward rule and then control access with a firewall rule.