Secure VoIP with IP restriction



  • Hello

    i have to open and forward to internal lan ip port 5060 and 9000 to 9049 for my 3CX phone system. Im reading alot of articles about voip accounts scams. There is any way to secure these ports, possibly forcing only communication with the IP of the SIP server of my ISP. I mean force just my ip <–> voip isp IP comunication on that ports?

    Maybe some MAC address check too... in this way if i have to connect some external phone i can force mac address + ip range check. And for voip ISP i can force ip address of the IPS and/or MAC address... some help please?



  • Yes, you can certainly only allow connections to your VoIP ISP with a simple firewall rule, however if you want to connect SIP clients from your WAN side then that rule will interfere with those.

    You can't check a MAC address over the internet, and even if you could they can be faked. Your best bet for SIP security is to use strong passwords (completely random and long) and encrypt the SIP traffic if your clients and server support it.

    You can also firewall by country so as to only allow SIP connections from your own country which should cut down on malicious connections. It takes a little work to do this but isn't that hard



  • Thanks Wendo for your reply. I have secured our VoiP ports using ALIAS and putting as source the ip of our voip providers. From my external phone would be cool to put a rule for allow just the range of my mobilephone provider ip range. Do you know how to do that? (i mean insert an ip class range)

    Im interested also in this:

    You can also firewall by country so as to only allow SIP connections from your own country which should cut down on malicious connections. It takes a little work to do this but isn't that hard

    How i can do that? In the alias it seem that i can insert just single hosts, not ranges…

    Thanks!


Log in to reply