Netgate Discussion Forum

    SIP Protocol

      Jamerson

      Hi guys,
      We have one VoIP phone that needs to have SIP protocol NAT.
      I looked on the internet and saw that the SIP protocol uses the ports below:

      udp.port == 5060 or udp.port == 5061
      tcp.port == 5060 or tcp.port == 5061

      On the protocol I see pfSense uses just port 5060 as the SIP protocol.
      Is port 5061 really needed?
      Allowing those ports from the WAN side won't have any security leak?

      Thank you

        KOM

        Both 5060 and 5061 are commonly used.  pfSense is a stateful firewall and therefore incoming WAN rules for your phones are not required.  Your phones will talk to their provisioning server and stay alive forever.  The return traffic will automatically be allowed.  We use VoIP phones here and I don't have to have any special rules in pfSense to handle them (other than floating rules for traffic shaping, but that's a different kettle of fish altogether.)

          Jamerson

          @KOM:

          Both 5060 and 5061 are commonly used.  pfSense is a stateful firewall and therefore incoming WAN rules for your phones are not required.  Your phones will talk to their provisioning server and stay alive forever.  The return traffic will automatically be allowed.  We use VoIP phones here and I don't have to have any special rules in pfSense to handle them (other than floating rules for traffic shaping, but that's a different kettle of fish altogether.)

          Thank you KOM for your answer.
          According to the phone company, the VoIP server is offsite, which required an incoming connection over the WAN.
          I just allowed the SIP on the WAN side.
          They are closed now; tomorrow we will check with them.
          Will report back.
          Much appreciated.

            KOM

            i just allowed the SIP on the WAN side

            But I explained how you probably don't need this.  When the phone is powered up, it will talk to its provisioning server.  This sets up the initial state between the phone and the server.  The phone pings the server every so often to keep the state open.  When there is an incoming call, it just goes to the phone over the already-existing active state.  Adding a WAN rule to allow this traffic may not be required and so should be closed if it isn't used.  Older-style firewalls had to be manually configured for all incoming as well as outgoing traffic.  Stateful firewalls like pfSense track the outgoing traffic and automatically allow the incoming replies, so you only need rules on WAN to allow unsolicited incoming connections via NAT to a server like www or ftp.

              Jamerson

              @KOM:

              i just allowed the SIP on the WAN side

              But I explained how you probably don't need this.  When the phone is powered up, it will talk to its provisioning server.  This sets up the initial state between the phone and the server.  The phone pings the server every so often to keep the state open.  When there is an incoming call, it just goes to the phone over the already-existing active state.  Adding a WAN rule to allow this traffic may not be required and so should be closed if it isn't used.  Older-style firewalls had to be manually configured for all incoming as well as outgoing traffic.  Stateful firewalls like pfSense track the outgoing traffic and automatically allow the incoming replies, so you only need rules on WAN to allow unsolicited incoming connections via NAT to a server like www or ftp.

              Great explanation.
              Thank you so much.
              What I understand now is that only if the LAN allow-all rule is active, the phone should contact the server without any NATING on the WAN side?

              Thank you

                KOM

                the phone should contact the server without any NATING on the WAN side ?

                No, NAT is happening regardless.  The server talks to the phone via the WAN IP address, and pfSense tracks and translates that to the LAN IP address of the device.

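The state tracking and NAT behaviour described in the replies above, as a toy model added here (it is not from the thread and is not pfSense code). The addresses, the 60-second state lifetime, the port numbering and the names `StatefulNat`, `forwards` and `demo` are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field

WAN_IP = "203.0.113.10"   # constructed address (documentation range)
STATE_TTL = 60            # assumed UDP state lifetime in seconds, not a pfSense default

@dataclass
class StatefulNat:
    forwards: dict = field(default_factory=dict)  # (proto, wan_port) -> (lan_ip, lan_port)
    states: dict = field(default_factory=dict)    # (proto, wan_port, remote) -> [lan_ip, lan_port, expiry]
    next_port: int = 40000

    def outbound(self, now, proto, lan_ip, lan_port, remote):
        """LAN -> WAN: create or refresh a state, return the translated source."""
        for (p, wan_port, r), st in self.states.items():
            if (p, r) == (proto, remote) and st[:2] == [lan_ip, lan_port]:
                st[2] = now + STATE_TTL
                return WAN_IP, wan_port
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.states[(proto, wan_port, remote)] = [lan_ip, lan_port, now + STATE_TTL]
        return WAN_IP, wan_port

    def inbound(self, now, proto, remote, wan_port):
        """WAN -> LAN: a live state wins; otherwise only an explicit forward passes."""
        key = (proto, wan_port, remote)
        st = self.states.get(key)
        if st and st[2] > now:
            st[2] = now + STATE_TTL               # traffic in either direction keeps it alive
            return "pass-state", st[0], st[1]
        self.states.pop(key, None)                # expired or never existed
        if (proto, wan_port) in self.forwards:
            return ("pass-rule", *self.forwards[(proto, wan_port)])
        return "block", None, None

def demo():
    # Constructed endpoints: LAN phone, offsite SIP server, unrelated Internet host.
    phone, server, stranger = ("192.168.1.50", 5060), ("198.51.100.5", 5060), ("192.0.2.77", 5060)
    fw = StatefulNat()
    _, wport = fw.outbound(0, "udp", *phone, server)        # phone registers
    out = [fw.inbound(5, "udp", server, wport)[0],          # server's reply
           fw.inbound(10, "udp", stranger, wport)[0]]       # unsolicited host
    fw.outbound(50, "udp", *phone, server)                  # keepalive refreshes the state
    out.append(fw.inbound(100, "udp", server, wport)[0])    # incoming call on the live state
    out.append(fw.inbound(400, "udp", server, wport)[0])    # no keepalive: state has expired
    opened = StatefulNat(forwards={("udp", 5060): phone})   # WAN rule plus port forward
    out.append(opened.inbound(0, "udp", stranger, 5060)[0]) # any host now reaches the phone
    return out

if __name__ == "__main__":
    print(demo())
```

The last case is the exposure the original question asks about: with the WAN forward in place, the model passes SIP traffic from any source, while without it only the server the phone already contacted gets through.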