SIP Protocol



  • Hi guys,
    we have one VoIP phone that needs to have SIP protocol NAT.
    I looked on the internet and saw that the SIP protocol uses the ports below:

    udp.port == 5060 or udp.port == 5061
    tcp.port == 5060 or tcp.port == 5061

    On the protocol, I see pfSense uses just port 5060 as the SIP protocol.
    Is port 5061 really needed?
    Allowing those ports from the WAN side won't have any security leak?

    Thank you



  • Both 5060 and 5061 are commonly used.  pfSense is a stateful firewall and therefore incoming WAN rules for your phones are not required.  Your phones will talk to their provisioning server and stay alive forever.  The return traffic will automatically be allowed.  We use VoIP phones here and I don't have to have any special rules in pfSense to handle them (other than floating rules for traffic shaping, but that's a different kettle of fish altogether.)



  • @KOM:

    Both 5060 and 5061 are commonly used.  pfSense is a stateful firewall and therefore incoming WAN rules for your phones are not required.  Your phones will talk to their provisioning server and stay alive forever.  The return traffic will automatically be allowed.  We use VoIP phones here and I don't have to have any special rules in pfSense to handle them (other than floating rules for traffic shaping, but that's a different kettle of fish altogether.)

    Thank you KOM for your answer.
    According to the phone company, the VoIP server is offsite, which required an incoming connection over the WAN.
    I just allowed the SIP on the WAN side.
    They are closed now; tomorrow we will check with them.
    Will report back.
    Much appreciated.



  • I just allowed the SIP on the WAN side

    But I explained how you probably don't need this.  When the phone is powered up, it will talk to its provisioning server.  This sets up the initial state between the phone and the server.  The phone pings the server every so often to keep the state open.  When there is an incoming call, it just goes to the phone over the already-existing active state.  Adding a WAN rule to allow this traffic may not be required and so should be closed if it isn't used.  Older-style firewalls had to be manually configured for all incoming as well as outgoing traffic.  Stateful firewalls like pfSense track the outgoing traffic and automatically allow the incoming replies, so you only need rules on WAN to allow unsolicited incoming connections via NAT to a server like www or ftp.



  • @KOM:

    I just allowed the SIP on the WAN side

    But I explained how you probably don't need this.  When the phone is powered up, it will talk to its provisioning server.  This sets up the initial state between the phone and the server.  The phone pings the server every so often to keep the state open.  When there is an incoming call, it just goes to the phone over the already-existing active state.  Adding a WAN rule to allow this traffic may not be required and so should be closed if it isn't used.  Older-style firewalls had to be manually configured for all incoming as well as outgoing traffic.  Stateful firewalls like pfSense track the outgoing traffic and automatically allow the incoming replies, so you only need rules on WAN to allow unsolicited incoming connections via NAT to a server like www or ftp.

    Great explanation.
    Thank you so much.
    So what I understand now is: only if the LAN allow-all rule is active, the phone should contact the server without any NATING on the WAN side?

    Thank you



  • the phone should contact the server without any NATING on the WAN side?

    No, NAT is happening regardless.  The server talks to the phone via the WAN IP address, and pfSense tracks and translates that to the LAN IP address of the device.
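
Added example (not part of any post in this thread): a minimal Python model of the behaviour described in the replies above, where the phone's outbound packet creates a NAT state, keep-alives refresh it, and only matching return traffic is passed back to the LAN address. The addresses, the 60-second idle timeout and all class and function names are assumptions made for the illustration, not pfSense values.

```python
from dataclasses import dataclass, field

UDP_TIMEOUT = 60  # seconds; assumed idle timeout for the illustration


@dataclass
class StatefulNat:
    wan_ip: str
    # (wan_port, remote_endpoint) -> [lan_endpoint, last_seen]
    states: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, lan, remote, now):
        """LAN host sends to remote: create or refresh a state, return the NAT source."""
        for (wan_port, rem), entry in self.states.items():
            if rem == remote and entry[0] == lan and now - entry[1] <= UDP_TIMEOUT:
                entry[1] = now  # keep-alive refreshes the existing state
                return (self.wan_ip, wan_port)
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.states[(wan_port, remote)] = [lan, now]
        return (self.wan_ip, wan_port)

    def inbound(self, remote, wan_port, now):
        """Packet arrives on WAN: return the LAN endpoint it reaches, or None if dropped."""
        entry = self.states.get((wan_port, remote))
        if entry and now - entry[1] <= UDP_TIMEOUT:
            entry[1] = now
            return entry[0]  # translated back to the phone's LAN address
        return None  # no state and no WAN pass rule: dropped


def demo():
    # Constructed sample endpoints (documentation address ranges).
    fw = StatefulNat(wan_ip="203.0.113.10")
    phone = ("192.168.1.50", 5060)
    provider = ("198.51.100.20", 5060)
    other_host = ("192.0.2.99", 5060)
    results = {}
    _, port = fw.outbound(phone, provider, now=0)  # phone registers
    results["call_after_register"] = fw.inbound(provider, port, now=30)
    results["unsolicited_other_host"] = fw.inbound(other_host, port, now=31)
    fw.outbound(phone, provider, now=80)  # keep-alive before the state expires
    results["call_with_keepalive"] = fw.inbound(provider, port, now=130)
    results["call_after_idle"] = fw.inbound(provider, port, now=191)
    return results


if __name__ == "__main__":
    for name, delivered_to in demo().items():
        print(f"{name}: {delivered_to}")
```

The last case shows why the keep-alive interval matters: once the state has been idle longer than the timeout, even the provider's packets are dropped until the phone sends again.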

