    VoIP SIP Trunking question

      jsaad last edited by

      We have an IP PBX with a static public IP facing the internet. We get hacked. Repeatedly. This is a poor setup done by others using Avaya IP Office.

      We want to use an SG-2440 that I bought as a firewall between the PBX and the internet and allow only SIP and RTP traffic, only from the IP of the VoIP provider (Verizon).

      Would this work for SIP trunking? Are there any other considerations and will this be secure?

      Many thanks!

        muswellhillbilly last edited by

        We've run a Polycom SIP phone system through a PFS ourselves without any trouble at all and zero hacks. As you've suggested, just limit SIP traffic to your provider on the WAN side.

          luckman212 last edited by

          As long as you aren't going to NAT the connections between your PBX and the public internet through the pfSense then simple firewall rules should work great. If you are going to NAT then there are some additional gotchas. I am not as familiar with Avaya but with my Asterisk based setups I have had to set SIP to a static port on the Advanced Outbound NAT page. There are details here:
          https://doc.pfsense.org/index.php/PBX_VoIP_NAT_How-to

            jsaad last edited by

            This is great advice. Thanks.

            I was planning to make the PBX a private IP and NAT the connection.

            We do have, luckily, a /29 address.

            So then it would make total sense to leave the public IP alone, put it behind pfSense and then only allow ports I need through (5060, 5062, 5562 and UDP 45000-52000)??

              jsaad last edited by

              I've followed these guidelines. I was able to connect incoming and outgoing calls but could not get any audio or UDP / RTP traffic. The phone rings but no sound.

              What's frustrating is there's no incoming / outgoing calls while we try to get this to work.

              Any other tips, please?

                luckman212 last edited by

                Again, I don't have much Avaya experience, but you need to also forward the ports used for RTP traffic. This could vary but might be something like 40750-50750 or 46750-50750. I found a document that might be helpful but you may need to do some research into the exact port range used.
                https://downloads.avaya.com/css/P8/documents/101008914

                  jsaad last edited by

                  Yes, thanks, I've used the NAT page to forward those ports to the PBX. I used aliases for those ports, the PBX and the IPs of the SIP trunk provider.

                  I also did the manual outbound NAT settings. No workie.

                    luckman212 last edited by

                    In that case, might be a good time to break out the packet capture and use Wireshark to see what is going on.

                      jsaad last edited by

                      Thanks!

                        jsaad last edited by

                        A packet capture on the WAN port shows the PBX sending its internal IP to the SIP trunk provider, not the public IP. The result is one-way speech. I thought pfSense might solve it but it seems to be a PBX issue. We can't figure it out!

                        1 Reply Last reply Reply Quote 0
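
The packet-capture finding above (the PBX advertising its internal IP, giving one-way audio) and the earlier RTP port-range question can both be checked mechanically. This is an added example, not part of the original thread: a Python check that flags RFC 1918 addresses in the Via/Contact headers and the SDP `c=` line of a SIP message, and an RTP port outside the forwarded range. The sample INVITE, its addresses and the function names are constructed; the default range is the UDP 45000-52000 mentioned earlier in the thread.

```python
import ipaddress
import re

# Constructed sample: an INVITE as a PBX behind NAT might send it. All
# addresses and numbers are made up for illustration, not from the thread.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:15555550100@198.51.100.10 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.10.5:5060;branch=z9hG4bK776asdhds",
    "Contact: <sip:15555550199@192.168.10.5:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "c=IN IP4 192.168.10.5",
    "m=audio 46802 RTP/AVP 0 8",
])

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def is_rfc1918(text):
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:  # hostname or malformed address
        return False
    return any(ip in net for net in RFC1918)

def audit_sip(message, rtp_range=(45000, 52000)):
    """Return NAT-related findings for one SIP message that carries SDP."""
    head, _, sdp = message.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v", "contact", "m"):
            for addr in filter(is_rfc1918, IPV4.findall(value)):
                findings.append(f"{name.strip()} header advertises private {addr}")
    for line in sdp.split("\r\n"):
        if line.startswith("c="):  # where the far end is told to send RTP
            addr = line.split()[-1].split("/")[0]
            if is_rfc1918(addr):
                findings.append(f"SDP c= line points RTP at private {addr}")
        elif line.startswith("m=audio"):
            port = int(line.split()[1].split("/")[0])
            if not rtp_range[0] <= port <= rtp_range[1]:
                findings.append(f"RTP port {port} is outside the forwarded range")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_sip(SAMPLE_INVITE)))
```

Paste a message copied from the capture in place of `SAMPLE_INVITE` (keeping CRLF line endings) and pass the range actually forwarded on the firewall as `rtp_range`.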
                          luckman212 last edited by

                          If you can't fix it from the PBX side you could try installing the siproxd package, but usually that causes more problems than it solves. Might be worth a try though if you can't adjust the settings on the PBX.
