VoIP SIP Trunking question
We have an IP PBX with a static public IP facing the internet. We get hacked. Repeatedly. This is a poor setup done by others using Avaya IP Office.
We want to use an SG-2440 that I bought as a firewall between the PBX and the internet and allow SIP and RTP traffic only from the IP of the VoIP provider (Verizon).
Would this work for SIP trunking? Are there any other considerations and will this be secure?
We've run a Polycom SIP phone system through a PFS ourselves without any trouble at all and zero hacks. As you've suggested, just limit SIP traffic to your provider on the WAN side.
As long as you aren't going to NAT the connections between your PBX and the public internet through the pfSense then simple firewall rules should work great. If you are going to NAT then there are some additional gotchas. I am not as familiar with Avaya but with my Asterisk based setups I have had to set SIP to a static port on the Advanced Outbound NAT page. There are details here:
This is great advice. Thanks.
I was planning to make the PBX a private IP and NAT the connection.
We do have, luckily, a /29 address.
So then it would make total sense to leave the public IP alone, put it behind pfSense and then only allow the ports I need through (5060, 5062, 5562 and UDP 45000-52000)?
I've followed these guidelines. I was able to connect incoming and outgoing calls but could not get any audio or UDP/RTP traffic. The phone rings but there is no sound.
What's frustrating is there are no incoming/outgoing calls while we try to get this to work.
Any other tips, please?
Again, I don't have much Avaya experience, but you also need to forward the ports used for RTP traffic. This could vary but might be something like 40750-50750 or 46750-50750. I found a document that might be helpful, but you may need to do some research into the exact port range used.
Yes, thanks, I've used the NAT page to forward those ports to the pbx. I used aliases for those ports, the pbx and the IPs of the sip trunk provider.
I also did the manual outbound NAT settings. No workie.
In that case, might be a good time to break out the packet capture and use Wireshark to see what is going on.
A packet capture on the WAN port shows the PBX sending its internal IP to the SIP trunk provider, not the public IP. The result is one-way speech. I thought pfSense might solve it, but it seems to be a PBX issue. We can't figure it out!
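The symptom in the post above (a PBX behind NAT advertising its internal address to the trunk provider, giving one-way audio) is easy to confirm from the capture once you know which fields to look at: the Via and Contact headers of the INVITE and the c=/o= lines of the SDP body carry the address the far end will send signaling and RTP to. The script below is an added example, not code from the original thread or from any vendor; it parses a SIP INVITE, flags RFC 1918 addresses in those fields, checks that the advertised RTP port falls inside the UDP range forwarded earlier in the thread (45000-52000), and shows the rewrite that a NAT-aware PBX setting or a SIP-aware proxy has to perform. The INVITE, the PBX address 192.168.10.5 and the public address 203.0.113.10 are constructed for this example and are not real values from the thread.

```python
"""Audit a captured SIP INVITE for the private-address leak that causes one-way audio.

Added example, not part of the original forum thread. The sample message and all
addresses below are constructed for illustration (assumptions, not real data).
"""
import ipaddress
import re

# UDP range forwarded to the PBX in the thread; assumption taken from the post.
RTP_RANGE = range(45000, 52001)

# RFC 1918 internal ranges only (Python's is_private also flags documentation
# space such as 203.0.113.0/24, which we deliberately use as the "public" side).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed INVITE, as a non-NAT-aware PBX would send it out through the firewall.
SAMPLE_INVITE = (
    "INVITE sip:+15551234567@sip.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.10.5:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:pbx@192.168.10.5>;tag=1928301774\r\n"
    "To: <sip:+15551234567@sip.example.invalid>\r\n"
    "Contact: <sip:pbx@192.168.10.5:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 12345 12345 IN IP4 192.168.10.5\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.10.5\r\n"
    "m=audio 46000 RTP/AVP 0 8 101\r\n"
)


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def split_sip(message: str):
    """Split a SIP message into header block and body at the first blank line."""
    head, _, body = message.partition("\r\n\r\n")
    return head, body


def audit_invite(message: str) -> dict:
    """Return the private addresses found in signaling/SDP and any RTP port outside RTP_RANGE."""
    head, body = split_sip(message)
    findings = {"private_in_headers": [], "private_in_sdp": [], "rtp_ports_out_of_range": []}

    # Via tells the provider where to send responses; Contact where to send later requests.
    for line in head.split("\r\n"):
        for hdr in ("Via", "Contact"):
            if line.lower().startswith(hdr.lower() + ":"):
                for ip in IPV4_RE.findall(line):
                    if is_rfc1918(ip):
                        findings["private_in_headers"].append((hdr, ip))

    # c= is the address the far end will stream RTP to; o= is the session origin.
    for line in body.split("\r\n"):
        if line.startswith(("c=", "o=")):
            for ip in IPV4_RE.findall(line):
                if is_rfc1918(ip):
                    findings["private_in_sdp"].append((line[:2], ip))
        m = re.match(r"m=audio (\d+) ", line)
        if m and int(m.group(1)) not in RTP_RANGE:
            findings["rtp_ports_out_of_range"].append(int(m.group(1)))

    # A private c= address means the provider's RTP never reaches the PBX: one-way audio.
    findings["one_way_audio_risk"] = bool(findings["private_in_sdp"])
    return findings


def rewrite_for_nat(message: str, public_ip: str) -> str:
    """Replace RFC 1918 addresses in Via/Contact and SDP c=/o= with the public address.

    This is the rewrite a correct "external/public IP" setting on the PBX produces
    itself; a SIP-aware proxy in front of it does the same on the PBX's behalf.
    """
    head, body = split_sip(message)

    def fix(line: str, prefixes) -> str:
        if line.lower().startswith(prefixes):
            for ip in set(IPV4_RE.findall(line)):
                if is_rfc1918(ip):
                    line = line.replace(ip, public_ip)
        return line

    head = "\r\n".join(fix(l, ("via:", "contact:")) for l in head.split("\r\n"))
    body = "\r\n".join(fix(l, ("c=", "o=")) for l in body.split("\r\n"))
    return head + "\r\n\r\n" + body


if __name__ == "__main__":
    print("before:", audit_invite(SAMPLE_INVITE))
    print("after: ", audit_invite(rewrite_for_nat(SAMPLE_INVITE, "203.0.113.10")))
```

To run it against a real capture, export the INVITE payload from Wireshark (Follow UDP Stream, or `tshark -Y sip.Method==INVITE -T fields -e sip.msg_hdr`) and pass it to `audit_invite`. If `private_in_sdp` is non-empty on the WAN-side capture, the firewall's port forwards and outbound NAT are not the problem: the PBX must be told its public address, or a SIP-aware proxy has to rewrite the message for it.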
If you can't fix it from the PBX side, you could try installing the siproxd package, but usually that causes more problems than it solves. Might be worth a try, though, if you can't adjust the settings on the PBX.