This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!
Revision by CrazyTeeka (minor edit, no edit summary)
This is what we suggest firewall-wise for VoIP customers:
Avoid using NAT where possible. However, some NAT gateways provide an adequate SIP ALG (e.g. Technicolor TG582), and some devices provide NAT that works with the new call server (e.g. FireBrick FB2700 and many simple NAT routers). If NAT works, then well done, but if not we cannot guarantee to be able to make it work.
{| class="wikitable"
!colspan="3"|Firewall Requirements on
|-
|
!Target Ports
!Source IPs
|-
!SIP (IPv4)
|UDP 5060
|81.187.30.110 - 81.187.30.119
90.155.103.0/24
|-
!SIP ([[IPv6]])
|UDP 5060
|2001:8b0:0:30::5060:0/112
|-
!RTP (IPv4)
|UDP 1024-65535
|81.187.30.110 - 81.187.30.119
90.155.103.0/24
|-
!RTP ([[IPv6]])
|UDP 1024-65535
|2001:8b0:0:30::5060:0/112
|}
{| class="wikitable"
!colspan="3"|Firewall Requirements on Legacy 'C' Platform
|-
|
!Target Ports
!Source IPs
|-
!SIP (IPv4)
|UDP 5060
|81.187.30.110 - 81.187.30.119
|}
Customers should add all of the IPs above to their firewall rules, even if they do not currently see traffic to or from some of them. This is a fairly large number of addresses, but it means we can expand our platform over time and host our equipment in diverse datacentres without customers having to change their rules.
'''SIP''' is the call routing information that creates and manages calls. In practice if you allow port 5060 from the outside world you'll see attacks and possibly receive spam phone calls. We do not recommend leaving 5060 open unless you really know what you are doing. Phones rarely use ports as low as 5060 for media.
'''RTP''' is the actual media (
On routers which need one rule per IP address range you can halve the number of firewall rules needed, as long as the source IP address ranges for SIP and RTP are the same and the RTP port range you specify includes 5060.
In CIDR notation, the IPv4 range 81.187.30.110 - 81.187.30.119 needs two blocks:
81.187.30.110/31
81.187.30.112/29
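The following is an added worked example, not code from AAISP or from this page. It uses Python's standard `ipaddress` module to turn the 81.187.30.110 - 81.187.30.119 range into the two CIDR blocks above, counts how many one-rule-per-block entries a router needs with and without the "RTP range includes 5060" trick, and then audits a few constructed log lines for UDP 5060 traffic arriving from addresses that are not on the SIP source list (the point made above about leaving 5060 open to the outside world). The source list combines the requirements table with the extra blocks (90.155.3.0/24 and 2001:8b0:5060::/48) that the FireBrick rules on this page also allow; the log line format and the sample addresses are constructed for the example and do not correspond to any particular router.

```python
import ipaddress
import re

# Source addresses this page lists for SIP and RTP: the IPv4 range from the
# requirements table plus the CIDR blocks used in the page's FireBrick rules.
IPV4_RANGE = ("81.187.30.110", "81.187.30.119")
CIDR_SOURCES = [
    "90.155.3.0/24",
    "90.155.103.0/24",
    "2001:8b0:0:30::5060:0/112",
    "2001:8b0:5060::/48",
]
SIP_PORT = 5060


def range_to_cidrs(first, last):
    """Minimal list of CIDR blocks covering the inclusive range first..last."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
    return [str(n) for n in nets]


def allowed_networks():
    """All listed source networks (IPv4 and IPv6) as ip_network objects."""
    blocks = range_to_cidrs(*IPV4_RANGE) + CIDR_SOURCES
    return [ipaddress.ip_network(b) for b in blocks]


def is_allowed_source(ip):
    """True if ip falls inside one of the listed SIP/RTP source networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed_networks() if net.version == addr.version)


def rules_needed(rtp_ports, combine=True):
    """Count firewall entries on a router that needs one rule per block.

    With combine=True a single rule per block covers both SIP and RTP, which is
    only valid when the RTP destination port range also includes SIP_PORT;
    otherwise separate SIP and RTP rules are needed for every block.
    """
    low, high = rtp_ports
    if combine and low <= SIP_PORT <= high:
        return len(allowed_networks())
    return 2 * len(allowed_networks())


# Constructed sample log lines in a hypothetical "ACCEPT src= dst= proto= dport="
# shape; they are not from any real router and the addresses are documentation ranges.
SAMPLE_LOG = """\
ACCEPT src=81.187.30.113 dst=192.0.2.10 proto=UDP dport=5060
ACCEPT src=90.155.103.7 dst=192.0.2.10 proto=UDP dport=5010
ACCEPT src=198.51.100.23 dst=192.0.2.10 proto=UDP dport=5060
ACCEPT src=2001:8b0:0:30::5060:1 dst=2001:db8::10 proto=UDP dport=5060
ACCEPT src=203.0.113.9 dst=192.0.2.10 proto=UDP dport=5060
"""

LINE_RE = re.compile(r"src=(\S+) .*proto=(\w+) dport=(\d+)")


def unexpected_sip_sources(log_text):
    """Source IPs that reached UDP 5060 but are not on the listed SIP source networks."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, proto, dport = m.group(1), m.group(2), int(m.group(3))
        if proto == "UDP" and dport == SIP_PORT and not is_allowed_source(src):
            found.append(src)
    return found


if __name__ == "__main__":
    print("CIDR blocks:", range_to_cidrs(*IPV4_RANGE))
    print("rules with combined SIP/RTP:", rules_needed((5000, 5999)))
    print("rules with separate SIP/RTP:", rules_needed((5000, 5999), combine=False))
    print("unexpected 5060 sources:", unexpected_sip_sources(SAMPLE_LOG))
```

With the six blocks the page's example configs allow, `rules_needed((5000, 5999))` gives 6 combined rules against 12 separate ones, which is the saving the ZyXEL example on this page describes; a port range such as 10000-20000 that does not include 5060 gets no saving. Any address that `unexpected_sip_sources` reports is a sign that 5060 is reachable from more than the listed sources.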
=Example FireBrick Config=
Allow inbound calls to your VoIP Phone, if you register it with Voiceless:
<syntaxhighlight lang="xml">
<rule name="SIP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="
<rule name="RTP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="
</syntaxhighlight>
Allow inbound calls to your Snom Phone, if you register it with Voiceless:
<syntaxhighlight lang="xml">
<rule name="SIP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="
<rule name="RTP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="
</syntaxhighlight>
=Example consumer router config=
The following example is for an AAISP-supplied ZyXEL router. It assumes you have locked down the RTP port range on clients to ports 5000-5098. Because the Custom Destination Port range covers port 5060 we get away with half the rules - 6, rather than 12!
{| class="wikitable"
|-
!Filter name
!Source IP Address
!IP Type
!Protocol
!Custom Destination Port
!Policy
!Direction
|-
|VoIP6A
|2001:8b0:0:30::5060:0/112
|IPv6
|UDP
|5000-5999
|ACCEPT
|WAN to LAN
|-
|VoIP6B
|2001:8b0:5060::/48
|IPv6
|UDP
|5000-5999
|ACCEPT
|WAN to LAN
|-
|VoIP4A
|81.187.30.110/31
|IPv4
|UDP
|5000-5999
|ACCEPT
|WAN to LAN
|-
|VoIP4B
|81.187.30.112/29
|IPv4
|UDP
|5000-5999
|ACCEPT
|WAN to LAN
|-
|VoIP4C
|90.155.3.0/24
|IPv4
|UDP
|5000-5999
|ACCEPT
|WAN to LAN
|-
|VoIP4D
|90.155.103.0/24
|IPv4
|UDP
|5000-5999
|ACCEPT
|WAN to LAN
|}
=Other things to Firewall=
*Please see our [[VoIP Security]] page for further information on securing your phones, accounts and VoIP systems.
[[Category:VoIP]]