
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

VoIP Firewall: Difference between revisions

Adsb (talk | contribs)
m A few minor improvements
AA-Andrew (talk | contribs)
mNo edit summary
 
<indicator name="VoIP">[[File:menu-voip.svg|link=:Category:VoIP|30px|Back up to the VoIP and SMS Category Page]]</indicator>

[[File:Snom710.png|link=:Category:VoIP|Go to the VoIP Category]]


=== If you are not using public IP addresses (ie NAT): ===

If your phone is on a private IP address (eg 192.168.x.x, 10.x.x.x) then the inbound firewall rules below do not apply to it, as the phone is not reachable on a public IP address.

Avoid using NAT where possible. If using NAT, the options are to tell the phone what its public IP address is (either by explicit configuration, or by specifying a STUN server to use - e.g. ''stun.aa.net.uk''), or to use a SIP Application Layer Gateway (ALG) in the NAT gateway to rewrite SIP packets on the fly. Some NAT gateways provide an adequate SIP ALG (e.g. Technicolor TG582), and some devices provide NAT that works with the new call server (e.g. FireBrick FB2900 and many simple NAT routers). If NAT works, then well done, but if not we cannot guarantee to be able to make it work.

=== If you are using public IP addresses: ===

Allowing appropriate SIP and RTP packets through a firewall is the key to reliable VoIP communication. It may be possible to achieve reliability using SIP keep-alive packets (every 120 seconds or so) and relying on the phone's own outbound traffic to punch a UDP hole for the audio channel, but explicit firewall rules are more certain to work.

This is what we suggest firewall-wise for VoIP customers who have SIP devices (phones/PABXs etc) on public IP addresses. Keep the rules restricted to the source ranges listed: the RTP rule has to admit UDP 1024-65535 from those ranges, but it should not be open to the whole Internet, and if your phone uses a fixed RTP port range (as in the Snom example below) you can narrow it further.


{| class="wikitable"
!colspan="4"|Firewall Requirements on the AAISP VoIP Platform
|-
!
!Target Ports
!Source IPs ([[IPv6]])
!Source IPs (legacy)
|-
!SIP
|UDP 5060
|2001:8b0:0:30::5060:0/112
2001:8b0:5060::/48
|81.187.30.110 - 81.187.30.119
90.155.3.0/24
90.155.103.0/24
|-
!RTP
|UDP 1024-65535
|2001:8b0:0:30::5060:0/112
2001:8b0:5060::/48
|81.187.30.110 - 81.187.30.119
90.155.3.0/24
90.155.103.0/24
|}
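As an added example (not AAISP's own code), the following Python models the table above: it parses the source ranges in the forms they appear (CIDR and "first - last" ranges), classifies constructed sample packets as SIP, RTP or dropped, and shows which addresses a single /29 misses when used in place of the 81.187.30.110-119 range. The sample packets are constructed for illustration.

```python
"""Added example (not AAISP's own code): evaluate candidate packets against the
SIP/RTP allow-list in the firewall requirements table above."""
import ipaddress
from typing import List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Source ranges copied from the table; the dash form is an address range, not a CIDR.
SOURCES = [
    "2001:8b0:0:30::5060:0/112",
    "2001:8b0:5060::/48",
    "81.187.30.110 - 81.187.30.119",
    "90.155.3.0/24",
    "90.155.103.0/24",
]

# Target port rules from the table, both UDP: SIP on 5060, RTP anywhere in 1024-65535.
RULES = [("SIP", 5060, 5060), ("RTP", 1024, 65535)]


def parse_source(spec: str) -> List[Net]:
    """Turn a CIDR or a 'first - last' range into a list of networks."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec)]


ALLOWED = [net for spec in SOURCES for net in parse_source(spec)]


def source_allowed(src: str) -> bool:
    """True if src falls inside any AAISP source range (version mismatch is never a match)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED)


def classify(src: str, proto: str, dport: int) -> str:
    """Return 'SIP', 'RTP' or 'DROP' for a datagram arriving at the phone."""
    if proto.upper() != "UDP" or not source_allowed(src):
        return "DROP"
    for name, lo, hi in RULES:
        if lo <= dport <= hi:
            return name
    return "DROP"


def uncovered_by(cidr: str, spec: str) -> List[str]:
    """Addresses in a table range that a single CIDR (e.g. a /29) fails to cover."""
    net = ipaddress.ip_network(cidr)
    return [str(a) for rng in parse_source(spec) for a in rng if a not in net]


if __name__ == "__main__":
    # Constructed sample packets: (source, protocol, destination port)
    samples = [
        ("81.187.30.115", "UDP", 5060),       # SIP from the legacy range
        ("2001:8b0:5060:1::9", "UDP", 5060),  # SIP from the IPv6 /48
        ("90.155.3.77", "UDP", 30000),        # RTP
        ("90.155.3.77", "UDP", 800),          # below 1024: not RTP
        ("8.8.8.8", "UDP", 5060),             # not an AAISP source
        ("81.187.30.115", "TCP", 5060),       # the table only covers UDP
    ]
    for src, proto, port in samples:
        print(f"{src:>22} {proto} {port:<5} -> {classify(src, proto, port)}")
    print("81.187.30.112/29 misses:",
          uncovered_by("81.187.30.112/29", "81.187.30.110 - 81.187.30.119"))
```

The dash range 81.187.30.110-119 is not a single CIDR block; it summarises to 81.187.30.110/31 plus 81.187.30.112/29, which is why a firewall that only takes CIDR needs two entries for it.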


=Example FireBrick Config=
Allow inbound calls to your VoIP Phone, if you register it with the FireBrick:
<syntaxhighlight lang="xml">
<rule name="Allow Firebrick" source-interface="self" comment="Allow all from the FireBrick to LAN"/>
</syntaxhighlight>

Allow inbound calls to your VoIP/Snom Phone, if you register it with Voiceless (replace 1.2.3.4 with the phone's public IP address):
<syntaxhighlight lang="xml">
<rule name="SIP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="1.2.3.4" target-port="5060" action="accept"/>
<rule name="RTP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="1.2.3.4" target-port="1024-65535" protocol="17" action="accept"/>
</syntaxhighlight>

If the phone uses a fixed RTP port range, narrow the RTP rule to that range rather than the whole of 1024-65535. For a Snom phone using 49152-65535:
<syntaxhighlight lang="xml">
<rule name="RTP" source-ip="81.187.30.110-119 90.155.3.0/24 90.155.103.0/24 2001:8b0:0:30::5060:0/112 2001:8b0:5060::/48" target-ip="1.2.3.4" target-port="49152-65535" protocol="17" action="accept"/>
</syntaxhighlight>


Router rule-table entries for UDP 5000-5099, accepted from WAN to LAN (the remaining columns of that table are not part of this excerpt):

{| class="wikitable"
!IP version
!Protocol
!Ports
!Action
!Direction
|-
|IPv6
|UDP
|5000-5099
|ACCEPT
|WAN to LAN
|-
|IPv6
|UDP
|5000-5099
|ACCEPT
|WAN to LAN
|-
|IPv4
|UDP
|5000-5099
|ACCEPT
|WAN to LAN
|-
|IPv4
|UDP
|5000-5099
|ACCEPT
|WAN to LAN
|-
|IPv4
|UDP
|5000-5099
|ACCEPT
|WAN to LAN
|-
|IPv4
|UDP
|5000-5099
|ACCEPT
|WAN to LAN
|}


=NAT=
Avoid using NAT where possible. However, some NAT gateways provide an adequate SIP ALG (e.g. Technicolor TG582), and some devices provide NAT that works with the new call server (e.g. FireBrick 2500/2700 and many simple NAT routers). Using a STUN server (e.g. ''stun.aa.net.uk'') is another possible solution. If NAT works, then well done, but if not we cannot guarantee to be able to make it work.

If you have two phones behind a NAT router, they cannot use the same SIP port number, nor the same RTP port range: if both listened on port 5060 for SIP, then when a packet arrived at external port 5060 the NAT would not know which phone to send it to.

As an example with two phones, the first phone uses inbound SIP port 5060 and incoming RTP ports 5062-5068, and the second phone uses inbound SIP port 5040 and incoming RTP ports 5042-5048. Using iptables, the required DNAT rules would be like:

<syntaxhighlight lang="bash">
/sbin/iptables -t nat -A PREROUTING -i eth0 -m udp -p udp -s 81.187.30.112/29 --dport 5060:5069 -j DNAT --to-destination 192.168.1.12
/sbin/iptables -t nat -A PREROUTING -i eth0 -m udp -p udp -s 81.187.30.112/29 --dport 5040:5049 -j DNAT --to-destination 192.168.1.13
</syntaxhighlight>

Note that 81.187.30.112/29 covers only 81.187.30.112-119; to accept calls from every source listed in the table above, add matching rules for 81.187.30.110-111, 90.155.3.0/24 and 90.155.103.0/24. The phones themselves must be configured to listen on those SIP and RTP ports, and if the FORWARD chain's policy is DROP a corresponding ACCEPT rule is needed there as well as the DNAT.
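As an added example (not AAISP's own code), the following Python generates the iptables rules for any number of phones behind one NAT router: it refuses a configuration in which two phones claim the same SIP port or overlapping RTP ports, covers all three legacy-IP source ranges from the table above rather than the single /29 in the rules just shown, and emits a FORWARD accept alongside each DNAT. The phone addresses and ports are the ones used in the text; the interface name eth0 and the FORWARD rules are assumptions.

```python
"""Added example (not AAISP's own code): build iptables DNAT rules for several
phones behind one NAT router, refusing overlapping SIP/RTP port assignments."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Legacy-IP source ranges from the table above, in the forms iptables matches directly.
AAISP_V4_SOURCES = [
    "-m iprange --src-range 81.187.30.110-81.187.30.119",
    "-s 90.155.3.0/24",
    "-s 90.155.103.0/24",
]


@dataclass(frozen=True)
class Phone:
    lan_ip: str            # private address the phone sits on
    sip_port: int          # inbound SIP port the phone listens on
    rtp: Tuple[int, int]   # inclusive inbound RTP port range


def udp_ports(phone: Phone) -> set:
    """Every external UDP port that must be forwarded to this phone."""
    return {phone.sip_port} | set(range(phone.rtp[0], phone.rtp[1] + 1))


def port_collisions(phones: List[Phone]) -> Dict[int, List[str]]:
    """Ports claimed by more than one phone; NAT could not demultiplex these."""
    users: Dict[int, List[str]] = {}
    for phone in phones:
        for port in udp_ports(phone):
            users.setdefault(port, []).append(phone.lan_ip)
    return {p: ips for p, ips in sorted(users.items()) if len(ips) > 1}


def dnat_rules(phones: List[Phone], wan_if: str = "eth0") -> List[str]:
    """DNAT plus matching FORWARD accept, one pair per source range and port spec.

    wan_if is an assumed interface name; adjust to the router's WAN interface.
    """
    clashes = port_collisions(phones)
    if clashes:
        raise ValueError(f"phones share UDP ports: {clashes}")
    rules: List[str] = []
    for phone in phones:
        # One spec for the SIP port, one for the RTP range, so nothing in between is forwarded.
        for dport in (str(phone.sip_port), f"{phone.rtp[0]}:{phone.rtp[1]}"):
            for src in AAISP_V4_SOURCES:
                rules.append(
                    f"iptables -t nat -A PREROUTING -i {wan_if} -p udp {src} "
                    f"--dport {dport} -j DNAT --to-destination {phone.lan_ip}"
                )
                rules.append(
                    f"iptables -A FORWARD -i {wan_if} -p udp {src} "
                    f"-d {phone.lan_ip} --dport {dport} -j ACCEPT"
                )
    return rules


# The two phones from the text above.
PHONES = [
    Phone("192.168.1.12", 5060, (5062, 5068)),
    Phone("192.168.1.13", 5040, (5042, 5048)),
]

if __name__ == "__main__":
    print("\n".join(dnat_rules(PHONES)))
```

Run it and paste the output into the router's firewall script; if two phones are given clashing ports it stops with the list of contested ports instead of emitting rules that would silently send one phone's calls to the other.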


See: [[VoIP NAT]]


=Further VoIP Security=