Â
Firewall and NAT Configuration
Firewall/NAT Configuration
See http://en.wikipedia.org/wiki/Network_address_translation for explanation of terminology in this section.
If your ITSP is checking if the remote port matches the SDP specified in call setup signaling, then you must allocate the ports statically and map internal port to external port. i.e. you need full cone with static outbound ports and one to one mapping of internal to external ports. You cannot, in that case, tolerate any randomization of ports from the NAT. The packet would be ejected by the ITSP.
Following standard terminology, confiugre your NAT with work with full cone and static outbound ports. Your NAT should implement port preservation.
If your ITSP is doing NAT compensation and does not care about remote port for packets that it receives matching the SDP media port, and you are not concerned about remote worker support, you an get away with a simpler configuration. In such cases, you don't need to have anything but a symmetric NAT. Further, if your firewall allows inbound traffic on ports that have sent outbound traffic, you should not need to open up the RTP port range either. Only the signaling port 5080 would need to be opened up. This would be the case for many low cost ITSPs such as les.net and
voip.ms. These are pretty simple to configure and should work with most DSL routers with minimal effort.
Note that SipXbridge does NAT compensation for both media and signaling (i.e. it will send packets first to the remote address before packets are received in order to open up the pinhole).
If you have equipment that does not follow symmetric RTP, you can turn off stray packet rejection in the NAT traversal rules. This is not a recommended practice.
Linux Firewall/NAT configuration tips
If you are using Linux firewall / NAT, the following IP Tables settings may be handy.
Note that many good references for IP Tables are available and these should be consulted for authoritative advice.
SipXbridge assumes symmetric NAT port mapping. That means an internal port must be mapped to an identical external port and vice versa. Without such a mapping some sipXecs components will not work. Not all NATs will lend themselves to such mapping.
Some ITSPs work without any special NAT configuration needed. They work by ignoring the SIP/SDP port information -- relying instead on the remote address and port of the incoming datagram (SIP/RTP) packet. Such ITSPs require no special NAT configuration (other than the normal IP Tables forwarding rules for symmetric NAT) and will expect you to use local addresses in all your call setup signaling.
Other ITSPs are more particular. They will expect you to provide a valid port in your call setup signaling and only send RTP packets to the specified ports. To cover such cases, you need to configure your NAT/Firewall, appropriately. You need to set up port forwarding in the port range that sipxbridge uses.
Here are my linux firewall rules for this:
iptables --flush
iptables -F FORWARD
iptables -F nat
# EXTIF is my WAN-facing interface of the NAT ( eth3 ).
# INTIF0 is my LAN-facing interface of the NAT ( eth0 ).
export EXTIF=eth3
export INTIF0=eth0
# my sipXecs proxy server and sipxbridge run here.
export SIPXADDR=192.168.5.75
export PORTRANGE=30000:31000
iptables -A FORWARD -i $EXTIF -o $INTIF0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF0 -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 5080 -j DNAT --to-destination $SIPXADDR
iptables -A FORWARD -i $EXTIF -o $INTIF0 -d $SIPXADDR -p udp --dport 5080 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i $EXTIF --dport $PORTRANGE -j DNAT --to-destination $SIPXADDR
iptables -A FORWARD -i $EXTIF -o $INTIF0 -d $SIPXADDR -p udp --dport $PORTRANGE -j ACCEPT
iptables -t nat -A PREROUTING -i eth3 -p udp --dport 5060 -j DNAT --to-destination $SIPXADDR:5060
iptables -A FORWARD -i $EXTIF -o eth0 -d $SIPXADDR -p udp --dport 5060 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface $EXTIF -j MASQUERADE
Here, my sipxbridge runs on 192.168.5.75 and accepts inbound signaling on port 5080 and symmetrically maps UDP traffic going both ways in the port range 30000:31000
It is possible in versions 4.4 and later to allow sipxbridge to listen for inbound SIP trunking on port 5060 while simultaneously listening for SIP Proxy requsts. This is done by enabling the bridge-proxy-relay setting in Server -> Services -> SIP Proxy.
Adtran firewall settings
ip rtp firewall-traversal
ip rtp firewall-traversal reuse-nat-ports
(courtesy of Josh Patten)
WinRoute firewall settings
Rules are
From ITSP_SIP_server To Kerio_fw_public_ip ports (5080,30000-31000) MapTo sipX_local_ip
From sipX_local_ip To ITSP_SIP_server ports all NAT from Kerio_fw_public_ip