Firewall Settings

Please note: this page is still being worked on, so some of the info may be updated soon.

We now need to talk about the firewall and what is needed for SIP to work.

One problem some people may have is called double NAT: it is when you have more than one router with NAT enabled.

For example, your ISP's NBN connection is a NAT'd router, and just after it you might have another firewall with NAT on too.

Double NAT will cause so many problems, e.g. outgoing calls dropping, but the worst is calls NOT coming in.

If you have to have an extra firewall and the modem supports it, it is best to place the modem into bridge mode and make the firewall handle all traffic.

For people who cannot put their modem into bridge mode, use the DMZ function to forward all traffic to the firewall, but also turn off NAT on the firewall, and make sure the modem knows how to route to the internal network.


For our customers that have firewalls set up by us, we like to make a few network changes; the most common is to change their modem to one that supports bridge mode.

But note: if the NBN to ISP connection is a Cat5 network connection (WAN), then we remove the modem outright as it is not needed. This makes it so much better and stops the double NAT problem outright.
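A quick way to confirm whether you are behind a double NAT is to look at the first few hops of a traceroute: two (or more) private RFC 1918 addresses in a row before the first public hop means two NAT devices in the path. The script below is an added example, not part of the original page; it parses a constructed traceroute sample (the addresses are made up, and 203.0.113.0/24 is a documentation range) and counts the leading private hops. On a real host you would pipe `traceroute -n 1.1.1.1` into the same function.

```shell
#!/bin/sh
# Added example (not from the original page): spot a likely double NAT by
# counting how many leading traceroute hops sit in RFC 1918 private ranges.

# Constructed sample output of `traceroute -n`: hop 1 is the inner firewall,
# hop 2 the ISP modem, then public hops. Two private hops = two NAT devices.
SAMPLE_TRACE='traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  192.168.1.1  0.412 ms  0.380 ms  0.366 ms
 2  10.0.0.138  1.201 ms  1.150 ms  1.098 ms
 3  203.0.113.1  9.842 ms  9.790 ms  9.731 ms
 4  1.1.1.1  10.533 ms  10.501 ms  10.470 ms'

# is_private IP -> exit 0 if IP is in 10/8, 172.16/12 or 192.168/16
is_private() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# count_private_hops: reads `traceroute -n` output on stdin and prints how
# many hops at the start of the path have a private address. Timed-out hops
# ("*") are skipped; the first public address ends the count.
count_private_hops() {
  count=0
  while read -r hop addr rest; do
    case "$hop" in
      ''|*[!0-9]*) continue ;;   # skip the header line and blanks
    esac
    if is_private "$addr"; then
      count=$((count + 1))
    elif [ "$addr" = "*" ]; then
      continue
    else
      break
    fi
  done
  echo "$count"
}

# nat_verdict N: two or more private hops before the first public one is
# the classic double NAT signature.
nat_verdict() {
  if [ "$1" -ge 2 ]; then echo "double-nat"; else echo "single-nat-or-bridged"; fi
}

hops=$(printf '%s\n' "$SAMPLE_TRACE" | count_private_hops)
echo "leading private hops: $hops -> $(nat_verdict "$hops")"
```

Run it from a machine on the LAN, not from the firewall itself, otherwise the inner NAT hop is missing from the path. Note that carrier-grade NAT at the ISP uses 100.64.0.0/10, which this check deliberately does not count: that is a NAT you cannot remove, whereas the double NAT discussed above is one you can.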


Now some actual settings.

For people who have only a basic setup, just making sure you don't have a double NAT will fix it all, and no other changes are needed.

But for larger sites with extra lockdown, you will need a few settings in place to allow the traffic.


From here on we will talk as if you are running a pfSense router, your ISP connection is direct to it, and SIP is provided by APC.

But these settings, in some form, will work on other types of firewalls with changes.


On a network locked down in both directions, the first and biggest setting is an "allow rule" for your PBX (SIP device) to have access to the SIP provider.

Many people set up port settings and so on, but we recommend only setting IPs and protocols.

Most SIP traffic will use the UDP protocol, but we also recommend setting the rules with TCP too.


For APC rules in pfSense we use pfBlockerNG, but you can also use Firewall Aliases with a URL.

We set up the first part to fetch the IPs that are allowed in/out (like our txt file for APC).

For pfBlockerNG we add an IP rule with the action "Alias Permit" and make it fetch the file every week.

We then add (after an update of pfBlockerNG) a firewall rule on WAN to allow TCP & UDP from the alias to the SIP device/firewall, and another rule from the SIP device to the alias, and that's it.


You have to remember: SIP might register on port 5060, but when you are on a call the audio uses RTP, which uses (but is not limited to) ports 10000 to 65535 on UDP, so just setting IP allows makes it so much easier.
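To show what the alias-plus-two-rules setup above and the RTP port caveat come to underneath the pfSense GUI, here is an added example (not the page's or APC's own code) that reads a fetched allowlist file, drops anything that is not an IPv4 address or CIDR, and prints the equivalent pf rules: a table of provider addresses and one pass rule in each direction, matching on address and protocol (TCP and UDP) only, with no port clause, so registration on 5060 and RTP anywhere in 10000 to 65535 are both covered. The allowlist contents, the table name apc_sip, the PBX address 192.168.10.20 and the WAN interface name em0 are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original page or from APC): turn a fetched
# allowlist of provider IPs into pf rules that allow by address and protocol
# only, so RTP on any UDP port is allowed along with SIP on 5060.
# Table name, PBX address and WAN interface below are assumptions.

# Constructed sample allowlist standing in for the weekly-fetched txt file.
# Addresses are from the TEST-NET documentation ranges, not real provider IPs;
# the "not-an-ip" line shows that junk in the file is dropped, not allowed.
ALLOWLIST='# APC SIP servers (constructed sample)
203.0.113.10
198.51.100.0/24
not-an-ip
'
PBX_IP=192.168.10.20      # assumed LAN address of the PBX
WAN_IF=em0                # assumed WAN interface name

# valid_entry LINE -> exit 0 if it looks like an IPv4 address or CIDR
valid_entry() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# clean_allowlist: allowlist on stdin -> only valid entries, comments dropped
clean_allowlist() {
  while read -r line; do
    case "$line" in ''|\#*) continue ;; esac
    valid_entry "$line" && printf '%s\n' "$line"
  done
}

# gen_sip_rules: allowlist on stdin -> pf table plus pass rules for
# PBX <-> provider, TCP and UDP, no port restriction.
gen_sip_rules() {
  entries=$(clean_allowlist | tr '\n' ' ')
  printf 'table <apc_sip> { %s}\n' "$entries"
  # inbound: provider -> PBX, so calls still come IN on a locked-down WAN
  printf 'pass in quick on %s proto { tcp udp } from <apc_sip> to %s keep state\n' "$WAN_IF" "$PBX_IP"
  # outbound: PBX -> provider for registration, outgoing calls and RTP
  printf 'pass out quick on %s proto { tcp udp } from %s to <apc_sip> keep state\n' "$WAN_IF" "$PBX_IP"
}

printf '%s' "$ALLOWLIST" | gen_sip_rules
```

Two things worth knowing when you map this back to the GUI: pfSense evaluates WAN filter rules after NAT, so when the PBX sits behind NAT the inbound rule's destination is the PBX's internal address and it pairs with the 1:1 NAT or port forward that maps the PBX; and the validation step matters because an allowlist fetched from a URL is only as trustworthy as that URL, so a malformed or unexpected line should fail closed rather than widen the rule.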