How to Pass External VOIP traffic through a Firewall
The assumption is that you are trying to pass external VOIP traffic through an inexpensive broadband router to the local network where your PiaF server
is located. This example is based on the D-Link DI-604 and DI-724 broadband routers and the DGL-4300 wireless broadband router.
The basics are the same for wireless routers and other brands such as SMC Barricade routers. The concepts covered here are
easily transferred to other routers.
There are two basic protocols used with Asterisk: SIP and IAX2. SIP is used for VOIP phone traffic and IAX2 is used to connect Asterisk servers
and appliances together, such as the IAXy POTS to SIP converter.
- Slipping SIP Past the Firewall
The goal of configuring the firewall is to allow a VOIP phone outside of the local subnet to register with the Asterisk server. The local
subnet would be firewalled from the outside world.
There are a few issues with getting SIP to work through a firewall. SIP uses port 5060 for setup and RTP (Real-time Transport Protocol) ports 10,000 to
20,000 for transporting the voice. NAT (network address translation) can cause grief if the firewall also performs PAT
(port address translation). A common effect of a firewall that is performing PAT is one-way audio. You can check the firewall logs to see if a VOIP
phone outside of the firewall is being blocked. If you see the phone's IP address in the log, then it's most likely being blocked, as the logs generally
record problems.
The steps to make it work are:
- At the firewall:
- For SIP, allow port 5060 UDP traffic to pass to the server. This example uses a Virtual Server to pass data through a D-Link
broadband router.

- For RTP, allow ports 10,000 to 20,000 UDP traffic to pass to the server. This example uses Special Application to pass the RTP ports.

- At the Asterisk server:
- Use FreePBX and the Config Edit tool to set the following in /etc/asterisk/sip-nat.conf:
externip=Your External IP
localnet=192.168.1.0/255.255.255.0 ; substitute your subnet info here
nat=yes
- Reload the Asterisk SIP configuration at the Asterisk CLI:
CLI> sip reload
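The externip and localnet settings exist so that Asterisk advertises the external address, not its LAN address, to peers outside localnet. The following is an added example, not part of the original page: it checks a SIP reply captured outside the firewall for the addresses and RTP port it advertises. The sample messages and the addresses 192.168.1.10 and 203.0.113.5 are constructed for illustration.

```python
import ipaddress
import re

# Values taken from the steps above; adjust to your own setup.
LOCALNET = ipaddress.ip_network("192.168.1.0/255.255.255.0")  # localnet= in sip-nat.conf
RTP_PORTS = range(10000, 20001)                               # UDP range forwarded at the router
IPV4 = r"(\d+(?:\.\d+){3})"                                   # dotted-quad address

def is_local(addr):
    """True if addr is inside localnet, i.e. unreachable from the public side."""
    return ipaddress.ip_address(addr) in LOCALNET

def check_sip_message(raw):
    """Return the NAT problems found in one SIP message that carries SDP."""
    problems = []
    head, _, sdp = raw.replace("\r\n", "\n").partition("\n\n")
    # Contact tells the far end where to send later SIP requests.
    for m in re.finditer(r"^Contact:.*?sip:(?:[^@>\s]+@)?" + IPV4, head, re.M | re.I):
        if is_local(m.group(1)):
            problems.append(f"Contact advertises local address {m.group(1)}")
    # SDP c= is where the far end sends its RTP; a local address here means one-way audio.
    for m in re.finditer(r"^c=IN IP4 " + IPV4, sdp, re.M):
        if is_local(m.group(1)):
            problems.append(f"SDP c= advertises local address {m.group(1)}")
    # SDP m=audio carries the RTP port, which must fall inside the forwarded range.
    for m in re.finditer(r"^m=audio (\d+) ", sdp, re.M):
        if int(m.group(1)) not in RTP_PORTS:
            problems.append(f"RTP port {m.group(1)} is outside the forwarded range")
    return problems

def sample_reply(addr, rtp_port):
    """Constructed, trimmed 200 OK as seen by a phone outside the firewall."""
    return "\r\n".join([
        "SIP/2.0 200 OK",
        f"Contact: <sip:100@{addr}:5060>",
        "Content-Type: application/sdp",
        "",
        "v=0",
        f"c=IN IP4 {addr}",
        f"m=audio {rtp_port} RTP/AVP 0",
        "",
    ])

if __name__ == "__main__":
    # 192.168.1.10 = server's LAN address, 203.0.113.5 = stand-in external IP (both assumed).
    for addr, port in [("192.168.1.10", 12000), ("203.0.113.5", 12000), ("203.0.113.5", 30000)]:
        print(addr, port, check_sip_message(sample_reply(addr, port)) or "ok")
```

A reply that still shows the LAN address after the reload means externip or localnet is not being applied to that peer.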
- Strange Phone behaviour
The Snom-190 phone was strange as it tried to make a SIP connection using port 2051 by default instead of port 5060! The firewall log showed
the Snom-190's IP address and port 2051 (10.192.18.191:2051) being blocked. In the Advanced Settings of the Snom-190's web admin tool, set:
Net Identity Port: 5060
That forces it to use port 5060 for SIP. You may have to power off the Snom phone as just rebooting it didn't seem to work in my case.
- Slipping IAX2 Past the Firewall
The goal here is to pass IAX2 traffic from the public network through the firewall to the local network. An example is connecting two
Asterisk PBXs together using a trunk or using an IAXy POTS to VOIP converter. It is very easy to get working as IAX2 only uses UDP port 4569.
On the broadband router, you create a virtual server that points to the local Asterisk PBX.