How to Pass External VOIP traffic through a Firewall
The assumption is that you are trying to pass external VOIP traffic through an inexpensive broadband router to the local network where your PiaF server
is located. This example is based on the D-Link DI-604 and DI-724 broadband routers and the DGL-4300 wireless broadband router.
The basics are the same for wireless routers and other brands such as SMC Barricade routers. The concepts covered here are
easily transferred to other routers.
There are two basic protocols used with Asterisks: SIP and IAX2. SIP is used for VOIP phone traffic and IAX2 is used to connect Asterisk servers
and applicances together such as the IAXy POTS to SIP convertor
- Slipping SIP Past the Firewall
The goal of configuring the firewall is to allow a VOIP phone outside of the local subnet to register with the Asterisk server. The local
subnet would be firewalled from the outside world.
There's few issues with getting SIP to work through a firewall. SIP uses port 5060 for setup and RTP (real time protocol) ports 10,000 to
20,000 for transporting the voice. NAT (network address translation) can cause grief if the firewall also performs PAT
(port address translation). A common effect of a firewall that is performing PAT is one way audio. You can check the firewall logs to see if a VOIP
phone outside of the firewall is being blocked. If you see the IP address in the log, then its most likely being blocked as the logs generally
The steps to make it work are:
- At the firewall:
- For SIP, allow port 5060 UDP traffic to pass to the server. This example uses a Virtual Server to pass data through a Dlink
- For RTP, allow ports 10,000 to 20,000 UDP traffic to pass to the server. This example uses Special Application to pass the RTP ports
- At the Asterisk server:
- Use FreePBX and the Config Edit tool to configure the /etc/asterisk/sip-nat.conf for the following:
externip=Your External IP
localnet=192.168.1.0/255.255.255.0 ; substitute your subnet info here
- Reload the Asterisk SIP configuration, at the Asterisk CLI:
CLI> sip reload
- Strange Phone behaviour
The Snom-190 phone was strange as it tried to make a SIP connection using port 2051 by default instead of port 5060! In the firewall log, it showed
the Snom-190's IP address and port 2051 (10.192.18.191:2051) being blocked. In the Advanced Settings of the Snom-190's web admin tool, set:
Net Identity Port: 5060
That forces it to use port 5060 for SIP. You may have to power off the Snom phone as just rebooting it didn't seem to work in my case.
- Slipping IAX2 Past the Firewall
The goal here is to pass IAX2 traffic from the public network through the firewall to the local network. An example is connecting two
Asterisk PBXs together using a trunk or using an IAXy pots to VOIP convertor. It is very easy to get working as IAX2 only uses port 4569
using UDP. On the broadband router, you create a virtual server that points to the local Asterisk PBX.