Firewall Ports - Basics

siptrunk
configuration

(Stevd) #1

Hi all,

Sorry for a basic post. I know firewall port questions come up a lot, but unfortunately I have managed to confuse myself somewhat and need some pointers in the right direction.

I set up Freepbx a few months ago. I pretty much closed everything down on the firewall to just allow users/extensions within my local network access to the freepbx or via VPN.

I wanted to see if I could easily allow external users to gain access without the need for a vpn to try and simplify things and not worry about VPN connection drop outs etc.

First I should give a bit of background info…please let me know if you need more.

FreePBX is installed behind a Draytek router/firewall. I have a static IP address for my internet connection. My SIP provider provides authentication on my IP address; no other authentication is required. I initially opened up the ports in my Draytek router from 10002 - 20000 to allow access from just my SIP trunk provider's IP address. I also opened up port 5060 for just the SIP trunk provider - although I am unsure if this is necessary? I have also set up the FreePBX firewall using the wizard. The SIP trunks are PJSIP. Extensions are PJSIP.

I have an old version of the Bria phone app installed on my mobile. Today I tried opening up the ports 10002 - 20000 on my router/firewall to all traffic as well as the port 5060. The Bria app would occasionally register and would allow me to make calls; other times it wouldn’t register at all even with the same settings. So I installed the Zoiper free lite app. This connected instantly and worked as expected. After approximately 30 mins to an hour, I started getting what appeared to be internal calls from extension 1001, but I don’t have extension 1001 set up.

At this point alarm bells were ringing so I decided to shut down the open ports in my Draytek back to how they were set up previously. Unfortunately the calls kept coming. In the end I shut down the router and restarted it, but the calls kept coming. I unplugged the modem connection and then calls stopped. After 15 mins or so I plugged the modem back in and so far haven’t had any more calls from extension 1001. Does it take a while for Draytek to shut a port down in its firewall or is it instant?

Would it seem that, in the timeframe set out above, someone was trying to access my system?

Does my sip trunk provider require access to port 5060 to make / set up the SIP calls?

I have read that it is best to change the port that telephones use from 5060 to another port…but this is where my confusion comes from… do both telephones and my sip trunk provider require the use of port 5060 or is it just the telephones?

Sorry for the long post, but I am struggling to get my head around the ports used as it has been a little while since I initially set it all up.

I have closed off 5060 to my SIP trunk provider on the Draytek firewall and I am still able to make and receive calls, but I am wondering if this is to do with the fact that there may be a delay in the Draytek, or is it not required? I was certain that I needed it open to the SIP trunk provider when I originally set up FreePBX, and that I couldn’t make calls until I had opened this port to the SIP trunk provider?


(Dave Burgess) #2

OK - there are a lot of basics here.

Port 5060 on your system is arbitrary. You can set your ITSP to use whatever address you want using the “yo.ur.ip.here:6969” syntax at the remote end of the connection back to you. Same method with your phones. The PJ-SIP channel driver will bind with that port on all addresses on your system using the PJ-SIP advanced settings.

Port 5060 on your ITSP’s system (how you send them calls) probably isn’t negotiable. They are both arbitrary, 5060 is just the lie we all agree to tell.

On the Draytek - only allow your ITSP access to that port. You will need to include all of the addresses that can send you calls, which can be as simple a list as one or two IPs, or huge swaths of blocks; it depends entirely on your ITSP.

You should have the Integrated Firewall turned on on your PBX. This should be limited to the addresses of your ITSP as well. If you use the Adaptive Firewall enabled for PJ-SIP, you will see attempts to access your machine from time to time, but the calls should be blocked before they ever get a toehold on the server.

Next, you’re going to want to set up the “external extension” access methodology.

  • This could be as simple as allowing specific IP addresses or DynDNS names through the Integrated Firewall.
  • Setting up the Adaptive Firewall to manage these connections is a possibility as well.
  • Setting up VPN connections from the external phones works too.

On to the phone: if you don’t have an extension 1001 in your system (double check), then someone is connecting via anonymous or guest services. Check your SIP settings (under Advanced Settings, IIRC) and make sure both of those are turned off. If you have an extension 1001, you’re probably going to want to reset all of the device passwords for the extensions in your system. Go for ridiculous passwords (the 32 character auto generated ones work).

In general: do not expose any ports to the outside world that you don’t manage in fine control. This is particularly true of provisioning ports, 80, 443, etc. Do not port forward anything from the firewall that you don’t want the world to have access to.
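The advice above about anonymous/guest connections and the Adaptive Firewall is easiest to act on if you can see who is actually hitting the PBX. The following is an added example, not code from the thread or from FreePBX/Asterisk: a small Python script that scans Asterisk security-event log lines (the `SecurityEvent`, `AccountID` and `RemoteAddress` field names follow Asterisk's security log format; the log lines, addresses and extension numbers are constructed for the example) and reports account IDs that do not exist on the system, such as the phantom extension 1001, plus source IPs with repeated authentication failures.

```python
"""Scan Asterisk security-event log lines for registration attempts that
slipped past the firewall: unknown account IDs and repeated failures from
one source IP. Added example; the log lines below are constructed."""
import re
from collections import Counter, defaultdict

# key="value" pairs as written by Asterisk's security event logger
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Event types that represent a failed attempt to authenticate or pass an ACL
FAILURE_EVENTS = {
    "InvalidAccountID",
    "InvalidPassword",
    "ChallengeResponseFailed",
    "FailedACL",
}

# Constructed sample log (addresses from documentation ranges; not real traffic).
SAMPLE_LOG = """\
[2024-01-01 10:00:01] SECURITY[1234] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2024-01-01T10:00:01.000+0000",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="2001",SessionID="0x1",LocalAddress="IPV4/UDP/192.168.1.10/5060",RemoteAddress="IPV4/UDP/192.168.1.50/5060"
[2024-01-01 10:00:02] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2024-01-01T10:00:02.000+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1001",SessionID="0x2",LocalAddress="IPV4/UDP/192.168.1.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2024-01-01 10:00:03] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2024-01-01T10:00:03.000+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1001",SessionID="0x3",LocalAddress="IPV4/UDP/192.168.1.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2024-01-01 10:00:04] VERBOSE[1234] pbx.c: Executing [s@from-trunk:1] NoOp("PJSIP/trunk-0001", "inbound call")
[2024-01-01 10:00:05] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2024-01-01T10:00:05.000+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="2001",SessionID="0x4",LocalAddress="IPV4/UDP/192.168.1.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2024-01-01 10:00:06] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2024-01-01T10:00:06.000+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1001",SessionID="0x5",LocalAddress="IPV4/UDP/192.168.1.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
"""


def parse_event(line):
    """Return the key/value fields of one security event line, or None for other log lines."""
    if 'SecurityEvent="' not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    # RemoteAddress looks like IPV4/UDP/203.0.113.5/5060; keep only the host part
    parts = fields.get("RemoteAddress", "").split("/")
    fields["RemoteIP"] = parts[2] if len(parts) >= 3 else fields.get("RemoteAddress", "")
    return fields


def analyze(log_text, known_extensions, threshold=3):
    """Summarise unknown account IDs and per-IP failure counts.

    known_extensions: the extension numbers actually configured on the PBX.
    threshold: number of failures from one IP before it is flagged.
    """
    unknown = defaultdict(set)   # account id -> set of source IPs that tried it
    failures = Counter()         # source IP -> number of failed events
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        ip = ev["RemoteIP"]
        account = ev.get("AccountID", "")
        if ev.get("SecurityEvent") in FAILURE_EVENTS:
            failures[ip] += 1
        if account and account not in known_extensions:
            unknown[account].add(ip)
    flagged = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {
        "unknown_accounts": {acct: sorted(ips) for acct, ips in unknown.items()},
        "failures_by_ip": dict(failures),
        "flagged_ips": flagged,
    }


if __name__ == "__main__":
    # Only 2001 and 2002 exist on this constructed PBX, so 1001 is unknown.
    report = analyze(SAMPLE_LOG, known_extensions={"2001", "2002"})
    for acct, ips in report["unknown_accounts"].items():
        print(f"unknown account {acct} tried from {', '.join(ips)}")
    for ip in report["flagged_ips"]:
        print(f"{ip}: {report['failures_by_ip'][ip]} failures, candidate for blocking")
```

On a real FreePBX box the same parser can be pointed at the Asterisk security log instead of `SAMPLE_LOG`; the useful part is the two views it gives you: account IDs that should not exist at all (a sign of anonymous or guest access being reachable from outside) and source addresses that keep failing, which is exactly what the Adaptive Firewall is meant to handle.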


(Stevd) #3

Thank you so much for taking the time to give a lengthy and very informative reply. There is a lot to digest, but I will make my way through your points.

My understanding in simplistic terms about the use of the signaling port: my SIP trunk provider needs to use 5060 as a port for signaling purposes between the SIP server and my FreePBX server, which can be changed if the SIP provider allows for a port number to be added to my IP address in their setup. It is also required for remote extensions for signaling between a remote telephone/extension and my FreePBX server if there is no VPN connection in place.

Am I correct in thinking that I don’t have to use the same signaling port for the connection between my FreePBX server and my SIP trunk provider and for my extensions to my FreePBX server? For example, I could change my telephone extensions to use a signaling port of 5454 and my SIP trunk signaling port to 5656?

Thanks again for the help. Really appreciated.


(Dave Burgess) #4

Not quite. Inbound signalling and outbound signalling are disconnected. Basically, you are each operating a daemon that listens on port 5060. The source port will always be something else, but the destination will always be an arbitrary SIP port. By convention, we always use 5060 for that, but (since it’s arbitrary) we don’t have to.

So, you can send your traffic to start up a call (which is the control traffic) on port 5060 like they want. When you set up the connection back, you will use whatever port you’ve decided to use on your end (in the format x.x.x.x:5999) so that the SYN packets that start the process go to the right port.

So, if you want to use 5454 for inbound SIP control traffic, knock yourself out. Configure your phones to use 5454 and set up your configuration at the ITSP to talk to your IP at 5454. When you talk to them, use 5060 (since that’s how they’ve set up their arbitrary port connection).

We often talk about how inbound calling and outbound calling are largely unrelated. This port discussion is just another aspect of that. You control your inbound port and use whatever the remote port is. Your connection correspondents use the same model. Their “outbound” call to you needs to go to your control port, and if they know where that is, they can start the conversation and you can make phone calls.


(Stevd) #5

Thanks again for taking the time to clear up the confusion which is occurring inside my brain! That has helped clarify things. I am not surprised I got a little lost along the way when I was trying to piece it together myself!

On another note, I thought I had broken my system by tampering with the settings, but it seems like my SIP provider has gone down…talk about coincidence!

Anyway, when it is back up and running I will let you know how I get on.