NAT configuration


(somianduso) #1

Hello,
this question could be a repetition of questions already asked but I did not find anything relevant by looking in the forum. The wiki

This is the topology:

INTERNET <-> FIREWALL <-> FREEPBX
where:
PUBLIC IP <-> FIREWALL <-> 192.168.100.10/24

I’m using only PJSIP for TRUNK and PHONES
I’m using ZULU
No other service is needed from the internet (443 and 22 are used only by the LAN)

The wiki is not exhaustive because even without opening all the doors indicated the system works, so I would like to open only and exclusively those that are really necessary.

Can someone please tell me the exact list of ports that must be forwarded from the firewall to the pbx?

Thanks in advance!


(Dave Burgess) #2

There is some variability in your space, so the answer won’t be a straight up “here you go” list.

  • Your SIP port (typically 5060, but it can be set) should be open and passed through the firewall to the PBX. Straight (Chan or PJ)-SIP needs UDP, but Sangoma Connect (the “new” Zulu) needs TCP.
  • Incoming calls (from an ITSP) require you to pass UDP ports 10000-20000 to the PBX.
  • OpenVPN will require 1159 (or whatever is configured) forwarded to the PBX, unless there is a contravening requirement, like you are handling VPN at the firewall, etc.

There are a couple of others - port 80 may need to be handled because of LetsEncrypt, for example.

In general, if your phones are inside the network and the people who call you are outside (coming through POTS), you can lock everything out except those listed above to your ITSP. The tighter the hold on the firewall, the happier you’ll be.


(somianduso) #3

Thanks for clarifications.
The PBX is certified by an SSL certificate, so I don’t use letsencrypt… in this case port 80 can stay closed, no?
Can 5060 UDP be opened only from the IP of the ISP? Or is it safe to open it from any IP source?
Can 10k-20k UDP be opened only from the IP of the ISP? Or is it safe to open it from any IP source?
What is OpenVPN needed for? I don’t need to use that.

To use Sangoma Connect, 5060 TCP as you said, must it be opened from any IP source?

Thanks in advance!


(Dave Burgess) #4

All of this assumes you are running an ‘on premise’ or ‘cloud’ PBX server somewhere. They are generalities intended to act as a guide for your continued system health and prosperity.

Yeah - that’s probably fine.

Yes. This way people can’t probe your network, get connected through your phone configs and run up your phone bill.

Under no circumstances should you open any port on your phone system to the world, especially since you are behind a firewa…/

Not really. There’s some variability in SIP requests, so you have to open these up from anyone and forward them all to the PBX. Note that these are only used for incoming data streams for phone calls - the ‘Start’ packets for these are the ones that set up the connection and nothing else on your network is likely to be using these for anything, so they are reasonably safe.

If you use a VPN product (and OpenVPN is just an example), you may need to forward a port. Note that the point of VPN Interfaces is to allow ‘random’ addresses to connect to your machine securely, so this one is probably OK for open and forward, but ONLY if you are using VPN products to connect. We’re going to come back to this in a sec.

That’s a “your needs will dictate” that one. First, when you set up your system, you can change port 5060 (the SIP port) to be on some other port. If the people you are communicating with are at a ‘predictable’ IP address, then you can lock it down, but if they come in from random addresses, you may not be able to.

In addition to this, you might also consider using the Adaptive Firewall to control your SIP ports (if you can’t lock them down). This will reduce your chances of getting port-hammered.

Now, if you are using a VPN product on the phone system, you can use that instead of opening up ports to these people. This way, the port 5060 stuff would show up in your local network, having been ‘magically’ transported from your Sangoma Connect machine to your phone server.

So, in conclusion:

  • Use a VPN for any phones that connect from outside your network to your PBX.
  • Only allow direct connections from your ITSP to your SIP control port.
  • If you need to open port 5060 (TCP or UDP), try as much as possible to lock it down.
  • Ports 10000-20000 need to be open on the firewall and forwarded to your PBX if you want to hear the people that are calling you.
  • If you are operating in The Cloud (on other people’s hardware), then you will need to open up ports 443 and 80 (and maybe a couple others) to your local network. If you are running a machine in your local network (your own hardware), then you can open the Integrated Firewall up a little bit more to allow local machines “a little” more access to your machine.
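Post #4’s conclusions written out as an iptables ruleset for the firewall in this topology (an added example, not configuration from the thread or from FreePBX). It assumes the PBX at 192.168.100.10 from post #1, a placeholder ITSP address of 203.0.113.10 and a WAN interface named eth0; Sangoma Connect’s TCP signalling is deliberately left out, since post #4 recommends a VPN for phones outside the network rather than an open port.

```shell
#!/bin/sh
# Constructed example: firewall-side forwarding for INTERNET <-> FIREWALL <-> FreePBX.
# Dry run by default (rules are printed); "sh pbx_nat.sh apply" installs them.
PBX_IP="192.168.100.10"
ITSP_IP="${ITSP_IP:-203.0.113.10}"   # placeholder: replace with your trunk provider's address
SIP_PORT="${SIP_PORT:-5060}"         # change this if you moved SIP off 5060, as post #4 suggests
RTP_RANGE="10000:20000"              # inbound RTP media range from post #2
WAN_IF="${WAN_IF:-eth0}"             # assumption: the firewall's WAN interface name

if [ "${1:-}" = "apply" ]; then IPT=iptables; else IPT=echo; fi

pbx_nat_rules() {
    # SIP signalling: forwarded only when the source is the ITSP, so scanners
    # on the internet never reach the PBX's SIP port through the firewall.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p udp -s "$ITSP_IP" \
        --dport "$SIP_PORT" -j DNAT --to-destination "$PBX_IP:$SIP_PORT"
    $IPT -A FORWARD -i "$WAN_IF" -p udp -s "$ITSP_IP" -d "$PBX_IP" \
        --dport "$SIP_PORT" -j ACCEPT

    # RTP media: the SIP exchange, not the firewall, decides which address sends
    # the audio, so this range is forwarded from any source (post #4).
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport "$RTP_RANGE" \
        -j DNAT --to-destination "$PBX_IP"
    $IPT -A FORWARD -i "$WAN_IF" -p udp -d "$PBX_IP" --dport "$RTP_RANGE" \
        -j ACCEPT

    # Replies to connections the PBX opened itself (trunk registration etc.).
    $IPT -A FORWARD -d "$PBX_IP" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Nothing else from the WAN reaches the PBX: 22, 80 and 443 stay LAN-only.
    $IPT -A FORWARD -i "$WAN_IF" -d "$PBX_IP" -j DROP
}

pbx_nat_rules
```

Run it without arguments first and read the printed rules; the SIP forward should carry your ITSP address and no rule should mention 22, 80 or 443.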

(somianduso) #5

Thanks very much for clarification!

