Noob question: ports to forward if I have only local extensions

wassy83 · April 20, 2018, 2:43pm

Sorry for this noob question, but I just want to be sure about this:

freepbx is behind my router’s NAT
firewall on my router is not blocking any outbound/inbound traffic
all my extensions are local, in the same subnet of my freepbx appliance.
external calls are coming from several pjsip trunks.
I don’t need access to my pbx from the outside world.
is necessary to forward any port from the outside to my freepbx?
many thanks

cynjut · April 20, 2018, 2:52pm

On your external firewall:

You need to blacklist everything “inbound” except for the port (5060/5160) for your PJSIP trunks, and they need to be limited to the IP addresses of your providers. Allow UDP ports 10000-20000 through the firewall, but only with the destination of your PBX. Allow all outbound traffic so that your calls can complete.
Port forward UDP port 5060/5160 (or both is you are using PJ-SIP and ChanSIP).
Port forward UDP ports 10000-20000 from your firewall to the server (for your audio).

If EVERYTHING else is local, you don’t need to allow anything “unsolicited” through the firewall. Once you’ve got the firewall set up, you need to set up the integrated firewall on the PBX and set up the “local” and “trusted” networks so that traffic from outside the LAN will be allowed into the server.

wassy83 · April 20, 2018, 2:57pm

Ok I understand this is for security

why to forward this? I was thinking that this was only for comunication with external extensions, in this moment I don’t have these ports forwarded and I can receive calls with no problem. This is exactly my doubt. Can you explain this to me? maybe this will improve call quality?

many thanks

cynjut · April 20, 2018, 2:59pm

When the conversation starts, the RTP from the remote end starts the conversation with it’s own SYN packets. Without the forward of 10000-20000, the remote end audio will never make it to your server and you’ll get one-way audio.

wassy83 · April 20, 2018, 3:02pm

ok…so how is possible that this is working now?

cynjut · April 20, 2018, 3:10pm

If you already knew the answer, what was the point of asking the question? To see who you could troll?

Are you setting up registered connections from your ITSP or are you using IP authentication?

If you are registering, the outbound registration will open the inbound path, allowing the RTP to work for the period of time your router keeps those open. Depending on your configuration, you could lose RTP connectivity if the firewall closes the inbound RTP port for lack of traffic. The point of the process is to allow the inbound RTP traffic to connect to your server. Without some kind of mechanism in place to do that, you need the inbound allowance and forward for UDP ports 10000-20000.

wassy83 · April 20, 2018, 3:27pm

the point of my question was to understand exactly this

and maybe explains to me why sometimes I have one way audio, this doesn’t occours very often but I think that the reason is this. I will follow your suggestions but I can understand the meaning of this observation

but maybe you didn’t understood my point.
anyway thanks

lgaetz · April 20, 2018, 3:30pm

I wrote a blurb about this once:

tl;dr - it’s complicated

wassy83 · April 20, 2018, 3:54pm

lgaetz:

The nuts and bolts of SIP are complicated, but put simply: SIP session negotiation takes place over the signalling port (default 5060) and the audio (more correctly, the ‘media’) goes over a random pair of ports in the RTP port range (default 10k-20k). It’s quite common for providers to do SIP signalling and SIP media from different hosts, and some providers have many media servers. So imagine what happens when a SIP session is negotiated through a NAT router, but the audio appears from a different port range and from a different server. Unless the router is configured for this scenario, you will experience zero way or one way audio on the call, probably the most frequent troubleshooting question asked here in this forum.

Whether your provider proxies media through their signalling server or not, is the main determining factor on whether you need port forwarding in place. It also depends on the router’s implementation of NAT. Some routers have a SIP ALG that is intended to correct for this, but it seems like most ALGs do more harm than good, at least for Asterisk. You will find some who boldly claim port forwarding is never required. Virtually every SIP provider will claim the opposite. They are both arguing from experience.

In support we run into all the fun edge cases. When the router is not port forwarding media, we see cases when inbound audio on calls is lost until the PBX first sends outbound audio to establish a media path through the NAT router. This is irrelevant for 99.9% of use cases, but there are automated call scenarios (DISA, Broadcasting, FMFM to external DIDs, etc) where there is no audio outbound from the server (or at least not initially) and so therefore inbound media (including DTMF) won’t work either. There is a little test I do from the Asterisk CLI when I suspect this might be a problem:

my friend this is exactly what I was searching for, I appreciate it thank you

system · April 20, 2019, 3:54pm

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.