Noob question: ports to forward if I have only local extensions

Sorry for this noob question, but I just want to be sure about this:

  • FreePBX is behind my router’s NAT
  • firewall on my router is not blocking any outbound/inbound traffic
  • all my extensions are local, in the same subnet as my FreePBX appliance.
  • external calls are coming from several pjsip trunks.
  • I don’t need access to my pbx from the outside world.

Is it necessary to forward any port from the outside to my FreePBX?

many thanks

On your external firewall:

  • You need to blacklist everything “inbound” except for the port (5060/5160) for your PJSIP trunks, and they need to be limited to the IP addresses of your providers. Allow UDP ports 10000-20000 through the firewall, but only with the destination of your PBX. Allow all outbound traffic so that your calls can complete.
  • Port forward UDP port 5060/5160 (or both if you are using PJ-SIP and ChanSIP).
  • Port forward UDP ports 10000-20000 from your firewall to the server (for your audio).

If EVERYTHING else is local, you don’t need to allow anything “unsolicited” through the firewall. Once you’ve got the firewall set up, you need to set up the integrated firewall on the PBX and set up the “local” and “trusted” networks so that traffic from outside the LAN will be allowed into the server.
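One way to express the inbound policy above as an nftables ruleset for the edge router (an added example, not from the thread or the FreePBX project; the interface name, PBX address and provider addresses are constructed placeholders to be replaced with your own):

```shell
#!/bin/sh
# Added example: render an nftables ruleset implementing the policy described above
# for a NAT'd FreePBX box. Addresses and the interface are constructed placeholders.
# The ruleset is printed, not applied: review it, then load it with `nft -f` on the router.

PBX_LAN_IP="${PBX_LAN_IP:-192.168.1.10}"   # constructed LAN address of the PBX
WAN_IF="${WAN_IF:-eth0}"                   # constructed WAN interface name
# Constructed provider (ITSP) addresses, space separated; CIDR ranges are allowed.
PROVIDER_IPS="${PROVIDER_IPS:-203.0.113.5 198.51.100.0/24}"
# Comma separated: use "5060, 5160" when both PJSIP and chan_sip trunks are in use.
SIP_PORTS="${SIP_PORTS:-5060}"
RTP_RANGE="10000-20000"

# Emit a complete nftables ruleset on stdout.
render_ruleset() {
    members=$(printf '%s, ' $PROVIDER_IPS)
    members=${members%, }
    cat <<EOF
table inet pbx_edge {
    set sip_providers { type ipv4_addr; flags interval; elements = { ${members} } }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Forward SIP signalling only when it comes from a known provider.
        iifname "${WAN_IF}" ip saddr @sip_providers udp dport { ${SIP_PORTS} } dnat ip to ${PBX_LAN_IP}
        # Forward the whole RTP range to the PBX so the far end's audio reaches it.
        iifname "${WAN_IF}" udp dport ${RTP_RANGE} dnat ip to ${PBX_LAN_IP}
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Outbound from the LAN is unrestricted so calls can complete.
        oifname "${WAN_IF}" accept
        # Unsolicited inbound: SIP from providers only, RTP only with the PBX as destination.
        iifname "${WAN_IF}" ip saddr @sip_providers ip daddr ${PBX_LAN_IP} udp dport { ${SIP_PORTS} } accept
        iifname "${WAN_IF}" ip daddr ${PBX_LAN_IP} udp dport ${RTP_RANGE} accept
    }
}
EOF
}

render_ruleset
```

Everything else from the WAN side falls through to the `drop` policy, which is the “blacklist everything inbound” part of the advice.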

Ok I understand this is for security

Why forward this? I was thinking that this was only for communication with external extensions; at the moment I don’t have these ports forwarded and I can receive calls with no problem. This is exactly my doubt. Can you explain this to me? Maybe this will improve call quality?

many thanks

When the conversation starts, the RTP from the remote end starts the conversation with its own SYN packets. Without the forward of 10000-20000, the remote end audio will never make it to your server and you’ll get one-way audio.

Ok… so how is it possible that this is working now?

If you already knew the answer, what was the point of asking the question? To see who you could troll?

Are you setting up registered connections from your ITSP or are you using IP authentication?

If you are registering, the outbound registration will open the inbound path, allowing the RTP to work for the period of time your router keeps those open. Depending on your configuration, you could lose RTP connectivity if the firewall closes the inbound RTP port for lack of traffic. The point of the process is to allow the inbound RTP traffic to connect to your server. Without some kind of mechanism in place to do that, you need the inbound allowance and forward for UDP ports 10000-20000.

the point of my question was to understand exactly this

and maybe explain to me why sometimes I have one-way audio; this doesn’t occur very often but I think that the reason is this. I will follow your suggestions, but I can understand the meaning of this observation.

But maybe you didn’t understand my point.
Anyway, thanks.

I wrote a blurb about this once:

tl;dr - it’s complicated


my friend this is exactly what I was searching for, I appreciate it thank you
