Router port forwarding necessary

I’m getting conflicting information regarding port forwarding. Our NAT-enabled FreePBX box is sitting behind a Cisco router. Do we need to forward TCP 5060 and UDP 10000-20000 to the PBX? We do not have any external phones, they are all on the same LAN as the PBX.

I’m asking because we cannot receive inbound calls and when we make an outbound call, outgoing audio works, but we do not hear anything.

I thought that since our PBX establishes the outgoing connection to our SIP line provider we didn’t need to forward anything. Maybe I need to add something to our inbound ACL?

If your system is registering with a remote ITSP, you need to whitelist the ITSP in all of your firewalls (including the one in FreePBX). The registration should set up the bidirectional path you need to get calls through the external router and back to the system. If there are problems getting this done, you should troubleshoot the connection using the SIP DEBUG command (which varies depending on your channel driver). This will highlight if you’re sending commands to the right place and if the respondent is sending them back to the right place.

As long as you whitelist the service provider and blacklist everyone else, setting up the port 5060 connection on your edge router to forward to your PBX is a good belt-and-suspenders approach and can make setup a little easier. It also solves problems where the remote system doesn’t connect back through the NAT correctly. Forwarding 10000-20000 on your external router to the PBX is actually safe - the larger the range, the harder it is to spoof connections and trace calls.

If, on the other hand, you are using IP authentication (where your ITSP only knows your external IP address) then you will need to create the tunnel ports back to the server through the router.

Since you are registering, you shouldn’t need to set up the port forwards. The fact that they aren’t working may actually indicate that something else in your registration setup is incorrect. If you want to paste in the 30-or-so lines in the log where your registration is failing, we can help you troubleshoot that.

Make sure any SIP ALG is disabled on the router!

As for forwarding, this novel might help:

The registration actually succeeds, that’s the weird thing. We have a Cisco router and also an Untangle web filter appliance between it and the rest of the network. It’s a transparent proxy, but apparently it acts as a brouter in the background. If you’re saying that ports usually don’t need to be forwarded in our setup I’ll bypass the Untangle box to continue troubleshooting; it might be doing something funky with the packets. SIP ALG is disabled on both devices.

The way we got it “working” for the moment is specifying a bogus IP address in “External address” under Asterisk SIP Settings. Incoming calls obviously do not work as the lines don’t register to our external IP, but for some magical reason outgoing calls work perfectly fine. When I revert to our proper IP address, that’s when the mute audio issue occurs.

Hopefully we won’t need to forward ports, as Cisco doesn’t seem to support forwarding a range of UDP ports on our router, it needs 1 config line per port forward. :confused:
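Added example, not part of the original thread: a small Python check to run over a message copied from a SIP debug trace. It flags private (RFC 1918) or unexpected addresses in the Via, Contact and SDP `c=` fields, since the far end sends RTP to whatever the SDP advertises, and RTP ports outside the 10000-20000 range mentioned above. The sample INVITE, every address in it and the function name `audit_sip_message` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample INVITE, as a SIP debug trace might show it. All addresses
# are made up: 192.168.1.10 = PBX on the LAN, 203.0.113.5 = public address.
SAMPLE_INVITE = (
    "INVITE sip:15551230000@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK1234;rport\r\n"
    "Contact: <sip:100@203.0.113.5:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=root 1 1 IN IP4 192.168.1.10\r\n"
    "c=IN IP4 192.168.1.10\r\n"
    "m=audio 14322 RTP/AVP 0 101\r\n"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_sip_message(raw, external_ip, rtp_range=(10000, 20000)):
    """List addresses/ports in a SIP message that the far end cannot reach."""
    head, _, sdp = raw.partition("\r\n\r\n")
    findings, advertised = [], []
    for line in head.split("\r\n")[1:]:           # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "contact"):
            m = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", value)
            if m:
                advertised.append((name.strip(), m.group(0)))
    for line in sdp.split("\r\n"):
        if line.startswith("c=IN IP4 "):           # where the far end sends RTP
            advertised.append(("SDP c=", line.split()[2]))
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
            if not rtp_range[0] <= port <= rtp_range[1]:
                findings.append(f"RTP port {port} outside {rtp_range[0]}-{rtp_range[1]}")
    for field, addr in advertised:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in RFC1918):
            findings.append(f"{field} advertises private address {addr}")
        elif addr != external_ip:
            findings.append(f"{field} advertises {addr}, expected {external_ip}")
    return findings

if __name__ == "__main__":
    for finding in audit_sip_message(SAMPLE_INVITE, "203.0.113.5"):
        print(finding)
```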
