SIP Port Forwarding

Hi guys,

Wanted to get a definitive direction on this. I notice on my Asterisk server heaps of attempts from scammers trying to connect to my server via SIP. On my firewall I have 5060 TCP/UDP forwarded to my server. I checked my firewall logs and I never see an attempt to connect to my server on these ports from my SIP trunk provider, so I temporarily removed the rule. This stopped all traffic from scammers and doesn’t appear to affect my trunk connection either, which is great. I have mobile users, however they have a VPN installed on their phones so again no impact. My trunk provider even tells me I need to forward these ports yet I don’t know why. Is there something I’m missing as to why these ports need to be open?

You can forward port 5060 on your firewall but whitelist your provider’s IP addresses.
This way you only allow traffic from your voice service provider, but block the bad guys.
That’s what people generally do.
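As an added illustration of the "forward 5060 but allow only the provider" advice (not code from the thread): a small Python check that runs over constructed firewall log lines, classifies each hit on the SIP signalling port or the RTP range as provider or unknown, tallies the unknown sources that would be blocked, and emits the equivalent nftables allow/drop rules. The provider network 203.0.113.0/24, the RTP range 10000-20000 and the log format are assumptions; substitute your provider's published addresses and your own firewall's log layout.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample firewall log lines (not taken from the original post).
# Provider traffic comes from 203.0.113.0/24; the rest are unknown sources
# probing the SIP port and the RTP range.
SAMPLE_LOG = """\
2024-05-01T10:00:01 FORWARD src=203.0.113.10 dst=192.168.1.20 proto=UDP sport=5060 dport=5060
2024-05-01T10:00:05 FORWARD src=198.51.100.77 dst=192.168.1.20 proto=UDP sport=5070 dport=5060
2024-05-01T10:00:06 FORWARD src=198.51.100.77 dst=192.168.1.20 proto=UDP sport=5070 dport=5060
2024-05-01T10:00:09 FORWARD src=203.0.113.11 dst=192.168.1.20 proto=UDP sport=5060 dport=5060
2024-05-01T10:00:12 FORWARD src=192.0.2.200 dst=192.168.1.20 proto=TCP sport=44112 dport=5060
2024-05-01T10:00:15 FORWARD src=192.0.2.200 dst=192.168.1.20 proto=UDP sport=61000 dport=15002
"""

# Hypothetical provider signalling/media network; take the real list from
# your provider's documentation.
PROVIDER_NETS = [ipaddress.ip_network("203.0.113.0/24")]
SIP_PORT = 5060
RTP_RANGE = range(10000, 20001)   # Asterisk default rtp.conf range, inclusive

LINE_RE = re.compile(
    r"src=(?P<src>\S+) .*?proto=(?P<proto>\S+) sport=\d+ dport=(?P<dport>\d+)"
)


def is_provider(ip: str) -> bool:
    """True if the source address belongs to one of the provider networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROVIDER_NETS)


def classify(log_text: str):
    """Tally VoIP-port hits as allow-provider / block-unknown and count
    the unknown sources, so you can see who is actually knocking."""
    verdicts = Counter()
    blocked_sources = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dport = m["src"], int(m["dport"])
        if dport == SIP_PORT or dport in RTP_RANGE:
            if is_provider(src):
                verdicts["allow-provider"] += 1
            else:
                verdicts["block-unknown"] += 1
                blocked_sources[src] += 1
        else:
            verdicts["not-voip"] += 1
    return verdicts, blocked_sources


def nft_rules():
    """nftables rule lines implementing 'forward SIP/RTP only from the
    provider, drop everything else on the SIP port'."""
    rules = []
    for net in PROVIDER_NETS:
        rules.append(f"ip saddr {net} udp dport {SIP_PORT} accept")
        rules.append(
            f"ip saddr {net} udp dport {RTP_RANGE.start}-{RTP_RANGE.stop - 1} accept"
        )
    rules.append(f"udp dport {SIP_PORT} drop")
    return rules


if __name__ == "__main__":
    verdicts, sources = classify(SAMPLE_LOG)
    print(dict(verdicts))
    print("would block:", dict(sources))
    print("\n".join(nft_rules()))
```

The rules only open UDP, matching the point made below that TCP on 5060 is not normally needed; if your provider also sends signalling from a host outside its published range, that shows up in the `block-unknown` bucket before you deploy the rules.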

Are you using TCP for SIP? UDP is standard and there would be no need to allow TCP on 5060.

If your provider tells you you need to forward the ports, then it’s probably true.
I generally have problems with incoming calls if I don’t, but it MIGHT work without. If it does work without forwarding, then good.

The nuts and bolts of SIP are complicated, but put simply: SIP session negotiation takes place over the signalling port (default 5060) and the audio (more correctly, the ‘media’) goes over a random pair of ports in the RTP port range (default 10k-20k). It’s quite common for providers to do SIP signalling and SIP media from different hosts, and some providers have many media servers. So imagine what happens when a SIP session is negotiated through a NAT router, but the audio appears from a different port range and from a different server. Unless the router is configured for this scenario, you will experience zero-way or one-way audio on the call, probably the most frequent troubleshooting question asked here in this forum.

Whether your provider proxies media through their signalling server or not is the main determining factor on whether you need port forwarding in place. It also depends on the router’s implementation of NAT. Some routers have a SIP ALG that is intended to correct for this, but it seems like most ALGs do more harm than good, at least for Asterisk. You will find some who boldly claim port forwarding is never required. Virtually every SIP provider will claim the opposite. They are both arguing from experience.

In support we run into all the fun edge cases. When the router is not port forwarding media, we see cases when inbound audio on calls is lost until the PBX first sends outbound audio to establish a media path through the NAT router. This is irrelevant for 99.9% of use cases, but there are automated call scenarios (DISA, Broadcasting, FMFM to external DIDs, etc) where there is no audio outbound from the server (or at least not initially) and so therefore inbound media (including DTMF) won’t work either. There is a little test I do from the Asterisk CLI when I suspect this might be a problem:

channel originate local/xxxxxxxxxx@from-internal application echo

replace the x’s with a test DID and call yourself. You should be able to hear your own voice echoed back when you answer, but in (at least some) cases when the PBX is behind NAT and media ports are not forwarded, the audio is broken.

Long story short, do what works for you. If all is fine without port forwarding, then do it. If at any future point you experience one-way or zero-way audio, you will need to revisit this decision.

edit - In the following post, Greg brings up an important point, all of the above refers specifically to trunks that register to a SIP provider. If you are not using registration then you MUST ALWAYS port forward all SIP signalling and media ports without exception.

7 Likes

Generally the dividing line is SIP trunks that register versus IP Authorization trunks - Trunks that register are more of a Client-Server model - because they initiate the connection from behind the firewall, and through Keep-Alive methods, they keep the connection open and therefore no port forwarding is required.

IP Auth trunks on the other hand just blindly send the traffic to a predetermined IP address and expect the firewall at the site to pass the traffic on through - IP Auth trunks always need port forwarding if the PBX is behind the firewall.

4 Likes

Great explanation of SIP. My confusion is in a SIP Trunk typically you have a single host. If a SIP carrier has different hosts for signaling and media how would you program that in your trunk settings? Would you just put in the signalling server?

Correct. The media hosts are negotiated as part of the signalling process. The only reason to even be aware of SIP signalling media servers is when configuring Firewalls.

1 Like