Nicholas Blasgen
2010-Jan-04 02:14 UTC
[asterisk-users] Outgoing Calls Only -- Firewall Rules
I'm trying to move my Asterisk deployments under a Virtual IP address and now remember why I dislike this. My primary Asterisk system is now behind a firewall in private address space. My question is what ports are needed to be opened just for the purpose of placing outgoing calls. I would have assumed none, but I can't even get replies on registration from any of my 3 VoIP providers. I tried defining the External IP and some other stuff, but I assume it's fully an issue with the firewall. Do I really need 5060 port forwarded just to register with remote hosts?

Nicholas Blasgen
Partner / Network Operations
Refractive Dialer LLC
(724) 252-7436

On Sun, Jan 3, 2010 at 9:14 PM, Nicholas Blasgen <nicholas at refractivedialer.com> wrote:
> I'm trying to move my Asterisk deployments under a Virtual IP address and
> now remember why I dislike this. My primary Asterisk system is now behind a
> firewall in private address space. My question is what ports are needed to
> be opened just for the purpose of placing outgoing calls. I would have
> assumed none, but I can't even get replies on registration from any of my 3
> VoIP providers. I tried defining the External IP and some other stuff, but
> I assume it's fully an issue with the firewall. Do I really need 5060 port
> forwarded just to register with remote hosts?

Each NAT device likes it differently. I usually do the following:

1. Forward udp:5060 (SIP)
2. Forward udp:10000-20000 (RTP)
3. Set up sip.conf so that asterisk knows it's behind nat (externalip, localnet and sip=yes)

Depending on how fancy your device is, I usually have to turn off all app level stuff meant for sip. Linksys calls it ALG, Sonicwall something else etc.

I haven't played with 1.4 or 1.6 yet, only 1.2 so I am not really sure what needs to be done on the other versions, but I'm assuming it's all the same.

Nicholas, you haven't specified which version, which does make a lot of difference. 1.6.x can easily traverse NAT.

If you are only making outbound calls, you shouldn't need to forward 5060. Unless you have a special NAT that is blocking outbound connections, the SIP.conf settings below should work whether your provider uses SIP registrations or not. My codec related settings may not be applicable to your installation:

; -------------------------------------
[general]
dtmfmode=rfc2833
relaxdtmf=yes
bandwidth=high
disallow=all
allow=ulaw
;
; NAT stuff
;
localnet=192.168.x.0/255.255.255.0
externip=a.b.c.d:5060
nat=yes
;
; Media stuff
;
canreinvite=no
;
;
[your-voip-provider-para]
;
context=default
type=friend
;
; your provider's outbound gateway
;
host=w.x.y.z
;
dtmfmode=rfc2833
relaxdtmf=yes
disallow=all
allow=ulaw
;
; -------------------------------------

On Sun, Jan 3, 2010, Nicholas Blasgen wrote:
> I'm trying to move my Asterisk deployments under a Virtual IP address and
> now remember why I dislike this. My primary Asterisk system is now behind a
> firewall in private address space. My question is what ports are needed to
> be opened just for the purpose of placing outgoing calls. I would have
> assumed none, but I can't even get replies on registration from any of my 3
> VoIP providers. I tried defining the External IP and some other stuff, but
> I assume it's fully an issue with the firewall. Do I really need 5060 port
> forwarded just to register with remote hosts?
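
The localnet/externip settings discussed in this thread decide which address the server advertises to a peer; a registration that advertises the private address gives the provider nothing it can reach. The sketch below is an added example, not part of the original messages and not Asterisk's own code: a simplified model of that decision, with hypothetical function names and documentation-range addresses standing in for the a.b.c.d and 192.168.x.0 placeholders.

```python
import ipaddress

# Constructed sample: the [general] NAT settings from the reply above, with
# documentation addresses substituted for the a.b.c.d / 192.168.x.0 placeholders.
SAMPLE_SIP_CONF = """\
[general]
; NAT stuff
localnet=192.168.1.0/255.255.255.0
externip=203.0.113.10:5060
nat=yes
canreinvite=no
"""

def parse_general(text):
    """Return the options of the [general] section; localnet may repeat."""
    opts, section = {"localnet": []}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "general" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "localnet":
                opts["localnet"].append(ipaddress.ip_network(value, strict=False))
            else:
                opts[key] = value
    return opts

def advertised_address(opts, bind_ip, peer_ip, bind_port=5060):
    """Simplified model: peers inside localnet see the private address,
    everyone else (e.g. the VoIP provider) sees externip."""
    peer = ipaddress.ip_address(peer_ip)
    is_local = any(peer in net for net in opts["localnet"])
    if is_local or "externip" not in opts:
        return bind_ip, bind_port
    host, _, port = opts["externip"].partition(":")
    return host, int(port) if port else bind_port

def contact_header(opts, user, bind_ip, peer_ip):
    """Contact header as it would be advertised to this peer."""
    host, port = advertised_address(opts, bind_ip, peer_ip)
    return f"Contact: <sip:{user}@{host}:{port}>"

if __name__ == "__main__":
    opts = parse_general(SAMPLE_SIP_CONF)
    print(contact_header(opts, "1000", "192.168.1.20", "198.51.100.7"))   # provider
    print(contact_header(opts, "1000", "192.168.1.20", "192.168.1.50"))   # LAN phone
```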