
mdshs
@teksavvy.com
Anon
Question about opening ports for Asterisk

Hi all,

Just curious, we have Asterisk PBX in our office on Static IP using voip.ms as our trunk. Voip.ms told me the ports they use are UDP 5060 and UDP 10001-20000. Does this mean in my router I need to port forward those ports to my Asterisk box in order to make/receive calls? Or do I keep the firewall closed on the router and not open any ports at all? Was thinking that the ports should be open but then thinking isn't that a security risk?

Trimline
Premium Member
join:2004-10-24
Windermere, FL

Never open 5060, or port forward 5060 unless you want a lot of trouble (hackers). UDP ports 10001 - 20000 can be port forwarded without issue - these are used for RTP streams (voice). This can be forwarded depending on your situation. One example would be one-way audio.

Unless you are experiencing call audio issues, I would leave well enough alone.
SCADAGeo to mdshs
Premium Member
join:2012-11-08
N California

said by mdshs:

Or do I keep the firewall closed on the router and not open any ports at all? Was thinking that the ports should be open but then thinking isn't that a security risk?

My personal preference is to keep ports closed.

VoiP.MS supports the IAX2 protocol, which uses a single UDP port (usually 4569) for both signaling and media flow.

»en.wikipedia.org/wiki/IAX2

Trev to mdshs
AcroVoice & DryVoIP Official Rep
Premium Member
join:2009-06-29
Victoria, BC

The only ports you need to forward are the ports you are using. It doesn't matter what anyone else is using (this includes your provider).

Look at /etc/asterisk/rtp.conf and you should see something like
[general]
;
; RTP start and RTP end configure start and end addresses
;
; Defaults are rtpstart=5000 and rtpend=31000
;
rtpstart=40000
rtpend=50000
 

You'll want to forward ports 40000-50000 to ensure incoming audio can reach Asterisk. You shouldn't need to forward the SIP port unless you have outside phones that need to reach your server.
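As an added example that is not part of Trev's post: a small POSIX sh script that reads rtpstart/rtpend from rtp.conf (a constructed copy of the file quoted above; on a real box the path is /etc/asterisk/rtp.conf) and sanity-checks the range before anyone writes a forwarding rule for it. The function names are my own; the 5000/31000 defaults are the ones the file's own comments state.

```shell
#!/bin/sh
# Added example, not from the thread: read the RTP range Asterisk actually
# uses from rtp.conf so that only that range gets forwarded. The sample file
# below is constructed to mirror the one quoted in the post; on a real box
# point rtp_range at /etc/asterisk/rtp.conf.
set -eu

# Write a constructed rtp.conf to a temp file and print its path.
make_sample_rtp_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
[general]
;
; RTP start and RTP end configure start and end addresses
;
; Defaults are rtpstart=5000 and rtpend=31000
;
rtpstart=40000
rtpend=50000
EOF
    printf '%s\n' "$f"
}

# Print "start end" from the [general] section, ignoring ; comments and
# whitespace. Asterisk's own defaults (5000 31000) apply when a key is absent.
rtp_range() {
    awk -F= '
        /^[ \t]*;/ { next }
        /^[ \t]*\[/ { gsub(/[ \t]/, "", $1); sect = $1; next }
        sect == "[general]" && NF >= 2 {
            gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2)
            if ($1 == "rtpstart") s = $2
            if ($1 == "rtpend")   e = $2
        }
        END { if (s == "") s = 5000; if (e == "") e = 31000; print s, e }
    ' "$1"
}

# Number of UDP ports the configured range exposes once forwarded.
rtp_port_count() {
    set -- $(rtp_range "$1")
    echo $(( $2 - $1 + 1 ))
}

# Sanity check a range before writing a forwarding rule: unprivileged ports,
# start below end, inside the UDP port space. Exit status 0 means sane.
rtp_range_sane() {
    [ "$1" -ge 1024 ] && [ "$2" -le 65535 ] && [ "$1" -lt "$2" ]
}

# True when the range is still Asterisk's wide default (26001 ports).
rtp_is_default_range() {
    [ "$1" -eq 5000 ] && [ "$2" -eq 31000 ]
}

# Demo run on the constructed file.
conf=$(make_sample_rtp_conf)
set -- $(rtp_range "$conf")
if rtp_range_sane "$1" "$2"; then
    echo "forward UDP $1-$2 ($(rtp_port_count "$conf") ports) to the Asterisk host"
    if rtp_is_default_range "$1" "$2"; then
        echo "note: this is the stock default range; shrink it before forwarding" >&2
    fi
else
    echo "rtp.conf range $1-$2 is not usable" >&2
fi
rm -f "$conf"
```

The point of the port count is the one brg makes further down the thread: the range you forward should be the range you actually use, and a single household does not need ten thousand ports open.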

brg
Premium Member
join:2001-01-03
Chicago, IL

said by Trev:

The only ports you need to forward are the ports you are using. It doesn't matter what anyone else is using (this includes your provider).
***
You shouldn't need to forward the SIP port unless you have outside phones that need to reach your server.

Question 1: So, if I have a home asterisk implementation, and all my extensions are local to my personal private network, I wouldn't ever need to open any SIP port (say, 5060) on my router, nor would I need to forward said port to my asterisk server box and/or ATAs? That makes sense for local outbound calls.

Question 2: Same as above; but assume inbound calling to one of my DIDs from a VoIP provider. I'm registered to that provider from my asterisk box. No opening/forwarding of SIP port(s) to the * box needed? Because of my registration?

Question 3: Assume inbound calling to one of my DIDs from a VoIP provider and I'm registered to that provider direct from my ATA -- no asterisk box. No opening/forwarding of SIP port(s) to the ATA needed? Because of my registration?

Question 4: Now I'm traveling and want to connect via SIP client on my iPod to my asterisk; have that client register as an authorized extension. Is this the only situation requiring opening/forwarding of SIP port(s) to the * box? (Yes, I'm aware of "the traveling man", etc...)

AndrewZ
Premium Member
join:2003-07-17
somewhere

said by brg:

Question 1: So, if I have a home asterisk implementation, and all my extensions are local to my personal private network, I wouldn't ever need to open any SIP port (say, 5060) on my router, nor would I need to forward said port to my asterisk server box and/or ATAs? That makes sense for local outbound calls.

No need.

Question 2: Same as above; but assume inbound calling to one of my DIDs from a VoIP provider. I'm registered to that provider from my asterisk box. No opening/forwarding of SIP port(s) to the * box needed? Because of my registration?

No forwarding for SIP ports, because of your registration AND keepalives.
You will need to forward your RTP ports if you want to forward incoming calls through your server.

Question 3: Assume inbound calling to one of my DIDs from a VoIP provider and I'm registered to that provider direct from my ATA -- no asterisk box. No opening/forwarding of SIP port(s) to the ATA needed? Because of my registration?

Correct, because of your registration AND keepalives.

Question 4: Now I'm traveling and want to connect via SIP client on my iPod to my asterisk; have that client register as an authorized extension. Is this the only situation requiring opening/forwarding of SIP port(s) to the * box? (Yes, I'm aware of "the traveling man", etc...)

Yes, you will have to open a port.

XCOM to Trimline
digitalnUll
Premium Member
join:2002-06-10
Spring, TX
(Software) pfSense
MikroTik CRS125-24G-1S-RM

said by Trimline:

Never open 5060, or port forward 5060 unless you want a lot of trouble (hackers). UDP ports 10001 - 20000 can be port forwarded without issue - these are used for RTP streams (voice). This can be forwarded depending on your situation. One example would be one-way audio.

Unless you are experiencing call audio issues, I would leave well enough alone.

Really? WRONG!

You can port forward the ports specifically to an ITSP, or to a dynamic DNS name via rules if no static IP is present.

I have all my SIP ports open to my ITSP with no issues due to the type of NAT my firewall uses.
Depending on your router you may have to open the RTP ports... Some more restricted routers that use symmetric NAT will force you through hell before you can get some protocols to play nice, while more widely adopted NAT types like cone NAT play very well and RTP, or even SIP in some cases, don't have to be forwarded.

Edit:

Forgot to mention that with proper security you can forward any port. In the VoIP world fail2ban and Arno's firewall are some of the best tools in the arsenal to have.
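An added example, not from XCOM's post, of the two things the post relies on when SIP is forwarded at all: restricting the forwarded SIP port to the ITSP's address, and fail2ban-style counting of failed registrations in the Asterisk log. It is POSIX sh for a Linux router or PBX using iptables; the PBX address 192.0.2.10, the ITSP address 203.0.113.5, the log lines and the function names are all constructed for the demo, and the iptables commands are printed for review rather than executed.

```shell
#!/bin/sh
# Added example, not from the thread: (1) emit iptables rules that forward
# UDP 5060 to the PBX only from the ITSP's addresses, so the SIP port is not
# reachable from the whole internet; (2) a minimal fail2ban-style pass over
# Asterisk log lines that counts failed registrations per source address.
# All addresses and log lines are constructed; rules are printed, not run.
set -eu

# One DNAT rule per ITSP address, so only those sources reach the PBX on 5060.
#   usage: sip_dnat_rules <pbx-lan-ip> <itsp-ip>...
sip_dnat_rules() {
    pbx=$1; shift
    for itsp in "$@"; do
        printf 'iptables -t nat -A PREROUTING -s %s -p udp --dport 5060 -j DNAT --to-destination %s\n' "$itsp" "$pbx"
    done
}

# One DNAT rule for the RTP range (media may arrive from the far end once a call is up).
#   usage: rtp_dnat_rule <pbx-lan-ip> <start> <end>
rtp_dnat_rule() {
    printf 'iptables -t nat -A PREROUTING -p udp --dport %s:%s -j DNAT --to-destination %s\n' "$2" "$3" "$1"
}

# Constructed chan_sip NOTICE lines in the shape fail2ban's asterisk filter matches.
make_sample_sip_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
[2014-02-10 12:00:01] NOTICE[2101] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '198.51.100.7:5062' - Wrong password
[2014-02-10 12:00:02] NOTICE[2101] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7:5062' - No matching peer found
[2014-02-10 12:00:03] NOTICE[2101] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.7:5062' - No matching peer found
[2014-02-10 12:00:05] NOTICE[2101] chan_sip.c: Registration from '"1002" <sip:1002@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[2014-02-10 12:00:09] VERBOSE[2101] chan_sip.c: -- Registered SIP '1002' at 203.0.113.5:5060
EOF
    printf '%s\n' "$f"
}

# Print "ip count" for every source with at least <threshold> failed registrations.
#   usage: failed_reg_offenders <logfile> <threshold>
failed_reg_offenders() {
    awk -v th="$2" '
        /Registration from .* failed for / {
            split($0, a, "failed for ")
            ip = a[2]
            sub(/^[^0-9]*/, "", ip)     # drop the opening quote
            sub(/:.*$/, "", ip)         # drop :port and the reason text
            hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] >= th) print ip, hits[ip] }
    ' "$1" | sort
}

# The rule fail2ban adds on the host it runs on: drop the offender's SIP traffic.
ban_rule() {
    printf 'iptables -I INPUT -s %s -p udp --dport 5060 -j DROP\n' "$1"
}

# Demo run with constructed values: PBX at 192.0.2.10, ITSP at 203.0.113.5.
sip_dnat_rules 192.0.2.10 203.0.113.5
rtp_dnat_rule 192.0.2.10 40000 50000
log=$(make_sample_sip_log)
failed_reg_offenders "$log" 3 | while read -r ip count; do
    echo "# $ip failed $count times"
    ban_rule "$ip"
done
rm -f "$log"
```

With a threshold of 3 only the scanning address 198.51.100.7 is listed; the ITSP's single mistyped password is left alone. The source-restricted DNAT rule is what makes "open to my ITSP" different from "open to everyone": unsolicited SIP from any other address never reaches the PBX, so fail2ban only has to cover the case where you deliberately expose SIP to roaming phones.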

brg to AndrewZ
Premium Member
join:2001-01-03
Chicago, IL

said by AndrewZ:

said by brg:

Question 2: Same as above; but assume inbound calling to one of my DIDs from a VoIP provider. I'm registered to that provider from my asterisk box. No opening/forwarding of SIP port(s) to the * box needed? Because of my registration?

No forwarding for SIP ports, because of your registration AND keepalives.
You will need to forward your RTP ports if you want to forward incoming calls through your server.

RTP is forwarded; thanks. A much smaller block than the huge block recommended as "standard." It's just me; not an office full of callers...
said by AndrewZ:

said by brg:

Question 3: Assume inbound calling to one of my DIDs from a VoIP provider and I'm registered to that provider direct from my ATA -- no asterisk box. No opening/forwarding of SIP port(s) to the ATA needed? Because of my registration?

Correct, because of your registration AND keepalives.

Any need to forward RTP to the ATA in this case?

AndrewZ
Premium Member
join:2003-07-17
somewhere

said by brg:

Any need to forward RTP to the ATA in this case?

No. Your outgoing RTP stream will open your NAT for incoming voice.