mdshs

@teksavvy.com

Question about opening ports for Asterisk

Hi all,

Just curious, we have Asterisk PBX in our office on Static IP using voip.ms as our trunk. Voip.ms told me the ports they use are UDP 5060 and UDP 10001-20000. Does this mean in my router I need to port forward those ports to my Asterisk box in order to make/receive calls? Or do I keep the firewall closed on the router and not open any ports at all? Was thinking that the ports should be open but then thinking isn't that a security risk?


Trimline
Premium
join:2004-10-24
Windermere, FL
Reviews:
·ObiVoice
·Bright House
·Callcentric
·voip.ms
Never open 5060, or port forward 5060 unless you want a lot of trouble (hackers). UDP ports 10001 - 20000 can be port forwarded without issue - these are used for RTP streams (voice). This can be forwarded depending on your situation. One example would be one-way audio.

Unless you are experiencing call audio issues, I would leave well enough alone.

SCADAGeo

join:2012-11-08
N California
kudos:2
reply to mdshs
said by mdshs :

Or do I keep the firewall closed on the router and not open any ports at all? Was thinking that the ports should be open but then thinking isn't that a security risk?

My personal preference is to keep ports closed.

Voip.ms supports the IAX2 protocol, which uses a single UDP port (usually 4569) for both signaling and media flow.

»en.wikipedia.org/wiki/IAX2


Trev
IP Telephony Addict
Premium
join:2009-06-29
Victoria, BC
kudos:6

1 recommendation

reply to mdshs
The only ports you need to forward are the ports you are using. It doesn't matter what anyone else is using (this includes your provider).

Look at /etc/asterisk/rtp.conf and you should see something like
[general]
;
; RTP start and RTP end configure start and end addresses
;
; Defaults are rtpstart=5000 and rtpend=31000
;
rtpstart=40000
rtpend=50000
 

You'll want to forward ports 40000-50000 to ensure incoming audio can reach Asterisk. You shouldn't need to forward the SIP port unless you have outside phones that need to reach your server.

--
Wondering what I do? Find out at »www.digitalcon.ca
Get your Obihai ATA in Canada.


brg

join:2001-01-03
Chicago, IL
kudos:1
said by Trev:

The only ports you need to forward are the ports you are using. It doesn't matter what anyone else is using (this includes your provider).
***
You shouldn't need to forward the SIP port unless you have outside phones that need to reach your server.

Question 1: So, if I have a home asterisk implementation, and all my extensions are local to my personal private network, I wouldn't ever need to open any SIP port (say, 5060) on my router, nor would I need to forward said port to my asterisk server box and/or ATAs? That makes sense for local outbound calls.

Question 2: Same as above; but assume inbound calling to one of my DIDs from a VoIP provider. I'm registered to that provider from my asterisk box. No opening/forwarding of SIP port(s) to the * box needed? Because of my registration?

Question 3: Assume inbound calling to one of my DIDs from a VoIP provider and I'm registered to that provider direct from my ATA -- no asterisk box. No opening/forwarding of SIP port(s) to the ATA needed? Because of my registration?

Question 4: Now I'm traveling and want to connect via SIP client on my iPod to my asterisk; have that client register as an authorized extension. Is this the only situation requiring opening/forwarding of SIP port(s) to the * box? (Yes, I'm aware of "the traveling man", etc...)


AndrewZ
Premium
join:2003-07-17
somewhere
said by brg:

Question 1: So, if I have a home asterisk implementation, and all my extensions are local to my personal private network, I wouldn't ever need to open any SIP port (say, 5060) on my router, nor would I need to forward said port to my asterisk server box and/or ATAs? That makes sense for local outbound calls.

No need.

Question 2: Same as above; but assume inbound calling to one of my DIDs from a VoIP provider. I'm registered to that provider from my asterisk box. No opening/forwarding of SIP port(s) to the * box needed? Because of my registration?

No forwarding for SIP ports, because of your registration AND keepalives.
You will need to forward your RTP ports if you want to forward incoming calls through your server.

Question 3: Assume inbound calling to one of my DIDs from a VoIP provider and I'm registered to that provider direct from my ATA -- no asterisk box. No opening/forwarding of SIP port(s) to the ATA needed? Because of my registration?

Correct, because of your registration AND keepalives.

Question 4: Now I'm traveling and want to connect via SIP client on my iPod to my asterisk; have that client register as an authorized extension. Is this the only situation requiring opening/forwarding of SIP port(s) to the * box? (Yes, I'm aware of "the traveling man", etc...)

Yes, you will have to open a port.


XCOM
digitalnUll
Premium
join:2002-06-10
Spring, TX
Reviews:
·ObiVoice
·flowroute
·Comcast

1 edit
reply to Trimline
said by Trimline:

Never open 5060, or port forward 5060 unless you want a lot of trouble (hackers). UDP ports 10001 - 20000 can be port forwarded without issue - these are used for RTP streams (voice). This can be forwarded depending on your situation. One example would be one-way audio.

Unless you are experiencing call audio issues, I would leave well enough alone.

Really? WRONG!

You can port forward the ports specifically to an ITSP, or to a dynamic DNS name if no static IP is present, via rules.

I have all my SIP ports open to my ITSP with no issues due to the type of NAT my firewall uses.
Depending on your router you may have to open the RTP ports... Some more restricted routers that use symmetric NAT will put you through hell before you can get some protocols to play nice, while more adopted NAT types like cone NAT play very well and RTP, or even SIP in some cases, don't have to be forwarded.

Edit:

Forgot to mention that with proper security you can forward any port. In the VoIP world, fail2ban and Arno's firewall are among the best tools in the arsenal to have.
--
[nUll@dcypher ~]$
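Combining Trev's point (forward only the RTP range your own rtp.conf actually uses) with XCOM's (scope the forward to the ITSP), here is an added example that is not from the thread: it parses the quoted rtp.conf and emits iptables rules for just that range and just that source. The ITSP media address, the PBX LAN address and the WAN interface name are constructed placeholders; the real addresses must come from the provider.

```python
import re

# Constructed sample mirroring the rtp.conf excerpt quoted in the thread.
SAMPLE_RTP_CONF = """[general]
;
; RTP start and RTP end configure start and end addresses
;
; Defaults are rtpstart=5000 and rtpend=31000
;
rtpstart=40000
rtpend=50000
"""

# Constructed placeholder addresses (not real): ITSP media source, Asterisk LAN IP.
ITSP_MEDIA_IP = "203.0.113.10"
PBX_LAN_IP = "192.168.1.20"


def parse_rtp_range(conf_text):
    """Return (rtpstart, rtpend) from [general]; ';' comments are stripped first,
    so the 'Defaults are rtpstart=5000' comment is not read as a setting."""
    values = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "general" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            values[key] = val
    start = int(values.get("rtpstart", 5000))  # Asterisk defaults quoted in the file
    end = int(values.get("rtpend", 31000))
    if not (1 <= start <= end <= 65535):
        raise ValueError(f"invalid RTP range {start}-{end}")
    return start, end


def forwarding_rules(start, end, itsp_ip, pbx_lan_ip, wan_if="eth0"):
    """iptables rules forwarding only the configured UDP RTP range, and only
    from the ITSP's address, so the range is not exposed to the whole internet."""
    match = f"-i {wan_if} -p udp -s {itsp_ip} --dport {start}:{end}"
    return [
        f"iptables -t nat -A PREROUTING {match} -j DNAT --to-destination {pbx_lan_ip}",
        f"iptables -A FORWARD {match} -d {pbx_lan_ip} -m conntrack --ctstate NEW -j ACCEPT",
    ]
```

Note that the SIP port is deliberately absent from the generated rules; with registration and keepalives, as AndrewZ describes, the signaling path is opened from the inside.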


brg

join:2001-01-03
Chicago, IL
kudos:1
reply to AndrewZ
said by AndrewZ:

said by brg:

Question 2: Same as above; but assume inbound calling to one of my DIDs from a VoIP provider. I'm registered to that provider from my asterisk box. No opening/forwarding of SIP port(s) to the * box needed? Because of my registration?

No forwarding for SIP ports, because of your registration AND keepalives.
You will need to forward your RTP ports if you want to forward incoming calls through your server.

RTP is forwarded; thanks. A much smaller block than the huge block recommended as "standard." It's just me; not an office full of callers...

said by AndrewZ:

said by brg:

Question 3: Assume inbound calling to one of my DIDs from a VoIP provider and I'm registered to that provider direct from my ATA -- no asterisk box. No opening/forwarding of SIP port(s) to the ATA needed? Because of my registration?

Correct, because of your registration AND keepalives.


Any need to forward RTP to the ATA in this case?


AndrewZ
Premium
join:2003-07-17
somewhere
said by brg:


Any need to forward RTP to the ATA in this case?

No. Your outgoing RTP stream will open your NAT for incoming voice.