Firewall ports

system · July 16, 2010, 3:43pm

We are setting up an asterisk server inside the company firewall. This server will have one sip trunk to a sip provider.

The firewall has no outgoing blocks, but blocks most incoming ports. There is no NAT, its all routeable IP addresses.

Which ports have to be unblocked incoming for the Asterisk server?

Which ports have to be unblocked incoming for the Sip Phones?

david55 · July 16, 2010, 3:51pm

Standard ones like DNS, UDP 5060, the range of UDP ports specified in rtp.conf.

Where are the phones in relation to the firewall? Do you intend to re-invite the RTP stream out of Asterisk?

system · July 16, 2010, 4:23pm

If all of the phones are on the same lan with the Asterisk server. Do those need incoming 5060 and the full rtp range incoming from the firewall?

Does this change if there are softphones outside the firewall?

david55 · July 16, 2010, 4:30pm

Depends on the answer to my second question. They shouldn’t need 5060, but, if you allow re-inviting, they will need the UDP port range configured in the respective phone. Re-inviting will reduce the load on Asterisk.

They don’t add any requirements not already needed for the trunks.

system · July 19, 2010, 1:22pm

So with “canreinvite=no”, does that mean

all the rtp traffic from outside the firewall is with the asterisk server.
sip phones on the lan with the asterisk server don’t need any firewall ports unblocked.

It would be much easier to unblock ports just to the asterisk server’s IP.

In this scenario, would sip phones outside the firewall require any additional unblocking?

Does running with “canreinvite=no” add so much load to the asterisk server that 20 simultaneous calls on the sip trunk would require high end hardware on the asterisk server?

david55 · July 19, 2010, 1:26pm

ALL RTP traffic would go through the server, and internal phones only need to be able to see the server.

20 erlangs is probably supportable, but I generally work with development systems, not production ones, so I’d seek a second opinion.

MrFidget · July 20, 2010, 3:31pm

Re RTP ports, you will need 4 free UDP ports for RTP per call.

If you are not wanting to accept anonymous SIP calls, only allow 5060/UDP traffic from your SIP provider (as well as the handset subnet…obviously), it will reduce the SPIT and extension enumeration attacks as is becomming ever more frequent.

20 calls is pretty straight forward on most current hardware provided there is no codec translation. Thats the CPU killer. Try to keep it all g711 or g729 or even g722 if your bandwidth and ITSP support it. So long as you dont have to convert the audio.

We have a similar situation, only we have NAT and we are using port forwarding on the Asterisk box. Its a Via C3 running at 800MHz with 512Mb RAM and a standard EIDE 80Gb disk. It manages to keep up with 6-8 calls and no complaints. I recon I could double it, judging by the overall CPU usage. All handsets are running g711a (alaw which is standard for Australia) to the ITSP. The box handles all SIP and RTP traffic from the handsets to the trunk.

Check out http://www.voip-info.org/wiki/view/Asterisk+dimensioning. There are some good rule of thumb examples there.

Good luck and let us know how you go.
Cheers
Chris

Topic		Replies	Views
Asterisk VOIP Nat firewall Asterisk Support	7	1062	February 22, 2016
A few questions on SIP Asterisk Support	4	266	September 23, 2011
Sip-Aware firewall Asterisk Support	5	401	December 14, 2005
SIP and port Asterisk Support	3	212	March 1, 2014
Problems with an outside SIP connection through firewall Asterisk Support	5	1547	October 9, 2006

Firewall ports

Related topics