When Firewalls are filtering my UDP packets

While doing a lot of Asterisk setups for the last 15 years, there is one problem that keeps me busy at least once a month, and I would really like to know if I can do something about it. It happened with all Asterisk versions I ever used (and that's a lot).

So I am talking about Asterisk setups behind NAT firewalls (but without port forwardings, for security reasons). Everything works fine for months or even years, but one day calls to the VoIP provider stop working. In this case I turn debug on and I notice that Asterisk is sending REGISTERs to the provider but doesn't get any answers. It looks like the answers get filtered by the firewall. Or the REGISTER packets get filtered in the first place.

When I have this state there are two things I can do about that:

  1. stop Asterisk for at least five to ten minutes. It looks like if there is no traffic from Asterisk for some minutes, the firewall forgets what it was grumpy about, and when I start Asterisk again it works again.

or

  2. restart the firewall and even the router of the ISP in front of the firewall. Then it usually starts to work again.

While I am sure that this is of course not the fault of Asterisk, I wonder if someone else saw something like this and if there is something I can do about that from my side, or at least something I could tell the admins of the firewalls.
When talking about that with the firewall guys, no one has been helpful so far.

What I discovered in all these years:

  • I think this behaviour happens very often with Fortigate firewalls
  • I somehow think that it got a bit better since I started to use alternative ports on my side (so binding pjsip to some random port instead of 5060). But it also happened with alternative ports. My impression is just that it happens less.

Maybe someone experienced something like this also?
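A small check for the stall described above (REGISTERs going out, nothing at all coming back), added here as an example and not taken from the thread or from Asterisk. The one-line-per-message trace format is constructed for the example; a real Asterisk SIP debug dump would need a different `parse_line`.

```python
import re

# Constructed trace format (not Asterisk's real debug output): one message per
# line as "<epoch> <TX|RX> <Call-ID> <SIP start line>".
LINE_RE = re.compile(r"^(\d+)\s+(TX|RX)\s+(\S+)\s+(.*)$")

# Constructed sample: two healthy registrations, then three REGISTERs that
# never get any reply, which is the symptom described in the first post.
SAMPLE_TRACE = """\
1000 TX a1 REGISTER sip:provider.example SIP/2.0
1001 RX a1 SIP/2.0 401 Unauthorized
1001 TX a1 REGISTER sip:provider.example SIP/2.0
1002 RX a1 SIP/2.0 200 OK
1060 TX a2 REGISTER sip:provider.example SIP/2.0
1061 RX a2 SIP/2.0 200 OK
1120 TX a3 REGISTER sip:provider.example SIP/2.0
1180 TX a4 REGISTER sip:provider.example SIP/2.0
1240 TX a5 REGISTER sip:provider.example SIP/2.0
"""

def parse_line(line):
    """Return (ts, direction, call_id, start_line) or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3), m.group(4)

def check_registration(trace, threshold=3):
    """Count trailing REGISTER attempts that received no response of any kind.

    Any response (even 401 or 403) proves the UDP path through the firewall is
    open in both directions, so a run of completely silent REGISTERs points at
    filtered packets rather than at an authentication problem.
    """
    pending = set()      # Call-IDs of REGISTERs still waiting for a reply
    silent = 0           # consecutive attempts with no reply at all
    last_reply = None
    last_attempt = None
    for line in trace.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, direction, call_id, start = rec
        if direction == "TX" and start.startswith("REGISTER "):
            pending.add(call_id)
            silent += 1
            last_attempt = ts
        elif direction == "RX" and call_id in pending:
            pending.discard(call_id)
            silent = 0
            last_reply = ts
    since_reply = None if last_reply is None else last_attempt - last_reply
    return {"silent_attempts": silent, "stalled": silent >= threshold,
            "seconds_since_reply": since_reply}
```

Run against the sample it reports three silent attempts and 179 seconds since the last reply, the point at which stopping Asterisk for a while (as the post describes) would be the next thing to try.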

Hmm, yes, there is a solution:
start using a port forward, but set a firewall rule to only allow the IP of your provider's SIP/RTP servers.
This is not less but in fact more security.

Look at using 1-to-1 NAT if you are not already doing that.

Also, using something other than the default ports is just security by obscurity.
A better alternative is to move to TLS + SRTP with good account names with domain and long random passwords,
and look at using Kamailio as an SBC if you want to beef up your security for the connection to the Internet.

I know that port forwarding probably would solve that. The problem is that usually the firewalls are not administered by me and I don't have access to them. And over the last years I stopped trusting the firewall guys.
The last time I asked a firewall admin for a port forwarding restricted to the IP of the provider, what he did was to enter my Asterisk box as exposed host, so that all Internet traffic hit there.

Of course, I didn't change the port for security reasons; instead I was hoping that maybe I would avoid SIP ALGs or other unwanted firewall features that maybe look at source port 5060.
