NAT, firewall and port forwarding issues
Getting Started
This guide covers the issues you will come across when your VoIP phones or PBX sit behind a router/firewall and do not have public IP addresses of their own.
Basic Configuration
NAT (Network Address Translation) is a technology most commonly used by firewalls and routers to allow multiple devices on a LAN with 'private' IP addresses to share a single public IP address. A private IP address is an address from a reserved range, usually something like 192.168.2.2, which can be reached from within the LAN but not from the Internet outside it.
Getting a call from a phone on your private network out to the Internet, or accepting a call from the outside world, is called NAT traversal. SIP was not designed with NAT traversal in mind and has to be 'fudged' to make it work properly. A key problem is that SIP only deals with call setup and signalling: the phone writes its own private address into the SIP headers and into the SDP body that tells the far end where to send the audio.
The voice traffic itself is carried by a separate protocol (RTP) on a port negotiated per call. This means that your router often sees RTP packets arriving from the Internet without knowing which internal device they are destined for, and it drops them. At first everything will appear fine to both the calling and the called party.
The called party will see the caller's Caller ID and their telephone will ring, while the caller hears a ringing feedback tone. When the called party picks up, both the ringing and the ringback tone stop as expected. However, the caller will not hear the called party (one-way audio), and the called party may not hear the caller either (no audio).
In this case, port forwarding together with an outbound proxy address of nat.gradwell.net:5082 must be configured for calls to work.
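The symptom above comes from the phone writing its private address into the SIP headers and the SDP body. The following Python script is added here as an illustration and is not part of Gradwell's own tooling. It parses a constructed INVITE as it would arrive at a public-side proxy, flags every advertised address that is RFC 1918 and differs from the packet's real source, and then applies the rewrite a NAT-aware outbound proxy performs (Via `received`/`rport` from RFC 3581, SDP `c=` pointed at the NAT's public address). The INVITE, the LAN address 192.168.2.2 and the public address 203.0.113.7 are constructed.

```python
"""Spot the SIP-behind-NAT symptom described above and show the proxy-side fix.

Added example, not Gradwell's code.  The INVITE, the LAN address 192.168.2.2
and the public address 203.0.113.7 are constructed."""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SDP_BODY = (
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.2.2\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.2.2\r\n"          # where the phone asks for its audio to be sent
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"     # and on which RTP port
)
SAMPLE_INVITE = (
    "INVITE sip:01234567890@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.2.2:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1234@sip.example.net>;tag=1928301774\r\n"
    "To: <sip:01234567890@sip.example.net>\r\n"
    "Contact: <sip:1234@192.168.2.2:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)
# What the public-side proxy actually sees after the NAT rewrote the source.
OBSERVED_IP, OBSERVED_PORT = "203.0.113.7", 40123

VIA_RE = re.compile(r"SIP/2\.0/(?:UDP|TCP|TLS)\s+([\d.]+)(?::(\d+))?", re.I)
CONTACT_RE = re.compile(r"sips?:(?:[^@>\s]+@)?([\d.]+)(?::(\d+))?", re.I)
SDP_C_RE = re.compile(r"^c=IN IP4 (\S+)", re.M)
SDP_M_RE = re.compile(r"^m=audio (\d+)", re.M)


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def split_message(raw):
    """Split a SIP message into request line, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def advertised_addresses(raw):
    """Every place the phone tells the far end where to send signalling and audio."""
    _, headers, body = split_message(raw)
    found = {}
    m = VIA_RE.search(headers.get("via", [""])[0])
    if m:
        found["Via"] = (m.group(1), int(m.group(2) or 5060))
    m = CONTACT_RE.search(headers.get("contact", [""])[0])
    if m:
        found["Contact"] = (m.group(1), int(m.group(2) or 5060))
    c, media = SDP_C_RE.search(body), SDP_M_RE.search(body)
    if c and media:
        found["SDP"] = (c.group(1), int(media.group(1)))
    return found


def nat_findings(raw, observed_ip):
    """Addresses that are private and differ from the packet's real source:
    the signature of a device behind NAT.  An empty list means no NAT problem."""
    return [
        f"{field} advertises {ip}:{port}, packet arrived from {observed_ip}"
        for field, (ip, port) in advertised_addresses(raw).items()
        if is_private(ip) and ip != observed_ip
    ]


def rewrite_for_nat(raw, observed_ip, observed_port):
    """The 'fudge' a NAT-aware outbound proxy applies: record where the request
    really came from (Via received/rport, RFC 3581) and point the SDP
    connection address at the public side of the NAT."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    for i, line in enumerate(lines):
        if line.lower().startswith("via:"):
            lines[i] = f"{line};received={observed_ip};rport={observed_port}"
            break
    body = SDP_C_RE.sub(f"c=IN IP4 {observed_ip}", body)
    lines = [f"Content-Length: {len(body)}" if l.lower().startswith("content-length:") else l
             for l in lines]   # keep Content-Length honest after the rewrite
    return "\r\n".join(lines) + sep + body


if __name__ == "__main__":
    for finding in nat_findings(SAMPLE_INVITE, OBSERVED_IP):
        print("NAT problem:", finding)
    print(rewrite_for_nat(SAMPLE_INVITE, OBSERVED_IP, OBSERVED_PORT))
```

Note what the rewrite cannot fix: the far end will now send RTP to 203.0.113.7:16384, but the NAT has no mapping for that port unless it has been forwarded to the phone (or the phone has already sent RTP out from the same port and the NAT reuses that mapping). That is why port forwarding is needed as well as the outbound proxy.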
Advanced Configuration
The following port ranges are the ones you need to open (forward) for the various hardware VoIP devices; refer to your firewall's instructions on how to do this. These are the devices' default settings. You can force a device to use any range you want in order to narrow what is open on your firewall, and you must do so when several devices sit behind one router so that no two of them share a port. Bear in mind that every forwarded port is reachable from the whole Internet, so keep each range as narrow as the device allows. Consult the relevant device documentation on how to change the ports.
Xten softphones
| Port Type | Number | Service |
|---|---|---|
| UDP | 3478 | STUN SERVER COMMUNICATIONS |
| UDP | 5060/5061 | SIP COMMUNICATIONS (plus custom ports) |
| UDP | 5082 | SIP COMMUNICATIONS (OUTBOUND PROXY) |
| UDP | 8000-8012 | RTP, RTCP, VOICE |
Each additional line needs two more ports (RTP and RTCP) above 8001. For example, a second line uses UDP ports 8002-8003.
Linksys Range of phones/Adaptors
| Port Type | Number | Service |
|---|---|---|
| UDP | 53 | DNS PORT |
| UDP | 3478 | STUN SERVER COMMUNICATIONS |
| UDP | 5060/5061 | SIP COMMUNICATIONS (plus custom ports) |
| UDP | 5082 | SIP COMMUNICATIONS (OUTBOUND PROXY) |
| UDP | 49152-65534 | RTP, RTCP, VOICE |
Sipura Range of phones
| Port Type | Number | Service |
|---|---|---|
| UDP | 53 | DNS PORT |
| UDP | 3478 | STUN SERVER COMMUNICATIONS |
| UDP | 5060/5061 | SIP COMMUNICATIONS (plus custom ports) |
| UDP | 5082 | SIP COMMUNICATIONS (OUTBOUND PROXY) |
| UDP | 16384-16482 | RTP, RTCP, VOICE |
SNOM Range of phones
| Port Type | Number | Service |
|---|---|---|
| UDP | 53 | DNS PORT |
| UDP | 3478 | STUN SERVER COMMUNICATIONS |
| UDP | 5060/5061 | SIP COMMUNICATIONS (plus custom ports) |
| UDP | 5082 | SIP COMMUNICATIONS (OUTBOUND PROXY) |
| UDP | 49152-65534 | RTP, RTCP, VOICE |
Flexor 151 Adaptor
| Port Type | Number | Service |
|---|---|---|
| UDP | 53 | DNS PORT |
| UDP | 3478 | STUN SERVER COMMUNICATIONS |
| UDP | 5060/5066 | SIP COMMUNICATIONS (plus custom ports) |
| UDP | 5082 | SIP COMMUNICATIONS (OUTBOUND PROXY) |
| UDP | 5004 | RTP, RTCP, VOICE |
Grandstream Range of Products
| Port Type | Number | Service |
|---|---|---|
| UDP | 53 | DNS PORT |
| UDP | 3478 | STUN SERVER COMMUNICATIONS |
| UDP | 5060/5061 | SIP COMMUNICATIONS (plus custom ports) |
| UDP | 5082 | SIP COMMUNICATIONS (OUTBOUND PROXY) |
| UDP/TCP | 5004 | RTP, RTCP, VOICE |
Cisco Products
| Port Type | Number | Service |
|---|---|---|
| UDP | 53 | DNS PORT |
| UDP | 3478 | STUN SERVER COMMUNICATIONS |
| UDP | 5060/5061 | SIP COMMUNICATIONS (plus custom ports) |
| UDP | 5082 | SIP COMMUNICATIONS (OUTBOUND PROXY) |
| UDP/TCP | 16384-32768 | RTP, RTCP, VOICE |
Asterisk servers
| Port Type | Number | Service |
|---|---|---|
| UDP | 5060 | SIP COMMUNICATIONS |
| UDP | 4569 | IAX2 PROTOCOL |
| UDP | 5036 | IAX PROTOCOL |
| UDP | 10000-20000 | RTP MEDIA STREAM |
| UDP | 2727 | MEDIA GATEWAY CONTROL |
Siemens Range of phones/Adaptors
| Port Type | Number | Service |
|---|---|---|
| UDP | 53 | DNS PORT |
| UDP | 3478 | STUN SERVER COMMUNICATIONS |
| UDP | 5060/5061 | SIP COMMUNICATIONS (plus custom ports) |
| UDP | 5082 | SIP COMMUNICATIONS (OUTBOUND PROXY) |
| UDP | 5004-5020 | RTP, RTCP, VOICE |
Yealink Range of Products
| Port Type | Number | Service |
|---|---|---|
| UDP | 53 | DNS PORT |
| UDP | 3478 | STUN SERVER COMMUNICATIONS |
| UDP | 5060/5065 | SIP COMMUNICATIONS (plus custom ports) |
| UDP | 5082 | SIP COMMUNICATIONS (OUTBOUND PROXY) |
| UDP | 11780-11800 | RTP, RTCP, VOICE |
Hosted Unified Comms - Telepo Softphone
| Port Type | Number | Service |
|---|---|---|
| TCP | 443 | HTTPS |
| TCP | 80 | HTTP |
| TCP | 5060 | SIP COMMUNICATIONS |
| TCP | 5061 | SIP COMMUNICATIONS (TLS) |
| UDP | 49152-65535 | RTP, RTCP, VOICE |
If you only allow your firewall to accept connections from certain IP addresses, the networks below are the ones we most commonly use. We do not recommend filtering by source address, because our network is dynamic and these ranges change.
| Network Address | Prefix length (CIDR /n) |
|---|---|
| 213.166.5.128 | 28 |
| 193.84.87.0 | 24 |
| 194.165.60.0 | 24 |
| 195.74.60.0 | 23 |
| 193.111.200.0 | 23 |
| 79.135.96.0 | 19 |
| 212.11.64.0 | 19 |
| 194.145.191.128 | 27 |
| 87.238.72.128 | 26 |
| 87.238.74.128 | 26 |
| 213.166.5.128 | 26 |
| 46.43.59.0 | 24 |
| 78.40.243.192 | 27 |
| 79.135.125.179 | 19 |
| 79.135.125.184 | 19 |
Additional Problems using multiple devices behind NAT
When several VoIP devices sit behind one NAT firewall, each device must have its own SIP port and its own RTP port range, and each of those must be forwarded to that device only. If two devices share a port, the router can only deliver an incoming packet to one of them, and you get symptoms such as every phone ringing on an incoming call, no phone ringing, or one-way audio.
The correct way of setting up the NAT firewall and telephones is as follows.
1. Make sure each phone is allocated a static (or fixed dynamic, i.e. DHCP-reserved) IP address.
2. Set up the firewall to forward a distinct SIP port and RTP range to each phone. The following is an example for three VoIP devices.
########################
Phone 1 -
SIP port 5060
RTP ports 49152 - 49202
Phone 2 -
SIP port 5062
RTP ports 49203 - 49253
Phone 3 -
SIP port 5064
RTP ports 49254 - 49304
You can then create six firewall services on the router:
1 for 5060 UDP
2 for 5062 UDP
3 for 5064 UDP
4 for the range 49152 - 49202 UDP
5 for the range 49203 - 49253 UDP
6 for the range 49254 - 49304 UDP
Forward service 1 to the IP address of phone 1
Forward service 2 to the IP address of phone 2
Forward service 3 to the IP address of phone 3
Forward service 4 to the IP address of phone 1
Forward service 5 to the IP address of phone 2
Forward service 6 to the IP address of phone 3
########################
3. Configure each phone to use the SIP and RTP ports allocated to it above (see the device documentation).
4. Reboot the router, then reboot the VoIP devices.
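The procedure above, carried through as a script: it lays out one SIP port and one RTP block per phone in the same pattern as the example, checks the plan for the clashes that cause the wrong phone to ring or audio to go missing, and emits the matching iptables DNAT and FORWARD rules. This is an added example, not Gradwell's code or a rule set it supplies. The phone addresses are constructed; the provider prefixes are the ones listed on this page, and restricting the rules to them is optional for the reason given there.

```python
"""Lay out non-overlapping SIP/RTP ports for several phones behind one NAT,
check the plan for the clashes that cause the symptoms above, and emit the
matching iptables DNAT rules.

Added example, not Gradwell's code.  The phone addresses are constructed; the
provider prefixes are the ones listed on this page."""
import ipaddress

# strict=False so host-style entries such as 79.135.125.179/19 resolve to
# their network (79.135.96.0/19) instead of raising.
PROVIDER_PREFIXES = [
    "213.166.5.128/28", "193.84.87.0/24", "194.165.60.0/24", "195.74.60.0/23",
    "193.111.200.0/23", "79.135.96.0/19", "212.11.64.0/19", "194.145.191.128/27",
    "87.238.72.128/26", "87.238.74.128/26", "213.166.5.128/26", "46.43.59.0/24",
    "78.40.243.192/27", "79.135.125.179/19", "79.135.125.184/19",
]

# Constructed: three phones with DHCP reservations on the LAN.
PHONES = ["192.168.2.11", "192.168.2.12", "192.168.2.13"]


def plan_ports(phone_ips, sip_base=5060, sip_step=2, rtp_base=49152, rtp_span=51):
    """One SIP port and one RTP block per phone, laid out as in the page's example
    (5060/5062/5064 and 49152-49202, 49203-49253, 49254-49304)."""
    plan = []
    for i, ip in enumerate(phone_ips):
        lo = rtp_base + i * rtp_span
        plan.append({"ip": ip, "sip": sip_base + i * sip_step, "rtp": (lo, lo + rtp_span - 1)})
    return plan


def _overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def validate_plan(plan):
    """Problems that make the wrong phone ring or drop audio: a port claimed by
    two devices, a SIP port inside an RTP block, or a range past 65535."""
    errors = []
    for i, p in enumerate(plan):
        lo, hi = p["rtp"]
        if hi > 65535 or p["sip"] > 65535:
            errors.append(f"{p['ip']}: ports exceed 65535")
        if lo <= p["sip"] <= hi:
            errors.append(f"{p['ip']}: SIP port {p['sip']} lies inside its own RTP range")
        for q in plan[i + 1:]:
            qlo, qhi = q["rtp"]
            if p["sip"] == q["sip"] or lo <= q["sip"] <= hi or qlo <= p["sip"] <= qhi:
                errors.append(f"SIP port clash between {p['ip']} and {q['ip']}")
            if _overlap(p["rtp"], q["rtp"]):
                errors.append(f"RTP ranges of {p['ip']} and {q['ip']} overlap")
    return errors


def source_networks(prefixes=PROVIDER_PREFIXES):
    """Collapse the provider list: drops the /28 already inside the /26 and the
    two host-style /19 entries that are really 79.135.96.0/19."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def iptables_rules(plan, wan_if="eth0", sources=None):
    """DNAT each phone's SIP port and RTP block from the WAN interface to that
    phone, with the matching FORWARD accept.  `sources` optionally limits the
    rules to the provider's networks (the page warns that these change)."""
    rules = []
    for p in plan:
        lo, hi = p["rtp"]
        for dport in (str(p["sip"]), f"{lo}:{hi}"):
            for net in (sources or [None]):
                match = ["-i", wan_if, "-p", "udp"]
                if net is not None:
                    match += ["-s", str(net)]
                match += ["--dport", dport]
                m = " ".join(match)
                rules.append(f"iptables -t nat -A PREROUTING {m} -j DNAT --to-destination {p['ip']}")
                rules.append(f"iptables -A FORWARD {m} -d {p['ip']} -j ACCEPT")
    return rules


if __name__ == "__main__":
    plan = plan_ports(PHONES)
    for err in validate_plan(plan):
        raise SystemExit(f"fix the plan first: {err}")
    print("\n".join(iptables_rules(plan, sources=source_networks())))
```

The DNAT rules name no destination port, so the original port is preserved and the phone must be configured to listen on exactly the ports in its plan (step 3 above). If your devices insist on an even-numbered RTP port with RTCP on the next odd port (the RFC 3550 convention), start each block on an even port and use an even span rather than the 51-port blocks shown.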
