NAT, firewall and port forwarding

Getting Started
This guide covers some of the issues you will come across if you are using your VoIP phones or PBX behind a router/firewall without public IP addresses.

Basic Configuration
NAT (Network Address Translation) is a technology most commonly used by firewalls and routers to allow multiple devices on a LAN with ‘private’ IP addresses to share a single public IP address. A private IP address is an address, usually something like 192.168.1.60, which can only be addressed from within the LAN but not from the Internet outside the LAN.

Making a call from a phone on your private network, or accepting a call from the outside world, requires what is called NAT traversal. The SIP protocol was not designed with NAT traversal in mind, and has to be ‘fudged’ to make it work properly. A key problem is that the SIP protocol only deals with call setup and signaling.

The voice traffic is handled by a separate protocol (RTP) and uses a randomly negotiated port. This means that your router often sees random packets arriving, without knowing which internal device they are destined for. At first, for both the calling party and the party receiving the call, everything will appear just fine.

The party receiving the call will see the calling party’s Caller ID and the telephone will ring, while the calling party will hear a ringing feedback tone at the other end. When the party receiving the call picks up the telephone, both the ringing and the associated ringing feedback tone at the other end will stop, as one would expect. However, the calling party will not hear the called party (one-way audio) and the called party may not hear the calling party either (no audio).

In this case, port forwarding must be set up, and the outbound proxy address nat.voipadvantage.co.uk:5082 must be used, for calls to work.
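The failure described above can be confirmed from a captured SIP message. The following is an added example, not part of the original guide, and it goes slightly beyond the text: it reads the SDP body, which is where the RTP port is negotiated, and lists every private address the phone advertises in the Via, Contact and media lines. The sample INVITE and all names in the code are constructed for illustration.

```python
import ipaddress
import re

# Constructed INVITE from a phone behind NAT; every value here is made up.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:01273000000@example.invalid SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.60:5060;branch=z9hG4bK776asdhds",
    "Contact: <sip:user@192.168.1.60:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 0 0 IN IP4 192.168.1.60",
    "c=IN IP4 192.168.1.60",
    "m=audio 16390 RTP/AVP 8 0",
])

def media_endpoints(message):
    """Return the (address, port) pairs the SDP body asks the far end to send RTP to."""
    body = message.partition("\r\n\r\n")[2]
    session_addr, current, endpoints = None, None, []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]
            if current is None:
                session_addr = addr      # session-level default
            else:
                current[0] = addr        # media-level override
        elif line.startswith("m="):
            current = [session_addr, int(line.split()[1])]
            endpoints.append(current)
    return [tuple(e) for e in endpoints]

def private_addresses(message):
    """List (field, address) for each private address the message advertises."""
    found = []
    for line in message.partition("\r\n\r\n")[0].split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "contact"):
            for addr in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", value):
                if ipaddress.ip_address(addr).is_private:
                    found.append((name.strip(), addr))
    for addr, port in media_endpoints(message):
        if addr and ipaddress.ip_address(addr).is_private:
            found.append((f"RTP port {port}", addr))
    return found

if __name__ == "__main__":
    for field, addr in private_addresses(SAMPLE_INVITE):
        print(f"{field}: {addr} is not reachable from the Internet")
```

An empty result means the message advertises only public addresses; any entry for an RTP port is an address the far end will send voice packets to and never reach.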

Advanced Configuration
The following ports need to be opened for various hardware VoIP devices. Please refer to your firewall instructions on how to achieve this. Please note that these are the default settings for these devices. You can of course manually force the devices to use any range you want in order to restrict the open ports on your firewall, and this must be done if multiple devices are being used behind the router. Please consult the relevant device documentation on how to do this.

Xten softphones

Port Type   Number        Service
UDP         3478          STUN SERVER COMMUNICATIONS
UDP         5060/5061     SIP COMMUNICATIONS (plus custom ports)
UDP         5082          SIP COMMUNICATIONS (OUTBOUND PROXY)
UDP         8000 – 8012   RTP, RTCP, VOICE

Two additional ports after 8001 are required for each additional line used. For example, if using a second line, UDP ports 8002-3 will be used.

Linksys Range of phones/Adaptors

Port Type   Number        Service
UDP         53            DNS PORT
UDP         3478          STUN SERVER COMMUNICATIONS
UDP         5060/61       SIP COMMUNICATIONS (plus custom ports)
UDP         5082          SIP COMMUNICATIONS (OUTBOUND PROXY)
UDP         49152-65534   RTP, RTCP, VOICE

Sipura Range of phones

Port Type   Number        Service
UDP         53            DNS PORT
UDP         3478          STUN SERVER COMMUNICATIONS
UDP         5060/61       SIP COMMUNICATIONS (plus custom ports)
UDP         5082          SIP COMMUNICATIONS (OUTBOUND PROXY)
UDP         16384-16482   RTP, RTCP, VOICE

SNOM Range of phones

Port Type   Number        Service
TCP         123           Time Server
UDP         53            DNS PORT
UDP         3478          STUN SERVER COMMUNICATIONS
UDP         5060/61       SIP COMMUNICATIONS (plus custom ports)
UDP         5082          SIP COMMUNICATIONS (OUTBOUND PROXY)
UDP         49152-65534   RTP, RTCP, VOICE

Flexor 151 Adaptor

Port Type   Number        Service
UDP         53            DNS PORT
UDP         3478          STUN SERVER COMMUNICATIONS
UDP         5060/5066     SIP COMMUNICATIONS (plus custom ports)
UDP         5082          SIP COMMUNICATIONS (OUTBOUND PROXY)
UDP         5004          RTP, RTCP, VOICE

Grandstream Range of Products

Port Type   Number        Service
UDP         53            DNS PORT
UDP         3478          STUN SERVER COMMUNICATIONS
UDP         5060/61       SIP COMMUNICATIONS (plus custom ports)
UDP         5082          SIP COMMUNICATIONS (OUTBOUND PROXY)
UDP/TCP     5004          RTP, RTCP, VOICE

Cisco Products

Port Type   Number           Service
UDP         53               DNS PORT
UDP         3478             STUN SERVER COMMUNICATIONS
UDP         5060/61          SIP COMMUNICATIONS (plus custom ports)
UDP         5082             SIP COMMUNICATIONS (OUTBOUND PROXY)
UDP/TCP     16384 to 32768   RTP, RTCP, VOICE

Asterisk servers

Port Type   Number        Service
UDP         5060          SIP COMMUNICATIONS
UDP         4569          IAX2 PROTOCOL
UDP         5036          IAX PROTOCOL
UDP         10000-20000   RTP MEDIA STREAM
UDP         2727          MEDIA GATEWAY CONTROL

Siemens Range of phones/Adaptors

Port Type   Number        Service
UDP         53            DNS PORT
UDP         3478          STUN SERVER COMMUNICATIONS
UDP         5060/61       SIP COMMUNICATIONS (plus custom ports)
UDP         5082          SIP COMMUNICATIONS (OUTBOUND PROXY)
UDP         5004-5020     RTP, RTCP, VOICE

Yealink Range of Products

Port Type   Number        Service
UDP         53            DNS PORT
UDP         3478          STUN SERVER COMMUNICATIONS
UDP         5060/65       SIP COMMUNICATIONS (plus custom ports)
UDP         5082          SIP COMMUNICATIONS (OUTBOUND PROXY)
UDP         11780-11800   RTP, RTCP, VOICE

Hosted Unified Comms – Telepo Softphone

Port Type   Number        Service
TCP         443
TCP         80
TCP         5060
TCP         5061
UDP         49152-65535   RTP, RTCP, VOICE

If you restrict your firewall to accept connections only from certain IP addresses, these are the networks we most commonly use (we do not recommend this, as our network is dynamic):

Network Address Network Size
213.166.5.128 28
193.84.87.0 24
194.165.60.0 24
195.74.60.0 23
193.111.200.0 23
79.135.96.0 19
212.11.64.0 19
194.145.191.128 27
87.238.72.128 26
87.238.74.128 26
213.166.5.128 26

Additional Problems using multiple devices behind NAT

When multiple VoIP devices are used behind a NAT firewall, it is important to make sure the correct ports are being forwarded to the correct devices; otherwise problems such as all phones ringing, no phones ringing, one-way audio, etc. will occur.

The correct way of setting up the NAT firewall and telephones is as follows.

1. Make sure the phones are allocated a static (or fixed dynamic) IP

2. Set up the firewall to port forward the correct SIP and dynamic ports. The following is an example for three VoIP devices.

   Phone 1: SIP port 5060, RTP ports 49152 – 49202
   Phone 2: SIP port 5062, RTP ports 49203 – 49253
   Phone 3: SIP port 5064, RTP ports 49254 – 49304

   You can then create six firewall services on the router:

   Service 1 for 5060 UDP
   Service 2 for 5062 UDP
   Service 3 for 5064 UDP
   Service 4 for the range 49152 – 49202 UDP
   Service 5 for the range 49203 – 49253 UDP
   Service 6 for the range 49254 – 49304 UDP

   Forward service 1 to the IP address of phone 1
   Forward service 2 to the IP address of phone 2
   Forward service 3 to the IP address of phone 3
   Forward service 4 to the IP address of phone 1
   Forward service 5 to the IP address of phone 2
   Forward service 6 to the IP address of phone 3

3. Configure the phones to use the new SIP and dynamic RTP ports

4. Reboot router, then reboot VoIP devices
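The port plan in step 2 can be generated and checked before it is typed into the router. The following is an added example, not part of the original guide: it reproduces the three-phone allocation, refuses any plan in which two forwards overlap but point at different phones (the cause of the ringing and audio problems described above), and prints the equivalent iptables DNAT rules for a Linux-based router. The LAN addresses, the interface name eth0 and all function names are assumptions; the optional allowed_src argument limits each forward to listed source networks.

```python
import ipaddress

def build_plan(phone_ips, sip_base=5060, sip_step=2, rtp_base=49152, rtp_width=51):
    """Give each phone its own SIP port and a disjoint RTP range, as in step 2."""
    plan = []
    for i, ip in enumerate(phone_ips):
        ipaddress.ip_address(ip)                 # ValueError on a malformed address
        lo = rtp_base + i * rtp_width
        if lo + rtp_width - 1 > 65535:
            raise ValueError("RTP range runs past port 65535")
        sip = sip_base + i * sip_step
        plan.append({"ip": ip, "sip": (sip, sip), "rtp": (lo, lo + rtp_width - 1)})
    return plan

def find_conflicts(plan):
    """Return pairs of forwards whose port ranges overlap but target different phones."""
    services = [(d["ip"], kind, d[kind]) for d in plan for kind in ("sip", "rtp")]
    conflicts = []
    for n, (ip_a, kind_a, (lo_a, hi_a)) in enumerate(services):
        for ip_b, kind_b, (lo_b, hi_b) in services[n + 1:]:
            if ip_a != ip_b and lo_a <= hi_b and lo_b <= hi_a:
                conflicts.append(((ip_a, kind_a), (ip_b, kind_b)))
    return conflicts

def iptables_rules(plan, wan_if="eth0", allowed_src=None):
    """Render one UDP DNAT rule per service (per allowed source network, if given)."""
    conflicts = find_conflicts(plan)
    if conflicts:
        raise ValueError(f"overlapping forwards: {conflicts}")
    rules = []
    for src in (allowed_src or [None]):
        match = f"-s {ipaddress.ip_network(src)} " if src else ""
        for d in plan:
            for lo, hi in (d["sip"], d["rtp"]):
                dport = str(lo) if lo == hi else f"{lo}:{hi}"
                rules.append(f"iptables -t nat -A PREROUTING -i {wan_if} {match}"
                             f"-p udp --dport {dport} -j DNAT --to-destination {d['ip']}")
    return rules

if __name__ == "__main__":
    phones = ["192.168.1.61", "192.168.1.62", "192.168.1.63"]  # constructed LAN addresses
    print("\n".join(iptables_rules(build_plan(phones))))
```

DNAT rules only rewrite the destination; a router whose FORWARD chain drops traffic by default also needs matching accept rules for the same ports.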