
Restricting the number of rtp ports used by PBXiaF

Discussion in 'Help' started by dallas, May 16, 2008.

  1. dallas Member

    I've searched the forum but 'rtp' is too short for the search engine.
    I want to restrict rtp to the barest minimum number of ports. I don't expect more than 3 concurrent SIP calls. I have no SIP trunks.
    Any suggestions as to how many I need open in the firewall? One for each direction of voice traffic? Can I use a different range on my lan vs through the firewall to the net?
  2. jroper Guru

    Hi

    There should not be a problem letting all the ports through, as it is only SIP listening on the other side, they cannot do anything else. Unless of course you have got one of those really cheap routers that does not allow you to put in port ranges.

    However to answer your question. The NAT=Yes setting in sip.conf makes the two ends use the same port so that to the NAT device, the returning audio hits the same port that was opened by the outgoing audio.

    If the audio does come back on a different port, as it is designed to do in SIP, then the NAT device would not know how to send the packets on to Asterisk, as they would be turning up on an unrelated port, and therefore would be dropped. SIP-aware expensive firewalls can cope with this.

    So the first thing to do is ensure that every extension is set to NAT = yes, or do it globally. I think this is done by default by FreePBX.

    Next, we need an RTP stream available for every phone, just in case everyone does call at once. So let's assume that you have 5 phones - it does not matter to Asterisk whether they are internal or external.

    We need to adjust the SIP ports that Asterisk is listening on. So in /etc/asterisk/rtp.conf, you will see an entry like this:

    rtpstart=10000
    rtpend=20000

    Change the end port to rtpend=10004 to give you 5 ports, and do an amportal restart.

    So in theory, you should be able to direct the following UDP ports to the Asterisk server. 5060, 10000->10004

    If you have more phones, you will need more RTP ports.

    As ever no guarantees that this will not break everything.

    Joe
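
Added example, not part of the thread or of FreePBX: a check that the UDP ports forwarded at the firewall match the range set in rtp.conf as described in the reply above. It relies on Asterisk binding RTP to even ports with RTCP on the next odd port, so the 10000-10004 range yields three RTP/RTCP pairs. The function names and the sample file text are constructed for illustration, and an even rtpstart (as in the default 10000) is assumed.

```python
import re

# Constructed sample of /etc/asterisk/rtp.conf after the edit described above.
SAMPLE_RTP_CONF = """\
; RTP configuration
[general]
rtpstart=10000   ; first UDP port for media
rtpend=10004
"""
SIP_PORT = 5060  # UDP signalling port named in the post


def parse_rtp_range(text):
    """Return (rtpstart, rtpend) from rtp.conf text; ';' starts a comment."""
    found = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        m = re.fullmatch(r"(rtpstart|rtpend)\s*=\s*(\d+)", line, re.I)
        if m:
            found[m.group(1).lower()] = int(m.group(2))
    if set(found) != {"rtpstart", "rtpend"}:
        raise ValueError("rtpstart and rtpend must both be set")
    start, end = found["rtpstart"], found["rtpend"]
    # Sanity limits chosen for this example; odd rtpstart is not handled.
    if not 1024 <= start <= end < 65535 or start % 2:
        raise ValueError(f"unsupported RTP range {start}-{end}")
    return start, end


def media_ports(start, end):
    """(RTP, RTCP) pairs: RTP on each even port in range, RTCP on RTP + 1."""
    return [(p, p + 1) for p in range(start, end + 1, 2)]


def audit_forwards(forwarded, start, end):
    """Compare UDP ports forwarded at the firewall with what the PBX can use."""
    pairs = media_ports(start, end)
    needed = {SIP_PORT} | {rtp for rtp, _ in pairs}
    allowed = needed | {rtcp for _, rtcp in pairs}
    forwarded = set(forwarded)
    return {"streams": len(pairs),
            "missing": sorted(needed - forwarded),
            "excess": sorted(forwarded - allowed)}


if __name__ == "__main__":
    lo, hi = parse_rtp_range(SAMPLE_RTP_CONF)
    print(audit_forwards([5060, *range(10000, 10005)], lo, hi))
```

Ports reported under "excess" are forwarded to the PBX but never used by it under this configuration, so they can be closed at the firewall.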
  3. dallas Member

    Thanks Joe,

    I now (think) I understand how it all works. I use sme-server as my gateway / firewall. I'm not sure if it is SIP aware or not.

    Your reply gives me plenty of information to allow me to experiment with remote SIP extensions without the hair pulling associated with testing blindly. Thanks again.

    Dallas
  4. dallas Member

    Resolved

    I did some testing yesterday.
    I have set all the SIP settings for an external extension (nat=yes, qualify=yes, externalip, localnet in sip.conf...) and I restricted rtp to 50 ports.
    In my sme-server I have port forwarded only 5060 to the PiaF.
    So to answer my original question; I don't need to open any rtp ports on the firewall. My external registers and I get two way audio.

    Dallas
  5. wardmundy Nerd Uno

    It's kinda like web browsing. You don't have to point your firewall to your PC to receive incoming HTTP packets... unless you have a quirky provider or unless you're sitting outside the firewall and want to communicate from behind the firewall (through an Asterisk server, for example). ;)
  6. jroper Guru

    The success or failure of passing SIP through firewalls and routers would appear to be down to the type of NAT device you are using. Asterisk can only do so much to help.

    Joe
  7. stuck Member

    In your ATA converter do you have a section that specifies the RTP ports? Did you change those to match your router?
    The PAP2s have default values in the 16000s. I wonder, if they don't match the Asterisk setting, whether it would cause problems?
  8. dallas Member

    I'm not using an ATA, I'm using a remote Zoiper Biz softphone in the wild.
