Q. Can I operate VoIP behind a firewall and with Network Address Translation (NAT)?

 

If your computer is behind a firewall, certain ports must be open to allow your VoIP Phone/Adaptor to communicate with our Servers.

 

The following ports are the ones you need to open for various hardware VoIP devices. Please refer to your firewall instructions on how to achieve this.

 

Please note that these are the default settings for these devices. You can of course manually force the devices to use any range you want in order to restrict the open ports on your firewall. Please consult the relevant device documentation on how to do this.

 

Xten softphones: 

| Port Type | Number | Service |
|---|---|---|
| UDP | 3478 | STUN SERVER COMMUNICATIONS |
| UDP | 5060/5061 | SIP COMMUNICATIONS (plus custom ports) |
| UDP | 5082 | SIP COMMUNICATIONS (OUTBOUND PROXY) |
| UDP | 8000 - 8012 | RTP,RTCP,VOICE |

Two additional ports after 8001 are required for each additional line used.
For example, if using a second line, UDP ports 8002-3 will be used.

 

Sipura Range of phones: 

| Port Type | Number | Service |
|---|---|---|
| UDP | 53 | DNS PORT |
| UDP | 3478 | STUN SERVER COMMUNICATIONS |
| UDP | 5060/61 | SIP COMMUNICATIONS (plus custom ports) |
| UDP | 5082 | SIP COMMUNICATIONS (OUTBOUND PROXY) |
| UDP | 16384 - 16482 | RTP,RTCP,VOICE |

 

SNOM Range of phones: 

| Port Type | Number | Service |
|---|---|---|
| UDP | 53 | DNS PORT |
| UDP | 3478 | STUN SERVER COMMUNICATIONS |
| UDP | 5060/61 | SIP COMMUNICATIONS (plus custom ports) |
| UDP | 5082 | SIP COMMUNICATIONS (OUTBOUND PROXY) |
| UDP | 49152 - 65534 | RTP,RTCP,VOICE |

Cisco Products: 

| Port Type | Number | Service |
|---|---|---|
| UDP | 53 | DNS PORT |
| UDP | 3478 | STUN SERVER COMMUNICATIONS |
| UDP | 5060/61 | SIP COMMUNICATIONS (plus custom ports) |
| UDP | 5082 | SIP COMMUNICATIONS (OUTBOUND PROXY) |
| UDP | 16384 to 32768 | RTP,RTCP,VOICE |

 

Asterisk servers: 

| Port Type | Number | Service |
|---|---|---|
| UDP | 5060 | SIP COMMUNICATIONS |
| UDP | 4569 | IAX2 PROTOCOL |
| UDP | 5036 | IAX PROTOCOL |
| UDP | 10000-20000 | RTP MEDIA STREAM |
| UDP | 2727 | MEDIA GATEWAY CONTROL |

 

Note: An outbound proxy is mostly used in the presence of a firewall/NAT to handle the signaling and media traffic across the firewall. Generally, if you have an outbound proxy and you are not using STUN or other firewall/NAT traversal mechanisms, you can use it. However, if you are using STUN or other firewall/NAT traversal tools, do not use an outbound proxy at the same time. If your firewall restricts incoming connections, you may have to use an outbound proxy to receive audio properly.

Expat Email/emailitis.com Outbound Proxies are:      
nat.expat-voip.com:5082    and
nat2.expat-voip.com:5082

 

STUN stands for Simple Traversal of UDP over NAT. It is a protocol that enables an IP phone to detect the presence and type of the NAT behind which the phone is placed. An IP phone that supports STUN can replace the private IP address and port in its SIP/SDP messages with the NAT-mapped public IP address and port, which it learns through a series of STUN queries against a STUN server located on the public Internet. This allows SIP signaling and RTP media to traverse a NAT successfully without requiring any configuration changes on the NAT. STUN presents a working solution for most NATs that are not symmetric NAT. For example, most SOHO routers have non-symmetric NAT, and in this case it is OK to use STUN. However, STUN does NOT work with symmetric NAT, and if your routers have built-in symmetric NAT, do not use STUN.

The Expat Email/emailitis.com STUN Server is:      
stun.expat-voip.com:3478

 

If you are restricting your firewall by incoming IP addresses you will also need to allow the following range of IP addresses through your firewall in order to be sure that your audio will be allowed between your devices and our servers:
193.111.200.0/23
213.166.5.134

 

 

If you have multiple VoIP phones/adaptors behind your firewall, you will need to assign a unique listening SIP port and a unique listening RTP port to each phone/adaptor.

 

Although we have taken the utmost care in compiling this information we cannot guarantee that the information will remain current and suggest that you check your manuals and search the internet for the latest information for the specific device you are using.

 

When multiple VoIP devices are used behind a NAT firewall, it is important to make sure the correct ports are being forwarded to the correct devices; otherwise problems such as all phones ringing, no phones ringing, or one-way audio will occur.


The correct way of setting up the NAT firewall and telephones is as follows.

 

1. Make sure the phones are allocated a static (or fixed dynamic) IP address.

2. Set up the firewall to port forward the correct SIP and dynamic ports. The following is an example for three VoIP devices.

########################

Phone 1 -
SIP port 5060
RTP ports 49152 - 49202

 

Phone 2 -
SIP Port 5062
RTP ports 49203 - 49253

 

Phone 3 -
SIP port 5064
RTP ports 49254 - 49304


You can then create six firewall services on the router,
1 for 5060 UDP
2 for 5062 UDP
3 for 5064 UDP
4 for the range 49152 - 49202 UDP
5 for the range 49203 - 49253 UDP
6 for the range 49254 - 49304 UDP
Forward service 1 to the IP address of phone 1
Forward service 2 to the IP address of phone 2
Forward service 3 to the IP address of phone 3
Forward service 4 to the IP address of phone 1
Forward service 5 to the IP address of phone 2
Forward service 6 to the IP address of phone 3

########################

3. Configure the phones to use the new SIP and dynamic RTP ports

4. Reboot router, then reboot VoIP devices
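The three-phone layout above can be generated and checked before it is typed into the router. The script below is an added example, not part of the original FAQ: it allocates the same SIP and RTP ports, reports any forward that shares a port with another (the cause of the ringing and one-way audio problems described above), and prints Linux iptables DNAT rules limited to the server addresses listed earlier. The LAN addresses, the WAN interface name eth0 and the use of a Linux router are assumptions.

```python
import ipaddress

# Source addresses the page lists for its servers (used to restrict the forwards).
PROVIDER_SOURCES = ["193.111.200.0/23", "213.166.5.134"]

def plan_phones(lan_ips, sip_base=5060, sip_step=2, rtp_base=49152, rtp_width=51):
    """Give each phone a unique SIP port and its own block of RTP ports."""
    plan = []
    for i, ip in enumerate(lan_ips):
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        rtp_lo = rtp_base + i * rtp_width
        plan.append({"ip": ip, "sip": sip_base + i * sip_step,
                     "rtp": (rtp_lo, rtp_lo + rtp_width - 1)})
    return plan

def find_conflicts(plan):
    """Return a message for every forward that shares a port with another."""
    spans = []
    for p in plan:
        spans.append((p["sip"], p["sip"], f"SIP {p['ip']}"))
        spans.append((p["rtp"][0], p["rtp"][1], f"RTP {p['ip']}"))
    problems, top_hi, top_name = [], -1, None
    for lo, hi, name in sorted(spans):
        if hi > 65535:
            problems.append(f"{name} exceeds port 65535")
        if lo <= top_hi:  # starts inside a span we have already seen
            problems.append(f"{name} overlaps {top_name}")
        if hi > top_hi:
            top_hi, top_name = hi, name
    return problems

def iptables_rules(plan, wan_if="eth0", sources=PROVIDER_SOURCES):
    """One DNAT rule per forward and per allowed source address."""
    rules = []
    for p in plan:
        for dport in (str(p["sip"]), f"{p['rtp'][0]}:{p['rtp'][1]}"):
            for src in sources:
                rules.append(f"iptables -t nat -A PREROUTING -i {wan_if} -p udp "
                             f"-s {src} --dport {dport} "
                             f"-j DNAT --to-destination {p['ip']}")
    return rules

if __name__ == "__main__":
    # Constructed LAN addresses for phones 1 to 3.
    phones = plan_phones(["192.168.1.11", "192.168.1.12", "192.168.1.13"])
    assert not find_conflicts(phones)
    print("\n".join(iptables_rules(phones)))
```

The rules cover address translation only; the router's filter rules must still permit the forwarded traffic.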


©  2008 Expat Email Ltd

emailitis.com is a trading name of Expat Email Ltd