Firewall Setup

Port forwarding and VoIP traffic

Hosted / remote customers

(On-site servers should skip down to the "Ports to forward" section)

Some enterprise-class firewalls block outbound traffic by default unless specifically allowed.  Traffic should be allowed outbound (originating from deskphones/smartphones/computers) for the following ports.

ALLOW OUTBOUND:  (this is unlikely to be restricted, but FYI)

  1. 80 TCP - web admin panel.  (http)
  2. 123 UDP - time for deskphones.  (ntp)
  3. 443 TCP - HUD authentication.  (https)
  4. 4000-4031 UDP - audio for HUDmobile. (pending)
  5. 5060 UDP - call setup and teardown for desk phones.  (sip)
  6. 5060 TCP - call setup and teardown for HUDmobile. (pending)
  7. 5222 TCP - HUD status and control.
  8. 5269 TCP - (optional) HUD external chat contacts such as Jabber and Google Chat.


Premise-based servers

(Local servers only.  Hosted customers should skip down to the "Disable SIP ALG" section)

All of the following ports MUST be forwarded to the internal IP address of your PBXtra in order to use IP phones or HUD remotely.  The one exception is port 4569, which you can skip if you know that you don't use linked servers.

FORWARD INBOUND (only for on-site servers):
  1. 5060 UDP - SIP registration, used by remote phones and VoIP carriers.
    (initiate, pick up, and end calls - call signalling and setup/teardown)
  2. 10000-20000 UDP - RTP voice traffic.
    (audio travels over a randomly selected pair of ports in this range)
  3. 5222 TCP - HUD, used by remote HUD3 clients, HUDweb, and HUDMobile.
    (5269 TCP is additionally used for external chat contacts and linked servers)
  4. 4569 UDP - IAX2 registration and audio, for linked servers.
  5. 4000-4031 UDP - only if you have HUDMobile. (pending) Will be used in the future by remote HUDMobile client softphones.
    (audio travels over a randomly selected pair of ports in this range)
  6. 443 TCP - Don't forward by default, but if HUDmobile is not connecting, try forwarding this.
  7. 5060 TCP - Don't forward by default (TCP, that is), but if HUDmobile is not connecting, try forwarding this.
  8. 8997 TCP - only if you have HUD Desktop screen sharing.

For remote phones, remote HUD, and VoIP providers to work, these ports must be forwarded inbound to the PBX.  Remote traffic hitting the public IP address of the router or firewall needs to be forwarded to the internal IP address of the PBX on the local area network.

Otherwise, remote phone traffic and VoIP providers will not be able to consistently reach or send calls to the PBX sitting behind your router or firewall.

NOTE: when performing port forwarding on your network, be sure to only allow trusted sources! Allowing untrusted sources can result in unsolicited registrants to your system.  See Security Considerations below.

ALLOW OUTBOUND (on-site servers):

Some enterprise-class firewalls block outbound traffic by default unless specifically allowed.  The PBX connects outbound on the following ports, in addition to the above.

Do not forward these ports*, but traffic should be allowed outbound (originating from the PBX) for:

  • 21 TCP - FTP for phone config downloads (and server updates, if premise-based).
  • 53 TCP/UDP - DNS, or Domain Name Service.  Used for resolving hostnames such as "".
  • 80 TCP - HTTP.  Required for the PBXtra to determine its public IP address, and download updates/patches.
  • 123 UDP - NTP, or Network Time Protocol.  Used for time and date settings.
  • 443 TCP - HTTPS.  HUD clients also use this when first setting up their username.
  • 8000 TCP - VPN tunnel.  Required by the Web Admin Panel - the PBX establishes a couple of SSH VPN tunnels back to the Fonality datacenter on this port.
    (some larger firewalls block outbound traffic on TCP port 8000 unless you add an exception.)

Tip: if your outbound firewall rules say "allow all", you shouldn't need to add specific allow rules.

* With the exception of 443, which may be required for remote HUDmobile users, if you use HUDmobile.


Inbound ports that must not allow unsolicited inbound connections

(read the Security Considerations section below)

The following inbound ports should not be forwarded.  At worst, they should be restricted to a very narrow range of IP addresses (use whitelists).

  • Don't forward: 21 FTP.  (but don't block outbound access to remote FTP servers)
  • Don't forward: 22 SSH.
  • Don't forward: 69 TFTP.
  • Don't forward: 80 HTTP.

Don't expose phones to the Internet.  At a minimum, inbound Internet access to TCP port 80 (HTTP) on the phone must be blocked.
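
The forward and don't-forward lists above can be checked mechanically against an exported set of port-forward rules.  The following is an added example, not Fonality code: the rule tuple format (protocol, first port, last port, allowed source) and the sample rules are constructed for illustration, and "any source" is taken to mean a /0 network.

```python
import ipaddress

# Port lists transcribed from this article.
NEVER_FORWARD = {21: "FTP", 22: "SSH", 69: "TFTP", 80: "HTTP"}
REQUIRED = {("udp", 5060, 5060), ("udp", 10000, 20000), ("tcp", 5222, 5222)}
OPTIONAL = {("udp", 4569, 4569), ("udp", 4000, 4031), ("tcp", 443, 443),
            ("tcp", 5060, 5060), ("tcp", 5269, 5269), ("tcp", 8997, 8997)}


def label(proto, first, last):
    return f"{proto}/{first}" if first == last else f"{proto}/{first}-{last}"


def audit(rules):
    """Return sorted findings for (proto, first, last, source) forward rules."""
    findings, seen = [], set()
    for proto, first, last, source in rules:
        key = (proto.lower(), first, last)
        seen.add(key)
        name = label(*key)
        # A wide range can silently include a port that must stay closed.
        banned = [p for p in NEVER_FORWARD if first <= p <= last]
        for p in banned:
            findings.append(
                f"{name}: exposes {NEVER_FORWARD[p]} ({p}), should not be forwarded")
        if not banned and key not in REQUIRED | OPTIONAL:
            findings.append(f"{name}: not in the article's forward list")
        # The NOTE above: forwards should only accept trusted sources.
        if ipaddress.ip_network(source).prefixlen == 0:
            findings.append(f"{name}: open to any source, restrict to trusted sources")
    for key in REQUIRED - seen:
        findings.append(f"{label(*key)}: required forward is missing")
    return sorted(findings)


# Constructed sample rules (documentation address ranges), not from a real router.
SAMPLE_RULES = [
    ("udp", 5060, 5060, "0.0.0.0/0"),
    ("udp", 10000, 20000, "198.51.100.0/24"),
    ("tcp", 22, 22, "203.0.113.7/32"),
    ("tcp", 8080, 8080, "198.51.100.0/24"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```
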


Tip 1: Disable "SIP ALG" and other SIP-related helper services on the router/firewall

SIP helpers typically do more harm than good.  In almost all cases, the following items should be disabled: "SIP ALG", "SIP Session Helper", "SIP Fixup", "SIP Debug", "SIP NAT Traversal".

Read this article for in-depth information.  See the malformed-packet section below for detailed information on what this is and how to fix it.


Tip 2: Malformed SIP packets will cause problems.

FONcore expects to see uniform SIP packets.  If the SIP packet has been modified in any way, the packet may be discarded, leading to dropped calls or the inability to connect a call.  Usually this occurs when features on firewalls/NATs try to help SIP communication by altering SIP packets, but this actually ends up interfering with FONcore's built-in method of traversing NATs.  Common names for some of these features are "SIP Fixup", "SIP Debug", "SIP NAT Traversal" or "SIP ALG", but there are many other names as well.

Packets may also be processed by FONcall but the call can experience lost audio due to dropped packets or one-way audio if FONcall does not know where to send RTP packets because of a malformed source port.
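
One way to confirm that a helper is altering packets is to capture the same SIP message on both sides of the firewall and compare the payloads: plain NAT rewrites only the IP/UDP headers, so any difference inside the SIP text or its SDP body points to a helper.  The following is an added example, not Fonality code; both messages are constructed (trimmed, documentation addresses) and are assumed to have been matched by Call-ID and CSeq.

```python
from collections import defaultdict


def fields(payload: bytes):
    """Map each SIP header name / SDP key to its list of values."""
    head, _, body = payload.partition(b"\r\n\r\n")
    out = defaultdict(list)
    lines = head.decode("utf-8", "replace").split("\r\n")
    out["start-line"].append(lines[0])
    for line in lines[1:]:
        name, _, value = line.partition(":")
        out[name.strip().lower()].append(value.strip())
    for line in body.decode("utf-8", "replace").split("\r\n"):
        if "=" in line:
            out["sdp " + line[:2]].append(line[2:])
    return out


def altered_fields(sent: bytes, received: bytes):
    """Names of fields whose values differ between the two captures."""
    a, b = fields(sent), fields(received)
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))


# Constructed capture on the phone side of the firewall.
SENT = b"\r\n".join([
    b"INVITE sip:100@pbx.example.com SIP/2.0",
    b"Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776a",
    b"From: <sip:201@pbx.example.com>;tag=1928",
    b"To: <sip:100@pbx.example.com>",
    b"Call-ID: a84b4c76e66710",
    b"CSeq: 1 INVITE",
    b"Contact: <sip:201@192.168.1.50:5060>",
    b"Content-Type: application/sdp",
    b"",
    b"v=0", b"o=- 0 0 IN IP4 192.168.1.50", b"s=-",
    b"c=IN IP4 192.168.1.50", b"t=0 0", b"m=audio 11000 RTP/AVP 0", b"",
])
# Constructed capture on the PBX side, after a helper rewrote addresses and the RTP port.
RECEIVED = (SENT.replace(b"192.168.1.50", b"203.0.113.10")
                .replace(b"m=audio 11000", b"m=audio 40122"))

if __name__ == "__main__":
    print(altered_fields(SENT, RECEIVED))
```

An empty result means the payload crossed the firewall untouched; changed `via`, `contact` or SDP `c=`/`m=` fields match the malformed-source-port symptom described above.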


Tip 3: UDP Timeouts

On certain firewalls/routers, it may be necessary to raise UDP timeouts to 90 seconds to ensure that phones don't briefly become unreachable (which can happen if the timeouts are at 30 seconds).  These may be found under Firewall: Access Rules on some models, Advanced: Network, or Advanced: Conntrack/Netfilter on others, to name a few possible locations.