Restricting the number of rtp ports used by PBXiaF

dallas

Active Member
Joined
Oct 21, 2007
Messages
844
Reaction score
247
I've searched the forum but 'rtp' is too short for the search engine.
I want to restrict rtp to the barest minimum number of ports. I don't expect more than 3 concurrent SIP calls. I have no SIP trunks.
Any suggestions as to how many I need open in the firewall? One for each direction of voice traffic? Can I use a different range on my lan vs through the firewall to the net?
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
Hi

There should not be a problem letting all the ports through, as it is only SIP listening on the other side, they cannot do anything else. Unless of course you have got one of those really cheap routers that does not allow you to put in port ranges.

However to answer your question. The NAT=Yes setting in sip.conf makes the two ends use the same port so that to the NAT device, the returning audio hits the same port that was opened by the outgoing audio.

If the audio does come back on a different port, as it is designed to do in SIP, then the NAT device would not know how to send the packets on to Asterisk, as they would be turning up on an unrelated port, and therefore would be dropped. SIP-aware expensive firewalls can cope with this.

So the first thing to do is ensure that every extension is set to NAT = yes, or do it globally. I think this is done by default by FreePBX.

Next, we need an RTP stream available for every phone, just in case everyone does call at once. So let's assume that you have 5 phones - it does not matter to Asterisk as to whether they are internal or external.

We need to adjust the SIP ports that Asterisk is listening on. So in /etc/asterisk/rtp.conf, you will see an entry like this: -

rtpstart=10000
rtpend=20000

Change the end port to rtpend=10004 to give you 5 ports, and do an amportal restart.

So in theory, you should be able to direct the following UDP ports to the Asterisk server. 5060, 10000->10004

If you have more phones, you will need more RTP ports.

As ever no guarantees that this will not break everything.

Joe
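
An added example (not code from the thread or from Asterisk): a shell check that reads rtpstart/rtpend from rtp.conf, prints the UDP forwards described above, and reports whether the range covers the expected number of simultaneous streams. It assumes each stream occupies an even RTP port plus the next odd port for RTCP (the RFC 3550 convention); the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the RTP range in an Asterisk rtp.conf.

# Constructed sample input: rtp.conf after the edit described in the post.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[general]
rtpstart=10000   ; first UDP port for media
rtpend=10004     ; last UDP port for media
EOF

# rtp_range FILE: print "START END"; fail if either key is missing or reversed.
rtp_range() {
    awk -F= '
        { sub(/;.*/, ""); gsub(/[ \t\r]/, "") }   # drop comments and blanks
        $1 == "rtpstart" { s = $2 + 0; hs = 1 }
        $1 == "rtpend"   { e = $2 + 0; he = 1 }
        END { if (!hs || !he || e < s) exit 1; print s, e }
    ' "$1"
}

# rtp_streams START END: count even/odd port pairs that fit inside the range.
# Assumption: one stream = even RTP port + next odd port for RTCP.
rtp_streams() {
    first=$(( ($1 + 1) / 2 * 2 ))                 # round START up to even
    [ $(( first + 1 )) -le "$2" ] || { echo 0; return 0; }
    echo $(( ($2 - first + 1) / 2 ))
}

# audit_rtp FILE NEEDED: print the UDP forwards; exit status 0 if NEEDED
# streams fit, 1 if the range is too small, 2 if the file has no usable range.
audit_rtp() {
    needed=$2
    range=$(rtp_range "$1") || { echo "no usable rtpstart/rtpend in $1" >&2; return 2; }
    start=${range% *}
    end=${range#* }
    have=$(rtp_streams "$start" "$end")
    echo "forward udp/5060 and udp/$start-$end: $have streams fit, $needed needed"
    [ "$have" -ge "$needed" ]
}

# Five phones, as in the post; the hypothetical NEEDED argument is one stream each.
audit_rtp "$SAMPLE_CONF" 5 || echo "range too small for 5 simultaneous streams"
```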
 

dallas

Thanks Joe,

I now (think) I understand how it all works. :smile5: I use sme-server as my gateway / firewall. I'm not sure if it is SIP aware or not.

Your reply gives me plenty of information to allow me to experiment with remote SIP extensions without the hair pulling associated with testing blindly. Thanks again.

Dallas
 

dallas

Resolved

I did some testing yesterday.
I have set all the SIP settings for external extension, nat=yes, qualify=yes, externalip, localnet in sip.conf... & I restricted rtp to 50 ports.
In my sme-server I have port forwarded only 5060 to the PiaF.
So to answer my original question; I don't need to open any rtp ports on the firewall. My external registers and I get two-way audio.

Dallas
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
It's kinda like web browsing. You don't have to point your firewall to your PC to receive incoming HTTP packets... unless you have a quirky provider or unless you're sitting outside the firewall and want to communicate from behind the firewall (through an Asterisk server, for example). ;)
 

jroper

The success or failure of passing SIP through firewalls and routers would appear to be down to the type of NAT device you are using. Asterisk can only do so much to help.

Joe
 

stuck

Member
Joined
Nov 8, 2007
Messages
238
Reaction score
1
dallas said:
I did some testing yesterday.
I have set all the SIP settings for external extension, nat=yes, qualify=yes, externalip, localnet in sip.conf... & I restricted rtp to 50 ports.
In my sme-server I have port forwarded only 5060 to the PiaF.
So to answer my original question; I don't need to open any rtp ports on the firewall. My external registers and I get two-way audio.

Dallas

In your ATA converter do you have a section that specifies the RTP ports? Did you change those to match your router?
The PAP2's have default values in the 16000's. I wonder if they don't match the Asterisk setting whether it would cause problems?
 

dallas

I'm not using an ATA, I'm using a remote Zoiper Biz softphone in the wild.
 
