My DECT-Bridge (Gigaset S850A GO) is in the ORANGE Network.
I read this
But the DECT-Bridge can not connect to the provider.
There is no difference when Masquerading is enabled or not.
Where is my misunderstanding?
Default red to orange is blocked.
Will need ports open for Phone.
As far as I have understand ORANGE → RED is allowed by default (see the wiki) so I assume that there is no additional rule necessary.
But even if I copy both of your settings, the DECT-Bridge is unable to connect to the ISP. Do you have additional masquerading enabled in Firewall-Options? (I have disabled this setting on alle LAN)
Unfortunately the remote phone server will try to open port to phone to make connections. Like ring phone . Red to orange.
My rules are:
Is there a log where I can see if and why there are packets blocked?
May i assume that the DECT bridge counterpart (ISP/PBX) is using SIP for talking to the device in your DMZ?
I assume this to 
To restrict the access I have now redirected the following incoming ports only:
| DNS (TCP) | 53 | TCP |
| DNS (UDP) | 53 | UDP |
| H323 - call signaling and control | 1731 | UDP |
| H323 call signaling and control | 1719:1720 | UDP |
| RTP | 10000:20000 | UDP |
| RTP tcp | 5004:5020 | TCP |
| RTP udp | 5004:5020 | UDP |
| SIP encrypted tcp | 5061 | TCP |
| SIP unencrypted tcp | 5060:5076 | TCP |
| SIP unencrypted udp | 5060:5076 | UDP |
| STUN | 3478 | UDP |
Can you set the DNS on the DECT unit.
There is no DNS os DHCP in orange.
Devices in orange need fixed IP.
WebGUI menu Logs > Firewall Logs will show what is blocked. Posting those will help.
I have reconfigured the DECT-Bridge to manual. And removed the fixed lease from the DHCP.
After that I have to add these two rules:
But:
There should be no need for rule 3
Unless you are trying to log those connections.
I’d like to clarify some terms that might be confusing:
NAT (Network Address Translation): Remaps the IP addresses in the source or destination fields of IP packets, maintaining a translation table for consistent mapping and routing.
DNAT (Destination Network Address Translation): Alters the destination IP and optionally the port number of incoming packets. Useful for directing external traffic to specific internal hosts.
SNAT (Source Network Address Translation): Modifies the source IP and optionally the port number of outgoing packets. Used for mapping multiple internal IPs to a single or multiple public IPs. Essential for some protocols like SIP.
Masquerading: A form of SNAT where the source IP is set to the IP of the outgoing network interface. Useful for dynamic IPs.
For your VOIP setup, you’ll need to use DNAT to divert incoming traffic to your DECT-Bridge. This is handled by rule 4. You’ll also need to configure either SNAT (for fixed public IPs) or Masquerading (for dynamic public IPs) for the outbound traffic from the DECT-Bridge to ensure SIP functionality. This would be addressed in rule 3.
If your public IP is fixed, you can use SNAT for better efficiency, though Masquerading will work as well. For specifying SNAT or MASQUERADE, you’ll need to manually configure iptables rules in firewall.local. I believe that when writing a rule using the WUI, it will be done automatically.
