My DECT-Bridge (Gigaset S850A GO) is in the ORANGE Network.
I read this

that there is no(!) fence between the ORANGE LAN and the Internet. That means that there should be no connection problems!

But the DECT-Bridge cannot connect to the provider.

There is no difference when Masquerading is enabled or not.

Where is my misunderstanding?

Default red to orange is blocked.

Will need ports open for Phone.


As far as I understand, ORANGE → RED is allowed by default (see the wiki), so I assume that no additional rule is necessary.
But even if I copy both of your settings, the DECT-Bridge is unable to connect to the ISP. Do you have additional masquerading enabled in Firewall Options? (I have disabled this setting on all LANs.)

Unfortunately the remote phone server will try to open a port to the phone to make connections, like ringing the phone. Red to orange.

My rules are:

From my POV this is more than necessary. ORANGE → RED should be allowed by default, as the wiki explains. But the DECT-Bridge is unable to log in to the ISP.

Is there a log where I can see if and why there are packets blocked?

May I assume that the DECT bridge counterpart (ISP/PBX) is using SIP for talking to the device in your DMZ?

I assume this too :wink:
To restrict the access I have now redirected the following incoming ports only:

  • H.323 call signaling and control: 1731 UDP
  • H.323 call signaling and control: 1719:1720 UDP
  • RTP: 10000:20000 UDP
  • RTP: 5004:5020 TCP
  • RTP: 5004:5020 UDP
  • SIP encrypted: 5061 TCP
  • SIP unencrypted: 5060:5076 TCP
  • SIP unencrypted: 5060:5076 UDP

Can you set the DNS on the DECT unit?
There is no DNS or DHCP in orange.
Devices in orange need a fixed IP.


WebGUI menu Logs > Firewall Logs will show what is blocked. Posting those will help.


I have reconfigured the DECT-Bridge to manual and removed the fixed lease from the DHCP.

After that I have to add these two rules:


shows me that ORANGE is allowed to reach the RED LAN. Why do I need rule no. 3?
OK, it seems it is because there is a needed port redirection. Why does this rule need this port redirection?
Maybe it is better/easier to use the masquerading in the firewall options? Right now they are all disabled.

There should be no need for rule 3, unless you are trying to log those connections.

I’d like to clarify some terms that might be confusing:

  • NAT (Network Address Translation): Remaps the IP addresses in the source or destination fields of IP packets, maintaining a translation table for consistent mapping and routing.

  • DNAT (Destination Network Address Translation): Alters the destination IP and optionally the port number of incoming packets. Useful for directing external traffic to specific internal hosts.

  • SNAT (Source Network Address Translation): Modifies the source IP and optionally the port number of outgoing packets. Used for mapping multiple internal IPs to a single or multiple public IPs. Essential for some protocols like SIP.

  • Masquerading: A form of SNAT where the source IP is set to the IP of the outgoing network interface. Useful for dynamic IPs.

For your VoIP setup, you’ll need to use DNAT to divert incoming traffic to your DECT-Bridge. This is handled by rule 4. You’ll also need to configure either SNAT (for fixed public IPs) or Masquerading (for dynamic public IPs) for the outbound traffic from the DECT-Bridge to ensure SIP functionality. This would be addressed in rule 3.

If your public IP is fixed, you can use SNAT for better efficiency, though Masquerading will work as well. For specifying SNAT or MASQUERADE, you’ll need to manually configure iptables rules in firewall.local. I believe that when writing a rule using the WUI, it will be done automatically.
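The following is an added example, not code from any poster in this thread or from the firewall project, of what the iptables rules described in the post above (DNAT inbound to the DECT-Bridge, SNAT or MASQUERADE outbound) could look like if written by hand for firewall.local. It also applies the earlier advice that RED → ORANGE is blocked by default and only the listed SIP/RTP ports should be opened: the DNAT rules are limited to the provider's address and to those port ranges. Interface names (`red0`, `orange0`), the DECT-Bridge, provider and public addresses, and the use of the standard `PREROUTING`/`POSTROUTING` chains are all assumptions; adapt them to your own zones and to any custom chains your firewall script expects.

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables NAT rules for a SIP
# device in the ORANGE zone. All addresses and interface names are assumptions.

# Port ranges taken from the list posted earlier in the thread.
SIP_UDP="5060:5076"
SIP_TCP="5060:5076"
SIP_TLS_TCP="5061"
RTP_UDP="10000:20000"

# build_nat_rules RED_IF ORANGE_IF DECT_IP PROVIDER_IP [PUBLIC_IP]
# Prints the iptables commands instead of running them, so they can be
# reviewed first and then applied with:  build_nat_rules ... | sh
# With PUBLIC_IP given the outbound rule uses SNAT (fixed public address);
# without it, MASQUERADE (dynamic address), as the post above distinguishes.
build_nat_rules() {
  red_if=$1; orange_if=$2; dect_ip=$3; provider_ip=$4; public_ip=${5:-}
  if [ -z "$red_if" ] || [ -z "$orange_if" ] || [ -z "$dect_ip" ] || [ -z "$provider_ip" ]; then
    echo "usage: build_nat_rules RED_IF ORANGE_IF DECT_IP PROVIDER_IP [PUBLIC_IP]" >&2
    return 1
  fi

  # Inbound (RED -> ORANGE): DNAT only from the provider and only the
  # signalling/media ports, plus the matching FORWARD accept so the
  # translated packet is not dropped by the default RED -> ORANGE block.
  for spec in "udp $SIP_UDP" "tcp $SIP_TCP" "tcp $SIP_TLS_TCP" "udp $RTP_UDP"; do
    set -- $spec   # $1 = protocol, $2 = port or port range
    echo "iptables -t nat -A PREROUTING -i $red_if -s $provider_ip -p $1 --dport $2 -j DNAT --to-destination $dect_ip"
    echo "iptables -A FORWARD -i $red_if -o $orange_if -s $provider_ip -d $dect_ip -p $1 --dport $2 -j ACCEPT"
  done

  # Outbound (ORANGE -> RED): rewrite the DECT-Bridge's source address so the
  # provider sees the public IP; SNAT if fixed, MASQUERADE if dynamic.
  if [ -n "$public_ip" ]; then
    echo "iptables -t nat -A POSTROUTING -o $red_if -s $dect_ip -j SNAT --to-source $public_ip"
  else
    echo "iptables -t nat -A POSTROUTING -o $red_if -s $dect_ip -j MASQUERADE"
  fi
}

# Demo run with constructed (documentation-range) addresses; prints the rules.
build_nat_rules red0 orange0 192.168.3.10 203.0.113.5 198.51.100.7
```

Once the printed rules look right for your zones, they can be pasted into the start section of firewall.local. Keeping the provider address in the DNAT and FORWARD rules matters: without it the SIP and RTP ranges are open to the whole Internet, which is exactly what the default RED → ORANGE block is there to prevent.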