Need to open ports for VOIP

Need to open some ports for VOIP phone system to work from inside IPFire firewall. I have done a couple of port forwards, but don’t know how to just “open” traffic on some particular port(s). Can’t find any “how to’s” that cover this subject in the IPFire documentation. Was requested to open ports:
10000-20000 udp to 216.198.105.90
5060 udp to 216.198.105.90
443 tcp to 216.198.100.250

In general I think that port 5060 is for setting up the SIP call, then the actual call takes place on available ports in the 10000 to 20000 range. (or something along those lines). That is about as much as I understand about VOIP. LOL

  1. There is a voicevox E510 box that sits inside the Green (LAN) side and all calls from the handsets go through that. The E510 would of course have some IP address on my local LAN. On the “Firewall Rules” page would I put the specific IP address (ex 216.198.105.90) in the Source box and Green (or maybe the IP address of the E510) in the Destination box with NAT checked and UDP in the Protocol section? Am I on the right track or have I entirely missed the point?

  2. How do I open up the entire range 10000 to 20000 without doing rules for each one (i.e. 10000, 10001, 10002, etc.)?

Did you see the firewall rule wiki pages in this section?

I am fairly sure 216.198.105.90 is an external address for your set-up. And anything from GREEN → RED is open. So nothing needs to be done. See bottom of this Wiki page:

I think it is either 10000-20000 or 10000:20000 but I am not sure.

If this is from GREEN to RED it is not needed. If it is from RED to GREEN then I am not sure it should be that open.

It’s been too long since I experimented with VOIP. So it would be better to wait for someone with VOIP type skills!


Would also recommend setting up a service group.


I hope the following pages can be helpful

https://support.digium.com/s/article/Firewall-NAT-Checklist

edit
https://support.digium.com/community/s/article/How-to-Set-Up-and-Manage-Switchvox-for-the-Switchvox-Softphone

https://support.digium.com/community/s/article/What-are-the-Differences-among-the-Basic-Network-Topologies-Used-with-the-Switchvox-Softphone-for-iPhone

For IPTables, it’s the second:

iptables -A INPUT -p tcp --dport start:end -j ACCEPT
iptables -A INPUT -p udp --dport start:end -j ACCEPT

Hey there,

First of all make sure that in your “modem” all options for VOIP are “unblocked”. I have a FritzBox and once I accidentally blocked VOIP in the FritzBox, then no matter what I tried on the IPFire, calls would never go through. :smiley:

Anyway, concerning IPFire:

Clarify if you need SIP (Port 5060) or SIPoverTLS (Port 5061); it depends on whether your phone system uses an encrypted connection or not.

Simplified: The SIP-ports are for building up and managing the call itself, think of it as the “permission to ring”.

10000-20000 look like RTP-ports. These ports are needed for the audio transmission, as soon as the call is answered. In IPFire you need to use a colon if you want to define a port range. “10000:20000” would mean every port from 10000 to 20000.

443 obviously is https, I guess this is for your voicevox to connect to a server? I don’t know how this voicevox works, so I can only guess BUT because you wrote that you need to open the ports to only two external IP addresses, I would assume that the voicevox is something like a client that connects to a server on the web.

In this case, you only need to allow OUTGOING connections, so from GREEN (or rather the voicevox) to the external IP addresses.

Depending on your setup (what is between your IPFire and the Internet?) and the configuration of your IPFire in general (NAT activated?), you do not need to activate NAT specifically in this one firewall-rule.

Wrapping up (the comfortable way):

Create a host: 216.198.100.250
Create another host: 216.198.105.90
Create a host-group with both hosts in it.

Create a service for SIP (5060) or SIPoverTLS (5061).
Create another service for RTP (10000:20000).
Create another service for HTTPS (443).
Create a service-group with all the services in it.

Allow traffic from your voicevox to the newly created host-group and as protocols choose the newly created service-group.

Personal opinion: You could separate the traffic to the two different external IP addresses for security reasons but this seems a bit overkill in this case.

Please note: If my assumption is wrong and the voicevox is something like a phone server itself, the RTP and SIP ports have to be opened to the whole RED network and not just one IP because these ports must be opened to every IP address you want to call (at least for “direct connections”). On the other hand, there would be no need for the open port 443 to an external IP address if the voicevox is a server itself. Also if the voicevox is a server you need to allow INGOING traffic as well because it must be reachable for people who want to call you.

A bit much text but I hope this explains some things. =)

Greetings

Alex


This rule should not be required on the green network (or even the orange) if there are no restrictions imposed by the administrator, as the default to RED is “allowed”. Do you know that you need this rule?

I do not understand this sentence. host-group to reach the server in green should need a NAT, should it not?


Hey cfusco,

You are absolutely right, this rule is not needed with the “standard” IPFire-configuration because all traffic which is forwarded would be allowed in the first place. My standard-config is “block everything” and then I only whitelist the services I need. Maybe it’s a bit too much but I think that’s the way a correctly configured firewall should be and the good thing is you learn what ports/services are really needed (for which applications) and which are not. Although I must confess, it is kind of annoying sometimes. :smiley:

That depends on whether the voicevox is only a client or a server. If it’s a server, yes he would need destination NAT for his ingoing-rules (for incoming calls). If it’s only a client he would not need this because the telephone system on the web (to which the connection is already established) would handle the calls and the routing.

Greetings

Alex


What is the emoji for a standing ovation? Congratulations sir, you belong to a very restricted group of people that have done at least one difficult thing, just because it is the right thing to do. I am ashamed to admit that I do not belong to this group (yet).

Clear explanation, now I got it. I learned something new today. Thank you.


I am in the same group. I’ve read and re-read the documentation and I’ve not been able to set things up properly.
:disappointed:


The more I read the more confused I become:
1) Where exactly does the firewall sit? I would think it is a “thing” that sits between the red zone and the internal zones (blue, green, and orange) and controls traffic in and out of the router, but it also appears that it somewhat controls traffic between the internal zones (i.e. between blue and green, between green and orange, etc.)
2) When looking at the default ruleset at the bottom of the page you reference, I see (in color) an entry Red → Firewall AS WELL AS entries for Red → Orange, Blue, & Green (i.e. internal zones). Not sure what difference that implies. Isn’t the firewall what sits between the Red zone (i.e. the outside world) and Orange, Blue, & Green (i.e. the internal zones)?

The firewall sits between red and all zones,
like the hub in a wheel.
I would take all of your handset IPs and make a “network group” “handsets”.
Then make a “network group” “IP phone network”.
Then make a “service group” “PBX phone”.
Add services needed for phone,
like port 5060 udp,
port 443 tcp,
port 10000:20000 udp.

Then make a firewall rule to allow “IP phone network” to the “handsets” group,
select service group “PBX phone”.
Now the fun part here is, if firewall default behavior is “blocked”,
then you will probably need a rule for “handsets” to reach “IP phone network” also.

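As an added example (not from this thread, the IPFire wiki or IPFire's own tooling) that serves both Alex's host-group/service-group recipe earlier in the thread and the “handsets” / “PBX phone” group rule just above, this POSIX shell script expands such a group-to-group allow rule into the iptables FORWARD rules it amounts to, and normalises the “10000-20000” vs “10000:20000” range syntax that was in doubt. The voicevox address 192.168.1.20 is an assumed placeholder, and the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example, not from the thread or IPFire: expand an IPFire-style
# "source group -> destination group, service group" allow rule into the
# iptables FORWARD rules it amounts to. Rules are printed, not applied.

# IPFire writes a port range as "low:high"; accept "low-high" too and check it.
to_iptables_range() {
    r=$(printf '%s' "$1" | tr '-' ':')
    lo=${r%%:*}; hi=${r##*:}
    [ -n "$lo" ] && [ -n "$hi" ] || { echo "empty port: '$1'" >&2; return 1; }
    case "$lo$hi" in *[!0-9]*) echo "non-numeric port: $1" >&2; return 1;; esac
    [ "$lo" -le "$hi" ] || { echo "reversed range: $1" >&2; return 1; }
    printf '%s' "$r"
}

# Service group "PBX phone": proto/port entries exactly as listed in the thread.
PBX_SERVICES="udp/5060 udp/10000-20000 tcp/443"

# fw_allow_group "SRC ..." "DST ..." : one stateful ACCEPT per source host,
# per destination host and per service, so only listed hosts may open a session.
fw_allow_group() {
    for src in $1; do
        for dst in $2; do
            for svc in $PBX_SERVICES; do
                proto=${svc%%/*}
                ports=$(to_iptables_range "${svc#*/}") || return 1
                printf 'iptables -A FORWARD -s %s -d %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
                    "$src" "$dst" "$proto" "$ports"
            done
        done
    done
}

# Client-type voicevox (Alex's recipe): outbound only, no NAT in this rule.
# 192.168.1.20 is an assumed placeholder for the voicevox on GREEN.
voip_client_rules() {
    # Replies to sessions the voicevox opened; nothing from RED may start one.
    echo 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    fw_allow_group "192.168.1.20" "216.198.105.90 216.198.100.250"
}
# A server-type voicevox would additionally need an inbound rule plus DNAT
# (port forward) on RED, as the thread notes; that case is not shown here.

voip_client_rules
```

The same fw_allow_group call with a “handsets” address list as the source and the PBX as the destination gives the internal-zone rule from the post above.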

So why are there entries in this chart that show Red → Firewall. Shouldn’t I only be concerned with Red to some Internal Zone? What does Red → Firewall even mean?