hi,
Soon I will be configuring a Yeastar S100 PBX, and I would like to know if I can, from the router, allow the ITSP service provider to enter and exit the RTP ports between 10000-12000 and 5060?
This depends on your routers. Normally, we don't need to configure port forwarding for SIP trunks.
Oscar, I am not sure I understand your response. Can you expand on how/why? Are you using keep-alive to force holes in the firewall and will the S PBX also create the hole for the provider RTP stream so that the data can come in on the port that the PBX side INVITE/183/200 (SDP) stipulated (depending on which end originated)?
Larry, it is part of my past experience.
Also, SIP trunk registration is outgoing traffic, so normally the firewall will allow it to go through. After registering correctly, the S PBX will send a SIP OPTIONS packet periodically (this is similar to a keep-alive packet), and most SIP servers will respond to the SIP OPTIONS request. This is for SIP; it keeps the dynamic NAT working for the S PBX and the SIP server.
For RTP, as most SIP servers and RTP servers use the same IP address, the firewall normally allows incoming packets from one IP address: if it allows SIP incoming, it will allow RTP packets in also.
Some firewalls might restrict to port mapping, meaning they will allow only SIP packets incoming but not RTP, especially when there are no outgoing RTP packets. This will cause a one-way audio or no audio issue. At this time, you will need to do port forwarding in the firewall/router.
See here for an explanation of the different types of NAT:
http://www.omnisecu.com/cisco-certified-network-associate-ccna/static-nat-dynamic-nat-and-pat.php
Oscar, I am very familiar with NAT/PAT and SIP options and/or keep-alives.
You kind of hit the nail on the head when you mentioned the RTP stream and the possibility of a different media server IP, which may happen at any time for an INVITE (Re-INVITE) and particularly so if a fax transition to t.38 occurs. This was what I was alluding to in my initial post.
While there are some who worry about opening ports and therefore try not doing so, I have found that it is more likely to cause issues, as there are two sides that have to traverse the firewall and you only have control of one side. I never expose a PBX directly to the Internet, regardless of whether the PBX in question has some form of firewall/router. I always put it behind a router/firewall and open the ports, but at the same time use rules to drop SIP request packets from other than desired IPs. I also close down the number of RTP ports, as the default values are usually far more than what the PBX can possibly support in simultaneous calls. I prefer that the PBX do its primary job of handling calls and not spend resources on firewall activity, and let the router in front take on the task of determining what can come in and out.
Keeping ports open by using keep-alives/SIP options or sending of empty packets is doing somewhat the same thing as port forwarding as obviously, a call that originates somewhere else that is destined for the PBX has to traverse the firewall somehow. The difference between the two is that port forwarding is implicit as to where the packets are to be directed. There is no reliance on NAT and PAT tables and no concern about how much traffic or how many streams. Such may not be the case should one have multiple devices behind the firewall, such as PBX, ATA for fax, etc. using the same ports. If it were all TCP, then not as much of an issue.
Thanks, I was just curious about the recommendation.
Thank you Oscar and Larry for sharing the knowledge with the community. It helps a lot for me to understand my one way audio issue.
hi,
Thank you all for your comments,
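
The two approaches compared in this thread, as an added example that is not part of any poster's message: a toy model of a router that only admits replies to traffic the PBX has already sent (keep-alive pinholes), next to one that forwards 5060 and 10000-12000 but drops anything not from the provider's addresses. The IP addresses, the remote media port 30000, the `Router` class and the assumption that NAT preserves source ports are all constructed for illustration.

```python
# Constructed addresses (RFC 5737 documentation ranges); not from the thread.
ITSP_SIP, ITSP_MEDIA, STRANGER = "203.0.113.10", "203.0.113.20", "198.51.100.7"

class Router:
    """Toy stateful router in front of the PBX; NAT keeps the source port."""

    def __init__(self, forwards=(), allowed_sources=()):
        self.pinholes = set()            # (pbx_port, remote_ip, remote_port)
        self.forwards = list(forwards)   # [(low_port, high_port), ...]
        self.allowed = set(allowed_sources)

    def outbound(self, pbx_port, remote_ip, remote_port):
        # Any packet the PBX sends opens a pinhole for the reverse path only.
        self.pinholes.add((pbx_port, remote_ip, remote_port))

    def inbound(self, src_ip, src_port, dst_port):
        # Static forward: accepted with no prior outbound traffic, but only
        # from allow-listed provider addresses.
        if any(lo <= dst_port <= hi for lo, hi in self.forwards):
            return src_ip in self.allowed
        return (dst_port, src_ip, src_port) in self.pinholes

def keepalive_only():
    r = Router()
    r.outbound(5060, ITSP_SIP, 5060)               # REGISTER / SIP OPTIONS
    sip_in = r.inbound(ITSP_SIP, 5060, 5060)       # incoming INVITE
    early = r.inbound(ITSP_MEDIA, 30000, 10000)    # RTP before PBX has sent any
    r.outbound(10000, ITSP_MEDIA, 30000)           # PBX starts sending RTP
    later = r.inbound(ITSP_MEDIA, 30000, 10000)
    return sip_in, early, later

def forwarded_with_allowlist():
    r = Router(forwards=[(5060, 5060), (10000, 12000)],
               allowed_sources={ITSP_SIP, ITSP_MEDIA})
    return (r.inbound(ITSP_MEDIA, 30000, 10000),   # provider RTP, no prior outbound
            r.inbound(STRANGER, 5060, 5060),       # unsolicited SIP from elsewhere
            r.inbound(STRANGER, 40000, 10000))     # unsolicited RTP from elsewhere

if __name__ == "__main__":
    print("keep-alive only (SIP in, early RTP, RTP after outbound):", keepalive_only())
    print("forward + allow-list (ITSP RTP, stranger SIP, stranger RTP):", forwarded_with_allowlist())
```

In the keep-alive case the provider's first RTP packets are dropped until the PBX has sent media of its own, which is the one-way or no-audio window described above; in the forwarded case the provider's media is accepted immediately while SIP and RTP from other sources are still dropped.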