NAT and Firewall Settings for VoIP
ITSPA Best Current Practice (BCP) for on site phone systems
For secure deployment of an IP-PBX please see - Recommendations for secure deployment of an IP-PBX - Version 2
SIP Trunks and Inbound
Asterisk
- Forward Ports 5060 UDP for SIP to your Asterisk server (please note newer versions of Asterisk may use 5160 UDP by default)
- Forward ports 10000 to 20000 UDP for RTP (Voice) to your Asterisk server.
This configuration assumes you are using the default RTP ports 10000-20000.
FreeSWITCH
- Forward port 5060 UDP to your FreeSWITCH server.
- Forward ports 10000 to 40000 UDP to your FreeSWITCH server.
This assumes you are using the FreeSWITCH default RTP range 10000-40000.
FreeSWITCH will also need to be able to access DNS (port 53 UDP) and NTP (port 123 UDP, for time). These ports should not be forwarded but your firewall should allow this traffic to pass through if required.
Other IP-PBX
Refer to your documentation for which RTP ports you need to forward.
SureVoIP Hosted
Softphones
Do not configure any port forwarding as the SureVoIP Hosted platform handles network address translations (NAT) automatically.
If you need to allow a range of ports, please allow port 5060 UDP and TCP.
RTP ports from the SureVoIP Hosted platform will be in the range 10000 to 40000.
Your internal RTP port will vary depending on which softphone client you are using.This is normally configurable from the advanced configuration page.
- Ensure STUN or ICE is Off or any NAT traversal settings
See our softphone setup guides for guidance on connecting your software to SureVoIP
Deskphones
Allow ports 5060 UDP and 10000 to 40000 UDP to pass through your firewall to access your phones. Please do not use port forwarding.
Your internal ports may differ depending on your phone model. This is normally configurable from the advanced settings page.
- Ensure STUN is Off or any NAT traversal settings.
See our phones setup guides for more info on setting up your phones to connect to SureVoIP.