Firewall Configuration for SIP Trunking


If you intend to use an outside SIP carrier for trunking your calls, then firewall configuration is a critical step in setting up your Voice Elements Platform properly. Customers using appliances (VoIP gateways) or sending traffic to a local endpoint (Cisco Call Managers or PBXs) generally don’t have to reconfigure their firewalls.

In order for Voice Elements to communicate with your SIP carrier properly, you must permit traffic for call control and permit traffic for the audio portion of each call.

Call control is normally sent to and from port 5060 using UDP. The messages that are sent over this port consist of SIP (RFC 3261) messages that start new calls and terminate established calls.

SIP Sniffers Warning

It is important to be aware of SIP sniffers.

These robots seek out SIP servers on the internet and try to break in hoping to find weaknesses that would allow them to place free calls over your system.

To combat this, we HIGHLY recommend that you only permit the IP addresses of your SIP carrier(s) to have access to this port.

Most firewalls let you specify which IP addresses may send traffic to a port, and using this feature of the firewall will greatly enhance your security.

Carriers generally publish the IP addresses they send traffic from, or you can contact their support department for more information.

If you are using our SIP trunking services, please contact support@inventivelabs.com to obtain the IP addresses that will send traffic to your servers.

Open Ports

In addition to opening port 5060 for SIP signaling, ports also need to be opened for handling the audio. Audio is transmitted and received over UDP. By default Voice Elements uses port 49152 as a starting point. How many ports you need depends on how many concurrent calls you plan to handle at the same time on your server. Additionally, each concurrent call requires two adjacent ports.

If you plan on having a 1000 “concurrent call” system using 1000 “licensed ports”, then you will need 2 times that amount for the port range you need in your firewall. This can be a little confusing because a single call requires 1 licensed “port” but needs two “IP ports” on your server.

To add one more level of complexity to the calculation, there is a possibility that one or more of the ports you need in your port range are already in use by the operating system. When this happens, Voice Elements will skip over the ports already in use and move upward. The maximum number of ports that it will skip over is 250.

So in a nutshell, the correct number of ports to open on your firewall follows this formula:

For RTP/Audio: Open UDP ports 49152 through 49152 + (2 * number of concurrent calls or licenses) + 250.

In the example above of 1000 concurrent calls, you would open the port range 49152-51402 (UDP).

NOTE: You generally don’t need to restrict these ports to the SIP carrier’s IP addresses, as many carriers use other IP addresses for sending the audio. Therefore, we generally recommend that, unless otherwise necessary, you leave these ports open to any IP address.
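The following is an added example, not code from the Voice Elements product or this article: it applies the port-range formula above and builds firewall rules that restrict SIP signaling (UDP 5060) to the carrier's published addresses while leaving the RTP range open to any source. It assumes the server runs Windows Defender Firewall managed via `netsh advfirewall`; the carrier addresses in the usage block are constructed sample values.

```python
# Added example (not part of the Voice Elements documentation). Assumes a Windows
# host whose firewall is configured with netsh; adjust for your own firewall.
import ipaddress

SIP_PORT = 5060
RTP_BASE_PORT = 49152       # Voice Elements default starting point for audio
PORT_SKIP_ALLOWANCE = 250   # max ports Voice Elements will skip if already in use
PORTS_PER_CALL = 2          # each concurrent call needs two adjacent UDP ports


def rtp_port_range(concurrent_calls, base=RTP_BASE_PORT, skip=PORT_SKIP_ALLOWANCE):
    """Return (first, last) UDP port to open: base through base + 2*calls + skip."""
    if concurrent_calls < 1:
        raise ValueError("need at least one concurrent call")
    last = base + PORTS_PER_CALL * concurrent_calls + skip
    if last > 65535:
        raise ValueError("port range exceeds 65535; lower the call count or base port")
    return base, last


def _fmt(net):
    # Single hosts as plain addresses, subnets in CIDR form, for the remoteip list
    return str(net.network_address) if net.num_addresses == 1 else net.with_prefixlen


def firewall_rules(concurrent_calls, carrier_ips):
    """Build netsh advfirewall commands for SIP signaling and RTP audio."""
    # Parse every carrier entry so a typo fails loudly instead of opening 5060 wrongly
    allowlist = [_fmt(ipaddress.ip_network(ip, strict=False)) for ip in carrier_ips]
    if not allowlist:
        raise ValueError("refusing to open the SIP port without a carrier IP allowlist")
    first, last = rtp_port_range(concurrent_calls)
    return [
        # Signaling: only the carrier may reach 5060, which keeps SIP scanners out
        'netsh advfirewall firewall add rule name="SIP from carrier" dir=in '
        f'action=allow protocol=UDP localport={SIP_PORT} remoteip={",".join(allowlist)}',
        # Audio: carriers often send RTP from other addresses, so allow any source
        'netsh advfirewall firewall add rule name="RTP audio" dir=in '
        f'action=allow protocol=UDP localport={first}-{last}',
    ]


if __name__ == "__main__":
    # Constructed sample carrier addresses (documentation ranges, not a real carrier)
    for line in firewall_rules(1000, ["203.0.113.10", "198.51.100.0/24"]):
        print(line)
```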
