
SIP Firewall ports

Status
Not open for further replies.

OldAndKnackered

Programmer
Jan 10, 2007
353
GB
I have been installing SIP on a customer's site, and although it is already up and running on another of their sites, which are all within their own cloud, and have a single connection to the outside world, the SIP on the new site keeps dropping out. The I.T./firewall people have been asked to replicate what they did at the original site for the new one, but it still keeps going down. Are the only ports needed 5060 and the RTP/RTCP port range, or is there another like ICMP, which if blocked, could cause issues? I have dropped the binding refresh time to 30s, and on Friday, when left for over an hour with no calls in or out, things still worked first time, but this happened the week before and things stopped. I know it must be a firewall thing, as I use a similar setup whenever I do SIP, and have never had this issue before, but they must be blocking something.
Any help appreciated.
 
I open the ports:

5060 UDP/TCP
5061 UDP/TCP
49152-53246 UDP
5005 UDP

You might get away with opening fewer ports, but this is what I have always done. It would be nice to close down any ports that are not necessary.

Also make sure in the router that ALG is turned "OFF".

Mike
 
Thanks Mike,

The SIP isn't set up as secure, so they're not using 5061, but I didn't ask them for 5005, I might give that a go.
 
Not sure if port 5005 will help for SIP, I think it's for monitoring H.323 traffic.

ALG caused us lots of problems, turning it off helped. Also we had customers that had the exact same problem you are having over Cable modems and they said their internet was fine, but when it came time for "Real-time" traffic it had problems. We solved this by complaining to the ISP and replacing the modems.

If you have a cable modem, start pinging the gateway from outside, then while that is pinging go to just-ping.com and ping it from there. I saw 26ms ping times go to 3000ms ping times.

Mike

 
You should not open ports 49152-53246 UDP since these contain admin/tapi etc interfaces that can be used to hack the PBX.
The ports which should be used as default were changed in 9.1 and if you have the old defaults you should change these to the new recommendations.

Port Range (minimum) IP500 V2 default = 46750. Range = 46750 to 50750.
Linux default = 40750. Range = 40750 to 50750

This sets the lower limit for the RTP port numbers used by the system.


"Trying is the first step to failure..." - Homer
 
@janni78
I actually used 49,152 - 49,406 as this worked on the other system (the systems are 9.0.4), so hopefully should be OK.

@TBITservices
I think I need to find out exactly what they are using as a Firewall etc.
 
@CatOnKeyboard
It should work but you should define the RTP ports being used under System -> LANx -> VoIP.
Although since the system always starts at the lowest port available you should be fine as long as you don't have more than 125 calls in the system.

"Trying is the first step to failure..." - Homer
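The range mismatch discussed in this thread can be checked mechanically. The following is an added example, not code from any poster or from the PBX vendor: it compares the UDP ports opened on the firewall (the list from Mike's post) with the ports the PBX needs (5060 plus the 9.1 IP500 V2 RTP range quoted above) and reports what is opened without need and what is needed but blocked. The function names and the sample lists are assumptions made for illustration.

```python
"""Audit firewall UDP port ranges against the ranges a SIP PBX actually needs."""


def merge(ranges):
    """Sort inclusive (lo, hi) ranges and merge overlapping or adjacent ones."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def subtract(a, b):
    """Return the parts of ranges `a` that are not covered by ranges `b`."""
    out = []
    b = merge(b)
    for lo, hi in merge(a):
        cur = lo
        for blo, bhi in b:
            if bhi < cur or blo > hi:
                continue  # no overlap with the remaining part of this range
            if blo > cur:
                out.append((cur, blo - 1))
            cur = max(cur, bhi + 1)
            if cur > hi:
                break
        if cur <= hi:
            out.append((cur, hi))
    return out


def audit(opened, needed):
    """excess: open but not needed (extra exposure); blocked: needed but closed."""
    return {"excess": subtract(opened, needed),
            "blocked": subtract(needed, opened)}


# Constructed sample input using the values quoted in the thread (UDP only).
OPENED = [(5060, 5060), (5061, 5061), (5005, 5005), (49152, 53246)]
NEEDED = [(5060, 5060), (46750, 50750)]  # SIP signalling + 9.1 IP500 V2 RTP range

if __name__ == "__main__":
    for kind, ranges in audit(OPENED, NEEDED).items():
        for lo, hi in ranges:
            print(f"{kind}: UDP {lo}" + (f"-{hi}" if hi != lo else ""))
```

Replace `NEEDED` with the range actually configured under System -> LANx -> VoIP before acting on the result.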
 