Frequently Asked Question

Asterisk and NAT - So simple
Last Updated 4 years ago

There are a lot of reasons today NOT to connect your IPPBX to the public internet directly, and the most important of these is the relentless probing and scanning that goes on. In our experience we only have to connect the server to the internet for a few minutes before we start seeing foreign registrations and invites.

Anyway, protecting your system isn't hard and there are a few rules to follow.

1. Use a good router. There are some very good ones and some really crap ones, and using a good router, even if it's more money, makes things so much easier and more reliable.

2. NAT it. I know people often have real issues making NAT work, but actually it's not that hard and I'll show you how to do it later. Using NAT keeps the internet away from your IPPBX and therefore minimises the risk.

3. Don't use port UDP/5060. If your trunking provider permits you to change it, then do so; this will block 99% of all the crap your system has to deal with.

4. Use IAX if available. Some trunking providers support IAX trunks; if so, use them. They are faster and more secure than SIP, and this means you can block SIP at the router and save yourself a lot of work.

This article mostly refers to a Draytek router and Asterisk 14, but all routers and IPPBXs have the same functionality; you will just have to look for it in different places.

So firstly, set up your trunking provider(s). You're going to need to know their originating IP block, the user and secret, and the ports. This is normally available via a portal of some sort. The two we're most familiar with are Telappliant/Voiptalk and Orbtalk; both have a good service but poor tech support in our experience. If you find others that have a good service AND good tech support then comment and I'll add them to the article.

The first step is to set up your router. Assuming your IPPBX is at 192.168.1.10, you'll need to find your router's NAT menu and look for 'Port Redirection' and 'Open Ports'.

In Port Redirection, we can set up an incoming port to be directed to a local address. We need to set the ports UDP/5060 and UDP/4569 to point to 192.168.1.10. If your trunk provider allows you to change these ports then do so, both at the provider and at the router.


In Open Ports, we need to set up UDP/10000 to UDP/20000 to point to your IPPBX.

If you want to lock down your configuration so only your trunk provider can connect to you (which is a really good idea), then create an IP object and use that as the Source IP when setting up the Port Redirection and Open Ports. Not all routers have this feature, but Draytek do.

Now on your IPPBX, we need to make two changes.

1. In your sip.conf (or sip_general_additional.conf), or if you're using FreePBX then in Settings/SIP Settings, you need to change the following:

bindport=5060
allowguest=no
nat=force_rport,comedia
externip=195.234.234.234
allow_sip_anon=no
localnet=192.168.1.0/24

You will need to change externip to be your static public IP and localnet to be your local network.

2. In rtp.conf you need to change the following in the [general] section:

rtpstart=10000
rtpend=20000
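As an added example (not from the original article), here is a small Python script that audits a sip.conf and rtp.conf against the settings above: allowguest off, both NAT flags present, a public externip, a localnet that actually contains the PBX, the RTP range inside what the router forwards, and a note if SIP is still bound to 5060. The sample configs embedded in it are constructed to mirror the article's values; the PBX address 192.168.1.10 and the router range 10000-20000 are the ones assumed above.

```python
import ipaddress
import re

# Constructed sample configs that mirror the values given in the article.
SAMPLE_SIP_CONF = """\
[general]
bindport=5060
allowguest=no
nat=force_rport,comedia
externip=195.234.234.234
allow_sip_anon=no
localnet=192.168.1.0/24
"""

SAMPLE_RTP_CONF = """\
[general]
rtpstart=10000
rtpend=20000
"""


def parse_asterisk_conf(text):
    """Parse Asterisk-style config text into {section: {key: [values]}}.
    Handles [section] headers, key=value / key=>value lines and ';' comments;
    values are lists because keys such as localnet may repeat."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=>", 1) if "=>" in line else line.split("=", 1)
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def audit(sip_text, rtp_text, pbx_ip, router_rtp_range=(10000, 20000)):
    """Return a list of (severity, message) findings; empty means all checks passed.
    pbx_ip is the PBX LAN address; router_rtp_range is the UDP range the router opens."""
    findings = []
    sip = parse_asterisk_conf(sip_text).get("general", {})
    rtp = parse_asterisk_conf(rtp_text).get("general", {})

    def first(conf, key, default=None):
        return conf.get(key, [default])[0]

    # Guests: unauthenticated INVITEs reach the dialplan unless this is 'no'.
    if first(sip, "allowguest", "yes").lower() != "no":
        findings.append(("HIGH", "allowguest is not 'no'; unauthenticated calls will be accepted"))

    # NAT handling: both flags are needed for signalling and media behind NAT.
    nat_flags = {f.strip() for f in first(sip, "nat", "").split(",")}
    for flag in ("force_rport", "comedia"):
        if flag not in nat_flags:
            findings.append(("MEDIUM", f"nat= is missing '{flag}'"))

    # externip must be the public address, otherwise SDP advertises a private one.
    externip = first(sip, "externip")
    if externip is None:
        findings.append(("HIGH", "externip not set; SDP will carry the private LAN address"))
    else:
        try:
            if ipaddress.ip_address(externip).is_private:
                findings.append(("HIGH", f"externip {externip} is a private address"))
        except ValueError:
            findings.append(("MEDIUM", f"externip '{externip}' is not a valid IP address"))

    # localnet must cover the PBX so LAN peers are not treated as external.
    localnets = sip.get("localnet", [])
    if not localnets:
        findings.append(("HIGH", "localnet not set; LAN and internet peers cannot be told apart"))
    else:
        pbx = ipaddress.ip_address(pbx_ip)
        if not any(pbx in ipaddress.ip_network(n, strict=False) for n in localnets):
            findings.append(("HIGH", f"PBX address {pbx_ip} is not inside any localnet entry"))

    # The article recommends moving off 5060 where the provider allows it.
    if first(sip, "bindport", "5060") == "5060":
        findings.append(("LOW", "bindport is 5060; move it if the trunk provider allows"))

    # RTP range must be sane and fit inside what the router forwards.
    try:
        start, end = int(first(rtp, "rtpstart", "0")), int(first(rtp, "rtpend", "0"))
    except ValueError:
        start, end = 0, 0
    lo, hi = router_rtp_range
    if not (0 < start < end):
        findings.append(("HIGH", f"rtpstart/rtpend ({start}-{end}) is not a valid range"))
    elif start < lo or end > hi:
        findings.append(("MEDIUM", f"rtp range {start}-{end} exceeds router forward {lo}-{hi}; one-way audio likely"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_SIP_CONF, SAMPLE_RTP_CONF, "192.168.1.10"):
        print(f"[{severity}] {message}")
```

Run against the article's values it reports only the LOW note about port 5060; point it at your real files (read them and pass the text in) and it will flag a missing externip, a localnet that does not include the PBX, or an RTP range wider than the router's Open Ports entry, which are the usual causes of one-way audio and failed registrations behind NAT.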

And we're almost done. Now all that remains is for you to set up your trunks, either via your GUI or using the Asterisk config files, and you're good to go. Look out for codecs: they are going to ruin your life unless you take note. Asterisk can translate some codecs in real time but not all. Pick one like G711a and use it everywhere. If you're going to use a licensed codec like G729 then be aware that a licence will be consumed for each leg of the journey: one between the phone and Asterisk and one between Asterisk and the trunk provider.

If you're still having issues then use the Asterisk command line (asterisk -r) and use SIP SET DEBUG ON to enable SIP debug (if you're using IAX then use IAX SET DEBUG ON), and if you've still not figured it out then post that output and your sip.conf, rtp.conf and iax.conf in the forum on www.gensupport.net and we'll take a look.
