If there is a UTM between the VoIP end devices and a VoIP server, an additional port filter rule that enables VoIP with NAT is required. The connection is set up via SIP: the device registers with the VoIP server using its local IP address. The voice packets themselves are then sent via RTP on other ports. To make the VoIP client and the RTP ports in the local network reachable from outside (in this case reachable for the VoIP server), a port filter rule has to be created for this:
| Caption | Value | Description |
| Source | a group of VoIP devices | An appropriate group should be defined, for example "Phones and workstations" or "VoIP devices". Using the object Internal Network as the source would allow VoIP for all network devices! For network security reasons, devices that do not require VoIP (e.g. printers or IoT devices) should not be allowed VoIP either. |
| Destination | voip-server | VoIP connections with the corresponding open ports should only be reachable for the VoIP server. |
| Service | voip | VoIP service group, enables the following ports: SIP: UDP port 5060, protocol type sip (the protocol type sip loads the Application Layer Gateway (ALG) modules); rtp: UDP ports 7070-7089 |
| Action | Stateless | |
| NAT | Type: HIDENAT, Network object: external-interface | |
VoIP without SIP Helper
The predefined service sip (contained in the port filter group voip) has the protocol type sip, which loads the Application Layer Gateway (ALG) modules.
If VoIP is to be run without the SIP helper, and thus without the ALG, a new service must be created that uses port 5060 UDP without the protocol type sip: → Firewall → Portfilter, tab Services, button Add object
Create service
| Caption | Value | Description |
| New service | | |
| Name: | udp 5060 without type | Prominent name |
| Protocol: | udp | |
| Protocol type: | | Leave blank! |
| Destination port type: | Single port | Only one port is needed |
| Destination port: | 5060 | The destination port for SIP via UDP is 5060 |
| Source port type: | All | The clients can establish the connection from different source ports |
| Save | | Create the service |
Create service group
Subsequently, a new group should be created under Service groups with Add group:
| Caption | Value | Description |
| Name: | voip without ALG | Prominent name |
| Services: | udp 5060 without type (Destination ports: 5060); rtp (Destination ports: 7070:7089) | The newly created service for UDP port 5060 and the service rtp (ports 7070-7089) must be included |
Port filter rule
Finally, a port filter rule is created as described above, but now containing the new service group as the service.
| # | Source | Target | Service | NAT | Action | Active |
| 24 | voip-clients | voip-server | voip without ALG | HN | Stateless | On |
There is no longer any need to load or unload the SIP helper modules via the CLI.
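The following is an added example (not part of the original page or the UTM's own code) that models the two port filter rules described above, the one with the sip protocol type and the one with the "voip without ALG" service group, so that a rule set can be checked against the least-privilege point made for the Source object: only members of the VoIP group reach voip-server, and only on UDP 5060 and 7070-7089. The IP addresses and device names are constructed assumptions; the object, service and group names are the page's.

```python
from dataclasses import dataclass

# Constructed sample addresses (assumptions, not from the page).
VOIP_CLIENTS = {"192.0.2.11", "192.0.2.12"}   # members of the group "voip-clients"
PRINTER = "192.0.2.50"                        # on the internal network, not in the group
VOIP_SERVER = "198.51.100.20"                 # the network object "voip-server"


@dataclass(frozen=True)
class Service:
    name: str
    proto: str
    dports: range            # destination port range (end exclusive)
    protocol_type: str = ""  # "sip" loads the ALG / SIP helper; "" means no helper


# Services as defined on the page.
SIP_WITH_ALG = Service("sip", "udp", range(5060, 5061), "sip")
SIP_NO_ALG = Service("udp 5060 without type", "udp", range(5060, 5061))
RTP = Service("rtp", "udp", range(7070, 7090))          # 7070-7089 inclusive


@dataclass(frozen=True)
class Rule:
    source: frozenset        # addresses of the source group
    target: str              # address of the destination object
    services: tuple          # members of the service group
    nat_type: str = "HIDENAT"
    nat_object: str = "external-interface"


def evaluate(rule, src_ip, dst_ip, proto, dport):
    """Return (allowed, helper, nat_object) for one packet under the given rule.
    helper is 'sip' when the matched service carries the protocol type sip,
    otherwise None; nat_object is the HIDENAT source object for allowed traffic."""
    if src_ip not in rule.source or dst_ip != rule.target:
        return (False, None, None)
    for svc in rule.services:
        if svc.proto == proto and dport in svc.dports:
            return (True, svc.protocol_type or None, rule.nat_object)
    return (False, None, None)


# Rule with the predefined service group "voip" (SIP helper loaded)...
RULE_WITH_ALG = Rule(frozenset(VOIP_CLIENTS), VOIP_SERVER, (SIP_WITH_ALG, RTP))
# ...and rule 24 from the page, using the group "voip without ALG".
RULE_NO_ALG = Rule(frozenset(VOIP_CLIENTS), VOIP_SERVER, (SIP_NO_ALG, RTP))
```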