Settings in the UTM firewall for VoIP devices when the UTM is located between the VoIP server and the VoIP clients.
Last adaptation to the version: 12.6.0
New:
  • Updated to the redesign of the web interface
This article refers to a Resellerpreview

07.2022 11.8


Starting point

If a UTM sits between the VoIP end devices and the VoIP server, an additional packet filter rule is needed that allows VoIP with NAT.
The connection is set up via SIP: the device registers with the VoIP server using its local IP address. The voice packets themselves are then sent via RTP on other ports.
To make the VoIP client and the RTP ports in the local network reachable from outside, in this case by the VoIP server, a packet filter rule must be created for them.


Packetfilter rule

Firewall → Packetfilter → Button Add Rule

General
Caption Value Description
Source: voip-clients An appropriate group should be defined, for example phones and workstations, or VoIP devices.
  • Internal Network would allow VoIP for all network devices!
  • For reasons of network security, devices that do not require VoIP (e.g. printers or IoT devices) should not be allowed VoIP either.
Destination: voip-server VoIP connections with the corresponding open ports should only be available to the VoIP server.
Service: voip VoIP service group, which enables the following ports:
  • SIP: UDP port 5060, protocol type sip
    The protocol type sip loads the Application Layer Gateway (ALG) modules.
  • rtp: UDP ports 7070-7089
Action: Stateless

NAT
Type: HIDENAT
Network object: external-interface
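
As an added illustration (not part of the article or the UTM), the following Python model evaluates sample flows against the rule above: it shows why the source should be the dedicated voip-clients group rather than Internal Network, and what HIDENAT does to an accepted packet. All addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing for this scenario (assumed, not from the article).
INTERNAL_NETWORK = [ipaddress.ip_network("192.168.1.0/24")]
VOIP_CLIENTS = [ipaddress.ip_network("192.168.1.10/32"),
                ipaddress.ip_network("192.168.1.11/32")]
VOIP_SERVER = ipaddress.ip_address("203.0.113.20")
EXTERNAL_INTERFACE = ipaddress.ip_address("198.51.100.5")

# Service group "voip": SIP on UDP 5060 and rtp on UDP 7070-7089.
VOIP_SERVICE = [("udp", 5060, 5060), ("udp", 7070, 7089)]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def service_matches(flow, service):
    # Protocol and destination port must fall into one entry of the service group.
    return any(flow.proto == proto and lo <= flow.dport <= hi
               for proto, lo, hi in service)

def rule_matches(flow, source_group, dest_host, service):
    # Source group, destination host and service must all match, as in the UTM rule.
    src = ipaddress.ip_address(flow.src)
    return (any(src in net for net in source_group)
            and ipaddress.ip_address(flow.dst) == dest_host
            and service_matches(flow, service))

def evaluate(flow, source_group):
    """Return ("accept", translated_source) or ("drop", None). Accepted flows are
    HIDENAT'ed: the client's private address is replaced by the external interface."""
    if rule_matches(flow, source_group, VOIP_SERVER, VOIP_SERVICE):
        return "accept", str(EXTERNAL_INTERFACE)
    return "drop", None

if __name__ == "__main__":
    phone = Flow("192.168.1.10", "203.0.113.20", "udp", 5060)
    printer = Flow("192.168.1.50", "203.0.113.20", "udp", 5060)
    # With "Internal Network" as source, the printer may talk SIP to the server ...
    print("printer, Internal Network:", evaluate(printer, INTERNAL_NETWORK))
    # ... with the dedicated voip-clients group it may not.
    print("printer, voip-clients:", evaluate(printer, VOIP_CLIENTS))
    print("phone, voip-clients:", evaluate(phone, VOIP_CLIENTS))
```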

VoIP without SIP Helper

The predefined service sip (contained in the packet filter group voip) has the protocol type sip, which loads the Application Layer Gateway (ALG) modules.

If VoIP is to be run without the sip helper, and thus without ALG, a new service must be created that uses port 5060 UDP without the protocol type sip.
Firewall → Services → Button Add object

Create service

Caption Value Description
Name: udp 5060 without type Prominent name
Protocol: udp
Protocol type: Leave blank!
Destination port type: Single port Only one port is needed
Destination port: 5060 The destination port for SIP via UDP is 5060
Source port type: All The clients can establish the connection from various ports
Save and close Create the service

Create service group

Subsequently, a new group should be created under Service groups with Add group:
Caption Value Description
Name: voip without ALG Prominent name
Services: udp 5060 without type Destination ports: 5060
rtp Destination ports: 7070:7089
The newly created service for udp (port 5060) and the service rtp (ports 7070-7089) must be included.

Packetfilter rule

Finally, a packet filter rule is created as described above, but now containing the new service group as the service.

# Source Target Service NAT Action Active
24 voip-clients voip-server voip without ALG HN Stateless On

  • There is no longer any need to load or unload the sip helper modules via the CLI.