This article refers to a version that is no longer current!
The article for the latest version is here
There is already a newer version of this article, but it refers to a reseller preview
Settings in the UTM firewall for VoIP devices when the UTM is located between the VoIP server and the VoIP clients.
Last adaptation: 07.2022
New:
- Note on avoiding slipstreaming attacks
This article refers to a reseller preview, version 11.8
Starting point
Port filter rule for VoIP
If there is a UTM between the VoIP end devices and a VoIP server, an additional port filter rule must be created that enables VoIP with NAT.
The connection is established via SIP: the device registers with the VoIP server using its local IP. The voice packets themselves are then sent via RTP on other ports. To make the VoIP client and the RTP ports in the local network reachable from outside, in this case for the VoIP server, a port filter rule must be created for this:
Port filter rule
Tab Portfilter > Button Add Rule

General
Caption | Value | Description
Source | voip-clients | An appropriate group should be defined, for example "Phones and workstations" or "VoIP devices". The object "Internal Network" would allow VoIP for all network devices! For reasons of network security, devices that do not require VoIP (e.g. printers or IoT devices) should not be allowed VoIP either.
Destination | voip-server | VoIP connections with the corresponding open ports should only be available to the VoIP server.
Service | voip | VoIP service group, which enables the following ports: SIP: UDP port 5060, protocol type sip (the protocol type sip loads the Application Layer Gateway (ALG) modules); rtp: UDP ports 7070-7089.
Action | Stateless |

NAT
Caption | Value | Description
Type | HIDENAT |
Network object | external-interface |
VoIP without SIP helper
The predefined service sip (contained in the port filter group voip) has the protocol type sip, which loads the Application Layer Gateway (ALG) modules.
If VoIP is to be run without the SIP helper, and thus without ALG, a new service must be created that uses port 5060 UDP without the protocol type sip.
Tab Services > Button Add object

Create service
Caption | Value | Description
New service
Name: | udp 5060 without type | Prominent name
Protocol: | udp |
Protocol type: | | Leave blank!
Destination port type: | Single port | Only one port is needed
Destination port: | 5060 | Destination port for SIP via UDP is 5060
Source port type: | All | The clients can establish the connection from different ports. For internal test purposes only
Save | | Create the service
Create service group
Subsequently, a new group should be created under Service groups with Add group:
Caption | Value | Description
Name: | voip without ALG | Prominent name
Services: | udp 5060 without type (destination port 5060), rtp (destination ports 7070:7089) | The newly created service for udp (port 5060) and the service rtp (ports 7070-7089) must be included
Port filter rule
There is no longer any need to load or unload the SIP helper modules via the CLI
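As an added example (not code from this article or from the UTM vendor), the following Python script models the port filter rule and the two service groups described above and checks a rule against the article's recommendations: a VoIP-only source group instead of Internal Network, the VoIP server as the only destination, only SIP 5060/UDP and RTP 7070-7089, and HIDENAT on external-interface; it also reports whether the chosen service group loads the SIP ALG. The object names, the Service class and the rule dictionary layout are assumptions for illustration, not the UTM's own API.

```python
from dataclasses import dataclass
# Constructed model of the article's objects; names and layout are assumptions, not UTM API calls.
@dataclass(frozen=True)
class Service:
    proto: str
    ports: tuple          # (low, high), inclusive
    ptype: str = ""       # "sip" loads the SIP ALG modules; "" keeps them unloaded

SERVICES = {
    "sip": Service("udp", (5060, 5060), "sip"),             # predefined service with ALG
    "udp 5060 without type": Service("udp", (5060, 5060)),  # the service created above, no ALG
    "rtp": Service("udp", (7070, 7089)),
}
SERVICE_GROUPS = {
    "voip": ("sip", "rtp"),
    "voip without ALG": ("udp 5060 without type", "rtp"),
}
BROAD_SOURCES = {"internal-network", "any"}   # would grant VoIP to every device
EXPECTED_PORTS = {("udp", (5060, 5060)), ("udp", (7070, 7089))}  # SIP signalling + RTP media

def members(group: str) -> tuple:
    """Resolve a service group (or a single service name) to its member services."""
    return SERVICE_GROUPS.get(group, (group,))

def uses_sip_alg(rule: dict) -> bool:
    """True if any service in the rule carries protocol type sip, i.e. the ALG gets loaded."""
    return any(n in SERVICES and SERVICES[n].ptype == "sip" for n in members(rule["service"]))

def lint_voip_rule(rule: dict) -> list:
    """Return findings for a VoIP rule; an empty list means it matches the article's recommendations."""
    findings = []
    if rule["source"] in BROAD_SOURCES:
        findings.append(f"source {rule['source']!r} allows VoIP for all devices; use a VoIP-only group")
    if rule["destination"] != "voip-server":
        findings.append("destination must be restricted to the VoIP server object")
    for name in members(rule["service"]):
        svc = SERVICES.get(name)
        if svc is None or (svc.proto, svc.ports) not in EXPECTED_PORTS:
            findings.append(f"service {name!r} opens more than SIP 5060/udp and RTP 7070-7089")
    nat = rule.get("nat", {})
    if nat.get("type") != "HIDENAT" or nat.get("object") != "external-interface":
        findings.append("NAT must be HIDENAT on external-interface so the server can reach the clients")
    return findings

# Constructed rules: the one from the article and an over-broad variant.
GOOD_RULE = {"source": "voip-clients", "destination": "voip-server", "service": "voip",
             "action": "Stateless", "nat": {"type": "HIDENAT", "object": "external-interface"}}
BROAD_RULE = {**GOOD_RULE, "source": "internal-network", "destination": "any", "service": "any"}
```

Swapping `"service": "voip"` for `"voip without ALG"` in GOOD_RULE keeps the lint clean while `uses_sip_alg` turns False, which is the effect of the service created in the section above.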