VoIPowering Your Office with Asterisk: Getting SIP through Firewalls

SIP is a complex protocol, and all this newfangled VoIP stuff is still pretty
new, so there are some kinks to iron out. Probably the most common problem is
getting SIP calls through NAT (Network Address Translation)
firewalls. SIP is a peer-to-peer protocol, and this presents two different types
of problems when you’re trying to get past a NAT firewall: managing peer calls
made without a local VoIP server, and managing a VoIP server like Asterisk.
Let’s tackle the first one first.

Why SIP confounds NAT
The SIP (Session Initiation Protocol) protocol is very flexible and transports
voice and video to all manner of devices. It’s an application-layer signaling
protocol that creates and terminates sessions. The difficulty with traversing
NAT firewalls lies not with SIP, but with the RTP (Real-time Transport Protocol).
SIP establishes the connection; then RTP moves the actual voice packets.
It works like this:

  • SIP sends an INVITE packet containing the caller’s IP address and port number for RTP to use
  • When the call is received, the receiver’s IP address and port for RTP are sent back
  • With the ports and IP addresses established, happy conversation ensues

Except when NAT is in the way. Traffic that passes through a NAT firewall is mangled: the addresses are rewritten and the port numbers are changed, so the IP address and port that SIP announced for RTP no longer match where the packets actually go. This makes all kinds of weird things happen. The call fails entirely, or you can hear but not speak, or speak but not hear. Fortunately these are problems that can be fixed.

Direct SIP calling
This is very popular, and all manner of providers of such service
have sprouted like mushrooms after a rain. Vonage is the
biggest and most famous, and runs the most annoying TV commercials. (OK, so
it’s a question of taste—if you like the Three Stooges, you’ll love the
Vonage ads.) Skype, the other famous and popular peer VoIP network, does not
use SIP, but some secret proprietary protocol that doesn’t work with any other
services, so we shall ignore it for now. (However, it has a number of very interesting
advantages over SIP VoIP services, such as sliding through firewalls with ease,
bandwidth efficiency, and excellent call quality, which we shall discuss in
a future article.)

As loyal readers of VoIPplanet.com, you have no doubt already read and enjoyed
Softphones Reviewed: Gizmo Project, in which intrepid editor Ted Stevenson puts his
computer and money on the line to test the SIP-based Gizmo VoIP service. Alas,
he had to retreat to his home to test Gizmo, thanks to the SIP-unfriendliness
of the corporate firewall. There’s not much Mr. Stevenson can do, short of launching
a Ninja attack on the network administrators and commandeering the firewalls.
But users who have control of their own firewalls can get their SIP calls through.

First check the instructions for your service on how to configure your router and firewall. For example, Gizmo users should refer to this page first. Vonage users go here.

If you are wisely protecting your network with a Linux iptables NAT firewall, these rules should make your Gizmo service work:

# SIP
iptables -A INPUT -p udp --dport 5004 -j ACCEPT
iptables -A INPUT -p udp --dport 5005 -j ACCEPT
iptables -A INPUT -p udp --dport 64064 -j ACCEPT

Presumably you have a default iptables -P OUTPUT ACCEPT policy, so you won’t
need to explicitly open outgoing ports. If you have your firewall more locked
down and are using an iptables -P OUTPUT DROP policy, these rules will satisfy the outgoing
Gizmo port requirements:

iptables -A OUTPUT -p udp --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 7070 -j ACCEPT

Vonage users need these rules:

# these rules are not needed with a default OUTPUT ACCEPT policy
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --dports 21,69,2400 -j ACCEPT
iptables -A OUTPUT -p udp --dport 80 -j ACCEPT
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --dport 5061 -j ACCEPT
iptables -A OUTPUT -p udp --dport 10000:20000 -j ACCEPT
# for incoming RTP packets
iptables -A INPUT -p udp --dport 10000:20000 -j ACCEPT
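As an added example (not from the article, and not from Vonage's or Gizmo's documentation), here is a Python script that ties the two halves of the story together: it pulls the RTP address and port out of the SDP body of a captured SIP INVITE, flags the classic NAT symptom described above (the SDP still names the phone's private address, while the packet itself arrived from the NAT box's public address, which is how you end up with one-way audio), and checks whether the advertised RTP port falls inside the inbound UDP ranges opened by simple INPUT rules like the ones just listed. The INVITE, the addresses (RFC 1918 and RFC 5737 ranges) and the function names are constructed for illustration; the rule text it parses is the article's own Vonage and Gizmo INPUT lines.

```python
"""Diagnose why a SIP call may break through NAT: compare the RTP endpoint a SIP
INVITE advertises in its SDP body with the packet's real source address and with
the UDP ports an iptables INPUT chain actually accepts.

Added example, not from the article. Function names and the sample INVITE are
constructed; only the iptables rule text is taken from the article.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: an INVITE from a phone at 192.168.1.20 behind a NAT box.
# NAT rewrites the IP/UDP headers, but the SDP body still names the private
# address and the port the phone chose, so the far end sends audio there.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bKconstructed\r\n"
    "From: <sip:alice@example.net>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: constructed-call-id@192.168.1.20\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49172 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

# The inbound UDP rules from the article, used as the "what the firewall allows" input.
VONAGE_INPUT_RULES = "iptables -A INPUT -p udp --dport 10000:20000 -j ACCEPT\n"
GIZMO_INPUT_RULES = (
    "iptables -A INPUT -p udp --dport 5004 -j ACCEPT\n"
    "iptables -A INPUT -p udp --dport 5005 -j ACCEPT\n"
    "iptables -A INPUT -p udp --dport 64064 -j ACCEPT\n"
)


@dataclass(frozen=True)
class RtpEndpoint:
    address: str
    port: int


def parse_rtp_endpoint(sip_message: str) -> RtpEndpoint:
    """Return the address (c=) and audio port (m=audio) the SDP body advertises for RTP."""
    if "\r\n\r\n" not in sip_message:
        raise ValueError("SIP message has no body")
    body = sip_message.split("\r\n\r\n", 1)[1]
    address = port = None
    for line in body.splitlines():  # splitlines() strips the trailing \r as well
        if line.startswith("c=IN IP4 "):
            address = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    if address is None or port is None:
        raise ValueError("SDP body lacks a c= or m=audio line")
    return RtpEndpoint(address, port)


_INPUT_UDP_RULE = re.compile(r"-A INPUT\s+-p udp\s+--dport (\d+)(?::(\d+))?\s+-j ACCEPT")


def allowed_udp_ranges(rules: str) -> list:
    """Collect the inbound UDP port ranges accepted by simple INPUT rules like the article's."""
    ranges = []
    for m in _INPUT_UDP_RULE.finditer(rules):
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low  # a single --dport is a range of one
        ranges.append((low, high))
    return ranges


def diagnose(sip_message: str, packet_source: str, rules: str) -> list:
    """List the NAT and firewall problems that would break media for this INVITE."""
    rtp = parse_rtp_endpoint(sip_message)
    advertised = ipaddress.ip_address(rtp.address)
    source = ipaddress.ip_address(packet_source)
    findings = []
    # Symptom 1: the SDP names an address other than the one the packet really came from.
    if advertised != source:
        kind = " (a private address)" if advertised.is_private else ""
        findings.append(
            f"SDP advertises RTP to {rtp.address}{kind} but the INVITE arrived from "
            f"{packet_source}: NAT rewrote the IP headers, not the SDP, so the far end "
            "sends audio to an address it cannot reach (one-way or no audio)"
        )
    # Symptom 2: the advertised RTP port is not one the firewall lets in.
    ranges = allowed_udp_ranges(rules)
    if not any(low <= rtp.port <= high for low, high in ranges):
        findings.append(
            f"RTP port {rtp.port} is outside the accepted inbound UDP ranges {ranges}: "
            "incoming voice packets will be dropped"
        )
    return findings


if __name__ == "__main__":
    for problem in diagnose(SAMPLE_INVITE, "203.0.113.7", VONAGE_INPUT_RULES):
        print("-", problem)
```

Run against the constructed INVITE as seen arriving from 203.0.113.7, it reports both problems; run with the phone's own address as the source and a rule covering port 49172, it reports nothing, which is the situation the provider instructions and the rules above are trying to produce.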

If your service provider is unhelpful, the motherlode of all help resources is Portforward.com. Don’t leave home without it. PortForward provides detailed instructions for dozens of routers and VoIP services. Maybe even hundreds. Anyway it’s a lot, and you should find everything you need there.

Asterisk and NAT fun
Next week we’ll explore some ways to help Asterisk handle SIP calls without having a nervous breakdown. Us, that is, not Asterisk, which is immune to nervous disorders.

Resources
Portforward.com gives detailed instructions for configuring routers for many VoIP services
An Introduction To SIP, Part 1: Meet SIP
Build a Linux-Based Single-Board WAP (Part 3) tells how to build a NAT iptables firewall on a Soekris router board
What Is Skype
