0

I'm making a VoIP application and I have trouble to make it working properly. On each side there are SIP clients. In my office, we use 2 differents boxes to access internet. The first one is like a home network and it is quite not restricted. On this one, everything is working fine. The second one, (which causes me troubles) is a company network and a lot of ports on it are blocked by default.

My VoIP application uses an Asterisk server. Some clients that should connect on that Asterisk server are in the company network, behind the restricted router. Actually, SIP registering is using the port 5060 TCP/UDP and RTP is using the range from 10 000 to 20 000 UDP.

The problem is that my network admin doesn't want to open that huge range of port. According to him, this would create security holes.

Is there any mean to allow SIP signaling or voice through RTP protocol to pass through the company router ?

Currently I have some ideas but I don't know if they are relevant.

  1. My SIP clients are connected to a VPN. Could I pass all the traffic through the VPN interface so that the restricted router would not have any knowledge of what passes through it ? I tried, but some packets still seems to be passing via my ethernet interface instead of my VPN interface.

  2. Would protocols like STUN or ICE resolve such a problem ?

  3. I read a lot about NAT traversal, but didn't found any solution that would have resolved my issue.

I am able to provide more detail about my setup if needed.

2021/01/12 : My VPN server instance is an OpenVPN and it runs on a pfSense virtual machine that is accessible with its IP address.

I ran a tcpdump command to capture traffic on port 5060 on my pfSense machine but my client doesn't reach this server when I'm connecting clients from the restricted network...

Bastien Matthai
  • 1
  • 1
  • You could create a tunnel between the networks, and use that for VoIP. – Ron Maupin Jan 11 '21 at 17:54
  • Tell me if I'm not right but does this would encapsulate traffic in VPN packets ? In this case do I only need to open VPN port ? Currently I'm trying to use such a solution but neither SIP signaling or RTP voice pass. – Bastien Matthai Jan 12 '21 at 10:16
  • A tunnel, like a VPN, creates a logical link, as if you had a cable plugged in from one network to the other, and you can set up routing for the VoIP to route across the tunnel link. – Ron Maupin Jan 12 '21 at 13:19

1 Answers1

0

You probably don't need such a wide range of ports opened. It requires up to four ports for each simultaneous phone call that might be im progress. So, a 100 ports would suffice for most small offices. You just need to configure them in rtp.conf.

[general]
;
; RTP start and RTP end configure start and end addresses
;
rtpstart=16384
rtpend=16482

Consider using the range 16384-16482 as many VoIP devices already default to using this port range.

Michael Hampton
  • 244,070
  • 43
  • 506
  • 972