Network:Firewall:Configuration

From VTX Public Wiki

Revision as of 14:53, 24 June 2024 by Mlr (talk | contribs) (→‎Phone / VPBX / Connect / Firewall rules: Remove NB)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Warning Please make sure your firewall is running the last stable version of his firmware and is not End Of Life or End Of Support because we coped with many bugs on Zyxel / Sophos / Sonicwall / ... firewalls running old versions Warning


Configuration[edit | edit source]

Firewall NAT and QOS configuration[edit | edit source]

  • NAT Timeout: Set the NAT/firewall UDP timeout to a minimum of 30s for SIP/UDP and 600s for SIP/TCP
  • QOS: You need to reserve 100kbps per concurrent call and 100 kbps per 10 BLF NOTIFY message (LED blinking in the same time on the phones)
  • SIP ALG: To disable ( cf warning above)
  • MTU: Please make sure you are using the good MTU value on the LAN and WAN interface of your firewall
    • 1500 on the LAN
    • 1500 on the WAN if Firewall is only doing routing
    • 1492 on the WAN if Firewall is doing PPPoE


Network and NAT setup : STUN / TURN / externip / SIP ALG[edit | edit source]

  • Problem 1: The usage or STUN or TURN or SIP ALG is useful to perform some peer to peer VoIP communication, but these protocols are not working in 100% of cases ( i.e: when using symmetrical NAT (almost all firewall now), or having a firewall that do not support hairpin or do not allow LAN to LAN communication ( like in Hotel Rooms ) )
  • Problem 2: The other problem is that some implementations of these protocols are buggy on some equipments ( phone or PBX or firewall )
  • Conclusion: Since these protocols are not working in all cases and are sometimes buggy, the VTX VoIP platform is always handling NAT detection and all VoIP stream goes via the VTX VoIP platform. Consequently, no need to enable these protocols


Access List[edit | edit source]

Warning You do not need any incoming firewall rule or NAT rules for your phones to work correctly. You need your firewall to be stateful and allow incoming traffic that have been triggered by an outgoing request. Please follow 1st chapter. ex: phone is REGISTERING on the platform and maintain it each 30s to allow incoming calls to work because the VoIP platform will use this same connection to send incoming calls Warning


Phone / VPBX / Connect / Firewall rules[edit | edit source]

  • SIP signaling that allows your phone to call out and to receive calls
    • IP range: 212.147.44.0/22 (from 212.147.44.0 to 212.147.47.255).
    • Port range: UDP/5060 + TCP/5060 + TCP/5061 (for SIP/TLS)
  • RTP and RTCP packets that transport the voice and quality call data
    • IP range: 212.147.44.0/22 (from 212.147.44.0 to 212.147.47.255)
    • Port range: all UDP ports ( WARNING : If you really need a range, use 1024->65535. DO NOT TRY TO GUESS THE PORT RANGE WE ARE USING, IT IS CHANGING OVER TIME WITH CAPACITY INCREASE )
  • HTTP/HTTPs for phone auto-configuration
    • IP range: secure-provisioning.snom.com + rcs.aastra.com + prov.gigaset.net + profile.gigaset.net + suota.gigaset.com + rps.yealink.com + 212.40.12.0/24 + 212.147.44.0/22
    • Port range: TCP/80 + TCP/443
  • LDAP/LDAPS for Centralized Kiosk Directory
    • IP range: 212.40.12.0/24
    • Port range: TCP/389 + TCP/636
  • DNS/NTP for DNS queries and NTP time updated
    • IP range: rs0[1-4].vtx.ch + ( WARNING: Allow "*" in case you own Yealink phones because the Yealink won't boot if there is no answer towards pool.ntp.org which has dynamic IPs )
    • Port: UDP/53 + TCP/53 + UDP/123
  • Syslog: Used for VTX Support to help debug any problem with auto provisioned phones
    • IP range: 212.147.99.16/28
    • Port range: UDP/514


Here is an overview of an Tools:iptables configuration

### Allow SIP Signalisation ###
-A FORWARD -p udp -m multiport --dports 5060 -d 212.147.44.0/22 -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 5060,5061 -d 212.147.44.0/22 -j ACCEPT
# Allow all TCP ports for MS Skype for Business
-A FORWARD -p tcp -d 212.147.44.0/22 -j ACCEPT
### Allow RTP (voice) ####
-A FORWARD -p udp -d 212.147.44.0/22 -j ACCEPT
### Allow HTTP/HTTPS ###
-A FORWARD -p tcp -m multiport --dports 80,443 -d secure-provisioning.snom.com,rcs.aastra.com,prov.gigaset.net,profile.gigaset.net,rps.yealink.com,212.40.12.0/24,212.147.44.0/22 -j ACCEPT
### Allow LDAP/LDAPS ###
-A FORWARD -p tcp -m multiport --dports 389,636 -d 212.40.12.0/24 -j ACCEPT
### Allow DNS/NTP ###
-A FORWARD -p udp -m multiport --dports 53,123 -d rs01.vtx.ch,rs02.vtx.ch,rs03.vtx.ch,rs04.vtx.ch -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 53 -d rs01.vtx.ch,rs02.vtx.ch,rs03.vtx.ch,rs04.vtx.ch -j ACCEPT
### Allow all NTP servers for Yealink phones that needs NTP towards pool.ntp.org to work at boot process otherwise they won't boot, and since pool.ntp.org is dynamic, all NTP traffic needs to be allowed ###
-A FORWARD -p udp -m multiport --dports 123 -j ACCEPT
### Allow Syslog ###
-A FORWARD -p tcp -m multiport --dports 514 -d 212.147.99.16/28 -j ACCEPT
-A FORWARD -p udp -m multiport --dports 514 -d 212.147.99.16/28 -j ACCEPT

Teams Connect/Virtual Firewall Rules[edit | edit source]

  • SIP Signaling: Here are the FQDN to use to define the destination of the trunk
    • sip.pstnhub.microsoft.com – Global FQDN – must be tried first.
    • sip2.pstnhub.microsoft.com – Secondary FQDN – geographically maps to the second priority region.
    • sip3.pstnhub.microsoft.com – Tertiary FQDN – geographically maps to the third priority region.
  • SIP/TLS Firewalling: The SIP/TLS flows could come from one of these IPs and TCP Range
    • IP Ranges: 52.112.0.0/14 + 52.120.0.0/14
    • SIP/TLS Source Port Range: 1024 – 65535
  • RTP Transport Relay Firewalling: The media traffic flows to and from a separate service in the Microsoft Cloud. The IP range for Media traffic:
    • RTP IP Ranges: 52.112.0.0/14 (IP addresses from 52.112.0.1 to 52.115.255.254). + 52.120.0.0/14 (IP addresses from 52.120.0.1 to 52.123.255.254).
    • UDP/SRTP Source Port Range : 3478-3481 and 49152 – 53247
  • RTP Media Bypass Firewalling: This is used for Media Bypass
    • RTP IP Ranges: 52.112.0.0/14 (IP addresses from 52.112.0.1 to 52.115.255.254). + 52.120.0.0/14 (IP addresses from 52.120.0.1 to 52.123.255.254).
    • UDP/SRTP Source Port Range : 50000 – 59999
  • VTX RTP Media Bypass Range: This is used by VTX SBCs
    • RTP IP Range: 212.147.44.0/22 (IP addresses from 212.147.44.0 to 212.147.47.255).
    • UDP/SRTP Source Port Range : 10000 - 39999

VTX GeoIP Restriction[edit | edit source]



Default GeoIP restriction[edit | edit source]

There are the different GeoIP restrictions on the Telephony platform:

  1. Physical phone auto provisioning (CH/FR): is only working from Switzerland and France (other location could be added on request to VTX Support Team)
  2. VTX Softphones (World) : Could be used anywhere in the world ( but you still need to allow outgoing calls if calling from abroad, cf below )
  3. Register and Incoming Calls (World): Open to the whole world
  4. Outgoing Calls (CH/FR/Europe/World/ACLs): Billed outgoing calls are only allowed from Switzerland or France (depending on customer type) by default ( This setting can be changed from customer Admin Kiosk interface to open it to Europe or World or some specific IPs)
  5. Kiosk SIP Credentials (CH/FR): Kiosk SIP account credentials are only accessible from Switzerland or France (depending on customer type) for security reason, no workaround available ( cf below ).



Kiosk : Allow calls from Europe / World or restrict it to ACLs[edit | edit source]

  • Information: Most of our customers are using their phone from Switzerland, so from a security point of view, it was wise to restrict by default the usage of VoIP telephony from Switzerland, but also allowing our customer to change this behavior per number or per service
  • Symptoms: Your are not able to dial an external number while using a phone abroad. You get an error saying that your restrictions or limitations do not allow you to pass this call
  • Problematic: Allow some or all phones of a service to be used in other countries, or from some IPs
  • Solution: Follow the procedure below
  1. (Change allowed Country in Kiosk): Connect to https://kiosk.vtx.ch with your VTX Service Administrator Credentials
    1. Go in section "My Services / Telephony / Call restrictions / IP Filtering"
    2. Read documentation and adapt it to fit your needs


VTX Kiosk - Outgoing Calls GeoIP Filtering
VTX Kiosk - SIP Credentials only accessible from Switzerland, no workaround


Check the country of your IP in the database[edit | edit source]

  • Problematic: You wish to verify the country location of your connection IP
  • Solution: Follow procedure below
  1. (Verify your connection country) You can verify the country of your connection IP in https://www.maxmind.com/en/locate-my-ip-address or https://www.maxmind.com/en/geoip-demo

Restricted call on Tuesday morning - Wrong Country : Submit a correction[edit | edit source]

  • Information:
    • (VTX IPs always set to CH) We made sure that the "VTX" IPs will remain set in Switzerland ( reference #159010 )
    • (Maxmind GeoIP Accuracy) We are using the Maxmind Country Paid database with an accuracy of 99,8% to check from which country the call is passed, cf https://www.maxmind.com/en/geoip2-country-database
  • Symptoms: On Tuesday morning, you start to have your outgoing calls now working anymore with an error "Your restriction or limitation to not allow you to call out"
  • Possible Explanation: Your connection IP did switch country because of the geoip database update
  • Problematic: You wish to submit a correction of the country of your IPs
  • Solution: Follow procedure below
  1. In case of false data, you can submit a correction in https://www.maxmind.com/en/geoip-data-correction-request

Other Network Restrictions[edit | edit source]

  • Ping the VoIP platform which is opened to ping from the whole world
ping s1.12345.bus.ipvoip.ch
PING vtx.res.ipvoip.ch (212.147.47.217) 56(84) bytes of data.
64 bytes from fix.47.147.212.vtx.ch (212.147.47.217): icmp_seq=1 ttl=53 time=7.65 ms
64 bytes from fix.47.147.212.vtx.ch (212.147.47.217): icmp_seq=2 ttl=53 time=8.32 ms
64 bytes from fix.47.147.212.vtx.ch (212.147.47.217): icmp_seq=3 ttl=53 time=8.14 ms
--- s1.12345.bus.ipvoip.ch ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 7.659/8.041/8.324/0.289 ms
  • SIP is also allowed to work on TCP, so you can use telnet to verify your connectivity towards the platform (you need to see "connected" message)
telnet s1.12345.bus.ipvoip.ch 5060
Trying 212.147.47.217...
Connected to s1.12345.bus.ipvoip.ch.
Escape character is '^]'.


Vendor Specific Setup[edit | edit source]

Sonicwall VoiP Configuration[edit | edit source]

Warning Please do not forget to enable Consistant NAT on the Sonicwall, we have noticed bugs on Sonicwall with Downstream audio problem after some time when disabled ! Warning


You can find here the VoiP parameters for the sonicwall validate by VTX.

  • Modifications to perform on the Sonicwall
    • VoIP / Settings / Enable Consistant NAT => Sonicwall Doc Helper
    • On the WAN interface, please set "Do not send ICMP Fragmentation Needed for outbound packets over the Interface MTU"
Sonicwall - Disable SIP ALG
Sonicwall - Suppress ICMP Fragmentation Needed message generation if Sonicwall is doing PPPoE with MTU 1492


Watchguard M400 / Snom[edit | edit source]

Connection UPC / check Modem[edit | edit source]