Configuring the firewall for Easybell VoIP and SIP trunking
The correct firewall settings depend on numerous factors in addition to the type of telephone connection. Due to the large number of possible installations and firewall systems on the market, we have kept this article as precise as necessary, but as general as possible.
First, we provide some general tips on setting up firewalls, which should be sufficient in most cases. We will then go into more detail about specific areas of application.
Set up releases
Release ports
Not every Easybell product uses the same registrar and the ports and protocols also differ in some cases. It is therefore important that you configure the firewall according to the following tables.
Please note that port forwarding is not the same as a release (an allow rule for traffic the phones initiate). In general, we strongly recommend against fixed port forwarding!
Ports for unencrypted telephony
Product | SIP port | RTP port
---|---|---
Phone numbers (blocks) | 5060 or 5064 (UDP/TCP) | 20000 - 50000 (UDP/TCP)
Cloud PBX | 5060 (UDP/TCP) | 10000 - 50000 (UDP/TCP)
Easybell app | 5060 (UDP) | 10000 - 20000 (UDP)
Ports for encrypted telephony
Product | SIP port | RTP port
---|---|---
Phone numbers (blocks) | 5060 or 5064 (UDP/TCP) | 20000 - 50000 (UDP/TCP)
Cloud PBX | 5060 (UDP/TCP) | 10000 - 50000 (UDP/TCP)
Further releases for the Cloud PBX
Please note that the Cloud PBX requires additional authorizations:
- ctad.easybell.de (functionality of the user interface)
- Port 443 for https (automatic configuration of devices)
Restrict releases
You can increase security by further restricting the releases.
But beware: the more you restrict the releases in the firewall, the more likely it is that desired connections will be blocked!
- For outgoing connections: you can restrict the releases to the internal IPs of the telephone system/telephones.
- For incoming connections: you can restrict the releases to the registrar used. In this case, please be sure to use the FQDN and not the IP addresses, as the latter can change at any time. The telephones in the local network must also be assigned a fixed IP address, which is not the case with the frequently used DHCP.
Registrars (FQDN)
Product | Registrar
---|---
SIP Trunk / VoIP | voip.easybell.de
Cloud PBX | pbx.easybell.de
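As an added example (not Easybell's own tooling), the following Python script renders the restricted releases described above as an nftables ruleset: outgoing SIP and RTP are allowed only from the fixed LAN addresses of the phones or PBX and only towards the registrar, replies come back through connection tracking, and no port forwarding is configured. The port and host data is taken from the tables in this article (including the Easybell app section further down); the nftables table, chain and set names, the LAN addresses and the resolver hook are assumptions.

```python
"""Render an nftables ruleset that restricts the Easybell releases the way
the article recommends.  Added example, not Easybell tooling; the nft
table/chain/set names, the LAN addresses and the resolver hook are assumptions."""
import socket
from typing import Callable, Dict, List

# Ports and hosts as listed in the article: "trunk" = phone numbers/blocks
# (single phones and PBXs), "cloud_pbx" = Easybell Cloud PBX, "app" = Easybell app.
# "sip" and "rtp" map a transport to the ports or port ranges it may use.
PRODUCTS: Dict[str, dict] = {
    "trunk": {
        "hosts": ["voip.easybell.de"],
        "sip": {"udp": ["5060", "5064"], "tcp": ["5060", "5064", "5061"]},
        "rtp": {"udp": ["20000-50000"], "tcp": ["20000-50000"]},
    },
    "cloud_pbx": {
        "hosts": ["pbx.easybell.de"],
        "sip": {"udp": ["5060"], "tcp": ["5060", "5061"]},
        "rtp": {"udp": ["10000-50000"], "tcp": ["10000-50000"]},
    },
    "app": {
        "hosts": ["webrtc.easybell.de", "webrtc2.easybell.de"],
        "sip": {"tcp": ["4998", "5000", "4210", "4280"]},
        "rtp": {"udp": ["4998", "10000-20000"]},
    },
}


def resolve_ipv4(fqdn: str) -> List[str]:
    """Resolve a registrar FQDN when the ruleset is built (IPv4 only here).
    The article says the addresses can change, so re-run this script from a
    timer and reload the ruleset whenever the rendered output differs."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None, socket.AF_INET)})


def build_ruleset(product: str, lan_hosts: List[str],
                  resolver: Callable[[str], List[str]] = resolve_ipv4) -> str:
    """Return nft syntax for one product; lan_hosts are the phones' static IPs."""
    spec = PRODUCTS[product]
    registrar = sorted({a for h in spec["hosts"] for a in resolver(h)})
    if not registrar:
        # Never load an empty set: that would silently block registration.
        raise ValueError("registrar did not resolve; keep the previous ruleset")
    lines = [
        "table inet easybell_voip {",
        "  # registrar addresses resolved from %s" % ", ".join(spec["hosts"]),
        "  set registrar { type ipv4_addr; elements = { %s } }" % ", ".join(registrar),
        "  # fixed LAN addresses of the phones / PBX (not DHCP-assigned)",
        "  set phones { type ipv4_addr; elements = { %s } }" % ", ".join(lan_hosts),
        "  chain forward {",
        "    # assumes a VoIP-only segment; other forwarded traffic needs its own rules",
        "    type filter hook forward priority 0; policy drop;",
        "    # replies to SIP/RTP the phones started are matched by conntrack,",
        "    # so no DNAT / port-forwarding rule is needed or wanted",
        "    ct state established,related accept",
    ]
    for kind in ("sip", "rtp"):
        for proto, ports in spec[kind].items():
            lines.append(
                "    ip saddr @phones ip daddr @registrar %s dport { %s } accept  # %s"
                % (proto, ", ".join(ports), kind.upper())
            )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed LAN addresses; replace with the phones' real static addresses.
    print(build_ruleset("trunk", ["192.168.10.20", "192.168.10.21"]))
```

The rendered text can be loaded with `nft -f`; because the registrar set is filled from the FQDN at build time, the script is the place to re-resolve and reload rather than hard-coding addresses in the firewall.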
General information
Use NAT as an additional security feature
In 95% of use cases, it is sufficient to use NAT as a security feature instead of adjusting the firewall configuration and, in doing so, possibly blocking connections that are needed.
NAT stands for "Network Address Translation" and is a function integrated in most routers. When connecting to the Internet, a different, public address is communicated instead of the local network address (LAN). Responses are accepted under this public "identity" and forwarded to the local network device. The router saves the assignment of the local address to the WAN address in the so-called NAT table.
The special feature: the data is only forwarded to the device if there was previously an outgoing connection. This mode of operation usually complements IP telephony perfectly. With Voice-over-IP, a connection from the local network to the Internet is always established first, whether this is when registering an end device or making an outgoing call. With NAT, the router then provides a WAN address and then forwards responses from this public address (WAN) to the local address (LAN). The exchange of data packets is therefore ensured in both directions.
At the same time, all unsolicited access from outside (connections not initiated from the local network) is blocked - NAT thus acts like a rudimentary firewall.
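To make the NAT behaviour described above concrete, here is an added illustration in Python (not router code): a minimal model of a NAT table in which a mapping is created only by an outgoing packet from the LAN, a reply that matches the mapping is forwarded to the LAN device, and anything else arriving from the Internet is dropped. The WAN address, the port range, the idle timeout and the rule that the reply must come from the host the phone talked to are assumptions; real routers differ in how strictly they filter.

```python
"""Toy model of stateful NAT for VoIP.  Added illustration, not router code;
addresses, ports and the idle timeout are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass
class Mapping:
    lan: Endpoint       # local device that opened the connection
    remote: Endpoint    # Internet host it talked to (e.g. the registrar)
    last_seen: float    # last packet in either direction


class NatRouter:
    def __init__(self, wan_ip: str, first_port: int = 40000, idle_timeout: float = 30.0):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.idle_timeout = idle_timeout      # assumption: entries expire when idle
        self.table: Dict[int, Mapping] = {}   # WAN port -> NAT table entry
        self.dropped: List[Tuple[Endpoint, int]] = []

    def _lookup(self, lan: Endpoint, remote: Endpoint) -> Optional[int]:
        for port, m in self.table.items():
            if m.lan == lan and m.remote == remote:
                return port
        return None

    def outbound(self, lan: Endpoint, remote: Endpoint, now: float) -> Endpoint:
        """A LAN device sends a packet out: create or refresh the mapping and
        return the public (WAN) identity the remote host will see."""
        port = self._lookup(lan, remote)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.table[port] = Mapping(lan, remote, now)
        self.table[port].last_seen = now
        return (self.wan_ip, port)

    def inbound(self, src: Endpoint, wan_port: int, now: float) -> Optional[Endpoint]:
        """A packet arrives from the Internet: forward it only if a live
        mapping exists for this WAN port and the sender is the mapped remote."""
        m = self.table.get(wan_port)
        if m is None or now - m.last_seen > self.idle_timeout or m.remote != src:
            self.dropped.append((src, wan_port))
            return None
        m.last_seen = now
        return m.lan


def demo() -> dict:
    """Phone registers, registrar answers, a stranger is dropped, idle entry expires."""
    router = NatRouter("203.0.113.5")                    # constructed WAN address
    phone = ("192.168.10.20", 5060)                      # constructed LAN phone
    registrar = ("192.0.2.10", 5060)                     # constructed registrar IP
    public = router.outbound(phone, registrar, now=0.0)  # REGISTER leaves the LAN
    return {
        "public": public,
        "reply": router.inbound(registrar, public[1], now=1.0),                 # 200 OK -> phone
        "stray": router.inbound(("198.51.100.77", 5060), public[1], now=2.0),  # unsolicited
        "unmapped": router.inbound(registrar, 5060, now=2.0),                   # no entry
        "expired": router.inbound(registrar, public[1], now=100.0),             # idle too long
        "dropped": len(router.dropped),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "expired" case is the practical consequence of this behaviour: the phone has to keep re-registering (or sending keepalives) so the NAT entry stays alive, otherwise incoming calls from the registrar no longer find a mapping.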
Prioritize VoIP data traffic (QoS)
Regardless of the installation variant, it is always an advantage to prioritize Voice over IP data traffic in the network. Many routers and firewall solutions offer the QoS (Quality of Service) function for this purpose, which should be activated if possible and configured for SIP and RTP data.
Exclude interference from other network services
The following services can have a negative impact on IP telephony and should therefore be deactivated as far as possible:
- SIP-ALG (SIP Application Layer Gateway)
- IGMP snooping (monitoring of the Internet Group Management Protocol)
- ICMP (Internet Control Message Protocol)
Do not configure telephones in subnets
In more complex installations, additional network hardware is often used to extend the range or connect more devices. However, this also makes it more difficult to identify (disruptive) influences. For example, if a subnet is managed by an active switch, the above-mentioned services can be activated there unnoticed and impair IP telephony in the network.
The use of these techniques is of course possible, but requires advanced knowledge of network technology and the configuration of internal routing. In case of doubt, the above-mentioned services should therefore be deactivated on all devices or telephones (if possible) should not be connected via these subnets.
Product-specific information
You will also find detailed information on the individual application areas here:
- One phone number with one end device
- Telephone system (PBX)
- Easybell Cloud PBX
- Easybell app
One phone number with one end device
The simplest variant is for home and small installations. If only a single telephone is registered to a single telephone number at home or in the office, only a few points need to be observed.
With most IP telephones, SIP registration takes place as standard via SIP port 5060 with the UDP or TCP protocol; alternatively, you can also set up your device on SIP port 5064. A port range of 20000-50000 (UDP or TCP) is used here for audio transmission.
Furthermore, with these installations it is only necessary to ensure that the SIP-ALG and IGMP snooping services are deactivated, which is the default on most routers for home and small installations.
Mode | SIP port | Port range | Registrar
---|---|---|---
unencrypted | 5060 (UDP/TCP) or 5064 | 20000 - 50000 (UDP/TCP) | voip.easybell.de
encrypted | 5061 (TLS) | 20000 - 50000 (TLS) | voip.easybell.de
Telephone system
Telephone systems with one or more SIP trunks (connection with number block) are often used in the business sector.
SIP registration usually takes place as standard via SIP port 5060 with the UDP or TCP protocol; alternatively, you can set your system to port 5064. A port range of 20000-50000 (UDP or TCP) is used for audio transmission.
Please note that many system manufacturers require specific settings for the function and accessibility of the telephone system. Please refer to the documentation for your chosen PBX.
Larger, more complex networks naturally use more hardware, and these active elements influence the infrastructure. For example, it is not uncommon for active switches and/or other routers that manage subnets to provide services such as SIP-ALG, IGMP snooping and ICMP, or to have them activated by default. These factors can influence or even disrupt the functions of IP telephony in the network. Care must therefore be taken to ensure that the aforementioned services and functions are also deactivated on these additional devices.
It is also important to note that complex network constructions with subnets and/or VLANs can impair the functionalities. The use of these technologies is of course possible, but requires advanced knowledge of network technology and the configuration of internal routing.
If you are using a redundant Internet connection, please ensure that the SIP traffic is only routed via one line, as otherwise there may be difficulties with registration or telephone calls.
Mode | SIP port | Port range | Registrar
---|---|---|---
unencrypted | 5060 (UDP/TCP) or 5064 | 20000 - 50000 (UDP/TCP) | voip.easybell.de
encrypted | 5061 (TLS) | 20000 - 50000 (TLS) | voip.easybell.de
Devices on the Cloud PBX
If you use the Easybell Cloud PBX, your devices must be able to connect to our infrastructure. The Cloud PBX has a separate SIP registrar: pbx.easybell.de. To ensure the functionality of the web interface and a smooth process, the domain ctad.easybell.de must also be released.
The Cloud PBX uses SIP port 5060 and the port range 10000 - 50000 for audio transmission. UDP or TCP is used as the protocol.
When using the Cloud PBX, care should also be taken to ensure that no additional services such as SIP ALG etc. are active in the local network(s) in which the telephones are registered.
Only port 443 for HTTPS is required for the automatic provisioning of the telephones in the Cloud PBX. This is usually already enabled in every router.
Mode | SIP port | Port range | Registrar
---|---|---|---
unencrypted | 5060 (UDP/TCP) | 10000 - 50000 (UDP/TCP) | pbx.easybell.de
encrypted | 5061 (TLS) | 10000 - 50000 (TLS) | pbx.easybell.de
Easybell app
For the Easybell app, ports 4998, 5000, 4210 and 4280 (TCP in each case) must be enabled for SIP traffic. In addition, ports 4998 and 10000-20000 (UDP) must be enabled for the application's RTP packets. The hosts to which the application logs on are webrtc.easybell.de and webrtc2.easybell.de.
Encryption of telephony via the Easybell app is not yet technically possible.
SIP | RTP | Hosts
---|---|---
4998, 5000, 4210 and 4280 (TCP) | 4998, 10000-20000 (UDP) | webrtc.easybell.de & webrtc2.easybell.de
