How do I need to configure my firewall for easybell VoIP and SIP trunking?
The correct settings of a firewall depend on numerous factors in addition to the type of telephone connection. Due to the large number of possible installations and firewall systems on the market, we have kept this article as precise as necessary, but as general as possible.
Foremost, we give some general advice on how to set up firewalls, which should already be sufficient in most cases. We then go into detail about specific areas of application.
General settings
Open ports
It is important that the ports and protocols suitable for your product are enabled in the firewall.
For unencrypted telephony, the UDP protocol is always used; the ports can be found in the following table:
Please note that a forwarding is not the same as opening ports. In general, we strongly recommend not to use fixed port forwarding!
SIP port | RTP port | Registrar | |
---|---|---|---|
Single phone numbers | 5060 or 5064 (UDP/TCP) | 20000 - 50000 (UDP/TCP) | sip.easybell.de or voip.easybell.de |
Number blocks | 5060 or 5064 (UDP/TCP) | 20000 - 50000 (UDP/TCP) | sip.easybell.de or voip.easybell.de |
easybell Cloud Telefonanlage | 5060 (UDP/TCP) | 10000 - 50000 (UDP/TCP) | pbx.easybell.de |
easybell VoIP to go App | 5060 (UDP) | 10000 - 20000 (UDP) |
Special features of the Cloud Telefonanlage
Please note that the Cloud Telefonanlage also requires access to the domain ctad.easybell.de. If you want to use the automatic configuration of devices, please also ensure that port 443 is enabled for https.
Special features of encrypted telephony
In most cases, the enabled SIP port and the registrar must be changed in order to encrypt telephony. The protocol is then TLS, the ports can be found in the following table.
Please note that connections with DNS-SRV and the VoIP to go app cannot be encrypted yet.
SIP port | RTP port | Registrar | |
---|---|---|---|
Individual phone numbers | 5061 (TLS) | 20000 - 50000 (TLS) | secure.sip.easybell.de |
Phone number blocks | 5061 (TLS) | 20000 - 50000 (TLS) | secure.sip.easybell.de |
easybell Cloud Telefonanlage | 5061 (TLS) | 10000 - 50000 (TLS) | secure.pbx.easybell.de |
Using NAT as an additional security feature
In 95% of use cases, it makes more sense to use NAT as an additional security feature than to adjust the firewall configuration and risk blocking any necessary connections in the process.
NAT stands for "Network Address Translation" and is a function integrated in most routers. For connections to the Internet, a different public address is communicated instead of the local network address (LAN). Replies are accepted under this public "identity" and forwarded to the local network device. The router stores the assignment of local address to WAN address in the so-called NAT table.
The special feature is that the data is only forwarded to the device if an outgoing connection had previously been established. This mode of operation usually complements IP telephony perfectly. This is because with Voice over IP, a connection is always first established from the local network to the Internet, either when a device is registered or when an outgoing call is made. With NAT, the router will then provide a WAN address and then forward responses from this public (WAN) to the local address (LAN). The exchange of data packets is therefore ensured in both directions.
At the same time, all unauthorized access from outside is blocked - NAT thus acts like a rudimentary firewall.
Be careful with too restrictive settings
The more you restrict the shares in the firewall, the more secure the infrastructure behind it. However, proceed with caution to prevent desired connections from being blocked.
- Always use the desired server address (FQDN), e.g. voip.easybell.de for shares. The IP addresses behind this can change at any time.
- For outgoing connections, you can restrict the shares to the internal IPs of the PBX/phones.
- For incoming connections, you can restrict the shares to the registrar used (e.g. sip.easybell.de). However, you must then ensure that the telephones in the local network are assigned fixed IP addresses, which is not the case with a default setting to DHCP.
Note the special features of the devices
Hardware and firewalls can differ greatly. Therefore, be sure to also pay attention to additional instructions from the manufacturers.
Prioritize VoIP traffic (QoS)
Regardless of the installation variant, it is always advantageous to prioritize voice-over-IP data traffic in the network. Many routers and firewall solutions offer the QoS (Quality of Service) function for this purpose, which should be activated if possible and configured for SIP and RTP data.
Exclude interference from other network services
The following services can have a negative impact on IP telephony and should therefore be disabled as far as possible:
- SIP-ALG (SIP application layer gateway)
- IGMP snooping (Internet Group Management Protocol monitoring)
- ICMP (Internet Control Message Protocol)
If possible, do not configure telephones in subnets
In more complex installations, additional network hardware is often used to extend the range or to connect more devices. However, this also makes it more difficult to identify (interference) influences. If, for example, a subnet is managed by an active switch, the services mentioned above may be activated there unnoticed and affect IP telephony in the network.
The use of these techniques is of course possible, but requires advanced knowledge of network technology and configuration of internal routings. If in doubt, the above services should therefore be deactivated on all devices or telephones should not be connected via these subnets.
Product specific notes
In addition, you will find detailed explanations of the individual application areas here:
Single telephone number with one device
Telephone system with call number block/blocks
easybell single phone number with one device
The easiest variant is the one for home and small installations. If at home or in the office only a single phone is registered to a single phone number, only a few points need to be taken into account.
SIP registration is done by default on most IP phones using SIP port 5060 with UDP or TCP protocol, alternatively you can set your device to SIP port 5064. A port range of 20000-50000 (UDP or TCP) is used here for audio transmission.
Furthermore, you only have to make sure that the services SIP-ALG and IGMP snooping are deactivated for these installations, which most routers for home and small installations come with out of the box.
If you want to be on the safe side and your firewall allows it, you can limit the port shares to the local IP address of the phone and the hostname of our registrar (sip.easybell.de). To do this, the phone must be assigned a fixed IP address in the local network. By default, the phones are configured to DHCP, where the IP address in the local network changes regularly. In this case, IP restriction naturally leads to problems.
SIP port | Port range | Registrar | |
---|---|---|---|
unencrypted | 5060 (UDP/TCP) or 5064 | 20000 - 50000 (UDP/TCP) | sip.easybell.de or voip.easybell.de |
encrypted | 5061 (TLS) | 20000 - 50000 (TLS) | secure.sip.easybell.de |
Telephone system with call number block/blocks
In the business sector, telephone systems with one or more SIP trunks (connection with number block) are often used.
SIP registration usually takes place by default via SIP port 5060 with the UDP or TCP protocol, alternatively you can set your system to port 5064. A port range of 20000-50000 (UDP or TCP) is used here for audio transmission.
It should only be noted that many system manufacturers still require specific settings for the function and accessibility of the telephone system. These can be found in the documentation of your selected PBX.
Furthermore, it is often the case that in larger, more complex networks, of course, more hardware is used, which influences the infrastructure with active elements. For example, it is not uncommon for active switches and/or additional routers that manage subnets to provide the services SIP-ALG, IGMP snooping, ICMP, etc. or to have them activated by default. These are factors that can influence or even disrupt the functions of IP telephony in the network. Care must therefore be taken here to ensure that these additional devices also have the aforementioned services and functions disabled.
It is also important to note that complex network constructions with subnets and/or VLANs can impair the functionalities. The use of these techniques is of course possible, but requires advanced knowledge of network technology and configuration of internal routings.
If you use a redundant Internet connection or DNS-SRV, please register your devices on the voip.easybell.de registrar and adjust the firewall rules accordingly to avoid registration problems or audio problems.
SIP port | Port range | Registrar | |
---|---|---|---|
unencrypted | 5060 or 5064 (UDP/TCP) | 20000 - 50000 (UDP/TCP) | sip.easybell.de or voip.easybell.de |
encrypted | 5061 (TLS) | 20000 - 50000 (TLS) | secure.sip.easybell.de |
Multiple telephones on one easybell trunk with virtual extensions
The Cloud Telefonanlage from easybell offers numerous business functions such as call pickup, busy lamp fields, speed dialing, etc. If you can do without these, easybell gives you the option of registering multiple devices on a SIP trunk without a telephone system. To do this, you first need to set up virtual extensions in the customer portal in order to generate separate registration data for each individual device.
The necessary settings in the firewall are identical to those for individual phone numbers.
Devices of the Cloud Telefonanlage
If you use a Cloud Telefonanlage, your devices must be able to connect to our infrastructure. The Cloud Telefonanlage has a separate SIP registrar: pbx.easybell.de. To ensure the functionality of the web interface and a smooth process, the domain ctad.easybell.de must also be released.
The Cloud Telefonanlage uses SIP port 5060. In the Cloud Telefonanlage, audio transmission takes place in the port range 10000 - 50000UDP or TCP is used as the protocol.
When using the easybell Cloud Telefonanlage, care should also be taken to ensure that no additional services such as SIP ALG etc. are active in the local network(s) in which the telephones are registered.
For automatic provisioning of the phones in the Cloud Telefonanlage, only port 443 for HTTPs is required. This is usually already enabled in each router.
SIP port | Port range | Registrar | |
---|---|---|---|
unencrypted | 5060 (UDP/TCP) | 10000 - 50000 (UDP/TCP) | pbx.easybell.de |
encrypted | 5061 (TLS) | 10000 - 50000 (TLS) | secure.pbx.easybell.de |
Easybell app
Whether in the Cloud Telefonanlage or with a SIP Trunk, with a single phone number or a virtual extension, with the free Easybell app you can turn any smartphone with iOS or Android into an IP phone.
For the Easybell app, ports 4998, 5000, 4210 and 4280 (TCP in each case) must be enabled for SIP traffic. In addition, ports 4998, 10000-20000 (UDP) for the application's RTP packets. The hosts to which the application logs on are webrtc2.easybell.de and webrtc.easybell.de .
Of course, the settings are only necessary if the Easybell app is used in the respective local WLAN. Use via the phone's mobile data does not require any adjustments to the local network. With more complex firewall solutions, it should be noted that there are often separate rules for the LAN and WLAN interfaces.
Encryption of telephony via the Easybell app is not yet technically possible.
SIP ports | RTP packets | Hosts |
---|---|---|
4998, 5000, 4210 and 4280 (TCP) | 4998, 10000-20000 (UDP) | webrtc.easybell.de & webrtc2.easybell.de |