How to set firewall to enable SIP based VoIP application?

PC Best Networks
Version 1.02 May 24, 2009
Assume that your SIP device has the following settings:
SIP Port: UDP 5060
RTP Port: UDP 10000
SIP Account Provider: sip2.stinghlr.net (77.240.208.253)
STUN Server: stun.xten.com (75.101.138.128)
There are several ways to set the network environment for your SIP application.
Case 1: In an open connection
In this case, the device that runs the SIP application has direct access to the Internet
with a public IP address. You only need to open the firewall for the application.
[Diagram: the SIP application (UDP 5060, UDP 10000-10020) connects over the Internet to sip2.stinghlr.net (77.240.208.253; SIP port: UDP 5060; RTP port: dynamic exchange) and to stun.xten.com (75.101.138.128; UDP 3478, UDP 3479).]
Firewall rule:
Enable UDP traffic from local:5060 to 77.240.208.253:5060, and vice versa.
Enable UDP traffic from local:10000 to 77.240.208.253:any port, and vice versa.
Enable UDP traffic from local:5060 to any address:3478 and 3479.
Case 2: In the NAT, but with public IP address or in DMZ
In this case, the device that runs the SIP application sits behind the NAT, but either has
a public IP address, or the router's DMZ is set to direct all incoming traffic to this
internal machine.
[Diagram: the SIP application (with public IP or DMZed) sits behind the router's NAT and a firewall, and connects over the Internet to sip2.stinghlr.net (77.240.208.253; SIP port: UDP 5060; RTP port: dynamic exchange) and to stun.xten.com (75.101.138.128; UDP 3478, UDP 3479).]
Firewall rule:
Enable UDP traffic from public-ip:5060 to 77.240.208.253:5060, and vice versa.
Enable UDP traffic from public-ip:10000 to 77.240.208.253:any port, and vice versa.
Enable UDP traffic from public-ip:5060 to any address:3478 and 3479.
Case 3: In the NAT, with private IP address
In this case, the device that runs the SIP application sits behind the NAT and has a
private IP address such as 192.168.1.102, 10.98.4.210, ….
[Diagram: the SIP application (with a private IP like 192.168.1.102) sits behind the NAT of a router (with a public IP like 201.222.99.45) and a firewall, and connects over the Internet to sip2.stinghlr.net (77.240.208.253; SIP port: UDP 5060; RTP port: dynamic exchange) and to stun.xten.com (75.101.138.128; UDP 3478, UDP 3479).]
Firewall rule (assume the router's public IP is 201.222.99.45):
Enable UDP traffic from 192.168.1.102:5060 to 77.240.208.253:5060, preferably sent out
with source 201.222.99.45:5060.
Enable UDP traffic from 192.168.1.102:10000 to 77.240.208.253:any port, preferably sent
out with source 201.222.99.45:10000.
Enable UDP traffic from 192.168.1.102:5060 to any address:3478 and 3479.
Port forwarding rules:
Forward any UDP traffic from 77.240.208.253:5060 arriving at 201.222.99.45:5060 to
192.168.1.102:5060.
Forward any UDP traffic from 77.240.208.253 arriving at 201.222.99.45:10000 to
192.168.1.102:10000.
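
The Case 3 firewall and port forwarding rules above, written out as an iptables ruleset. This is an added example, not part of the original document; it assumes a Linux router running iptables, a WAN interface named eth0 and a default-drop FORWARD policy, none of which the document specifies.

```shell
#!/bin/sh
# Added example: emit the Case 3 rules in iptables-restore format.
# Assumptions (not from the document): Linux router with iptables, WAN
# interface name passed as $4, default-drop FORWARD policy.
# Validate without applying:  sh this_script.sh | iptables-restore --test

sip_case3_rules() {
    lan_ip=$1 pub_ip=$2 provider=$3 wan_if=$4
    sip=5060 rtp=10000
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port forwarding: only the SIP provider is forwarded to the SIP and RTP ports.
-A PREROUTING -i $wan_if -p udp -s $provider --sport $sip -d $pub_ip --dport $sip -j DNAT --to-destination $lan_ip:$sip
-A PREROUTING -i $wan_if -p udp -s $provider -d $pub_ip --dport $rtp -j DNAT --to-destination $lan_ip:$rtp
# Send out from public-ip with the same port, so the provider's replies match.
-A POSTROUTING -o $wan_if -p udp -s $lan_ip --sport $sip -j SNAT --to-source $pub_ip:$sip
-A POSTROUTING -o $wan_if -p udp -s $lan_ip --sport $rtp -j SNAT --to-source $pub_ip:$rtp
COMMIT
*filter
# INPUT/OUTPUT policies are outside the scope of this example.
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Outbound: SIP and RTP to the provider only, STUN to any address.
-A FORWARD -o $wan_if -p udp -s $lan_ip --sport $sip -d $provider --dport $sip -j ACCEPT
-A FORWARD -o $wan_if -p udp -s $lan_ip --sport $rtp -d $provider -j ACCEPT
-A FORWARD -o $wan_if -p udp -s $lan_ip --sport $sip -m multiport --dports 3478,3479 -j ACCEPT
# Inbound: the forwarded provider traffic, plus replies to flows opened above.
-A FORWARD -i $wan_if -p udp -s $provider --sport $sip -d $lan_ip --dport $sip -j ACCEPT
-A FORWARD -i $wan_if -p udp -s $provider -d $lan_ip --dport $rtp -j ACCEPT
-A FORWARD -i $wan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# The document's example addresses; eth0 is an assumed interface name.
sip_case3_rules 192.168.1.102 201.222.99.45 77.240.208.253 eth0
```

Because every forward and accept rule names 77.240.208.253 as the peer, UDP 5060 traffic from any other Internet address is not forwarded and falls to the FORWARD drop policy.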