Hosted VoIP Firewall Requirements

Hosted VoIP Firewall Requirements

  • Introduction

The purpose of this document is to define the firewall and general router configuration necessary to implement B4BC’s Voice over Internet Protocol (VoIP) communications on a local area network.


This document is intended to be vendor neutral and is aimed primarily at readers who are not necessarily IT professionals, so explanations are offered throughout to justify the changes requested within, however some networking knowledge is assumed.

  • Firewall

Traffic to/from to the following IP Addresses must be permitted. 


We recommend allowing the entire range of addresses listed below as this will allow for future expansion of the VoIP Network while reducing the likelihood that you will have to modify your firewall rules in future.


IP Range 1

Ports

IP Range 2

Ports

194.50.55.0/24

UDP 5060

194.50.56.0/24

UDP 5060

UDP 10000 - 50000

UDP 10000 - 50000

UDP 53

UDP 53

UDP 123

UDP 123

UDP 21059

UDP 21059

TCP 80

TCP 80

TCP 443 + 8443

TCP 443 + 8443

TCP 21050 - 21051

TCP 21050 - 21051


If your network administrator insists on locking down to specific IP Addresses, the list is below:

Please note, these IP Addresses are subject to change.


IP Address

Ports

Function

URL

194.50.56.35

UDP 5060

Phone Registration

hosted.sip2sip.net

194.50.56.39

UDP 5060 + 10000 to 20000

Voice Media Traffic

ast1.sip2sip.net

194.50.56.40

UDP 5060 + 10000 to 20000

Voice Media Traffic

ast2.sip2sip.net

194.50.56.30

UDP 5060 + 10000 to 20000

Voice Media Traffic

ast3.sip2sip.net

194.50.56.29

UDP 5060 + 10000 to 20000

Voice Media Traffic

ast4.sip2sip.net

194.50.56.28

UDP 5060 + 10000 to 20000

Voice Media Traffic

ast5.sip2sip.net

194.50.56.27

UDP 5060 + 10000 to 20000

Voice Media Traffic

ast6.sip2sip.net

194.50.56.31

UDP 5060 + 10000 to 20000

Voice Media Traffic

ast7.sip2sip.net

194.50.56.32

UDP 5060 + 10000 to 20000

Voice Media Traffic

ast8.sip2sip.net

194.50.56.23

UDP 5060 + 10000 to 20000

Voice Media Traffic

ast9.sip2sip.net

194.50.56.24

UDP 5060 + 10000 to 20000

Voice Media Traffic

ast10.sip2sip.net

194.50.56.26

TCP 21050 - 21051 + UDP 21059

CTI Server

uc.sip2sip.net

194.50.56.37

TCP 80 + 443

Web Portal

hosted.b4bc.co.uk

194.50.55.17

UDP 53

DNS

ns1.sip2sip.net

194.50.55.15

UDP 53

DNS

ns2.sip2sip.net

194.50.55.15

UDP 123

NTP

ntp.sip2sip.net

194.50.56.71

TCP 80 + TCP 443

Phone Provisioning

provision.sip2sip.net

194.50.56.71
TCP 20 - 25
Transfer Server
extservices.sip2sip.net
194.50.56.72
TCP 20 - 25
Transfer Server 1
extservices1.sip2sip.net
194.50.56.73
TCP 20 - 25
Transfer Server 2
extservices2.sip2sip.net
194.50.56.116
UDP 30000 - 50000
WebRTC Mobex 1
webrtc-rtp1.sip2sip.net
194.50.56.119
TCP 8443 + 443WebRTC Mobex 2
webrtc-drac1.sip2sip.net

If the above ports and IP Addresses are not permitted, various issues such as non registration, dropped calls or one way speech could occur.

  • DHCP

The preferred IP address assignment mechanism is DHCP as installations typically take less time to complete. Static address assignments are only used when absolutely necessary. Please also refer to the section relating to VLAN.

  • SIP ALG (Also known as SIP Transformations / SIP Helper / SIP Inspection)

SIP ALG must always be disabled on the sites router/firewall.


SIP Application Layer Gateway (SIP ALG) is common in many routers and in most cases enabled by default. Its primary use is to modify VoIP packets to aid NAT traversal. Active SIP ALG has been known to cause a plethora of problems caused by adjusting VoIP packets incorrectly, manifesting in a range of intermittent issues such as one way audio, dropped calls, problems transferring calls and handsets dropping registration.


For instructions on disabling SIP ALG, please refer to your router’s documentation.


B4BC will be unable to accept any faults or issues with its VoIP service if SIP ALG is enabled.

  • UDP NAT Session Timeout

B4BC configures its VoIP user agents to perform a SIP registration every 600 seconds with the ITSP. This is an outbound initiated connection utilising the UDP protocol. The purpose of the registration is to inform the ITSP how to route calls to the respective user agent.


Many routers terminate idle UDP sessions after only a few seconds.  The effect of this is that following SIP registration, inbound calls will only be successful for those first few seconds after registration. After this period, inbound calls will fail (Assuming the UDP connection has been idle) until the registration expires and the user agent re-registers.


To prevent this scenario, it is vitally important that the edge router’s UDP NAT session timer is set to a value of at least 620 seconds. Please refer to your vendor’s documentation for instruction.

  • Quality of Service

Quality of service (QOS) refers to the ability of your router to prioritize voice traffic (VoIP) differently than regular internet traffic on your network. VoIP is a real time protocol which means that if information is lost or delayed it will result in a noticeable drop in call quality or a complete loss of it. Symptoms of network congestion include garbled audio, dropped calls and echo.


B4BC recommend that all VoIP installations have QOS enabled, however in certain scenarios, QOS may not be effective due to insufficient WAN bandwidth, and a 2nd internet connection intended for the sole transmission of VoIP may be required.


A typical VoIP call comprises of two components; signalling (establishing, maintaining and finalizing calls (SIP)) and voice media (your actual conversation (RTP)).


SIP will use a maximum of 65.5 kbits per call and RTP will require 87 kbps per call.


To this end, 153 kbps (rounded off) per phone on your network must be reserved and prioritised to ensure acceptable call quality.


  • Virtual LAN

We can accommodate VLANs if necessary. If your network has different subnets for various purposes, please let us know which network you would like us to use, or if you require the use of statically assigned IP Addresses.

We will need to know in advance which physical port to connect to in the case of port based VLANs, or any VLAN Tags which may be required for IEEE802.1Q type networks.


Disclaimer:

The information contained within in this document may change to keep abreast of current trends.  Best 4 Business Communications cannot accept responsibility for costs you may incur should it be necessary to modify your network as a result of an update to this information.


    • Related Articles

    • Wildix Firewall Requirements

      Your Wildix PBX will be hosted on Amazon's Web Services (AWS) and will be assigned a unique IP Address. Your firewall must be configured to permit the following ports and protocols to *.wildixin.com TCP 80 (HTTP) TCP 443 (HTTPS) TCP 5060 - 5061 (SIP) ...
    • Prerequisites for a VoIPSure deployment

      Connectivity: Reliable high speed Internet Connection Email Access - each user must have a unique and valid email address, and the ability to access their emails from wherever they intend using the VoIP service. Firewall configuration - VoIP traffic ...
    • Panasonic NS SIP Trunk Requirements

      Panasonic NS700 SIP Trunk Requirements 1. Introduction The purpose of this document is to define the firewall and general router configuration necessary to implement Voice over Internet Protocol (VoIP) communications using a Panasonic PBX across a ...
    • NEC SL1100/SL2100 SIP Trunk Requirements

      NEC SL1100/SL2100 SIP Trunk Requirements 1. Introduction The purpose of this document is to define the firewall and general router configuration necessary to implement Voice over Internet Protocol (VoIP) communications using a NEC SL1100/2100 PBX ...
    • NEC SV9100 SIP Trunk Requirements

      Introduction The purpose of this document is to define the firewall and general router configuration necessary to implement Voice over Internet Protocol (VoIP) communications on a NEC SV9100 PBX across a local area network. Disclaimer: The ...