Hosted VoIP Firewall Requirements

  • Introduction

The purpose of this document is to define the firewall and general router configuration necessary to implement B4BC’s Voice over Internet Protocol (VoIP) communications on a local area network.

  • Firewall

Traffic to and from the following IP addresses must be permitted.

We recommend allowing the entire range of addresses listed below, as this allows for future expansion of the VoIP network while reducing the likelihood that you will have to modify your firewall rules in the future.


Source IP Address:         LAN Network or Voice VLAN
Source Port:               1023 - 65535
Destination IP Addresses:  194.50.55.0/24
                           194.50.56.0/24
                           52.29.124.181
                           3.124.165.251
                           119.28.67.228
                           52.221.130.73
Destination Ports:         TCP 20 - 25
                           TCP 389
                           TCP/UDP 3478
                           TCP 80
                           TCP 443
                           TCP 8443
                           TCP 21050 - 21051
                           UDP 21059
                           UDP 5060
                           UDP 10000 - 20000
                           UDP 30000 - 50000

Note that the detailed list below also requires UDP 53 (DNS to ns1/ns2.sip2sip.net) and UDP 123 (NTP to ntp.sip2sip.net), which the port list above does not include, and that the WebRTC statistics endpoint sqs.eu-west-2.amazonaws.com has no fixed address listed and must be permitted by hostname. Treat both as part of this summary rule set.

If your network administrator insists on locking down to specific IP Addresses, the list is below:

Please note, these IP Addresses are subject to change.


The source for every row is the LAN Network or Voice VLAN, source ports 1023 - 65535.

Destination IP    Destination Port            Destination URL               Purpose
194.50.56.35      UDP 5060                    hosted.sip2sip.net            Registration
194.50.56.39      UDP 5060 & 10000 - 20000    ast1.sip2sip.net              RTP & SIP
194.50.56.40      UDP 5060 & 10000 - 20000    ast2.sip2sip.net              RTP & SIP
194.50.56.30      UDP 5060 & 10000 - 20000    ast3.sip2sip.net              RTP & SIP
194.50.56.29      UDP 5060 & 10000 - 20000    ast4.sip2sip.net              RTP & SIP
194.50.56.28      UDP 5060 & 10000 - 20000    ast5.sip2sip.net              RTP & SIP
194.50.56.27      UDP 5060 & 10000 - 20000    ast6.sip2sip.net              RTP & SIP
194.50.56.31      UDP 5060 & 10000 - 20000    ast7.sip2sip.net              RTP & SIP
194.50.56.32      UDP 5060 & 10000 - 20000    ast8.sip2sip.net              RTP & SIP
194.50.56.49      UDP 5060 & 10000 - 20000    ast9.sip2sip.net              RTP & SIP
194.50.56.50      UDP 5060 & 10000 - 20000    ast10.sip2sip.net             RTP & SIP
194.50.56.23      UDP 5060 & 10000 - 20000    ast1-vm.sip2sip.net           RTP & SIP
194.50.56.24      UDP 5060 & 10000 - 20000    ast2-vm.sip2sip.net           RTP & SIP
194.50.56.51      UDP 5060 & 10000 - 20000    ast3-vm.sip2sip.net           RTP & SIP
194.50.56.52      UDP 5060 & 10000 - 20000    ast4-vm.sip2sip.net           RTP & SIP
194.50.55.17      UDP 53                      ns1.sip2sip.net               DNS
194.50.55.15      UDP 53                      ns2.sip2sip.net               DNS
194.50.55.15      UDP 123                     ntp.sip2sip.net               NTP
194.50.56.15      TCP 80, 443 & 8443          haproxy.sip2sip.net           Services
194.50.56.37      TCP 80 & 443                hosted.b4bc.co.uk             Web Portal
194.50.56.71      TCP 20 - 25 & 389           extservices.sip2sip.net       FTP/SFTP, SMTP, LDAP
194.50.56.72      TCP 20 - 25 & 389           extservices1.sip2sip.net      FTP/SFTP, SMTP, LDAP
194.50.56.73      TCP 20 - 25 & 389           extservices2.sip2sip.net      FTP/SFTP, SMTP, LDAP
194.50.56.58      UDP/TCP 3478                stun1.sip2sip.net             STUN
194.50.56.59      UDP/TCP 3478                stun2.sip2sip.net             STUN
194.50.56.116     UDP 30000 - 50000           webrtc1.sip2sip.net           Mobex
194.50.56.119     UDP 30000 - 50000           webrtc2.sip2sip.net           Mobex
194.50.56.114     UDP 30000 - 50000           webrtc-drac1.sip2sip.net      Mobex (to be deprecated)
194.50.56.114     TCP 443 & 8443              webrtc-drac1.sip2sip.net      Mobex (to be deprecated)
(not listed)      TCP 443                     sqs.eu-west-2.amazonaws.com   WebRTC Stats
194.50.56.26      TCP 21050 - 21051           uc.sip2sip.net                UC Plus (CTI)
194.50.56.26      UDP 21059                   uc.sip2sip.net                UC Plus (CTI)
3.124.165.251     TCP 80 & 443                rpscloud.yealink.com          Redirect
119.28.67.228     TCP 80 & 443                fdps.fanvil.com               Redirect
52.221.130.73     TCP 80 & 443                fm.grandstream.com            Redirect
52.29.124.181     TCP 80 & 443                rps.yealink.com               Redirect
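
As an added worked example (ours, not B4BC's own tooling), the Python below holds the detailed table as data, parses the table's own port notation, answers whether a given outbound flow is permitted, checks every detailed row against the summary rule at the top of this section, and renders an nftables forward chain that implements the list. The voice VLAN subnet 10.10.20.0/24 is an assumption and must be replaced with your own; every address, port and hostname is transcribed from the table above. The SQS endpoint has no fixed address on the page, so it is kept in the data but left out of the rendered rules.

```python
import ipaddress
import re

VOICE_VLAN = "10.10.20.0/24"   # ASSUMED local voice subnet; replace with your own
SRC_PORTS = (1023, 65535)      # source port range used by every row of the table

# Media/SIP servers from the table: all take UDP 5060 and RTP on UDP 10000-20000.
ASTERISK = {
    "ast1": "194.50.56.39", "ast2": "194.50.56.40", "ast3": "194.50.56.30",
    "ast4": "194.50.56.29", "ast5": "194.50.56.28", "ast6": "194.50.56.27",
    "ast7": "194.50.56.31", "ast8": "194.50.56.32", "ast9": "194.50.56.49",
    "ast10": "194.50.56.50", "ast1-vm": "194.50.56.23", "ast2-vm": "194.50.56.24",
    "ast3-vm": "194.50.56.51", "ast4-vm": "194.50.56.52",
}

# (destination IP or None, port spec in the table's own notation, hostname, purpose)
ROWS = [
    ("194.50.56.35", "UDP 5060", "hosted.sip2sip.net", "Registration"),
    *[(ip, "UDP 5060 & 10000 - 20000", f"{h}.sip2sip.net", "RTP & SIP") for h, ip in ASTERISK.items()],
    ("194.50.55.17", "UDP 53", "ns1.sip2sip.net", "DNS"),
    ("194.50.55.15", "UDP 53", "ns2.sip2sip.net", "DNS"),
    ("194.50.55.15", "UDP 123", "ntp.sip2sip.net", "NTP"),
    ("194.50.56.15", "TCP 80, 443 & 8443", "haproxy.sip2sip.net", "Services"),
    ("194.50.56.37", "TCP 80 & 443", "hosted.b4bc.co.uk", "Web Portal"),
    *[(f"194.50.56.{n}", "TCP 20 - 25 & 389", f"{h}.sip2sip.net", "FTP/SFTP, SMTP, LDAP")
      for n, h in ((71, "extservices"), (72, "extservices1"), (73, "extservices2"))],
    ("194.50.56.58", "UDP/TCP 3478", "stun1.sip2sip.net", "STUN"),
    ("194.50.56.59", "UDP/TCP 3478", "stun2.sip2sip.net", "STUN"),
    ("194.50.56.116", "UDP 30000 - 50000", "webrtc1.sip2sip.net", "Mobex"),
    ("194.50.56.119", "UDP 30000 - 50000", "webrtc2.sip2sip.net", "Mobex"),
    ("194.50.56.114", "UDP 30000 - 50000", "webrtc-drac1.sip2sip.net", "Mobex (to be deprecated)"),
    ("194.50.56.114", "TCP 443 & 8443", "webrtc-drac1.sip2sip.net", "Mobex (to be deprecated)"),
    (None, "TCP 443", "sqs.eu-west-2.amazonaws.com", "WebRTC Stats"),   # no fixed IP on the page
    ("194.50.56.26", "TCP 21050 - 21051", "uc.sip2sip.net", "UC Plus (CTI)"),
    ("194.50.56.26", "UDP 21059", "uc.sip2sip.net", "UC Plus (CTI)"),
    ("3.124.165.251", "TCP 80 & 443", "rpscloud.yealink.com", "Redirect"),
    ("119.28.67.228", "TCP 80 & 443", "fdps.fanvil.com", "Redirect"),
    ("52.221.130.73", "TCP 80 & 443", "fm.grandstream.com", "Redirect"),
    ("52.29.124.181", "TCP 80 & 443", "rps.yealink.com", "Redirect"),
]

# The "allow the whole range" summary from the top of the section.
SUMMARY_NETS = ["194.50.55.0/24", "194.50.56.0/24", "52.29.124.181",
                "3.124.165.251", "119.28.67.228", "52.221.130.73"]
SUMMARY_PORTS = ["TCP 20 - 25", "TCP 389", "TCP/UDP 3478", "TCP 80", "TCP 443", "TCP 8443",
                 "TCP 21050 - 21051", "UDP 21059", "UDP 5060", "UDP 10000 - 20000",
                 "UDP 30000 - 50000"]


def parse_spec(spec):
    """'UDP/TCP 3478' -> [('udp',3478,3478), ('tcp',3478,3478)];
    'TCP 20 - 25 & 389' -> [('tcp',20,25), ('tcp',389,389)]."""
    protos, ports = spec.split(None, 1)
    out = []
    for item in re.split(r"[&,]", ports):
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), (int(hi) if hi.strip() else int(lo))
        out.extend((p, lo, hi) for p in protos.lower().split("/"))
    return out


def flows():
    """Expand every row into (ip, proto, first_port, last_port, host, purpose)."""
    return [(ip, p, lo, hi, host, purpose)
            for ip, spec, host, purpose in ROWS for p, lo, hi in parse_spec(spec)]


def permitted(dst_ip, proto, port):
    """Purpose of the first row matching an outbound flow, or None if it is not allowed."""
    for ip, p, lo, hi, _host, purpose in flows():
        if ip == dst_ip and p == proto.lower() and lo <= port <= hi:
            return purpose
    return None


def summary_gaps():
    """Detailed rows the summary rule would NOT permit, as (hostname, 'proto lo-hi')."""
    nets = [ipaddress.ip_network(n) for n in SUMMARY_NETS]
    ports = [t for s in SUMMARY_PORTS for t in parse_spec(s)]
    gaps = []
    for ip, p, lo, hi, host, _purpose in flows():
        if ip is None:      # SQS endpoint: no fixed address, must be allowed by name
            continue
        in_net = any(ipaddress.ip_address(ip) in n for n in nets)
        in_ports = any(p == sp and slo <= lo and hi <= shi for sp, slo, shi in ports)
        if not (in_net and in_ports):
            gaps.append((host, f"{p} {lo}-{hi}"))
    return gaps


def render_nft(voice_vlan=VOICE_VLAN):
    """nftables forward chain for a router whose forward path carries only the voice VLAN.
    Default drop plus one accept per row implements the table; the conntrack rule lets the
    ITSP's replies and the returning RTP leg back through the pinhole the phone opened."""
    lines = ["table inet voice {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for ip, p, lo, hi, host, purpose in flows():
        if ip is None:
            continue
        dport = str(lo) if lo == hi else f"{lo}-{hi}"
        lines.append(f"    ip saddr {voice_vlan} ip daddr {ip} {p} sport "
                     f"{SRC_PORTS[0]}-{SRC_PORTS[1]} {p} dport {dport} accept "
                     f'comment "{host} {purpose}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft())
    print("# rows the summary rule does not cover:", summary_gaps())
```

Running it prints the ruleset, and summary_gaps() reports the three DNS and NTP rows (UDP 53 and UDP 123) that the summary port list does not cover. The established,related rule is what carries the ITSP's responses and inbound media back through a pinhole the handset opened, which is also why the UDP NAT session timeout discussed later in this document matters.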

  1. Web Filtering

Please add the following URLs to the list of permitted destinations if your organisation uses a web filtering service, and exclude them from HTTPS inspection: intercepting their TLS sessions presents the handsets with a certificate they will not trust, so provisioning and portal access fail.

*.sip2sip.net
rps.yealink.com
rpscloud.yealink.com
fdps.fanvil.com
fm.grandstream.com

  • DHCP

The preferred IP address assignment mechanism is DHCP as installations typically take less time to complete. Static address assignments are only used when absolutely necessary. Please also refer to the section relating to VLAN.

  • SIP ALG (Also known as SIP Transformations / SIP Helper / SIP Inspection)

SIP ALG must always be disabled on the site's router/firewall.


SIP Application Layer Gateway (SIP ALG) is built into many routers and is enabled by default in most cases. It rewrites the addresses and ports carried inside SIP and SDP messages to help with NAT traversal. An active SIP ALG is known to cause a range of problems by rewriting those packets incorrectly, manifesting as intermittent issues such as one-way audio, dropped calls, failed call transfers and handsets dropping their registration.


For instructions on disabling SIP ALG, please refer to your router's documentation.


B4BC will be unable to accept any faults or issues with its VoIP service if SIP ALG is enabled.

  • UDP NAT Session Timeout

B4BC configures its VoIP user agents to perform a SIP registration with the ITSP every 600 seconds. This is an outbound-initiated connection over UDP. The purpose of the registration is to tell the ITSP how to route calls to the respective user agent; the NAT translation created by that outbound REGISTER is also what allows the ITSP's inbound call setup (INVITE) to reach the handset.


Many routers terminate idle UDP sessions after only a few seconds. The effect is that, following SIP registration, inbound calls succeed only for those first few seconds while the NAT entry is alive. Once it has timed out (assuming the UDP connection has been idle), inbound calls fail until the registration expires and the user agent re-registers.


To prevent this scenario, it is vitally important that the edge router's UDP NAT session timer is set to at least 620 seconds, that is, longer than the 600-second registration interval with a margin for timing jitter. Please refer to your router vendor's documentation for instructions.
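
On a Linux/netfilter edge router (OpenWrt and many SOHO devices) the two requirements above, SIP ALG off and a UDP NAT timeout of at least 620 seconds, correspond to the conntrack SIP helper modules and the conntrack UDP timeout sysctls. The following added example is ours, not B4BC's; it audits `lsmod` and `sysctl -a` output for both settings and prints the fix commands. The sample outputs are constructed, not captured from a real device, and show a router at typical defaults; the module and sysctl names are real Linux names, and the 620-second target is the one given in the text.

```python
import re

REGISTER_INTERVAL = 600                    # SIP REGISTER refresh interval from the text
MIN_UDP_TIMEOUT = REGISTER_INTERVAL + 20   # the page's minimum: 620 s

# On Linux the "SIP ALG" is the conntrack SIP helper; either module loaded means it is
# active. Listed in safe unload order (nf_nat_sip depends on nf_conntrack_sip).
SIP_ALG_MODULES = ("nf_nat_sip", "nf_conntrack_sip")

# Idle timeouts for UDP conntrack entries. The first applies until the far end replies;
# the _stream timer takes over once a reply has been seen (i.e. right after REGISTER and
# its 200 OK), so both must be raised or the pinhole still dies early.
UDP_TIMEOUT_KEYS = ("net.netfilter.nf_conntrack_udp_timeout",
                    "net.netfilter.nf_conntrack_udp_timeout_stream")

# Constructed sample output (not from a real device) showing the failing defaults.
SAMPLE_LSMOD = """\
Module                  Size  Used by
nf_nat_sip             16384  0
nf_conntrack_sip       32768  1 nf_nat_sip
nf_nat                 49152  2 nf_nat_sip,xt_MASQUERADE
"""
SAMPLE_SYSCTL = """\
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 120
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
"""


def loaded_sip_alg(lsmod_output):
    """SIP helper modules present in `lsmod` output, in safe rmmod order."""
    loaded = {line.split()[0] for line in lsmod_output.splitlines()[1:] if line.strip()}
    return [m for m in SIP_ALG_MODULES if m in loaded]


def udp_timeouts(sysctl_output):
    """{sysctl key: seconds} for the UDP conntrack timers found in `sysctl -a` output."""
    found = {}
    for line in sysctl_output.splitlines():
        m = re.match(r"\s*(\S+)\s*=\s*(\d+)\s*$", line)
        if m and m.group(1) in UDP_TIMEOUT_KEYS:
            found[m.group(1)] = int(m.group(2))
    return found


def inbound_window(nat_timeout, interval=REGISTER_INTERVAL):
    """Seconds per registration period during which an inbound INVITE still finds an open
    pinhole: the entry goes idle after the REGISTER exchange and expires after nat_timeout."""
    return min(nat_timeout, interval)


def audit(lsmod_output, sysctl_output):
    """Return (ok, findings, fix_commands) for the SIP ALG and UDP timeout requirements."""
    findings, fixes = [], []
    alg = loaded_sip_alg(lsmod_output)
    if alg:
        findings.append("SIP ALG active: " + ", ".join(alg))
        fixes.append("rmmod " + " ".join(alg))
        # Persisting across reboots is distribution-specific; this is the modprobe.d form.
        fixes.append("printf 'blacklist %s\\n' " + " ".join(alg)
                     + " >> /etc/modprobe.d/no-sip-alg.conf")
    timers = udp_timeouts(sysctl_output)
    for key in UDP_TIMEOUT_KEYS:
        value = timers.get(key, 0)
        if value < MIN_UDP_TIMEOUT:
            findings.append(f"{key}={value}: inbound calls reach the phone for only "
                            f"{inbound_window(value)} s of every {REGISTER_INTERVAL} s")
            fixes.append(f"sysctl -w {key}={MIN_UDP_TIMEOUT}")
    return not findings, findings, fixes


if __name__ == "__main__":
    ok, findings, fixes = audit(SAMPLE_LSMOD, SAMPLE_SYSCTL)
    print("PASS" if ok else "FAIL")
    print(*findings, sep="\n")
    print(*fixes, sep="\n")
```

With the sample input the audit fails on all three counts: both SIP helpers are loaded, and with a 120-second stream timeout an inbound call can reach the phone for only the first 120 seconds of each 600-second registration period. Raising both timers to 620 and unloading the helpers brings it to PASS; `sysctl -w` settings need to be placed in /etc/sysctl.d (or the equivalent) to survive a reboot.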

  • Quality of Service (QOS)

Quality of service (QoS) refers to the ability of your router to prioritise voice (VoIP) traffic over regular internet traffic on your network. VoIP is real-time traffic: packets that are lost or delayed cannot be retransmitted in time, so congestion produces a noticeable drop in call quality or a complete loss of the call. Symptoms of network congestion include garbled or choppy audio, dropped calls and echo that becomes noticeable as latency rises.


B4BC recommends that all VoIP installations have QoS enabled. In certain scenarios, however, QoS cannot help because the WAN bandwidth itself is insufficient, and a second internet connection dedicated solely to VoIP may be required.

  • Virtual LAN

We can accommodate VLANs if necessary. If your network has different subnets for various purposes, please let us know which network you would like us to use, and whether you require statically assigned IP addresses.

We will need to know in advance which physical port to connect to in the case of port-based VLANs, or any VLAN tags that may be required on IEEE 802.1Q tagged networks.


Disclaimer:

The information contained in this document may change to keep abreast of current trends. Best 4 Business Communications cannot accept responsibility for costs you may incur should it be necessary to modify your network as a result of an update to this information.

