I use the NetAtOnce operator for my VoIP phone. Previously I had a dynamic IP address for internet, using a combined ADSL modem and VoIP phone bridge. In this setup the router allocated (via DHCP) one IP address for the WAN internet connection and another IP address for the VoIP phone bridge.
Internet -- (WAN IP) Bridge -- Firewall -- Internal Network
                       |
                       -- (VoIP IP) VoIP Adapter -- Phone
In my current setup I use a static internet address. My operator does not support IP configuration (static or dynamic) of the VoIP phone bridge in combination with a static internet address. So the only solution is to move the VoIP Adapter behind the NAT/firewall where it will get a local IP address.
Internet -- (WAN IP) Bridge -- Firewall -- Internal Network
                                  |
                                  -- (Local IP) VoIP Adapter -- Phone
VoIP communication over a NAT firewall proved to be non-trivial. The problem arises from the fact that voice/media streams are allocated on dynamically chosen UDP ports. To keep the firewall secure, only the UDP ports actually in use should be open, while unused ports stay closed.
Additionally, NAT does (by definition) hide the IP addresses of internal SIP clients.
Different solutions exist to solve these problems.
My setup is most likely simplified because I only use a single VoIP phone bridge behind the NAT firewall. Because of this, I am able to forward all SIP/VoIP related traffic from the firewall to this single phone bridge.
The phone bridge, SPA2102, is configured as follows.
RTP Port Range: 10000-10111
SIP Port: 5060
VIA: No
STUN: No
External IP: <My Static WAN IP>
SIP Proxy: <VoIP/SIP Provider Proxy>
Subscriber Name: <My Name>
User ID: <My Phone Number>
Password: <VoIP/SIP Provider Password>
To allow SIP/VoIP traffic to pass through my OpenBSD (5.0) firewall I need to redirect all UDP traffic destined for the external SIP port and RTP port range to my internal phone bridge. I added the following lines to /etc/pf.conf; the macro voip is set to the internal IP address of the phone bridge.
# UDP ports forwarded to the phone bridge: SIP (5060) and the RTP range
ports_voip_udp = "{ 5060, 10000:10111 }"
pass in on $ext_if proto udp from any to $ext_if port $ports_voip_udp rdr-to $voip
This finally worked!
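A tighter variant of the forwarding rules above, as an added example that is not part of the original page: SIP signalling is accepted only from the provider's proxy, while the RTP range stays open to any source because media can arrive from addresses other than the proxy. The interface name, the addresses and the macro names sip_proxy, port_sip and ports_rtp are assumptions; substitute your own values.

```pf
# Added example, not the author's ruleset.
# All addresses are constructed placeholders (RFC 5737 / RFC 1918).
ext_if    = "em0"              # assumption: external interface name
voip      = "192.168.1.50"     # assumption: internal IP of the SPA2102
sip_proxy = "203.0.113.10"     # assumption: provider's SIP proxy address

port_sip  = "5060"             # matches "SIP Port" on the adapter
ports_rtp = "10000:10111"      # matches "RTP Port Range" on the adapter

# Signalling: forward SIP to the phone bridge only when it comes
# from the provider's proxy, not from any host on the internet.
pass in on $ext_if inet proto udp from $sip_proxy to $ext_if \
    port $port_sip rdr-to $voip

# Media: the RTP source is negotiated per call, so it stays "any",
# but the forwarded range is exactly the adapter's RTP port range.
pass in on $ext_if inet proto udp from any to $ext_if \
    port $ports_rtp rdr-to $voip
```

Running `pfctl -nf /etc/pf.conf` parses the file without loading it, which catches an undefined macro before the ruleset goes live.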