[SOLVED] Help understanding this voip (flowroute) firewall documentation page

Hello,

I’m really new to VOIP in general, so please assume I know nothing.

Here is the page in question:
https://support.flowroute.com/859507-Set-firewall-for-direct-media-delivery

I have a GrandStream HandyTone 801 (HT801).

My router/firewall is pfSense.

The HT801 is on a subnet that only has WAN access. If I plug a laptop into that subnet it can browse the web just fine, so the subnet is at least mostly sane.

Following the flowroute documentation I have done the following:

  • Static port NAT mapping for the HT801 for ports 5060 (SIP) and 5004 (RTP).
  • Port Forwarded both those ports to the HT801.

The Problem:
One way audio.

  • If I make a call from the HT801 the other side rings, but I can’t hear the ringback
  • I can see tons of outgoing RTP data on port 5004
  • No incoming UDP packets at all <— probably the root cause of the problem

I assume I haven’t port forwarded the required RTP ports, but I can’t find any documentation as to what they are.

I called their support line (very friendly/helpful) and they said I should open (port forward?) all UDP traffic to the HT801. That sounds like a bad idea to me, but I can’t quite put my finger on why. Security-wise it’s on an isolated network, so maybe that’s not terrible, but wouldn’t it break all other UDP traffic coming in for other devices?

What is a home user to do? I don’t have a dedicated public IP for this ATA.

thanks

So SIP phones really talk two protocols, SIP to control start/end of calls, and RTP for the actual audio. Normally SIP goes from phone <-> SIP gateway, and RTP goes directly between phones calling each other. But for an online SIP trunk you usually use an SBC - so RTP goes to the SBC instead of to/from the other phone.

It sounds like flowroute here are instead letting RTP go directly between their client’s phones. Pretty stupid feature that causes lots of issues, but means they don’t need to run an SBC. I’d honestly recommend getting a better provider that proxies the RTP for you. Unfortunately I don’t have any good suggestions.

PfSense have a page showing common issues for SIP phones, and how to work around them. Maybe have a look at “Disable source port rewriting”. But that likely won’t fix your issue.

Are you by any chance on CG-NAT? That is likely going to entirely break the direct media routing, and prevent flowroute from working.

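To go with the reply above (RTP sent directly between endpoints, and the CG-NAT question), here is an added example that is not from the thread or from Flowroute's or pfSense's documentation. It reads the SDP body of a SIP message to find the address and port the far end is told to send audio to, then classifies that address and the router's WAN address as private, CG-NAT or public. The INVITE, all addresses and the function names are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges and the RFC 6598 shared range used for carrier-grade NAT
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample: INVITE from an ATA that put its LAN address in the SDP
SAMPLE_INVITE = """INVITE sip:15555550100@sip.example.invalid SIP/2.0
Via: SIP/2.0/UDP 192.168.20.50:5060
Content-Type: application/sdp

v=0
o=- 8000 8000 IN IP4 192.168.20.50
s=SIP Call
c=IN IP4 192.168.20.50
t=0 0
m=audio 5004 RTP/AVP 0
a=rtpmap:0 PCMU/8000
"""

def classify(addr):
    """Return 'private', 'cgnat' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "private"
    return "cgnat" if ip in CGNAT else "public"

def audio_endpoint(sip_message):
    """Return (address, port) the SDP asks the peer to send audio RTP to."""
    _, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    session_addr = media_addr = port = None
    seen_media = in_audio = False
    for line in body.splitlines():
        if line.startswith("m="):
            fields = line[2:].split()
            seen_media = True
            in_audio = fields[0] == "audio" and port is None
            if in_audio:
                port = int(fields[1].split("/")[0])
        elif line.startswith("c="):
            addr = line[2:].split()[2].split("/")[0]
            if not seen_media:
                session_addr = addr      # session-level default
            elif in_audio:
                media_addr = addr        # media-level override for the audio stream
    if port is None or not (media_addr or session_addr):
        raise ValueError("SDP has no usable audio address/port")
    return (media_addr or session_addr), port
```

A `private` result for the SDP address means the far end is being told to send RTP to an address it cannot route to unless something rewrites it on the way out; a `cgnat` result for the pfSense WAN address means port forwards on the router are not reachable from the internet at all.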

switched to voip.ms

[SOLVED] :)
