SIP behind sonic wall firewall

(OP)
site running sip behind sonic wall and mikrotik router. Relevant ports setup but whenever stun is run, it returns the wrong port of 13265 instead of 5060
have manually set the UDP port and switch run stun at start off, this then gets calls working however, customer complaining that occasionally the calls drop out for a second - not sure if this would relate to the port issue seen on stun.

have tried multiple stun servers but exactly the same result, maintainer of the sonic wall claim they see the stun request go out on port 10000, but return back in on 13265. They have put a route in to push this to port 5060 which allows SIP to work, but still stun returns the wrong port.

We have requested all nat helpers have been switched off on the Sonic Wall/Mikrotik e.g. SIP ALG, but still no luck.

Any ideas?

RE: SIP behind sonic wall firewall

Turn off STUN and network topology on the IPO and turn on SIP transformations and consistent NAT on the VOIP Tab of the Sonicwall. Works for us.

| ACSS SME |

RE: SIP behind sonic wall firewall

You shouldn't need STUN on a Sonicwall if the right ports are open, I never use STUN for SIP trunks.

Using SIP transform in Sonicwall will limit the trunks for how many the Sonicwall can handle and could be less than the number of SIP trunks you have.

"Trying is the first step to failure..." - Homer

RE: SIP behind sonic wall firewall

Janni, how do you get the public IP address to the provider then, using network topology translates the internal IP address to the address in the network topology tab within the SIP packets if you use it, if not the provider receives the internal IP address and thus calls fail. SIP transformations does the same thing. Or are you saying set the trunk to use network topology but leave the STUN field blank and if so what do you set the firewall type to?

However what I would say is the simplest solution is to stick a nice sonus SBC in place and make it so simple to configure SIP trunks.

| ACSS SME |

RE: SIP behind sonic wall firewall

I set the Public IP in Network Topology, set Firewall/NAT Type to "Static Port Block" and turn off "Run STUN on startup".

"Trying is the first step to failure..." - Homer

RE: SIP behind sonic wall firewall

Ah that is what I thought you had done, does that work okay if you are using one-x mobile?

| ACSS SME |

RE: SIP behind sonic wall firewall

We never use One-X Mobile =) Only place I ever tried One-X Mobile was in lab.

In Sweden we have a service in the mobile network that let you route all mobile calls through the PBX, we also use a 3rd party mobile app that does that and a lot more.

"Trying is the first step to failure..." - Homer

RE: SIP behind sonic wall firewall

(OP)
thanks for the replies, just prior to us requesting the change, would you say this could highlight the cut offs in the calls?
Currently SIP works inbound/outbound full audio paths but with the occasional cut off.

RE: SIP behind sonic wall firewall

(OP)
also @ janni, do you manually set port 5060 UDP in the public port under network topology, or leave it blank?

RE: SIP behind sonic wall firewall

(OP)
have tried this now, I am using FNE mobile to test, now when I dial in, I get dial tone, but can't break it with DTMF - if I swap back to how it was with Stun it allows me to dial out ok..

RE: SIP behind sonic wall firewall

I set the public port to 5060.
With these settings they need to port forward 5060 from the SIP provider's address and the IPO's RTP ports.

Make sure you use the RTP range described in the 9.1+ Manager help files and not the old 49152-53246 range as those ports are used for other IPO services.

"Trying is the first step to failure..." - Homer

RE: SIP behind sonic wall firewall

(OP)
if stun is changed to nothing, then it goes to one way audio. Putting the stun back fixes after reboot, though I don't have stun run at startup and set the port 5060 manually.

RE: SIP behind sonic wall firewall

Here's a document my company wrote for SonicWALLs using Flowroute SIP. You can use it as a guide.

https://support.flowroute.com/customer/en/portal/a...-

Note: you may need to ENABLE the options in step 2, not disable. Test and determine.

On the IPO, as others said, turn stun off. Also set network topology to none.

RE: SIP behind sonic wall firewall

The RTP range in this document should not be used.
IMPORTANT: The RTP Port Range will vary depending on your PBX. Please do NOT use Port Range 49152-65535 unless you have an Avaya system.

Recommended ports are as stated in Manager help

Port Range (minimum) IP 500 v2 default = 46750. Range = 46750 to 50750.
Linux default = 40750. Range = 40750 to 50750

Port Range (maximum) IP 500 v2 default = 50750. Range = 46750 to 50750.
Linux default = 50750. Range = 40750 to 50750

"Trying is the first step to failure..." - Homer

RE: SIP behind sonic wall firewall

Janni,

I had an open ticket with ipo support about vmpro audio issues, and they told me to in fact change the rtp range to pre 9.x settings.

RE: SIP behind sonic wall firewall

Why would that fix VM Pro audio issues?
And it doesn't mean it's good advice =)

"Trying is the first step to failure..." - Homer

RE: SIP behind sonic wall firewall

I took the advice with a grain of salt. However, it did solve the problem we were having, so tough to call it bad advice.
Also, we've had no issues with our SIP trunks, which is the goal of the original poster.

I guess we wait and see if C0mmUN1cAt0r updates us with his findings.

RE: SIP behind sonic wall firewall

STUN and Sonicwall don't like each other, this has been confirmed by Sonicwall themselves. I've never been able to get our Gamma SIP working with STUN over a SW, but OXM works fine!! SIP ALG on Sonicwall works fine 99% of the time!!

Jamie Green

Avaya Registered Specialist Engineer

RE: SIP behind sonic wall firewall

The issue with that RTP range is that it includes other IPO ports that can be used for hacking, that's why they changed it =)

"Trying is the first step to failure..." - Homer

RE: SIP behind sonic wall firewall

(OP)
update is currently still looking into, if we make changes one side then it seems to break something else (mainly 1 way audio)

I thought the port remap setting provided in the document that DaveCT sent over could have been relevant, though on the sonic wall the option is only available for inbound routes to change the source IP. In this scenario, I don't know how this could help? - sonic wall documentation on this below

When this option is selected, SonicOS preserves the source port of the connection while executing other NAT mapping. This option is available when adding or editing a NAT policy if the source IP address is being translated. The checkbox cannot be selected if the Translated Source is set to Original.

RE: SIP behind sonic wall firewall

It's pretty simple, but since you can't see what they've actually done in the FW it can be hard.

In IPO you set the RTP range to 46750 to 50750.
Set the public IP in network topology and set FW Type to Static Port Block.
Set SIP trunk to use Network Topology on LANx.

In the Sonicwall they port forward UDP/5060 (or TCP if the SP uses that) from the SIP provider's IP to the IP Office.
They also port forward UDP/46750-50750 to the IP Office, if the service provider can say which server their RTP originates from only those should be allowed in the FW.
All SIP transformation / ALG / Policy-Inspection or whatever they call it should be turned off.

If they block outbound they need to open for traffic on 5060 and the RTP ports used by the service providers.

"Trying is the first step to failure..." - Homer

RE: SIP behind sonic wall firewall

(OP)
Hi janni,
it's as you say, we can only presume features on the firewall have been disabled (9/10 they haven't and something somewhere is causing issue!!)

The only thing we can't do to what you mention above, is set Static Port Block - as soon as we do, we get 1 way audio, same if we turn off the stun - everything else you mention has been requested

We did have different ports configured initially and since these have changed things look better.

My gut instinct on this one is that the firewall isn't sitting purely on public internet, and something else could be causing the issue further down the line which we have no visibility of.

one other thing of note on this is that they played around with consistent nat - switching it off caused 1 way audio, switching it back on fixed, so maybe one for people to watch out for

RE: SIP behind sonic wall firewall

(OP)
still having problems, have managed to capture the issue on monitor (IP address masked for obv reasons)

is the firewall going to be causing this slight packet loss?

14:51:49 81691335mS H323Evt: SESS 29: RTP(END): 192.168.x.x/46750 x.x.x.x/21718 CODEC=Alaw64K(4) PKTSZ=160 RFC2833=on AGE=35551 SENT=1224 RECV=1582 RTdelay=0 jitter=0 loss=256 remotejitter=0 remoteloss=0
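
An added example, not part of the original thread: a small Python parser for the `RTP(END)` monitor line posted above that works out loss per direction and checks the local RTP port against the 46750-50750 range recommended earlier in the thread. It assumes `loss` and `remoteloss` are packet counts (lost inbound, and reported lost by the far end, respectively); the function names and the 1% threshold are hypothetical.

```python
import re

# Sample input constructed from the line in the post above (addresses masked as posted).
SAMPLE = ("14:51:49 81691335mS H323Evt: SESS 29: RTP(END): 192.168.x.x/46750 "
          "x.x.x.x/21718 CODEC=Alaw64K(4) PKTSZ=160 RFC2833=on AGE=35551 "
          "SENT=1224 RECV=1582 RTdelay=0 jitter=0 loss=256 remotejitter=0 remoteloss=0")

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+\d+mS\s+\w+:\s+SESS\s+(?P<sess>\d+):\s+RTP\(END\):\s+"
    r"(?P<local>\S+)/(?P<lport>\d+)\s+(?P<remote>\S+)/(?P<rport>\d+)\s+(?P<rest>.*)$")

def parse_rtp_end(line):
    """Return a dict of fields from one RTP(END) line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"time": m["time"], "session": int(m["sess"]),
           "local": (m["local"], int(m["lport"])),
           "remote": (m["remote"], int(m["rport"]))}
    # Remaining tokens are KEY=value pairs; keep non-numeric values as strings.
    for key, value in re.findall(r"(\w+)=(\S+)", m["rest"]):
        rec[key] = int(value) if value.isdigit() else value
    return rec

def loss_ratio(lost, delivered):
    """Fraction lost, assuming 'lost' counts packets that never arrived."""
    total = lost + delivered
    return lost / total if total else 0.0

def assess(rec, threshold=0.01, rtp_range=(46750, 50750)):
    """List findings: loss above threshold in either direction, local port out of range."""
    findings = []
    inbound = loss_ratio(rec.get("loss", 0), rec.get("RECV", 0))
    if inbound > threshold:
        findings.append(f"inbound loss {inbound:.1%} (provider -> IP Office)")
    sent = rec.get("SENT", 0)
    outbound = rec.get("remoteloss", 0) / sent if sent else 0.0
    if outbound > threshold:
        findings.append(f"outbound loss {outbound:.1%} (IP Office -> provider)")
    lport = rec["local"][1]
    if not rtp_range[0] <= lport <= rtp_range[1]:
        findings.append(f"local RTP port {lport} outside {rtp_range[0]}-{rtp_range[1]}")
    return findings

if __name__ == "__main__":
    for finding in assess(parse_rtp_end(SAMPLE)):
        print(finding)
```

Under that assumption the posted line shows loss only on the inbound leg, with the local port inside the recommended range.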
