Firewall config issues with Orange (ISP) and Sipgate (VoSP)

Hi all,

This was the top VoIP forum in Google, so I surfed on in! Hope you can help me. I have been a VoIP user (Sipgate) for a while now, had no issues with my old ISP when I lived in the UK. Used SJPhone as my softphone and everything worked great.

I have recently moved to France and signed up with Orange for broadband. Much to my dismay, they sent me out a router which I must use if I want their ADSL TV (I couldn't care less, but my wife wants the TV, so I'm stuck with it). Apparently this router is made by Thomson (it's the "mini" Orange Livebox) but regardless, Thomson offer no support and neither do Orange. The Orange support staff are clueless, as is the case with most ISPs.

Sipgate are much more helpful, but they are all out of ideas. The basic problem is the Orange router is locked down like Fort Knox when it is delivered. I know the VoIP *can* work, because if I set the security to "feeble" (love that setting name) then VoIP works again with SJPhone. For debug purposes (familiarity, etc.) Sipgate asked me to use PhonerLite, and again, it works fine when the router's firewall is off.

According to Sipgate "PhonerLite with the current configuration needs only the ports 5160 UDP and 5162 UDP", so I have allowed these two ports through the firewall, and a bunch of others that Active Ports showed PhonerLite was at least attempting to use. I also port forwarded these two ports (NAT) to my computer. PhonerLite can connect and make a call (as can SJPhone) but there is no audio in either direction. So clearly, since I have audio and all is fine when security is off, there is more to it than just these ports.

I noticed when a call starts PhonerLite opens two seemingly random UDP ports and closes them again when the call is finished. Could these be the connections carrying incoming and outgoing audio? If so, these may be the ports that need allowing/forwarding for audio to function correctly, but I have no idea what the range used by PhonerLite is and the Sipgate guys seem unable to help too. Without the range I have no chance of entering all the ports the softphone might try to use for audio.

I guess SJPhone will try to do something similar, but I never spotted the ports opening or closing.


Is anyone able to help me with this firewall config? At the moment I'm reduced to switching off the router's firewall when I need to make a call or the phone rings (no biggy, as the computers on the network all have software firewalls, but still - a nuisance!)

Thanks!

Hmmm, replying to myself here, but I found this on the PhonerLite support page:

Quote:

Local port The local signaling port you can choose here. For speech transmission (RTP) theport with a value of additional 2 will be used. So if the signaling port is 5060 the RTP port will be 5062. Any further call use the port increased by 2 again. If a configured port is used by a another application, a port given by the system is used then.

See Network on this page: http://www.phonerlite.de/config_en.htm

This tallies with what Sipgate tech support told me, and PhonerLite definitely has ownership of port 5162, so that should be carrying the audio. It is definitely forwarded AND allowed in all cases.

Is there any way the router could be stripping out the RTP traffic? Or rather, clearly the router *is* stripping out the RTP traffic, but how/why? It should be a normal UDP port as far as the router is concerned, which should be fine ... and 5160 is clearly ok or the calls wouldn't connect.

Welcome to Voipuser forums.

You have my sympathy! I had similar problems when my local ISP (Aliant) introduced TV over the internet (I do not have it!) and we were required to use the Aliant provided modem/router/wireless boxes (not the same as yours). Many of the functnions of the device were hidden but I eventually got it working. In your case it seems that Orange have had some problems with introducing TV over the internet. If you have UPnP you may find that enababling Internet Gateway Device (IGD) support might help.

RTP can and will use any available UDP ports. For SIP you need to be able to ultimately pass data in and out to the external internet on port 5060 UDP. You might find that running STUN helps.

gharvey :

I noticed when a call starts PhonerLite opens two seemingly random UDP ports and closes them again when the call is finished. Could these be the connections carrying incoming and outgoing audio? If so, these may be the ports that need allowing/forwarding for audio to function correctly, but I have no idea what the range used by PhonerLite is and the Sipgate guys seem unable to help too. Without the range I have no chance of entering all the ports the softphone might try to use for audio.

If you have a non-symmetrical NAT/Firewall router, you can use STUN and NAT traversal options on your softphone to automatically handshake with your router to open the necessary ports for your VoIP calls. This way, you don't have to manually perform the necessary ports forwarding. If you don't have any idea what kind of NAT/Firewall router you have, then give it a try to see if this will work. You can basically use any STUN server out there with 3748 default port. For UK SIPGate, you can use stun.sipgate.net on port 10000.

Thanks for the replies, folks. I was using STUN and Sipgate told me to try without it. However I haven't tried again subsequently and I haven't tried with any NAT port forwarding. Do I need to port forward 10000 to my computer for STUN to work? I already have port 10000 open to UDP traffic.

Well, PhonerLite is setup to use port 5160 (Sipgate's instructions), the firewall is set to allow TCP and UDP traffic on ports 5160, 5162 and 10000, the same ports are forwarded to my computer for both TCP and UDP, STUN server is set to stun.sipgate.net:10000 and still no audio. I tried PhonerLite in TCP mode too, no joy.

There is a TLS mode, but I don't know what that means. There is also a checkbox for UPnP, but again, I don't understand that or how it works, so I've left it alone. For now Multicast DNS is enabled in PhonerLite - this was default.

Weird! Everything is forwarded and allowed that can be, all works fine when I put my machine in the DMZ, but as soon as it is hardware firewalled it stops sending and receiving audio.

Even with DMZ set with my Aliant box voip would not work reliably. The fact that your works voip is OK with DMZ suggests that the firewall in the device is not behaving (and might be configured) not to behave as it should. You could turn on UPnP and see if it helps...turn it off if it doesn't. UPnp did help with a modem/router I was having problems with a couple of days ago. You should not run your machine in DMZ if you can avoid it.

FYI, temporarily given up on this - no time to spend messing with it - but I will return! Hopefully triumphant... but we shall see. Thanks for all the help so far.

I have never used Phonerlite. I have sipgate and it works OK with X-Lite so pehaps you might have more success with that. I also have Sipgate connected through MySipswitch and that also works.. it might be worth looking at that route. It might be a good reason to change ISP but if you are like me there is very little choice.