
SIP server on DMZ - how to set up working rules

Hi.

I think I need assistance to fully understand how the firewall and routing/forwarding work in XG.


I have a question related to SIP server in DMZ.

So - to describe:

I have 3 ports: 1: WAN (bridge, public IP), 2: LAN (192.168.2.x), 3: DMZ (192.168.100.x)

On the DMZ I have a SIP server. This server should be accessible for LAN users and Internet users. It is not using 5060 as the default port, so let's say for registrations it is using port 50808 (as an example); this is to limit access attempts.

I have set up some rules for that SIP server like:

Source: Host Any
Hosted Server: Zone Any, hosted address #Port1

Protected Application Servers: Zone DMZ, Protected Application Server: created HOST pointing to 192.168.100.XXX address of the SIP server, forward all ports OFF

Port Forwarding: TCP, and defined ports, the same for mapped (similar for UDP)

Routing MASQ ON

Reflexive Rule: ON


There are a few issues. I can register from LAN computers. Some clients connected to the Internet (outside) can register (not all), but in the registration list I see the internal IP of the gateway, 192.168.100.1 (so it looks like they have registered from the gateway, probably NAT); normally I should see the real IP of the registered clients. And finally, if I use a TRUNK to call I can hear the IVR, but when I try to select a number to call my internal number there is no voice. So it looks like voice is not passing.

To add: in the rules I have created similar rules for ports 16384:32768 (UDP and TCP) used for the final voice communication.

So the question is: how do I configure XG to have this working? To have the server behind the firewall accessible? I had this working with CLEAR OS before, but as I want to switch to SOPHOS I have to solve this ASAP; this server is used by me and my family as our main communication platform.

Thanks for any suggestions

Mike....
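To make the two symptoms in the question concrete, here is an added example that is not part of the thread and not Sophos or FusionPBX code. It is a small Python model of the business application rule described above (DNAT of the hosted address to the DMZ host, with MASQ optionally rewriting the source to the firewall's DMZ interface) and of the SIP/SDP detail that decides whether RTP can flow. All addresses, the SIP messages and the PBX address 192.168.100.20 are constructed for the demo; only 192.168.100.1, port 50808 and the 16384:32768 range come from the post.

```python
"""
Added example (not from the thread): a toy model of the XG business
application rule and of what a SIP helper (ALG) changes in SIP/SDP.
All addresses and messages below are constructed; 203.0.113.0/24 and
198.51.100.0/24 are documentation ranges, not real hosts.
"""
import re
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"      # constructed: public IP on the WAN bridge
FW_DMZ_IP = "192.168.100.1"     # the gateway's DMZ address seen in the post
SIP_SERVER = "192.168.100.20"   # constructed: the PBX host in the DMZ
SIP_PORT = 50808                # non-default registration port from the post
RTP_RANGE = (16384, 32768)      # voice port range from the post
FORWARDED = {SIP_PORT} | set(range(RTP_RANGE[0], RTP_RANGE[1] + 1))


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def port_forward(pkt: Packet, masq: bool):
    """Model the rule: DNAT the hosted address to the DMZ host, and when
    MASQ is on also SNAT the source to the firewall's DMZ interface.
    Returns None when no forwarded port matches (packet is not forwarded)."""
    if pkt.dst_ip != PUBLIC_IP or pkt.dst_port not in FORWARDED:
        return None
    out = replace(pkt, dst_ip=SIP_SERVER)
    if masq:
        out = replace(out, src_ip=FW_DMZ_IP)
    return out


def source_seen_by_server(client_ip: str, masq: bool) -> str:
    """What the PBX logs as the registering client's address."""
    pkt = Packet(client_ip, 5060, PUBLIC_IP, SIP_PORT)
    fwd = port_forward(pkt, masq)
    return fwd.src_ip if fwd else "dropped"


# Constructed INVITE from an Internet client; the SDP body says where the
# client wants to receive audio.
INVITE = "\r\n".join([
    "INVITE sip:1001@203.0.113.10:50808 SIP/2.0",
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bKtest",
    "Contact: <sip:alice@198.51.100.7:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "c=IN IP4 198.51.100.7",
    "m=audio 40000 RTP/AVP 0 8",
])

# Constructed 200 OK from the PBX: without a SIP helper the SDP carries the
# server's private DMZ address, which the Internet client cannot reach.
OK_200 = "\r\n".join([
    "SIP/2.0 200 OK",
    "Contact: <sip:1001@192.168.100.20:50808>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "c=IN IP4 192.168.100.20",
    "m=audio 20000 RTP/AVP 0",
])


def sdp_media(msg: str):
    """Return (connection address, [audio ports]) from the SDP body."""
    conn = re.search(r"^c=IN IP4 (\S+)", msg, re.M).group(1)
    ports = [int(p) for p in re.findall(r"^m=audio (\d+)", msg, re.M)]
    return conn, ports


def alg_fixup(msg: str) -> str:
    """What a SIP helper does for the DMZ host: rewrite the private
    address in Contact and SDP to the public one the peer can reach."""
    return msg.replace(SIP_SERVER, PUBLIC_IP)


def rtp_reachable_from_internet(msg: str) -> bool:
    """True only if the advertised address is public and every audio port
    falls inside the forwarded RTP range; otherwise the call has no voice."""
    conn, ports = sdp_media(msg)
    lo, hi = RTP_RANGE
    return conn == PUBLIC_IP and all(lo <= p <= hi for p in ports)


if __name__ == "__main__":
    print("MASQ on, server sees :", source_seen_by_server("198.51.100.7", True))
    print("MASQ off, server sees:", source_seen_by_server("198.51.100.7", False))
    print("voice without helper :", rtp_reachable_from_internet(OK_200))
    print("voice with helper    :", rtp_reachable_from_internet(alg_fixup(OK_200)))
```

The first two lines of output reproduce the "registered from 192.168.100.1" symptom: with MASQ on, the PBX only ever sees the firewall's DMZ address. The last two show why opening the RTP range alone is not enough; the SDP the PBX hands out must name the public address, which is the job the SIP helper does when it is loaded for the right port.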



  • If your SIP Server is not using the default port (5060), then you should re-configure your SIP Helper in the CLI, using the following command:

     console> system system_modules sip load ports 50808

  • Hi Christian,

    I will try the SIP helper this evening. I did manage to get outside SIP clients working; incoming calls work now with the SIP trunks in use, and most internal ones as well with some tricks, but I still have some voice issues when calling from Internet to LAN-connected phones, not when calling from LAN to Internet-connected ones.

    Initially I had unloaded the SIP Helper in order to deal only with pure rules, but maybe this would solve all issues.

    I have a question: what if I use TLS, which actually uses another port? Does the SIP Helper handle multiple ports?

    Thanks

    Mike

  • Christian,

    So I have loaded the helper with SIP port 52060 defined (would this be the default after a restart of the firewall?).

    In the rules I set only one rule (2 actually: one for TCP, one for UDP).

    To this VOIP server, which is in the DMZ, I need to connect phones located in the LAN (I have NAT from LAN to DMZ defined); in that case I use the internal address of the server.

    Outside clients connect using the FQDN, so the forward policy should forward those requests to the VOIP server.

    Now it is working sometimes. For internal clients in most cases; for Internet clients not so good. Generally, calling from my mobile SIP client I have no voice. Calling from the LAN to the mobile client there is voice. Calling from my LAN to Internet clients, with some I have voice, with some nothing. So sound is not passing the gateway.

    Where did I make mistake?

    The SIP server is in the DMZ, some phones are in the LAN, and other phones on the Internet connect through port forwarding. ....

    My Sophos is connected to a router which is set to BRIDGE mode, so the public IP is on the WAN interface.

    Any ideas?

    Thanks

    Mike

  • Hi and Welcome to Sophos Community,

    Check out #2 & #1 in my guide. XG firewall follows a TOP-DOWN approach while searching for the matching policy or firewall rule.

    Configure Firewall Rules like:

    1. LAN ANY DMZ (no MASQ)

    2. DMZ ANY LAN (no MASQ)

    In the Business application rule, forward all the ports on an additional alias IP address. Forwarding all the ports on the main static IP will cut off GUI access from the WAN on port 443.

    Source: Host Any

    Hosted Server: Zone WAN,

    Hosted address WAN Port (additional IP/ Alias)

    Protected Application Servers: Zone DMZ,

    Protected Application Server: created HOST pointing to 192.168.100.XXX address of the SIP server,

    forward all ports ON

    Routing MASQ OFF

    Reflexive Rule: ON

    -End

    Hope that helps.

  • Hi and thanks for info.

    So, I have a few limitations. One: I have only one IP. So "forward all ports" is not the best solution.

    I can't do that.....


    Second: it is not clear to me whether I should use the SIP helper with a defined port.


    Next to know: I have LAN clients and INTERNET clients.

    Then, it is a FreeSwitch-based PBX, and the server is connected to external providers. In FreeSwitch every provider is using a different port to register (so my server has to register with the provider; there must be NAT, I think). Those are external profiles. So I'm just not sure how to treat those.

    Additionally, if the DMZ to WAN rule with NAT is below the Business rule, there is no connection from the SIP server to the Internet, so no registration.

    In my previous router I had normal NAT rules plus standard port forwards:

    VOIP1    *    5058-5099      192.168.3.6:5058-5099
    VOIP2    *    52060-52099    192.168.3.6:52060-52099
    VOIP3    *    16384-32768    192.168.3.6:16384-32768

    All rules using TCP and UDP.

    Unfortunately with XG I can't get this working. Whatever I do there is a problem.... One time I have registration but no sound; when I manage to get sound, no registrations. I think there is something I do not understand there....

    So far this is not working as it should... Just stuck with that....

    :(

  • So...

    I have decided to move the SIP server (FusionPBX container) temporarily to a datacenter to have the service working without interruptions, and to test this at home with different scenarios on the Sophos beta version, just to see if there are changes in the future which can help.


    I hope I will find a strictly working solution and I will post it here. I think it could be useful for some people in the future.
    I did that kind of test in the past for Asterisk- and Elastix-based servers, apparently not with SOPHOS, and I know that a lot of people would like to have a tested and working solution. So far I haven't managed with the XG firewall. I had it working with UTM9, but sometimes there were issues; in that case I think hardware related, as I was using an old D525 router motherboard which was not so powerful.

    If somebody can provide a tested solution for FreeSwitch with external trunks working on separate ports, plus clients connecting from LAN to DMZ and Internet/WAN to DMZ, with full voice support, based on the limitation that there is only one IP on the bridge, where SIP is not the only service to be forwarded and protected, please let me know.

    I'm fine with testing this and verifying that all is working.

    Thanks for all suggestions. I like the SOPHOS XG functionality, and I see it as a possible solution for some IT projects, as well as a good solution for home users. Today we all should be protected...


    Mike