VoIP with m0n0wall

Let me give some details about how I (finally) got VoIP working with multiple phones behind m0n0wall, which is a popular, open-source firewall appliance.

My setup here at home is quite normal: Cable modem for internet access, providing a single, changing internet IP address. Behind that, I’ve placed an ALIX-based m0n0wall version 1.34 with a private network (let’s say it is 192.168.1.0/24).

We have three physical IP phones, two Grandstream GXP2200 and one
DP715. Also, there are two separate sipgate.de accounts with multiple phone numbers each to route. For clarity’s sake, lets call the accounts SIP1 and SIP2.

Configuration information for sipgate.de, especially in respect to routers, is very sparse and sometimes unnervingly opposing. You’ll find infos on how to use STUN, you’ll find infos recommending not to use STUN.

You’ll find lots of people asking for help with setting up VoIP, with very few answers. A couple of really good content is linked to at the end.

We had a very strange issue with an older Grandstream (GXP2000) dropping calls after a few minutes (consistently!) - I’m still not certain wether the phone itself has a defect or what the problem is.

In any case, the setup I ended up using was to assign different RTP and SIP Ports for each phone and line that is configured.

Some basics:

GXP2200-1: 192.168.1.30 (only SIP1 numbers)
GXP2200-2: 192.168.1.31 (mixed SIP1 and SIP2 numbers)
DP715: 192.168.1.32 (only one SIP1 number)

I assigned the following ports:

GXP2200-1 RTP / SIP:
Account 1: 5004 / 5060
Account 2: 5008 / 5062
Account 3: 5012 / 5064

GXP2200-2 RTP / SIP:
GXP2200-1 RTP / SIP:
Account 1: 5104 / 5160
Account 2: 5108 / 5162
Account 3: 5112 / 5164

DP715 RTP / SIP:
Account 1: 5204 / 5260

The ports you choose are somewhat irrelevant, as long as you set them up for NAT and in the firewall rules.

All RTP/SIP traffic is via UDP, so when setting up NAT and the firewall rules, restrict yourself to this protocol (it makes the firewall a tad more secure and uses a tick less resources).

Since there is no real point in creating single entries for each individual port (remember that RTP may use odd-numbered ports for additional communication), I added NAT and firewall rules for port blocks in regard to the protocol and the phone.

I.e.: for GXP2200-1 I opened ports 5004-5059 for RTP and 5060-5099 for SIP.

The most important part in the config is to point the NAT entry to the right IP address; i.e. NAT for 5004-5059 needs to go to 192.168.1.30 and so on.

Once both NAT and firewall rules are set up, IP service works like a charm. I read several blogs that seemed to state that sipgate has issues with multiple IP phones behind a NAT firewall, but this simply doesn’t seem to be the case.

Since sipgate also has a proxy as part of their offering (sipgate.de), there is no need for a local proxy such as
siproxd. m0n0wall doesn’t offer “plugin” installation anyway, so if a local proxy was necessary, I’d probably have to switch to pfsense.

A really good article on VoIP over m0n0wall is
this one.
blog comments powered by Disqus