Sunday, February 10, 2008

Port forwarding and SIP

The overly cautious amongst us will refrain from port forwarding massive numbers of inbound ports, regardless of a stated need and especially if the box the ports are being forwarded to is not a single-purpose system. Port forwarding is a bad idea if more than two geek-level users live behind a single NAT box. The situation is much worse if the two are married. Where one wants his Asterisk server to run, the other wants to be able to listen to her radio stations or watch streaming videos. Port forwarding will allow the Asterisk box to accept inbound SIP calls, but it also breaks the streaming media to the other system.

Ignoring SIP proxies and external routing of calls, the immediate compromise is often to forward a smaller number of ports, which can cause other issues if you're not careful about your server configuration.

Hint: if you only forward UDP ports 10000 through 10100, make sure to edit /etc/asterisk/rtp.conf so that "rtpstart" and "rtpend" have the same values as the forwarded range (10000 and 10100). Otherwise, Asterisk can pick an RTP port outside the range you forward, and you'll often end up not being able to hear any incoming audio on SIP calls.
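
A check for the hint above, as an added example that is not part of the original post: it parses rtp.conf text and reports RTP ports Asterisk could pick that the NAT box does not forward, as well as a forward that is wider than Asterisk needs. The function names and the sample config are constructed for illustration; the 10000-10100 range is the one from the hint.

```python
import re

# Constructed sample: an rtp.conf that still carries a wide range.
SAMPLE_RTP_CONF = """\
[general]
; RTP port range Asterisk allocates from
rtpstart=10000
rtpend=20000   ; wider than what the NAT box forwards
"""

def parse_rtp_range(conf_text):
    """Return (rtpstart, rtpend) from [general]; None for a key that is not set."""
    found = {"rtpstart": None, "rtpend": None}
    section = None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        m = re.fullmatch(r"(rtpstart|rtpend)\s*=\s*(\d+)", line, re.IGNORECASE)
        if m and section == "general":
            found[m.group(1).lower()] = int(m.group(2))
    return found["rtpstart"], found["rtpend"]

def check_rtp_range(conf_text, fwd_start, fwd_end):
    """List mismatches between Asterisk's RTP range and the forwarded UDP range."""
    start, end = parse_rtp_range(conf_text)
    if start is None or end is None:
        return ["rtpstart/rtpend not set explicitly; Asterisk falls back to its built-in range"]
    if start > end:
        return [f"rtpstart {start} is above rtpend {end}"]
    problems = []
    if start < fwd_start:
        problems.append(f"ports {start}-{min(end, fwd_start - 1)} can be picked for RTP but are not forwarded")
    if end > fwd_end:
        problems.append(f"ports {max(start, fwd_end + 1)}-{end} can be picked for RTP but are not forwarded")
    if start > fwd_start or end < fwd_end:
        problems.append(f"forwarded range {fwd_start}-{fwd_end} is wider than Asterisk uses; narrow the forward")
    return problems

if __name__ == "__main__":
    # On the Asterisk box, pass open("/etc/asterisk/rtp.conf").read() instead of the sample.
    for p in check_rtp_range(SAMPLE_RTP_CONF, 10000, 10100) or ["OK: RTP range matches the forward"]:
        print(p)
```

An empty result means every port Asterisk may choose for RTP is forwarded and no extra inbound ports are left open.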