How to Work with a Firewall

Security firewalls are widely used in business environments to protect local network resources. A firewall commonly allows only certain outgoing traffic (such as web browsing and email). VoIP calls can be initiated from both inside and outside the network, and they use dynamic port addresses. Generally, VoIP calls cannot go through a firewall unless the firewall is specially configured for them.
The strength of the firewall, the policies on the firewall, and your access to the firewall are all factors to consider when deploying an IPX network.

Very Tight Security
Regardless of whether you can access the firewall, some organizations do not allow any VoIP traffic to go through the firewall. Instead, such an organization could use an SBC (session border controller) as a specialized VoIP firewall. This is beyond the scope of this document.

ITSP (VoIP Service Provider) Service to Internal IPX
An IPX is in a private network behind a firewall. The IPX has one or more VoIP accounts (VoIP trunks) from public VoIP service providers (ITSPs). The IPX keeps a live contact with each ITSP server by sending registration messages periodically. Generally speaking, the ITSP servers are able to traverse the firewall, so VoIP calls either initiated from the IPX or terminated at the IPX can be made. To help the ITSP traverse the firewall more reliably, you may want to change the register interval to a short period, e.g. 30 seconds. It is a parameter on the VoIP account configuration page.

Voice intranet: Peer to Peer Model
If you use a peer-to-peer relationship to set up the voice intranet, but the IPX has to sit behind a simple NAT/firewall (e.g. an ADSL modem with router capability), then you will have to set up port forwarding or DMZ on the ADSL router.

Give the IPX a static IP address within the LAN segment of the ADSL router;
Log on to the ADSL router and configure either DMZ or port forwarding:
Set the IPX's WAN (static) IP address to be the DMZ address;
Or set ports 8060, 8080 and 20000-25000 to be forwarded to the IPX.

On the IPX's page "Advanced Voice > Voice Intranet > Intranet Option", manually set the VoIP signaling address to the domain name of the IPX, e.g. abcd.myipx.net.

See "Howto set up DMZ and Port Forwarding" for more information.
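
The two router options above expose very different amounts of the IPX: port forwarding opens only the listed ports, while a DMZ host receives every inbound port. The following check is an added example, not part of the original document or the IPX product; it compares a router's forwarding table with the port list given above. The rule format, the IP addresses and the sample tables are constructed for illustration, and because the page does not say which transport protocol each port uses, the check looks at port numbers only.

```python
# Added example: audit a router's forwarding table against the IPX port list.
REQUIRED = "8060,8080,20000-25000"  # ports named on this page
DMZ_ALL = "1-65535"                 # a DMZ host receives every inbound port

def parse_ports(spec):
    """Turn a spec such as '8060,8080,20000-25000' into a set of ports."""
    ports = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports

def to_ranges(ports):
    """Collapse a set of ports into readable 'a-b' strings."""
    runs = []
    for p in sorted(ports):
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p
        else:
            runs.append([p, p])
    return [str(a) if a == b else f"{a}-{b}" for a, b in runs]

def audit(rules, ipx_ip):
    """Return (missing, extra) port ranges for rules that target the IPX."""
    required, exposed = parse_ports(REQUIRED), set()
    for spec, target in rules:
        if target == ipx_ip:
            exposed |= parse_ports(DMZ_ALL if spec.upper() == "DMZ" else spec)
    return to_ranges(required - exposed), to_ranges(exposed - required)

# Constructed sample data: (external ports, internal target) per router rule.
IPX_IP = "192.168.1.50"  # assumed static LAN address of the IPX
FORWARD_RULES = [("8060", IPX_IP), ("8080", IPX_IP), ("20000-24000", IPX_IP),
                 ("22", IPX_IP), ("3389", "192.168.1.20")]
DMZ_RULES = [("DMZ", IPX_IP)]

if __name__ == "__main__":
    for name, rules in (("port forwarding", FORWARD_RULES), ("DMZ", DMZ_RULES)):
        missing, extra = audit(rules, IPX_IP)
        print(f"{name}: missing={missing} extra={extra}")
```

A non-empty "missing" list means part of the documented port set is not forwarded; a non-empty "extra" list shows ports reachable on the IPX from outside that this page does not call for.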

Voice Intranet: Server and Client Model
A voice intranet can be formed in a server-client model instead of a peer-to-peer relationship. In this model, the client IPX can be in a private network. The firewall/NAT at the client site does not need any configuration changes. In other words, no DMZ or port forwarding setting is needed. The server IPX helps the client IPX traverse the firewalls when making VoIP calls from/to the server and other client IPX systems.
However, the server IPX should be placed in the public network so that every client can reach it.

