Network Firewall Configuration
It is always recommended to use a network firewall to protect your PBX from unwanted access. Please consult with your router/firewall vendor for further details.
The ipbx web interface uses standard port TCP 80 or TCP 443 (secure). It is not recommended to expose the web interface to the public internet with standard PIN based user authentication. See End User Panel Login.
If you are planning to use a SIP trunk configure the following ports to be forwarded directly to the server:
SIP Protocol UDP 5060 RTP Protocol UDP 18000-20000 (default range as set in RTP configuration)
Do not use SIP transformations or any other NAT traversal solutions on your network firewall unless you completely understand the implications of doing so. Ipbx is capable of handling far-end NAT traversal by setting the peer option to NAT in the channels configuration.
This applies particularly to Sonicwall 'SIP Transformations' and Netscreen/Juniper 'SIP ALG' settings.
It is highly recommended to have a public IP address available for your server if using SIP trunking or if you intend to connect SIP phones over the public internet. If you are using a private IP address or a combination of private IP address and public IP (multi-homed), then make sure the External IP Address externip value of your SIP General Settings is set to your PUBLIC IP address and that you define localnet parameter to include your VoIP LAN.
externip = 184.108.40.206 localnet = 192.168.33.0/255.255.255.0
IAX2 uses a single UDP data stream to communicate between endpoints, both for signaling and data. The voice traffic is transmitted in-band, making IAX2 easier to firewall and more likely to work behind far-end NAT scenarios.
IAX2 Protocol UDP 4569
Connecting Multiple Sites
Whether you are connecting a couple of phones in a remote office or connecting two ipbx systems, it is always recommended to use a VPN or similar which allows control over bandwidth and use. This can prevent NAT problems and increase your security.