Configuring NAT for a VoIP PBX

For VoIP there are typically a few components to get right for proper inbound and outbound audio from a local PBX.

  1. Port forward entries with firewall rules (Or 1:1 NAT with Firewall Rules)

  2. Manual Outbound NAT with a rule at the top set to perform static port NAT on traffic from the PBX (Or 1:1 NAT)

  3. On the PBX, ensure it is set properly for NAT with the correct external IP and local subnets defined.

Aliases to make it easy

It is easiest to start by making a few entries under Firewall > Aliases to make the rules easier to accomplish:

  • Host alias for the PBX itself, named PBX, containing the local IP address of the PBX.

  • Network or Host alias called SIP_Trunks for the upstream SIP trunk addresses, if known. If the SIP_Trunk address/network is not known or changes, do not make an alias and leave these values set to any.

  • Port alias called PBX_Ports containing all of the port numbers needed for SIP, RTP, and other control ports. (usually 5060 and 10000:20000, but varies from provider to provider and PBX implementation)

Port Forwards

Create a port forward:

  • Navigate to Firewall > NAT, Port Forwards tab

  • Create a new entry and configure it as follows:

    Interface:

    WAN

    Protocol:

    UDP (or TCP/UDP if needed)

    Source:

    Type Address or Alias: SIP_Trunks – or a Any for the type if the SIP trunk IP addresses are not known.

    Source Port:

    any/any

    Destination:

    WAN address or external VIP for the PBX

    Destination Port:

    PBX_Ports

    Redirect target IP:

    PBX

    Redirect target port:

    PBX_Ports

  • Click Save

  • Click Apply Changes

Outbound NAT

Setup Hybrid Outbound NAT.

  • Navigate to Firewall > NAT, Outbound tab

  • Select Hybrid Outbound NAT

  • Click Save

  • Click fa-turn-up to create a new rule at the top of the list.

  • Configure the rule as follows:

    Interface:

    WAN

    Protocol:

    UDP

    Source:

    Network, PBX

    Source Port:

    blank

    Destination:

    Network, SIP_Trunks – Or Any for the type if the SIP trunk IP addresses are not known

    Destination Port:

    PBX_Ports (or leave blank)

    Translation:

    Interface address if using the WAN IP address, or the external VIP for the PBX

    Port:

    blank

    Static Port:

    CHECKED

  • Click Save

  • Click Apply Changes

Reset States

After making the changes to NAT rules, the states for the PBX must be reset.

  • Navigate to Diagnostics > States

  • Enter the IP address of the PBX and click Filter

  • Click Kill

Once the PBX re-registers it test inbound and outbound calls and confirm inbound and outbound audio works as expected.