Configuring NAT for a VoIP PBX

For fully functional VoIP with inbound and outbound audio from a local PBX, many use cases require the configuration of several components:

  1. 1:1 NAT or port forward entries with firewall rules to direct inbound traffic

  2. 1:1 NAT or Manual Outbound NAT with a rule at the top set to perform static port NAT on outgoing traffic from the PBX

  3. Ensure the PBX itself is set properly for NAT with the correct external IP address and local subnets defined.

Aliases to make it easy

The best practice for ease of administration is to create firewall aliases which make the rules easier to create and maintain:

Start by navigating to Firewall > Aliases and then create the following aliases:

  • Host alias for the PBX itself, named PBX, containing the local IP address of the PBX.

  • Network or Host alias named SIP_Trunks for the upstream SIP trunk addresses, if known.

    If the SIP_Trunk address/network is dynamic or not known, do not make an alias and leave these values set to any.

  • Port alias named PBX_Ports containing all port numbers the trunk requires for SIP, RTP, and other control ports.

    It many cases, the list of ports is 5060 and 10000:20000, but it can vary between different providers and PBX implementations.

Port Forwards

Create a port forward:

  • Navigate to Firewall > NAT, Port Forwards tab

  • Create a new entry and configure it as follows:

    Interface:

    WAN

    Protocol:

    UDP (or TCP/UDP if needed)

    Source:

    Type Address or Alias: SIP_Trunks

    If the SIP trunk IP addresses are not known, use Any.

    Source Port:

    Any/Any

    Destination:

    WAN address or external VIP for the PBX

    Destination Port:

    PBX_Ports

    Redirect target IP:

    PBX

    Redirect target port:

    PBX_Ports

  • Click Save

  • Click Apply Changes

Outbound NAT

Setup Hybrid Outbound NAT.

  • Navigate to Firewall > NAT, Outbound tab

  • Select Hybrid Outbound NAT

  • Click Save

  • Click fa-turn-up to create a new rule at the top of the list.

  • Configure the rule as follows:

    Interface:

    WAN

    Protocol:

    UDP

    Source:

    Network, PBX

    Source Port:

    blank

    Destination:

    Network or Alias, SIP_Trunks – Or Any for the type if the SIP trunk IP addresses are not known

    Destination Port:

    PBX_Ports (or leave blank)

    Translation:

    WAN address if using the WAN IP address, or the external VIP for the PBX

    Port:

    blank

    Static Port:

    CHECKED

  • Click Save

  • Click Apply Changes

Reset States

After making the changes to NAT rules, the states for the PBX must be reset.

  • Navigate to Diagnostics > States

  • Enter the IP address of the PBX

  • Click Filter

  • Click Kill States

  • Click OK to confirm killing the states

Once the PBX re-registers, test inbound and outbound calls to confirm both inbound and outbound audio work as expected.