1300 726 889
Nehos Communications
Get in touch
Contact 1300 726 889
Nehos Communications
    Get in touch
    Get in touch

    Firewall / NAT settings to access Voice Services

    Nehos Communications
    11 November 2024
    Norman Howlett
    Wiki

    Firewall / NAT settings to access Voice Services

    Nehos voice services use the 180.94.236.0/27 (255.255.255.192) and 180.94.237.0/27 subnet for SIP signaling and RTP media. Please allow traffic using UDP on any port from this subnet to ensure that there are no interruptions to signaling or media.

    For sip.nehos.com.au your Domain & SIP Proxy will need to be set to sip.nehos.com.au.

    For the Cloud PBX voice network your Domain & SIP Proxy will need to be set to pbx.nehos.com.au or pbx1.nehos.com.au or pbx2.nehos.com.au or pbx3.nehos.com.au (dependent on the service you were assigned).

    Ports and Protocols

    The voice network supports the following protocols for SIP signaling:

    • UDP on port 5060 — standard SIP signalling (recommended for most deployments)
    • TCP on port 5060 — SIP signalling over TCP
    • TLS on port 5061 — encrypted SIP signalling

    For RTP media, Nehos supports both standard RTP and SRTP (encrypted media). SRTP is negotiated automatically when your equipment offers it — no additional configuration is required on the Nehos side.

    Please ensure the following ports are open in your firewall:

    • UDP 5060 — SIP signalling
    • TCP 5060 — SIP signalling (TCP)
    • TCP 5061 — SIP signalling (TLS / encrypted)
    • UDP 10000–60000 — RTP / SRTP media

    For CPE equipment that uses STUN the signaling will be TCP or UDP protocol on port 5060 on the same IP addresses listed above for the domain you connect to.

    Please ensure that any SIP ALG is disabled (except for Mikrotik routers) as this can interfere with proper SIP signaling. Also disable any “Deep SSL Inspection”.

    * Please note that sending SIP signaling to any IP within the 180.94.236.0/27, 180.94.237.0/27 that your equipment was not assigned to may result in your IP being blocked from accessing the Nehos network.

    STUN

    If your equipment supports STUN then you should enable and use the following address for the stun server:

    sip.nehos.com.au on port 5060

    Please note that our STUN server uses the same IP and port as the main SIP Proxy. This allows for a much better NAT traversal than other solutions that have STUN on a different IP and port than the main proxy.

    SIP OPTIONS should be turned off on your equipment. If our network detects your equipment is behind a NAT it will automatically send your equipment SIP OPTIONS requests to keep your NAT ports open for inbound traffic from our network.

    Asterisk STUN Configuration

    Asterisk supports STUN and can be enabled by editing the res_stun_monitor.conf as follows:

    [general]
stunaddr = sip.nehos.com.au:5060
    By Norman Howlett

    Leave a Comment