Network upgrade VoIP and OPNSense

Now that the dial-in is handled by a Draytek 167 modem via PPPoE, my Fritzbox 7590 logically sits behind the firewall, which can cause a problem with Internet telephony.

Introduction


If you look at the network structure, the LAN and WLAN networks are neatly separated and I was even able to set up a DMZ. However, since the Fritzbox is no longer responsible for Internet traffic and is only attached to the network as a client, I naturally had to make sure that Internet telephony (VoIP) is also handled by OPNSense.

To make matters worse, there is no standard for how a provider handles this, and even more problematic, there is hardly any documentation on which ports each provider uses.

And that was what worried me most about switching the network: that this would be the one part I might not get configured.

Implementation

I searched extensively and finally found what I was looking for, not in the OPNSense forum but on administrator.de. First we have to take care of SIP, the protocol that sets up a session for Internet telephony.


Network traffic from the FritzBox to the VoIP servers is permitted here. This is controlled with aliases, which can be defined in OPNSense under the Firewall section and make the rules much easier to read. The traffic then goes to the VoIP servers. I am with 1&1 and unfortunately there is no documentation on which servers or which IP addresses are involved here.

I was therefore forced to open up more or less large parts of the network to make this work. OPNSense also associates port 5006 with SIP. However, this is really only the entry needed so that the telephones, or rather the phone numbers assigned by the provider, are registered and can establish a connection.
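Because the provider does not document its SIP and media hosts, the quickest way to find out which destinations still need an alias entry is to look at what the firewall blocks from the FritzBox. The following is an added example, not code from the original post: it parses OPNsense filterlog lines and counts blocked outbound connections per destination and port. The CSV field layout, the FritzBox address and all log lines are assumptions or constructed samples; check the layout against your own filter log.

```python
# Added example: summarise blocked outbound traffic from the FritzBox in
# OPNsense filterlog lines. Assumes the IPv4 filterlog CSV layout
# (rulenr,subrulenr,anchor,rid,interface,reason,action,dir,ipver,tos,ecn,ttl,
# id,offset,flags,protoid,protoname,length,src,dst,sport,dport,...), which is
# an assumption to verify against a real log. All addresses are constructed.
from collections import Counter

FRITZBOX_IP = "192.168.10.2"  # assumed LAN address of the FritzBox

# Constructed sample lines in syslog form: "<timestamp> <host> filterlog: <csv>"
SAMPLE_LOG = """\
Jan 10 10:00:01 opnsense filterlog: 5,,,1a2b,igb1,match,block,out,4,0x0,,64,0,0,none,17,udp,120,192.168.10.2,203.0.113.5,5060,5060,100
Jan 10 10:00:02 opnsense filterlog: 5,,,1a2b,igb1,match,block,out,4,0x0,,64,0,0,none,17,udp,200,192.168.10.2,203.0.113.9,7078,30000,180
Jan 10 10:00:03 opnsense filterlog: 7,,,3c4d,igb1,match,pass,out,4,0x0,,64,0,0,none,17,udp,120,192.168.10.2,203.0.113.5,5060,5060,100
Jan 10 10:00:04 opnsense filterlog: 5,,,1a2b,igb1,match,block,out,4,0x0,,64,0,0,none,6,tcp,60,192.168.10.7,198.51.100.4,44321,443,0,S,123456,,65535,,mss
"""

def parse_filterlog(line):
    """Return (action, direction, proto, src, dst, dport) for an IPv4 TCP/UDP line, else None."""
    if "filterlog:" not in line:
        return None
    fields = line.split("filterlog:", 1)[1].strip().split(",")
    if len(fields) < 22 or fields[8] != "4":  # IPv4 entries only
        return None
    action, direction, protoname = fields[6], fields[7], fields[16]
    if protoname not in ("tcp", "udp"):
        return None
    src, dst, dport = fields[18], fields[19], int(fields[21])
    return action, direction, protoname, src, dst, dport

def blocked_from(log_text, src_ip):
    """Count blocked outbound (proto, dst, dport) tuples for one source host."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and rec[0] == "block" and rec[1] == "out" and rec[3] == src_ip:
            hits[(rec[2], rec[4], rec[5])] += 1
    return hits

if __name__ == "__main__":
    # Each line printed is a candidate for the VoIP server / port aliases.
    for (proto, dst, dport), n in blocked_from(SAMPLE_LOG, FRITZBOX_IP).most_common():
        print(f"{n:4d}  {proto}  {FRITZBOX_IP} -> {dst}:{dport}")
```

Only destinations that belong to the provider should end up in the alias; a blocked entry is a hint to verify, not a reason to open the port.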


Only with this rule does the registration succeed and the entry is shown in green.

The actual connection

The SIP protocol is used to register the telephone number, but also to tell the other party, or their telephone, your own public IP address on the Internet. For this to work, the WAN interface on the OPNSense must forward this network traffic directly to the FritzBox with a corresponding NAT rule.


The aliases are also used here for the port and server definitions, which are really very practical.

VoIP works for me with these restrictive settings while the Fritzbox operates behind an OPNSense firewall. The only problem so far was a single connection dropping during a longer call in which no music on hold was played.

Conclusion

The changeover was not so easy in some places, but the bottom line is that it was worth it. When I see how many requests from the Internet are now blocked, and given that I have also separated the networks, security has simply increased. Of course, you still have to keep a watchful eye on the log files.

ciao tuxoche
