OpenWrt & Nextiva Voip

I'm needing some help in setting up Nextiva Voip firewall access rules. See link below for Nextiva networking guidelines.

Nextiva Networking Guidelines | Nextiva Support

So, when adding firewall access rules, do I navigate to (/cgi-bin/luci/admin/network/firewall/snats) when using LuCI web interface?

**Also, is there a way to check if SIP ALG is disabled?**

Router Model: Netgear Nighthawk X4S R7800
Firmware Version: OpenWrt 24.10.4

It is "port forwards" in the interface to create DNAT and redirect rules.
ALG (aka NAT helper) assignment is reachable via the firewall's 1st page -> edit each zone -> conntrack -> disable helper auto-assignment (unless you installed a NAT helper kmod, the list will be empty).

Under "Port Forwards" where do I enter the server addresses?

Also, under the WAN->Conntrack Settings, do I enable all the helpers except for the "SIP VoIP connections tracking"?

By default no helpers are installed, so the settings do nothing. No helpers are normally needed at all; disabling auto-assignment just prevents them all from accidentally activating.
You might need one for (Windows) FTP, or one for (Windows) PPTP, but normally none.

Those addresses are the source address in the Advanced tab; in the first screen: IPv4, port, redirect to the internal IP, with no port specified so it is not changed.

Do these settings look correct?

Do these settings look correct?

Neither setting looks correct at all. Change the minimal amount of settings as specified: port and protocol(s) and internal IP in the first tab, and source addresses in the second.

Port Forwards - General Settings - Updated

Port Forwards - Advanced Settings - Updated

Do the updated pics look correct?

Destination IP should be the PBX machine with Asterisk, not the router's own IP.
Destination zone should be EMPTY
Are you sure it is TCP AND UDP?

My reading of the doc... (254.50 is the supposed VoIP gateway)
Edit that in a text editor 4x.
Append the resulting file to /etc/config/firewall.
Then find them back and enable the 4 rules.
(A bit of discomfort to have MxN rules, but it will work.)

```
config redirect
        option target 'DNAT'
        option src 'wan'
        option src_ip '208.73.144.0/21'
        option src_dport '5060-5090'
        option dest_ip '192.168.2.181'
        option family 'ipv4'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option src_ip '208.89.108.0/22'
        option src_dport '5060-5090'
        option dest_ip '192.168.2.181'
        option family 'ipv4'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option src_ip '208.73.144.0/21'
        option src_dport '16384-32768'
        option dest_ip '192.168.2.181'
        option family 'ipv4'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option src_ip '208.89.108.0/22'
        option src_dport '16384-32768'
        option dest_ip '192.168.2.181'
        option family 'ipv4'
        option enabled '0'
```
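The four rules above are the cross product of two Nextiva source networks and two port ranges, restricted to the PBX address. The following script is an added example (not from the thread or from OpenWrt) that generates that MxN set of fw4 `redirect` sections as UCI text, so the blocks do not have to be hand-edited and a wrong source prefix cannot slip into one copy. The networks, port ranges and PBX IP are the values quoted in the thread; the section names (`voip_1` ...) and the `option name` labels are assumptions chosen here so the rules are easy to find in the Port Forwards page. `proto` is left unset, matching the original rules, so the fw4 default of TCP+UDP applies.

```shell
#!/bin/sh
# Generate fw4 'config redirect' (DNAT) sections for every combination of
# Nextiva source network x port range. Output is plain UCI text that can be
# appended to /etc/config/firewall. Added example, not OpenWrt's own tooling.

# Values quoted in the thread (source prefixes, SIP/RTP ranges, PBX address).
NEXTIVA_NETS="208.73.144.0/21 208.89.108.0/22"
PORT_RANGES="5060-5090 16384-32768"
PBX_IP="192.168.2.181"

# gen_redirects PREFIX [ENABLED]
# Prints one named 'config redirect' block per (network, port range) pair.
# ENABLED defaults to 0 so rules can be reviewed before switching them on.
gen_redirects() {
    prefix="$1"
    enabled="${2:-0}"
    n=0
    for net in $NEXTIVA_NETS; do
        for range in $PORT_RANGES; do
            n=$((n + 1))
            # Section name (assumed) lets LuCI and 'uci show' address each rule.
            printf "config redirect '%s_%d'\n" "$prefix" "$n"
            printf "\toption name '%s %s %s'\n" "$prefix" "$net" "$range"
            printf "\toption target 'DNAT'\n"
            printf "\toption src 'wan'\n"
            # Only this provider prefix may reach the forwarded ports.
            printf "\toption src_ip '%s'\n" "$net"
            printf "\toption src_dport '%s'\n" "$range"
            # No dest_port: the destination port is left unchanged, as in the thread.
            printf "\toption dest_ip '%s'\n" "$PBX_IP"
            printf "\toption family 'ipv4'\n"
            printf "\toption enabled '%s'\n\n" "$enabled"
        done
    done
}

# count_redirects PREFIX [ENABLED]
# Sanity check: number of redirect sections produced (expect nets x ranges).
count_redirects() {
    gen_redirects "$1" "$2" | grep -c '^config redirect'
}

# Stand-alone use: print the disabled rule set to stdout.
gen_redirects voip 0
```

Typical use is `sh gen_nextiva.sh >> /etc/config/firewall` followed by `/etc/init.d/firewall restart`; generating with `enabled` set to 0 keeps the thread's workflow of reviewing the rules in the Port Forwards page before enabling them.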

According to the article, it says TCP and UDP.

Nextiva Networking Guidelines | Nextiva Support

That is the default L4 protocol set; the rules cover those.

Port Forwards - General Settings - Updated


That looks better... You can just add my 4 rules and enable them.
You can cut half a millisecond on redirected connection establishment by testing this PR: https://github.com/openwrt/firewall4/pull/77

Edited the example 4 rules with your PBX "collector" IP

Why I doubted TCP+UDP: the VoIP phones I ever saw used only UDP for (S)RTP; I just checked and Wikipedia disagrees.


Thanks for your help brada4. Appreciate it!


You can see the number of connections passing using `nft list ruleset` or in Status -> Firewall.
