UTM9 NAT rule 60001 RTP problems

Hi,

In advance: absolute noob here, thanks for any help and your patience ^^.

I am trying to configure a server behind a Sophos UTM 9 that needs to be able to send and receive RTP on ports 30000 - 33000. The problem I have is that incoming traffic gets blocked by fwrule 60001. I understand that this traffic is blocked because no request has been sent to the host from the server outbound.

What is your advice on configuring this? I understand I could just DNAT the ports and be done, but I don't know if this would be right, and whether there is a more restrictive way to make this work.

Also, besides your recommendations, we have signalling on a specific port. Is it possible to make a rule à la "if I send a client on port x, then this client is allowed to send RTP and STUN to ports 30000-33000 of my server"?

The clients connect via WebRTC in the browser or via WebRTC/IceLink from mobile phones, with custom signalling for the browser and SIP via IceLink from mobile.

Thank you in advance,

Bim
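Before deciding what to open, it helps to see exactly which sources are hitting the default drop rule on the RTP range. The following is an added example, not from this thread or from Sophos: a small parser for the key="value" style of UTM packet filter log lines that summarises UDP packets dropped by fwrule 60001 into ports 30000-33000 per source IP, and then reports which of those sources would not be covered by a given source-IP allowlist (the restricted DNAT approach). The log lines, IP addresses and field names are constructed for the example and are assumptions about the format, not real traffic from the poster's firewall.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample lines shaped like Sophos UTM packet filter log entries
# (syslog prefix followed by key="value" pairs). Not real traffic; the
# addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2019:03:04-10:15:01 utm ulogd[2245]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.10" dstip="198.51.100.5" proto="17" length="78" ttl="52" srcport="49152" dstport="30104"
2019:03:04-10:15:02 utm ulogd[2245]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.10" dstip="198.51.100.5" proto="17" length="1200" ttl="52" srcport="49152" dstport="30104"
2019:03:04-10:15:03 utm ulogd[2245]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.77" dstip="198.51.100.5" proto="17" length="78" ttl="48" srcport="3478" dstport="31000"
2019:03:04-10:15:04 utm ulogd[2245]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.0.2.9" dstip="198.51.100.5" proto="6" length="60" ttl="115" srcport="51000" dstport="22"
2019:03:04-10:15:05 utm ulogd[2245]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="2" initf="eth1" srcip="203.0.113.10" dstip="198.51.100.5" proto="17" length="120" ttl="52" srcport="5060" dstport="5060"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')   # matches every key="value" pair on a line
RTP_RANGE = range(30000, 33001)          # the RTP port range from the question
UDP = "17"                               # IP protocol number for UDP, as logged in proto=""

def parse_line(line):
    """Turn one UTM log line into a dict of its key="value" fields."""
    return dict(KV_RE.findall(line))

def dropped_rtp_sources(log_text, fwrule="60001", port_range=RTP_RANGE):
    """Summarise UDP packets dropped by `fwrule` whose destination port lies in `port_range`.

    Returns {srcip: {"packets": count, "dstports": sorted list of ports hit}}.
    """
    summary = defaultdict(lambda: {"packets": 0, "dstports": set()})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("action") != "drop" or f.get("fwrule") != fwrule or f.get("proto") != UDP:
            continue
        try:
            dport = int(f["dstport"])
        except (KeyError, ValueError):
            continue  # malformed or truncated line; skip rather than crash
        if dport not in port_range:
            continue
        entry = summary[f["srcip"]]
        entry["packets"] += 1
        entry["dstports"].add(dport)
    return {ip: {"packets": e["packets"], "dstports": sorted(e["dstports"])}
            for ip, e in summary.items()}

def not_covered(summary, allowed_networks):
    """Return the dropped sources that a source-restricted DNAT with `allowed_networks` would still not admit."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    return sorted(ip for ip in summary
                  if not any(ipaddress.ip_address(ip) in net for net in nets))

if __name__ == "__main__":
    dropped = dropped_rtp_sources(SAMPLE_LOG)
    for ip, info in sorted(dropped.items()):
        print(f"{ip}: {info['packets']} packet(s) to ports {info['dstports']}")
    # Hypothetical allowlist for the DNAT, e.g. a TURN provider's range (constructed).
    print("not covered by 203.0.113.0/28:", not_covered(dropped, ["203.0.113.0/28"]))
```

The TCP probe to port 22 and the accepted SIP packet are deliberately in the sample so that the filter has something to ignore; only the two UDP sources aimed at the RTP range are reported. Running the summary over a real log export before building the DNAT shows whether the senders are a small, stable set (a TURN provider, for instance), in which case Bob's suggestion of restricting the DNAT to specific source IPs is workable, or arbitrary browsers, in which case it is not.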

  • Hallo Bim and welcome to the UTM Community!

    Is this a VoIP server?  Are the inbound packets sent from a small range of IPs belonging to your VoIP provider?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob,

    Thanks for your reply. It is a FreeSWITCH, and no, the clients can basically be any browser on the internet or a mobile app over mobile networks. Additionally, it is the Binding Requests (STUN) from TURN servers that try to offer their services.

  • I would look on the websites of those products for their suggestions about configuring firewalls to work with them.

    Cheers - Bob

  • OK thanks, that's also in the works ^^

    Can you tell me if there is a possibility to configure the following (from my initial question):

    Also, besides your recommendations, we have signalling on a specific port. Is it possible to make a rule à la "if I send a client on port x, then this client is allowed to send RTP and STUN to ports 30000-33000 of my server"?
  • I'm not sure I "see" what you're proposing, Bim.  You can make a DNAT that sends a range of ports to your server.  You could also limit that DNAT to traffic coming from specific IPs.

    Cheers - Bob
