Server Behind Firewall


Enterprises frequently want to run the PBX on a private network while at the same time giving remote users access to the system. The requirements to achieve this are as follows:

  • A corporate firewall is available that filters traffic between intranet and Internet. This firewall is not SIP-aware, but it is able to send traffic to a DMZ (not performing NAT on this traffic).
  • Most of the phone calls occur internally, and the company is running its own small data center. Therefore, the PBX should run in the private network.
  • The firewall has at least one public IP address which is routable from anywhere in the Internet.

Solution with Public and Private IP Address

By running the PBX with two IP addresses, this problem can be addressed in a clean and easy way. The first IP address is the private IP address of the PBX that is used when phones from the internal network want to talk to the PBX. This ensures that for internal calls and calls to the PSTN, bandwidth or firewall issues are not a problem.

The second IP address is the public IP address of the firewall. Instead of exposing the entire computer to the public Internet, we expose only the SIP and RTP ports to the public Internet. This is done by port forwarding the necessary ports on the firewall. This must be done without using NAT because otherwise the PBX would be unable to insert publicly routable IP addresses for outgoing SIP messages. If you want to use only UDP transport layer, you can forward only the UDP port (typically port 5060). If you also want to support TCP or TLS transport layer, then you also need to forward the TCP ports (TLS is technically TCP). The situation is shown in the figure shown below.

If you are running Windows, make sure that there is no routing between the two interfaces. This functionality is not necessary and would raise security concerns. But you must make sure that the routing metric for the interfaces are set so that only requests to the private network use the private IP address, and all other requests leave the PBX through its public IP interface. You can do this the following way: Open your network connections, select the Advanced Settings menu and move the interfaces in the Adapters and Bindings section up and down until you have the right preference.

In Linux, we are talking about the "route" command. Before you do that, you should remove the old default route, e.g. "route del default eth0". Then you can add the new route, for example, "route add default gw". Needless to say—be careful changing stuff here and make sure that you still have access to the console!

Dealing with Routers that do DMZ with NAT

There are many routers that always NAT on DMZ. Although this scenario is not recommended for the usage with SIP and VoIP there are two workarounds that can deal with this situation. Usually you should use only one method and leave the other field empty.

Separation by IP Address

In the first case, you have a second IP address that is dedicated to route traffic to the public Internet. The routing is done by the operating system. Typically the PBX host has two NIC cards in this situation. This setup has the advantage that the NIC to the public Internet is physically separated from the private network—an important safety belt for many system administrators.

The key in this setup is that the PBX would send the request with the IP address of the NIC that talks to the public Internet. Because the PBX is in the DMZ, all that needs to be done is replacing the IP address of that NIC card in the SIP packets before sending it out (that is why the name for this setting is "SIP IP Replacement List"). For example, if your private IP address of the NIC that is connected to the router is and the s public IP address is, then you would use the setting "" in the replacement list.

It does not really matter if you have a second physical NIC card. The important part is that the operating system will choose a specific IP address when it sends a request towards the public Internet. You can also achieve this by adding an IP address and the respective routing entries to the IP configuration of your system. For example, you can set up a VLAN that is used to route the traffic to the public Internet. If you have other zones than the public Internet, you can of course do the same thing for these zones.

Separation by Route

If you t have a second IP address things are getting a little bit trickier, but you can still deal with this. You can add an additional IP routing entry in the PBX service (not in the operating system) that will tell the PBX that routing to a specific IP address will result in a specific IP address. This is done in the setting "IP Routing List" which is just below the "SIP IP Replacement List". These routing entries are processed by the PBX before the operating s routing table is being consulted. If there is a match, the PBX will not check the operating system tables.

Every entry says "if you want to send the request to the IP address that matches this netmask, then present the following IP address".

In order to make the PBX show the public IP address you need an entry that matches "every other IP address". In other words, the netmask must be (for example, ""). However this has the problem that it will block all calls on the private network, so that that there is also a rule necessary for the private network.

Example: Let's say the PBX is running on address, netmask is and the internal SIP phones have 192.168.x.x addresses. So the first part of the entry will be "". This part will take care of the internal phones. Now, if the phone and PBX have to talk to remote phones and servers, then you have add another part to the "IP Routing List". Consider the public IP address is the IP address provided/assigned by internet service provider. You can check the public IP using, then you will have "" as the other part of the entry.

Putting it all together, an entry of "" will make the PBX serve both internal and remote phones.

In this example the PBX would not look at the routing presented by the operating system.

Combining Both Methods

Usually you don't have to combine methods and you should not try to do that unless there is a strong need.

However, if you do that, the PBX will first process the IP Routing List and come up with an IP address in the SIP request. In a second step, it will go through the SIP IP Replacement List and replace the chosen IP address in the SIP packet

IP Address Changes

Instead of hardcoding the public IP address of the PBX, the PBX can also periodically check for it's public IPv4 address. For this you need an external server that returns the address in JSON format. Whenever possible it is recommended to operate the PBX on IP addresses that are not changing, as IP address changes will inevitably result in service interruptions when the change is happening. For more information see URL for polling the public IP address.