Page tree
Skip to end of metadata
Go to start of metadata

NAT issues

Some of the biggest problems that plague people such as "one way audio" or "Calls dropping after XX Seconds" are caused by NAT not being correctly setup.

Make sure you have a resolvable address on the Internet.

If you don't want to pay a few bucks to get a static IP address, and are served by an ISP that periodically changes your IP address, then get an account with a dynamic DNS service such as DynDNS . Your router may already have built-in support for one or more of these services, if so, use one that your router supports and then configure your router to automatically update your dynamic address when your ISP changes your IP address. Failing that, you can set up an updater program such as inadyn, there are instructions for doing that at this blog page

Adding NAT information in  FreePBX 

All of your settings will be under Settings > Asterisk SIP settings

Next Click Chan SIP in the right menu


This right menu is specific to FreePBX 12. In 2.11 all settings are on the main page


Set NAT as yes

Static IP from your ISP 

Select "Static IP" and enter your external IP

Dynamic IP Updated through dynamic IP service

Select "Dynamic IP" and put the Full host name in such as  ""



Whenever you make a change in the UI you need to "submit" the changes then click "APPLY" at the top


After clicking "submit changes" and the Red Apply click "General SIP Settings" on the right menu

Local Networks

Under "NAT" you will see a box for "Local Networks" 

In these boxes you will put your LAN information with the IP in the first box and the SUBNET in the second box

If your IP is you would put /

Click "Submit changes" And the red "APPLY" button.


RTP Port Range

Open the SIP and RTP ports to your Asterisk server

You must make sure that you open the correct UDP ports in your router's firewall and pointed at your Asterisk server. For SIP protocol, open UDP (NOT TCP) port 5060 (SIP) AND ports 10000-20000 (RTP, which must also be defined in /etc/asterisk/rtp.conf, see below). All these ports are UDP, opening the TCP ports will NOT help anything and may expose your system needlessly. While you are in your firewall configuration, you may as well also open UDP port 4569 (IAX), since sooner or later you'll probably want to accept IAX connections.

You can see the actual range under the "General SIP Settings" page.


If the port values are any different, change them.  These MUST match what you opened in your firewall



You may need to set this to start with 10001, as port 10000, conflicts with usage in Webmin. This only matters if you have installed Webmin


Some people feel the need to open fewer than 10,000 ports. I don't recommend this because six months from now when you start having audio problems you may not remember that you opened fewer than the recommended number of ports, and may spend hours troubleshooting the issue. But if you are simply obsessive about open ports, remember that each open SIP connection may require as many as FOUR concurrent ports, so don't cut it down to some ridiculously small number. For the non-paranoid, I suggest sticking with the recommendations above (and remember, if a hacker is looking at ports on your system, he's going to scan ALL of them, so having fewer UDP ports open really doesn't make you any more secure).

  • No labels

1 Comment

  1. You also sometimes need to to a Manual Outbound NAT (pfsense is one) (

    Routers/Firewalls need to know not to rewrite the port:

    NAT as we all know rewrites the source IP address for an outgoing packet.  So a packet addressed as asterisklocalIP:5060->providerip:5060 becomes wanip:5060→providerip:5060. However to increase security, pfSense also rewrites the source PORT. Thus the packet goes out as wanip:somerandomport→providerip:5060.

    I did not need to do the sip proxy recommended on the pfSense wiki here: