Overview

While trying to configure external VoIP systems, such as Grandstream, the audio transmission appears to be one-way (no outgoing audio). This might be an indication of packets being dropped because of the firewall misconfiguration.

This article provides information on how to allow SIP traffic flow for the on-premise SIP server behind Kerio Control.

Solution

Depending on the VoIP system, the different communication ports might be used. Some providers use wide SIP/RTP port ranges (i.e. 10000-20000) to allow flawless traffic.

Note: for detailed information, please contact your VoIP vendor.

The most common are SIP (5060 port) and SIP TLS (5061). Such traffic policy can be configured through Traffic Rules.

1. In Kerio Control Webadmin navigate to Traffic Rules and add a separate traffic rule with the following data:
   Source: Any
   Destination: Firewall or Firewall + WAN (depending on public IP address settings)
   Services: SIP, SIP TCP, SIP TLS
   Action: Allow
   Translation: Destination NAT <SIP_server_IP_address>
   Inspector: None
   

Testing

Verify the audio flow is bidirectional now. For troubleshooting purposes, enable "Connection tracking" and "Packets dropped for some reason" in Debug logs. For extended output, capture the packets using Packet logging with such or similar expression: daddr = x.x.x.x & (dport = 5060 | dport = 5061)