Fortigate 30D Configuration

guide for MRG with NS-1000

Panasonic System Networks Co.,Ltd

8 Apr. 2015
 -Table of contents-
Diagram of system configuration example with External Router ----------------------- 2
Basic configuration----------------------------------------------------------------------------------- 3
Accessing the Web-Based GUI Interface ------------------------------------------------- 4
Configuring LAN Interface Settings ------------------------------------------------------- 6
Configuring WAN Interface Settings ------------------------------------------------------- 8
Configuring Default Gateway Settings --------------------------------------------------- 11
Configuring DNS Settings ------------------------------------------------------------------ 12
ALG configuration ---------------------------------------------------------------------------------- 13
Disable the ALG function(MGCP/SIP) --------------------------------------------------- 14
Port forward Port forward configuration ---------------------------------------------------------18
Port forward setting for MRG feature with NS-1000 ---------------------------------- 19
Service configuration -------------------------------------------------------------------------- 21
Virtual IP configuration ------------------------------------------------------------------------ 33
Policy configuration ---------------------------------------------------------------------------- 44
Appendix --------------------------------------------------------------------------------------------- 52
Appendix 1: Hairpin NAT ------------------------------------------------------------------- 53
Appendix 2: Important notes for Media Relay Gateway --------------------------- 54
Appendix 3: Factory default settings ---------------------------------------------------- 57
Appendix 4: Enable the ALG function(MGCP/SIP) ----------------------------------- 58

Model : Fortinet FortiGate 30D

Version : v5.2.2,build642 (GA)
PBX : NS-1000
Version : 004.10060
This document has created by the testing result at PSN Lab. It does not guarantee the
actual performance, and PSN shall not be responsible for any problem and troubles.
PSN is not to control or grasp a hardware/firmware updates which should be offered by
manufacturer.
1
Diagram of system configuration example with External Router

Head office Remote office

DSP#1-1:192.168.0.102 WAN:10.0.0.1/29
DSP#1-2:192.168.0.103 LAN:192.168.0.254/24(Static) Global IP address
DSP#2-1:192.168.0.104 provided by ISP
DSP#2-2:192.168.0.105 NS1000 FG-30D
WAN: 10.0.0.2/29
Global IP address
LAN:192.168.0.101
Internet provided by ISP
Netmask:255.255.255.0
GW:192.168.0.254
このイメージは、現在表示できません。

Router

<Port forward setting>

RTP LAN:192.168.10.254/24(DHCP)
SIP
CWMP(HTTP)
CWMP(HTTPs)
UT Phone 3rd party SIP NT 54X/55X SIP MLT DATA(HTTP)
SIP MLT DATA(HTTPs)
NTP
MGCP
PTAP
NT 54X/55X UT Phone
Management PC

2
Basic configuration

3
Accessing the Web-Based GUI Interface.
Log into the FortiGate using a web browser.
1) Launch a web browser on your PCs and enter the URL assigned to your Fortigate.
e.g.) LAN address 192.168.1.99 <Default> https://192.168.1.99/login
The FortiGate login screen is displayed.
2) Enter your initial username in the field provided: admin
3) Enter your initial password in the field provided: <Blank>
4) Click Login

2
3
4

4
Accessing the Web-Based GUI Interface.
Login Succeed
The FortiGate Status page is displayed.

5
Configuring LAN Interface Settings.
1) Select Network
2) Select Interfaces
3）Click lan Interface
4) Click Edit

1 4
2

6
Configuring LAN Interface Settings.
1) Edit IP/Network MASK : e.g. 192.168.0.254/255.255.255.0
2) If you need DHCP function, select DHCP IP address range
3) Click : Edit
4) Enter an actual network range of the IP addresses : e.g. Start IP : 192.168.0.1 End IP : 192.168.0.100
5) Click OK
IP address has been changed
You should change the IP address on your PCs. (e.g. 192.168.0.10 / 255.255.255.0 or DHCP)

2
4

7
Configuring WAN Interface Settings.
1) Select Network
2) Select Interfaces
3) Click wan Interface
4) Click Edit

1 4
2

8
Configuring WAN Interface Settings.
1) Check : Manual
2) Enter IP Address/Network MASK : e.g. 10.0.0.1/255.255.255.248
3) Click OK

It sets actual WAN IP address.

1

9
Configuring WAN Interface Settings.
1) WAN IP address is changed

10
Configuring Default Gateway Settings.
1) Select Network
2) Select Routing
3) Click Create New

Shows New Static Route Screen

1) Enter the Destination IP/Mask : 0.0.0.0/0.0.0.0 (Default)
2) Select Device : wan
3) Enter the Gateway : 10.0.0.2
4) Click OK

1
2
3 It sets actual Gateway IP address.

11
Configuring DNS Settings.
1) Select DNS from the System Menu
2) Enter the DNS Server address : e.g. 10.1.1.1, 10.2.2.2
3) Click Apply

It sets actual DNS IP address.

12
ALG configuration

13
Disable the ALG functions
The FortiGate 30D is enabled ALG functions by default settings, hence you should be disabled
them according to CLI commands as below.
[ CLI Console ]
1) Select Dashboard
2) Select Status
3) Click CLI Console window on the Status Information
4) FortiGate will be on the screen of the command input wait

14
Disable the ALG functions
Step:1
By default FortiOS uses the SIP ALG for SIP traffic. If you want to use the SIP session helper you need to
enter the following command: ( FortiOS 5.2 or later )

# config system settings

(settings) # set default-voip-alg-mode kernel-helper-based
(settings) # end

# show system settings

config system settings
set default-voip-alg-mode kernel-helper-based
end

[ Note ] Default-voip-alg-mode :
kernel-helper-based Default VoIP ALG is kernel helper based.
Proxy-based Default VoIP ALG is proxy based.

15
Disable the ALG functions (MGCP-ALG)
Step:2
Enter the following command to find the MGCP session helper entry in the session-helper list.
This command output shows that the MGCP session helper listens in UDP 2427/2727 for MGCP sessions.

# show system session-helper

config system session-helper
:
edit 19
set name mgcp
set protocol 17
set port 2427
next
edit 20
set name mgcp
set protocol 17
set port 2727
next
:
Enter the following command to delete session-helper list entry number 20,19 to disable the mgcp session
helper.

# config system session-helper

(session-helper)# delete 20
(session-helper)# delete 19
(session-helper)# end
#:

16
Disable the ALG functions (SIP-ALG)
Step:3

Enter the following command to find the SIP session helper entry in the session-helper list.
This command output shows that the SIP session helper listens in UDP 5060 for SIP sessions.
# show system session-helper
config system session-helper
:
edit 13
set name sip
set protocol 17
set port 5060
next
:

Enter the following command to delete session-helper list entry number 13 to disable the sip session helper.
# config system session-helper
(session-helper)# delete 13
(session-helper)# end
#:

17
Port forward configuration

18
Port forward setting for MRG feature with NS-1000
3. How to program
Configure IP Port forwarding on near end NAT router for the following protocols
to allow receiving certain IP packets from phones placed on remote location.
1. Common setting : RTP
Protocol Range of port number Destination Description
RTP 16000-16511(UDP) 192.168.0.102 Send RTP to DSP#1-1

16512-17023(UDP) 192.168.0.103 Send RTP to DSP#1-2

17024-17535(UDP) 192.168.0.104 Send RTP to DSP#2-1

17536-18047(UDP) 192.168.0.105 Send RTP to DSP#2-2

*They are same configuration as port forward for SIP-Trunk .

19
Port forward setting for MRG feature with NS-1000
3. How to program
2. For UT Phone : SIP / TR069 / NTP and 3rd party SIP phones : SIP
Protocol Range of port number Destination Description
SIP 15060(UDP) 5060(UDP)* 192.168.0.101 Send SIP to PBX LAN
(PBX LAN IP Address)
CWMP(HTTP) 7547(TCP) 192.168.0.101 Send CWMP to PBX LAN
(PBX LAN IP Address)
CWMP(HTTPS) 37547(TCP) 192.168.0.101 Send CWMP to PBX LAN
(PBX LAN IP Address)
SIP-MLT Data 7580(TCP) 192.168.0.101 Send Data to PBX LAN
Download (HTTP) (PBX LAN IP Address)

SIP-MLT Data 37580(TCP) 192.168.0.101 Send Data to PBX LAN

Download (HTTPS) (PBX LAN IP Address)

NTP 123(UDP) 192.168.0.101 Send NTP to PBX LAN

(PBX LAN IP Address)

*SIP protocol needs port number conversion to 5060 from 15060.

3. For NT500 Phone : MGCP / PTAP

Protocol Range of port number Destination Description

MGCP 2727(UDP) 192.168.0.101 Send MGCP to PBX LAN

(PBX LAN IP Address)
PTAP 9300(UDP) 192.168.0.101 Send PTAP to PBX LAN
(PBX LAN IP Address)

20
Service configuration

21
Policy & Objects settings
3. How to program
The FortiGate 30D has firewall feature, hence it should be set several policy and objects.
1) Select Policy & Objects

22
Create a New Category(Service)
3. How to program
At first, it is better to make a PBX Category.
1) Select Objects
2) Select Services
3) Select Category
4) Enter the Name : e.g. PBX
5) Click OK

1 3

23
Create a New Service
3. How to program
1) Select Service from the Objects

1 1

< Create 12 Servises >

- RTP Range1 - SIP-MLT Data HTTP
- RTP Range2 - SIP-MLT Data HTTPS
- RTP Range3 - NTP PBX
- RTP Range4 - MGCP PBX
- SIP PBX - PTAP
- CWMP HTTP
- CWMP HTTPS

24
Create a New Service - RTP Range1, RTP Range2
3. How to program
[ RTP Range1 ] [ RTP Range2 ]
Policy & Objects - Services Policy & Objects - Services
1) Click Create New 1) Click Create New
2) Enter the Name : RTP Range1 2) Enter the Name : RTP Range2
3) Select Category : PBX 3) Select Category : PBX
4) Select Protocol Type : TCP/UDP/SCTP 4) Select Protocol Type : TCP/UDP/SCTP
5) Select Protocol : UDP 5) Select Protocol : UDP
6) Enter the Destination Port : (Low)16000 (High)16511 6) Enter the Destination Port : (Low)16512 (High)17023
7) Click OK 7) Click OK

1 1

2 2

3 3
4 4

5 6 5 6

7 7

25
Create a New Service - RTP Range3, RTP Range4
3. How to program
[ RTP Range3 ] [ RTP Range4 ]
Policy & Objects - Services Policy & Objects - Services
1) Click Create New 1) Click Create New
2) Enter the Name : RTP Range3 2) Enter the Name : RTP Range4
3) Select Category : PBX 3) Select Category : PBX
4) Select Protocol Type : TCP/UDP/SCTP 4) Select Protocol Type : TCP/UDP/SCTP
5) Select Protocol : UDP 5) Select Protocol : UDP
6) Enter the Destination Port : (Low)17024 (High)17535 6) Enter the Destination Port : (Low)17536 (High)18047
7) Click OK 7) Click OK

1 1

2 2

3 3

4 4

5 6 5 6

7 7

26
Create a New Service - SIP PBX
3. How to program
[ SIP PBX ]
Policy & Objects - Services
1) Click Create New
2) Enter the Name : SIP PBX
3) Select Category : PBX
4) Select Protocol Type : TCP/UDP/SCTP
5) Select Protocol : UDP
6) Enter the Destination Port : (Low)5060 (High)5060
7) Click OK

3
4

5 6

27
Create a New Service - CWMP HTTP, CWMP HTTPS
3. How to program
[ CWMP HTTP ] [ SIP-MLT HTTP ]
Policy & Objects - Services Policy & Objects - Services
1) Click Create New 1) Click Create New
2) Enter the Name : CWMP HTTP 2) Enter the Name : SIP-MLT HTTP
3) Select Category : PBX 3) Select Category : PBX
4) Select Protocol Type : TCP/UDP/SCTP 4) Select Protocol Type : TCP/UDP/SCTP
5) Select Protocol : TCP 5) Select Protocol : TCP
6) Enter the Destination Port : (Low)7547 (High)7547 6) Enter the Destination Port : (Low)7580 (High)7580
7) Click OK 7) Click OK

1 1

2 2

3 3
4 4

5 6 5 6

7 7

28
Create a New Service - CWMP HTTP, CWMP HTTPS
3. How to program
[ CWMP HTTPS ] [ SIP-MLT HTTPS ]
Policy & Objects - Services Policy & Objects - Services
1) Click Create New 1) Click Create New
2) Enter the Name : CWMP HTTPS 2) Enter the Name : SIP-MLT HTTPS
3) Select Category : PBX 3) Select Category : PBX
4) Select Protocol Type : TCP/UDP/SCTP 4) Select Protocol Type : TCP/UDP/SCTP
5) Select Protocol : TCP 5) Select Protocol : TCP
6) Enter the Destination Port : (Low)37547 (High)37547 6) Enter the Destination Port : (Low)37580 (High)37580
7) Click OK 7) Click OK

1 1

2 2

3 3
4 4

5 6 5 6

7 7

29
Create a New Service - PBX NTP
3. How to program
[ PBX NTP ]
Policy & Objects - Services
1) Click Create New
2) Enter the Name : NTP PBX
3) Select Category : PBX
4) Select Protocol Type : TCP/UDP/SCTP
5) Select Protocol : UDP
6) Enter the Destination Port : (Low)123 (High)123
7) Click OK

3
4

5 6

30
Create a New Service - MGCP PBX, PTAP
3. How to program
[ MGCP PBX ] [ PTAP ]
Policy & Objects - Services Policy & Objects - Services
1) Click Create New 1) Click Create New
2) Enter the Name : MGCP PBX 2) Enter the Name : PTAP
3) Select Category : PBX 3) Select Category : PBX
4) Select Protocol Type : TCP/UDP/SCTP 4) Select Protocol Type : TCP/UDP/SCTP
5) Select Protocol : UDP 5) Select Protocol : UDP
6) Enter the Destination Port : (Low)2727 (High)2727 6) Enter the Destination Port : (Low) 9300 (High) 9300
7) Click OK 7) Click OK

1 1

2 2

3 3
4 4

5 6 5 6

7 7

31
Create a New Service - Confermation
3. How to program
1) Confirm the created Service List.

32
Virtual IP configuration

33
Create a New Virtual IP(Port Forwarding)
3. How to program
1) Select Policy & Objects
2) Objects
3) Select Virtual IPs

1
2

< Create 12 Virtual IPs >

- WAN to DSP1-1 ( RTP Range1 ) - WAN to MPR( SIP-MLT Data HTTP )
- WAN to DSP1-2 ( RTP Range2 ) - WAN to MPR( SIP-MLT Data HTTPS )
- WAN to DSP2-1 ( RTP Range3 ) - WAN to MPR( NTP )
- WAN to DSP2-2 ( RTP Range4 ) - WAN to MPR ( MGCP)
- WAN to MPR( SIP ) - WAN to MPR ( PTAP )
- WAN to MPR( CWMP HTTP )
- WAN to MPR( CWMP HTTPS )
34
Create a New Virtual IP(Port Forwarding) - DSP1-1 RTP, DSP1-2 RTP
3. How to program
[ DSP1-1 RTP ] [ DSP1-2 RTP ]
1) Click Create New 1) Click Create New
2) Enter the Name : DSP1-1 RTP 2) Enter the Name : DSP1-2 RTP
3) Select Interface : wan 3) Select Interface : wan
4) Enter the External IP Address : 10.0.0.1-10.0.0.1 4) Enter the External IP Address : 10.0.0.1-10.0.0.1
5) Enter the Mapped IP Address : 192.168.0.102-192.168.0.102 5) Enter the Mapped IP Address : 192.168.0.103-192.168.0.103
6) Check Port forwarding 6) Check Port forwarding
- Select Protocol : UDP - Select Protocol : UDP
- Enter the External Service Port : 16000 - 16511 - Enter the External Service Port : 16512 - 17023
- Enter the Map to Port : 16000 - 16511 - Enter the Map to Port : 16512 - 17023
7) Click OK 7) Click OK

1 1

2 2

3 3

4 4
5 5
6 6

7 7

35
Create a New Virtual IP(Port Forwarding) - DSP2-1 RTP, DSP2-2 RTP
3. How to program
[ DSP2-1 RTP ] [ DSP2-2 RTP ]
1) Click Create New 1) Click Create New.
2) Enter the Name : DSP2-1 RTP 2) Enter the Name. DSP2-2 RTP
3) Select Interface : wan 3) Select Interface. wan
4) Enter the External IP Address : 10.0.0.1-10.0.0.1 4) Enter the External IP Address : 10.0.0.1-10.0.0.1
5) Enter the Mapped IP Address : 192.168.0.104-192.168.0.104 5) Enter the Mapped IP Address : 192.168.0.105-192.168.0.105
6) Check Port forwarding 6) Check Port forwarding
- Select Protocol : UDP - Select Protocol : UDP
- Enter the External Service Port : 17024 - 17535 - Enter the External Service Port 17536 - 18047
- Enter the Map to Port : 17024 - 17535 - Enter the Map to Port : 17536 - 18047
7) Click OK 7) Click OK

1 1

2 2

3 3

4 4
5 5
6 6

7 7

36
Create a New Virtual IP(Port Forwarding) - MPR SIP
3. How to program
[ MPR SIP ]
1) Click Create New
2) Enter the Name : MPR SIP
3) Select Interface : wan
4) Enter the External IP Address : 10.0.0.1-10.0.0.1
5) Enter the Mapped IP Address : 192.168.0.101-192.168.0.101
6) Check Port forwarding
- Select Protocol : UDP
- Enter the External Service Port : 15060 - 15060
- Enter the Map to Port : 5060 - 5060
7) Click OK

4
5
6

7
37
Create a New Virtual IP(Port Forwarding) - MPR CWMP HTTP,HTTPS
3. How to program
[ MPR CWMP HTTP ] [ MPR SIP-MLT Data HTTP ]
1) Click Create New 1) Click Create New
2) Enter the Name : MPR CWMP HTTP 2) Enter the Name : MPR SIP-MLT Data HTTP
3) Select Interface : wan 3) Select Interface : wan
4) Enter the External IP Address : 10.0.0.1-10.0.0.1 4) Enter the External IP Address : 10.0.0.1-10.0.0.1
5) Enter the Mapped IP Address : 192.168.0.101-192.168.0.101 5) Enter the Mapped IP Address : 192.168.0.101-192.168.0.101
6) Check Port forwarding 6) Check Port forwarding
- Select Protocol : TCP - Select Protocol : TCP
- Enter the External Service Port : 7547 - 7547 - Enter the External Service Port : 7580 - 7580
- Enter the Map to Port : 7547 - 7547 - Enter the Map to Port : 7580 - 7580
7) Click OK 7) Click OK

1 1

2 2

3 3

4 4
5 5
6 6

7 7

38
Create a New Virtual IP(Port Forwarding) - MPR SIP-MLT Data HTTP,HTTPS
3. How to program
[ MPR CWMP HTTPS ] [ MPR SIP-MLT Data HTTPS ]
1) Click Create New 1) Click Create New
2) Enter the Name : MPR CWMP HTTPS 2) Enter the Name : MPR SIP-MLT Data HTTPS
3) Select Interface : wan 3) Select Interface : wan
4) Enter the External IP Address : 10.0.0.1-10.0.0.1 4) Enter the External IP Address : 10.0.0.1-10.0.0.1
5) Enter the Mapped IP Address : 192.168.0.101-192.168.0.101 5) Enter the Mapped IP Address : 192.168.0.101-192.168.0.101
6) Check Port forwarding 6) Check Port forwarding
- Select Protocol : TCP - Select Protocol : TCP
- Enter the External Service Port : 37547 - 37547 - Enter the External Service Port : 37580 - 37580
- Enter the Map to Port : 37547 - 37547 - Enter the Map to Port : 37580 - 37580
7) Click OK 7) Click OK

1 1

2 2

3 3

4 4
5 5
6 6

7 7

39
Create a New Virtual IP(Port Forwarding) - MPR NTP
3. How to program
[ MPR NTP ]
1) Click Create New
2) Enter the Name : MPR NTP
3) Select Interface : wan
4) Enter the External IP Address : 10.0.0.1-10.0.0.1
5) Enter the Mapped IP Address : 192.168.0.101-192.168.0.101
6) Check Port forwarding
- Select Protocol : UDP
- Enter the External Service Port : 123 - 123
- Enter the Map to Port : 123 - 123
7) Click OK

4
5
6

40
Create a New Virtual IP(Port Forwarding) - MPR MGCP,PTAP
3. How to program
[ MPR MGCP ] [ MPR PTAP ]
1) Click Create New 1) Click Create New
2) Enter the Name : MPR MGCP 2) Enter the Name : MPR PTAP
3) Select Interface : wan 3) Select Interface : wan
4) Enter the External IP Address : 10.0.0.1-10.0.0.1 4) Enter the External IP Address : 10.0.0.1-10.0.0.1
5) Enter the Mapped IP Address : 192.168.0.101-192.168.0.101 5) Enter the Mapped IP Address : 192.168.0.101-192.168.0.101
6) Check Port forwarding 6) Check Port forwarding
- Select Protocol : UDP - Select the Protocol UDP
- Enter the External Service Port : 2727 - 2727 - Enter the External Service Port : 9300 - 9300
- Enter the Map to Port : 2727 - 2727 - Enter the Map to Port : 9300 - 9300
7) Click OK 7) Click OK

1 1

2 2

3 3

4 4
5 5
6 6

7 7
41
Create a New Virtual IP(Port Forwarding) - List
3. How to program
1) Confirm the created Virtual IPs List

42
Create a New Virtual IP(Port Forwarding) - Group
3. How to program
[ MPR Grpup ]
1) Click ： icon
2) Select : Virtual IP Group
3) Enter the Name : MPR
4) Select Interface : wan
5) Select Members :
- MPR (SIP, CWMP HTTPS, CWMP HTTPS, SIP-MLT Data HTTP, SIP-MLT Data HTTPS, NTP, MGCP, PTAP)
6) Click OK
7）Confirm created Virtual IP Group
1

4
5

43
Policy configuration

44
Create a New Policy IPv4 - MPR(Group)
3. How to program
1) Select : Policy & Objects
2) Select : Policy
3) Select : IPv4

1
2
3

45
Create a New Policy IPv4 - MPR(Group)
3. How to program
[ MPR ]
1) Click Create New 7) Select Services :
2) Select Incoming Interface : wan SIP PBX, CWMP HTTP, CWMP HTTPS, SIP-MLT HTTP,
3) Select Source Address : all SIP-MLT HTTPS, NTP PBX, MGCP PBX, PTAP
4) Select Outgoing Interface : lan 8) Click OK
5) Select Destination Address : MPR (Group)
6) Select Schedule : always

2
3

4
5
6
7

8
46
Create a New Policy IPv4 - DSP1-1
[ DSP1-1 ]
1) Click Create New 7) Select Services : RTP Range1
2) Select Incoming Interface : wan 8) Click OK
3) Select Source : all
4) Select Outgoing Interface : lan
5) Select Destination Address : DSP1-1 RTP
6) Select Schedule : always

2
3

4
5
6
7

47
Create a New Policy IPv4 - DSP1-2
3. How to program
[ DSP1-2 ]
1) Click Create New 7) Select Services : RTP Range2
2) Select Incoming Interface : wan 8) Click OK
3) Select Source : all
4) Select Outgoing Interface : lan
5) Select Destination Address : DSP1-2 RTP
6) Select Schedule : always

2
3

4
5
6
7

48
Create a New Policy IPv4 - DSP2-1
3. How to program
[ DSP2-1 ]
1) Click Create New 7) Select Services : RTP Range3
2) Select Incoming Interface : wan 8) Click OK
3) Select Source : all
4) Select Outgoing Interface : lan
5) Select Destination Address : DSP2-1 RTP
6) Select Schedule : always

2
3

4
5
6
7

49
Create a New Policy IPv4 - DSP2-2
3. How to program
[ DSP2-2 ]
1) Click Create New 7) Select Services : RTP Range4
2) Select Incoming Interface : wan 8) Click OK
3) Select Source : all
4) Select Outgoing Interface : lan
5) Select Destination Address : DSP2-2 RTP
6) Select Schedule : always

2
3

4
5
6
7

50
Create a New Policy IPv4 - Confirmation
3. How to program
1) Confirm the created Policy IPv4

51
Appendix

52
Appendix 1 : Hairpin NAT
1. Diagram of using the Hairpin NAT
(The hairpin NAT works on the Fortigate FG-30D without special settings)
Ext.301(Media5)
Over Wi-Fi
remote network

Ext.301(Media5)
WAN IP (Global IP)
3G/GSM/LTE
NS1000
10.0.0.2

MPR IP: 192.168.0.101

DSP1-1:192.168.0.102
Mobile DSP1-2:192.168.0.103
carrier LAN : DSP2-1:192.168.0.104
192.168.0.254/24 DSP2-2:192.168.0.105
Internet
WAN IP (Global IP)
10.0.0.1 Move to inside the office

Hairpin NAT Ext. 321 ～ 324

Ext.301(Media5)
Over Wi-Fi
Local network

Wi-Fi access point

The Media5Fone can access to NS-1000 via the remote WiFi router.
If move to 3G/GSM/LTE area, it is able to access with no configuration change of Media5Fone.
When it also moves to local Wi-Fi area, it is able to access with no configuration change of
Media5Fone, but the router must have hairpin NAT feature.
53
Appendix 2 : Important notes for Media Relay Gateway
FAQ40806 : 27/May/2014 : Important notes for Media Relay Gateway
Q.
I am going to connect the remote SIP Phone with NS1000 via the Internet by using MRG.
Is there any matter to have to note ?

A.
Yes, you have one.
There is a possibility of receive the damage of a malicious attack (hacking) from the Internet when the
service port of V-SIPEXT is opened in WAN with MRG etc.
The followings are the attacking procedure which we have actually confirmed.

(1) PBX/SIP-server is searched/discovered by the method of scanning the open-port for SIP service and
public IP addresses by using some automatic program.

(2) Registered SIP extension's ID/password is searched/discovered by sending the possible pair of it
with the brute-force search method.

(3) International phone calls that a cost large amount of money are made by using a searched out
ID/password.

If you can confirm it with SMDR etc that the frequent international phone calls of nobody knowing are
made, there is a possibility of hacking to the SIP extension.
Please read the following points for avoiding the attack, and protect the system from trouble.

54
Appendix 2 : Important notes for Media Relay Gateway

Knowhow to avoid attack from the Internet:

1) You must understand danger of hacking problem when you enable the connection of SIPEXT from
WAN with MRG etc.

2) You should avoid opening port 5060 (standard service port for SIP) to the WAN side.
Port 15060 of the MRG defaults is also dangerous. (see Note2 in below)

3) Program the Toll Restriction for the international call. (damage reduction in hacking)

4) For the password of SIP extension, use longer strings (16 maximum digits are recommended),
and use the mixed strings with alphabets, numbers, and others.

5) Change the password of SIP extension regularly.

6) If IP address (or the range of the address) of the SIP Phone user is known, setup the packet filter
on Firewall of router to prohibit the access from the unknown IP address.
(Only for an external router. )

55
Appendix 2 : Important notes for Media Relay Gateway

(Note1)
If long-term capture is done with wireshark, the capture of the hacker's scanning of (1) can be likely to be
done.
How to distinguish the attack to SIP is the following points.
- REGISTER message comes from unknown IP address. (src IP address is changed frequently)
- Messages such as REGISTER and OPTION come obstinately from IP address where no session of SIP
exists.
- In the message header, there is conspicuous agent name "User-agent : Friendly-scanner".
("Friendly-scanner" is the name of SIP tester very commonly used for SIP attack)
- In the message header, IP address in the Via/Contact header is 127.0.0.1.
(this is local loopback address, and can't be used in normal SIP communication)

(Note2)
Attention to the attacked port.
The main target of searching/discovering by step(1) is the IP devices that opens port 5060 to the Internet.
In the default configuration of MRG, the port used on the WAN side of the router specifies not as port
5060 but 15060. The possibility of searching/discovering by step(1) would be slightly lower in port 15060.
However, all the port numbers that relates to 5060 (15060, 25060, and 35060, etc.) can be the target of
the scanning of (1).
(There are some results of actual attack on them)
There is similar danger for 5060 port surrounding (5061,5062,5063 etc.).
When you change the port number on the WAN side, you need to select the port number not related to
5060 at all.
Moreover, it is commonsensible necessary to avoid Well-known ports(0-1023) and
Registered ports(1024-49151), and to use Dynamic and private or ephemeral ports(49152?65535).

56
Appendix 3 : Factory default settings.
[ Reset Button ]
Turn on the Fortigate 30D
Press and hold when Status LED flashing to reset device to factory default.
This will reset all passwords and erase all prior configurations.
The default LAN address will be set to 192.168.1.99.

DHCP server :Enable <Default> Range 192.168.1.110 – 192.168.1.210

Front Panel

Status LED

Back Panel

Reset buttan
57
Appendix 4 : Enable the ALG functions (MGCP-ALG/SIP-ALG)
[ CLI Console ]
If the SIP/MGCP session helper has been disable by being removed from the session-helper list you can
use the following command the enable the SIP/MGCP session helper by adding it back to the session
helper list.

# config system session-helper # show system session-helper

(session-helper)# edit 0 “0 “means the lowest available id. :
new entry '0' added :
(0) #set name sip edit 18
(0) #set protocol 17 set name sip
(0) #set port 5060 set protocol 17
(0) #end set port 5060
next
# config system session-helper edit 19
(session-helper)# edit 0 . set name mgcp
new entry '0' added set protocol 17
(0) #set name mgcp set port 2427
(0) #set protocol 17 next
(0) #set port 2427 edit 20
(0) #end set name mgcp
set protocol 17
# config system session-helper set port 2727
(session-helper)# edit 0 next
new entry '0' added
(0) #set name mgcp
(0) #set protocol 17
(0) #set port 2727
(0) #end

58
End of document

59