If your PBX is being placed on a Local Area Network (LAN), it will have a static local address (see PBX network settings HERE) and you will need to forward the ports listed above from the WAN (public internet) address to that LAN address.  


The router-based controls for creating port forwarding rules are generally located in the "Advanced" section of your router.  Depending on the router, these controls may be under a  "Gaming", "Applications" or "Virtual Servers" label.  Here is an example of the forwarding rule entries in a TP-Link router, under Advanced/Forwarding/Virtual Servers:



If you intend to connect the PBX to a nexMatrix or other provider’s SIP trunk, you must forward the SIP signaling port.  If you request support from nexMatrix for your PBX, you must also forward the SSH and HTTP ports. On some networks, the default HTTP (web page) WAN port (80) is already in use, usually for remote access to another device.  In that case you can assign any alternate port number, such as 8080, on the WAN side, as long as it forwards to port 80 on the LAN side connection to the PBX.  The same is true of SSH port 22.  You cannot use an alternate port for SIP traffic, however: you must assign port 5060 on both the WAN and LAN sides.  If you assign an alternate HTTP or SSH port, you must inform nexMatrix support so that this can be noted in the PBX licensing file.


If you are connecting extensions to the PBX through a static public WAN IP address (from remote locations, or from mobile smartphone apps), you should forward the entire range of 10,000 RTP ports that the Protel PBX uses by default.  If it is not possible to forward such a large range, our support staff can customize your PBX with a narrower range, or with an entirely different port range, upon request.   Each active telephone connection uses a set of 2 ports between the phone and the PBX (1 in each direction), and another set of 2 ports between the PBX and the receiving phone, regardless of whether it is an internal extension call or an external telephone trunk call.  Furthermore, the RTP (Real-time Transport Protocol) media streams only use even-numbered ports, so only 50% of the numbers in a range are actually usable.   If you intend to narrow the range, make sure you allow for more even-numbered ports than you expect to need for audio channels in each direction.  For example, if the range is narrowed to 10000 - 10200, there are only 100 usable port numbers, or 50 maximum two-way audio port pairs, or 25 concurrent phone calls. This limitation will apply to ALL calls going through the PBX, regardless of whether the phone connects through the WAN or LAN address.
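The forwarding constraints and the RTP capacity arithmetic described above can be checked before the rules are entered in the router. The following Python sketch is an added example, not nexMatrix or Protel code; the `Rule` record, the function names and the sample rule set are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

SIP_PORT = 5060                      # fixed on both sides, per the text
LAN_PORT = {"http": 80, "ssh": 22}   # LAN side is fixed; WAN side may differ
PORTS_PER_CALL = 4                   # 2 ports per leg, 2 legs per call

@dataclass
class Rule:                          # hypothetical record of one router entry
    service: str                     # "sip", "http", "ssh" or "rtp"
    wan: tuple                       # (first, last) WAN port, inclusive
    lan: tuple                       # (first, last) LAN port, inclusive

def rtp_capacity(first, last):
    """Concurrent calls an inclusive RTP range can carry (even ports only)."""
    even_ports = last // 2 - (first - 1) // 2
    return even_ports // PORTS_PER_CALL

def audit(rules, expected_calls):
    """Return findings for rules that break the constraints in the text."""
    findings = []
    for r in rules:
        if r.service == "sip":
            if r.wan != (SIP_PORT, SIP_PORT) or r.lan != (SIP_PORT, SIP_PORT):
                findings.append("sip: must be 5060 on both WAN and LAN sides")
        elif r.service in LAN_PORT:
            want = LAN_PORT[r.service]
            if r.lan != (want, want):
                findings.append(f"{r.service}: LAN side must be port {want}")
            elif r.wan != r.lan:
                findings.append(f"{r.service}: alternate WAN port {r.wan[0]}, "
                                "inform support for the licensing file")
        elif r.service == "rtp":
            calls = rtp_capacity(*r.lan)
            if calls < expected_calls:
                findings.append(f"rtp: {r.lan[0]}-{r.lan[1]} carries {calls} "
                                f"calls, {expected_calls} expected")
    return findings

# Constructed sample rule set, not taken from a real router.
SAMPLE_RULES = [
    Rule("sip", (5061, 5061), (5060, 5060)),
    Rule("http", (8080, 8080), (80, 80)),
    Rule("ssh", (22, 22), (22, 22)),
    Rule("rtp", (10000, 10200), (10000, 10200)),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, expected_calls=30):
        print(finding)
```

With the sample rules, the audit reports the remapped SIP port, the alternate HTTP port that support needs to know about, and an RTP range that carries fewer calls than expected.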


The PBX detects whether an extension is connecting from a LAN address or an external WAN address and applies the appropriate contact header IP address to the RTP request packets that get sent to the phone when a call is being established.  For this to work correctly, you must enter the PBX WAN IP address on the "Server NAT Settings" page, under the Networking tab.  Incorrect NAT settings cause audio streams to be misdirected, resulting in one-way audio or no audio at all.