Your best shot is to use the packet capture feature on the LAN (at the IP of the phone) and grab a capture of the call.  Then open it up in wireshark and go to Telephony -> VOIP Calls (I think that's where it is).  Don't limit it to port 5060, just grab the whole thing.  In there you can look at the flow and see which side hangs up.  I'm assuming you are using a hosted system and not just SIP trunks.  If it's a hosted system this should give you a place to start.  Also, don't rule out firmware.  If this is the only one of this model you have then you can't really compare it to the others.  All you know is that your rules are likely OK in the firewall but capturing the packets is the next step that I would do.

@pfcode: @johnpoz: my guess would be its something pulling a crl for a digicert http://crl3.digicert.com/sha2-ha-server-g5.crl Is on that IP.. Should I suppress it?  What is pfSense doing to issue a connection to this IP? Like already noted it's pulling a certificate revocation list (CRL) to update it in case the certificate has been revoked for whatever reason. You should be able to make your own call if you want this to happen or not.

its a smart switch, I have plenty of ports left I'm just trying to get the most out of my network with the least amount of trouble. I want to keep the same subnet for all the ports on the pfsense box so all of my network can see everything but my guest. I have the guest access part figured out, my one airport will have the guest access turned on. that same access point I want to be able to throttle the bandwidth, my other airport access point will be wide open for bandwidth. my switch I have setup into four groups of 6, one group does one 4 port card in my ftp server group 2 does the other 4 port card in that same PC, I have 3 NAS's on the 3 group, and the last group has my pfsense box and wifi access points. my network is probably broke up in a bad way but it does work for now I would just like to simplify it and have better control and network information. im not all that great on networking but I can get around and figure things out. one thing I don't know is vlans, are you referring to port bridging?

@webtyro: Possible issue? https://forum.avast.com/index.php?topic=160822.0 The post date was 2014 and now its 2017 and avarst still have this problem  ??? Thanks for the link it help me out, if I want there avast cert installed I think I will have to go to the avast forums to get a little more information on how to set it up right. @doktornotor: Remove Avast. Alternatively, at least disable the horrible SSL scanning "feature". I disabled the ssl in avast but when I clicked on web config page to log in it asked if I should "continue anyway" I clicked on the cert this time not blocked by avast and I installed the CA for pfsense so far it is working fine Thanks webtyro and doktornotor for your help.  8)

You emailed us 27 Jan.  Obviously(?) we received it.  Today is 30 Jan, and there has been a weekend in-between.  Your "I've emailed core team but no response yet." from early this morning doesn't seem to be, to use a British idiom, "fair play". We don't block specific prefixes. Things seem to (nominally) work from here: [jim@nfs4 ~]$ traceroute 185.184.156.1 traceroute to 185.184.156.1 (185.184.156.1), 64 hops max, 40 byte packets 1  fw1-office (172.27.32.2)  0.227 ms  0.200 ms  0.124 ms 2  gw1 (208.123.73.2)  0.290 ms  0.409 ms  0.354 ms 3  rrcs-67-78-98-145.sw.biz.rr.com (67.78.98.145)  0.717 ms  2.274 ms  0.724 ms 4  ae15.AUSUTXLA02H.sw.twcbiz.com (24.73.240.204)  8.199 ms  3.823 ms  7.968 ms 5  agg50.ausxtxir02r.texas.rr.com (24.175.43.183)  7.420 ms  7.531 ms  7.598 ms 6  agg22.hstqtxl301r.texas.rr.com (24.175.41.48)  13.863 ms  14.521 ms  10.416 ms 7  ge-2-1-0.a0.sea90.tbone.rr.com (66.109.1.218)  10.919 ms  13.587 ms  7.981 ms 8  * * * 9  ae-129-3515.edge6.London1.Level3.net (4.69.166.73)  106.627 ms  105.456 ms  105.546 ms 10  rtr-152-3356.cdc.custdc.net (109.74.255.84)  107.226 ms  107.149 ms  107.148 ms 11  rtr-151.cdc.custdc.net (109.74.255.241)  108.249 ms  107.081 ms  106.825 ms 12  mai-core-rou1.vooservers.com (109.74.246.106)  106.870 ms  106.711 ms  107.065 ms [jim@nfs4 ~]$ ping 185.184.156.1 PING 185.184.156.1 (185.184.156.1): 56 data bytes 64 bytes from 185.184.156.1: icmp_seq=0 ttl=239 time=107.213 ms 64 bytes from 185.184.156.1: icmp_seq=1 ttl=239 time=107.341 ms 64 bytes from 185.184.156.1: icmp_seq=2 ttl=239 time=106.871 ms ^C –- 185.184.156.1 ping statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 106.871/107.142/107.341/0.198 ms [jim@nfs4 ~]$ ping 185.184.157.1 PING 185.184.157.1 (185.184.157.1): 56 data bytes 64 bytes from 185.184.157.1: icmp_seq=0 ttl=241 time=37.913 ms 64 bytes from 185.184.157.1: icmp_seq=1 ttl=241 time=37.818 ms 64 bytes from 185.184.157.1: icmp_seq=2 ttl=241 time=37.710 ms ^C I'm having staff contact you for more details. Jim

@NOYB: Re: Install Wireshark on 2.3.1 https://forum.pfsense.org/index.php?topic=112719.msg627778#msg627778 Remote Packet Capture https://forum.pfsense.org/index.php?topic=89917 Re: Wireshark on WAN https://forum.pfsense.org/index.php?topic=123836.msg683895#msg683895 Thank you NOYB

Thanks Stephen I appreciate the clarification as well as the suggestions.  And thanks for your work as I am still able to use your script in most of its capacity.

SOLVED! The issue was my ISP, they had problems down stream and after a month of fighting with them they finally worked on the lines in my neighborhood and it fixed the issue, thanks to all who helped.

@kpa: Pretty sure he means the "pass" option in the filter rule association selection box. This is on 2.3.2-RELEASE-p1. I would just use the associated firewall rule and forget the pass option exists. yes, thats what i mean, sorry i thought it was obvious.

I still use the machine for other purposes (file server, Plex, etc), so when I bought it I thought I would be able to setup PFsense in a VM for a powerful router as well. When I bought the server, it came with the extra NIC card so I thought it would act just like more ports in the back like any other router. Guess I was wrong on that haha. There are some people who try to utilize extra interfaces by bridging them together, but it's not recommended and you'll pull your hair out trying to get it working.  Not to mention, it's not going to perform like a dedicated switch. So, what can you do with extra NIC's on your ESXi host?  For home use, I would say people typically utilize them for other VM's.  There are a bunch of options for extra NICs… including, but not limited to: Manually load balance your VM's between the extra NIC's NIC Team the extra NIC's and allow ESXi to load balance the VM traffic for you Dedicate a NIC for iSCSI traffic to a NAS or SAN If you have multiple ESXi hosts,  you can dedicate a NIC for vMotion traffic

Hi all I have been running into walls trying to install this, and I don't now if it because of my lack of FBSD knowledge or its pfsense not have some need packets installed that I need. I have read this tut on how to add a new user.  "Note the only thing I changed in this tut was the password". Link: https://www.digitalocean.com/community/tutorials/how-to-add-and-remove-users-on-freebsd I did that and named it netdisco like the netdisco installer says, but when I try the netdisco create user steps in Dependencies it says: Dependencies Link: https://metacpan.org/pod/App::Netdisco#Dependencies ========================================== #useradd: command not found %wheel:    Too many arguments pw:            unknown keyword 'groundmod' #:              command not found and so on… Is it me? or are there packets I have to download to be able to use these functions? Any help I would be ever so great-full.

Hell I have been getting the same problem, and I have to restart the pfsense computer dew to 504 gateway fail. I do not use  Sync and CARP like you, I have pfsense PC quad core 3.2 gig 6gig ram 120 HDD it has 1 WAN in and 2 Lan out with load balancing to a dual wan router that also has load balancing as well for my internal network, but primary Lan1 on pfsense PC drops out and then I have to reset pfsense computer to get it back. If I was a business running servers I would find this a big problem.

The logo was created by hoba back then, IIRC. There was talk about it in this forum so try a search. Participants might have been hoba, cmb and sullrich.

Cool! Would I be right in concluding that Wolf666’s suggestion may not bear fruit because.. That document seems to only deal with inbound towards a PBX server. If you end up with issues such as one way audio or phone calls going to VM immediately, keep in mind that if you need to make inbound firewall rules to point them at your "WAN address".. (SIProxd) or client LAN address (no SIProxd). I personally like SIProxd when I have more than one SIP device on a given network.  Makes less work for me.  But should be possible without it. With "normal" voip there should Never be a reason to port forward to the client device(s).  Although firewall rules might be needed you can make inbound rules on the WAN interface that points to each device(without SIProxd)(or a small subnet of devices if you choose) which will allow the SIP server to reach your device at will.  (source- SIP Server  destination- your sip client or device(s)).  (with SIProxd-  source- SIP server  destination- WAN address.)

I can ping the gateway from pfSense, but not the client. It doesn't matter if pfSense is on a different port on the switch. I tried to find posts from other people with similar problems or "problems separating traffic"  with the TL-SG108E and there are none. My configuration is identical to that used by others. This switch appears to work fine with pfSense with very little configuration. To check if the long-frame BFE VLAN interface (Broadcom BCM4401) is the problem I tried a new pfSense install on a different computer with a hardware-VLAN ALC interface and had the same issue (along with many other issues I didn't look into). People are using the BFE interface for VLAN on BSD and pfSense successfully, but I still have suspicions on the BFE / TL-SG108E combo. I monitored everything in var/log but no error messages appear at all when the WAN is connected/disconnected other than a DHCPREQUEST in dhcpd.log. Is it possible to get BSD to more finely log ethernet and networking errors?

Settle on LAN subnet that's not 192.168.0.0/24 or 192.168.1.0/24. Replace the Linksys with PFsense, assign the first available IP in your new range to the LAN interface and enable DHCP Assuming you want to reuse the Linksys for wireless, give the Linksys a static IP in your new LAN subnet that's outside of your new DHCP range, disable the DHCP server on the Linksys, attach the Linksys to your switch via the LAN port on your Linksys (Not the WAN port) That is a basic setup and will look like this: Modem -> PFsense -> Switch -> LAN                                       |                                       |–---> Linksys -> Wireless Anything more complicated will involve managed switches, VLANs and/or extra NICs.

here is a neat thing that fios does not tell you…. :'( :o :o so if for some reason your account is disabled (non-payment, changes made, or something on their end..which is what my case was..the card on file name was changed) you can actually still access https and other secured connections, but you can not access ANY other connections. makes a hell lot of sense does it not? screw residential internet access..im going business! just a little FYI for those who may run across such an issue.