I tried it this morning and it's working from that location now.

Thank you for the ideas/explanation.

Here you go…this guide should help you....

http://www.3cx.com/blog/voip-howto/pfsense-firewall/

Thank You

Fix turned out to be easy. Pull request https://github.com/pfsense/pfsense/pull/1341

Yeah there isn't a direct equivalent for the source IP per-domain override that's in dnsmasq.

Ideally that won't be an issue because #1 will work, but that isn't the case at times and fixing that can be a significant undertaking.

The best alternative I've seen is #2, picking only a single interface for the outgoing interface option. I don't think there are any caveats to that. Any queries that go to an Internet destination will have that IP source NATed. The only potential issue I can think of there is if you need one domain override to use one source IP, and a diff domain override to use a diff source IP. I've never seen anyone have such a requirement so it's likely exceptionally rare. Choosing only LAN for the outbound interface should be safe in most every scenario.

@cmb:

I'm not sure what the issue was, and probably won't know until we can discuss on Monday.

Any further info on what the problem was?

the root of that issue is this. https://redmine.pfsense.org/issues/4019

to work around, run the following at a command prompt before installing the package.

The "embedded" choice error is fixed in current snapshots now. Though there are still some issues (check redmine)

Thanks for the logs.
I fixed for new snapshots the certificates will be there now.

I already found this link but am not able to understand correctly what is written there.

I could understand the parts with

"Set Conservative state table optimization"

and

"Disable scrub".

I installed siproxd but the  configuration is way to complicated to me.

And I did not understand the part about

"Disable source port rewriting".

What I did was giving the Phone a static dhcp lease.

Then I set up udp forwarding per the directions my provider is handing out.

See:

http://hilfe.telekom.de/hsp/cms/content/HSP/de/3378/FAQ/theme-45859561/Telefonie/theme-45859560/Anschluss-und-Tarife/theme-45859549/Telefonieren-und-Surfen/theme-82239611/IP-basierter-Anschluss/faq-350884716

In short:

UDP (out): Ports 5060, 30000-31000, 40000-41000, 3478, 3479
UDP (in): Ports 5070, 5080, 30000-31000, 40000-41000
TCP (out): Port 80, 443

I only have one phone,
so port forwarding should to the job.

I still have not found how i could forward port ranges,
if someone told my how to do this I would be glad.

Because the wan voip adresses change frequently with my provider I can not use static adressing voip server wise.

Any help would be appreciated.

OK.

But:
230 Guest login ok, access restrictions apply.
ftp> ls
500 Illegal PORT rejected (address wrong).

That's what I was thinking! Thanks!

It's not two v6 gateways, it's one v4 and one v6. I fixed the description so it shows correctly. For gif and GRE it should only have either a v4 or a v6 gateway depending on which is in the tunnel network, but it doesn't hurt anything having both, one is just not going to do anything.

The code Phil referenced was a copy/paste from dnsmasq, which uses its advanced field differently since it needs those as command line arguments, not in a conf file. The problem was your advanced options were never used prior to a few days ago, and once that was fixed, they were put in wrong. That did need to be output differently.

I just pushed a fix for that. gitsync or upgrade to a snapshot on the 16th or newer and you should be in good shape.

Thanks for explaining. I remember having seen other posts regarding the issue.
Squidguard is indeed working.

Cheers.

There was a note on that linked commit internally that apparently got overlooked, I just now pushed a fix. Thanks for the report

Here is my current setup on Riverbed  Steelead 100 with mikrotik R52hn

pfwifi.jpg
pfwifi.jpg_thumb