Netgate Discussion Forum

IP Phone on LAN - how to DMZ it out?

  • M
    megawatt
    last edited by Sep 20, 2016, 12:43 PM

    I have a Panasonic IP phone at static 192.168.0.20. pfSense is my gateway at 192.168.0.1. With Walmart-level routers I was usually assigning the IP to DMZ and had it working. With pfSense I do not have a DMZ option; I tried all night to play with Firewall or NAT rules and the phone is still not working. I see that VoIP ports like 2427 or 68 are blocked by the firewall and logged, but I cannot unblock them. Please point me in the right direction (but please not to the useless https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting or https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks). I am lost with the pfSense way of doing things and need some kind of walkthrough, if possible, for IP phones.

    • J
      johnpoz LAYER 8 Global Moderator
      last edited by Sep 20, 2016, 12:55 PM

      You cannot understand how to forward a port? You sure as hell do not need 68 forwarded. That is DHCP.

      You click NAT under Firewall; is the port TCP/UDP/? Put in the port and the dest IP, which would be 192.168.0.20 in your case, and the dest port is almost always going to be the same.

      It really is like 3 clicks.. Pretty much everything can be left as default.  You just need the port and where you want to send it.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • M
        megawatt
        last edited by Sep 20, 2016, 1:01 PM

        Nice people here… Yeah, I might not understand something, not a big deal.
        So, I found this article http://www.3cx.com/blog/voip-howto/pfsense-firewall/ right after I created the forum post. So the issue is resolved.

        • J
          johnpoz LAYER 8 Global Moderator
          last edited by Sep 20, 2016, 1:11 PM

          Not understanding and expecting to use a firewall, kind of big deal ;)

          That listed the ports used, I guess, but other than some pictures of what to change, i.e. port and IP.. So you just blindly clicked on the stuff they showed without any clue as to what any of it means??

          They don't show you forwarding 2427, so why are you showing that blocked? Are you using MGCP? Media Gateway Controllers, guess you don't know and not a big deal ;)

          • M
            megawatt
            last edited by Sep 20, 2016, 1:44 PM

            The Panasonic phone system PDF says that it uses port 2427, and the explanation is "Media Gateway Control Protocol. Used for call control command data and LCD/LED data transmission."
            Ports 67, 68 are for "Dynamic Host Configuration Protocol. Used for receiving an IP address from a DHCP server."
            Do you see this as not needed for normal phone operation? When the phone was assigned to DMZ I did not need to think about these details, it was just working. Looks like with pfSense I need to dig into every detail trying to decide if it is needed or not.

            • K
              KOM
              last edited by Sep 20, 2016, 2:05 PM

              You don't need to forward 68 since DHCP is coming from your LAN, not from outside, and even then your phones are static IP.  Do you even really need to forward any ports?  I'm running a bunch of Polycom VoIP phones and they all work without any firewall magic.  I don't know why you want to DMZ them when they're literally no different than any other client on your network.  DMZ is usually reserved for services that receive unsolicited requests and require security isolation.

              • M
                megawatt
                last edited by Sep 20, 2016, 2:23 PM

                Disabled port 68 rule, thanks. Yes, I have to forward ports, otherwise there is no sound and phone will be rebooting constantly after every 3 minutes.

                • K
                  KOM
                  last edited by Sep 20, 2016, 2:39 PM

                  With my Polycoms, when they boot up, they reach out to their head end (my VoIP provider) and then maintain an active state throughout.  Incoming calls just use that open state to talk to the phones so there is no need for a forward through the firewall.  IMO this is a much more elegant solution than having to forward ports, but at least you got it working.

                  For the record, those two pfSense links are far from useless.  The 'WAN from LAN' question comes up weekly, and the port-forward troubleshooting page lists all the common mistakes people make.

                  • J
                    johnpoz LAYER 8 Global Moderator
                    last edited by Sep 20, 2016, 2:59 PM

                    DHCP is used pretty much for any device.  But your pfSense should be providing DHCP, or some other device on your network.  Either way there would be no reason to have to create a rule for this in pfSense.  Since if you enable DHCP the rules are created for you automagically.  If you're running it elsewhere on that network, pfSense has nothing to do with DHCP.  It might be noise in your logs, would be all.

                    No, you don't need to dig into every little detail, but you do need to understand the operation of the device you want to put behind a natting firewall.  Or yeah, you're going to have issues..

                    "Panasonic phone system PDF is saying that it uses port 2427"

                    So did you forward that port? It was not in the list of the link you provided.  So either you forwarded it and you're working fine, or you didn't and it's not actually needed, since again you said you're working fine.

                    Placing a box in DMZ as per your Walmart router's setup is a BAD idea no matter how you look at it..  And it's not really a DMZ with those devices, it just forwards all unsolicited traffic to that IP.  A DMZ'd box would be firewalled off from the rest of your network, etc.

                    That little feature is great for those types of routers, since they are designed for your typical user that has not a clue.  So they give them an easy way to just forward everything to a box if they are not bright enough to figure out which ports they need.  pfSense is not designed with these sorts of users in mind.  But you could do the same thing if you so desired.  Just forward all the ports to your box, both TCP/UDP, and there you go, same mode of operation as your Walmart router's DMZ host function.

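
Added example, not part of any post in this thread: a small audit of port-forward rules that flags the two patterns the replies call out, a forward of the DHCP ports (67/68) and a forward of every port to one host (the consumer-router "DMZ host" behaviour). The `Forward` rule format and the sample rules are constructed for illustration and are not pfSense's configuration schema; UDP for port 2427 is assumed as MGCP's usual transport.

```python
from dataclasses import dataclass

DHCP_PORTS = {67, 68}      # DHCP is answered on the LAN, so a WAN forward is never needed
ALL_PORTS = (1, 65535)     # forwarding this range is the "DMZ host" mode of operation


@dataclass(frozen=True)
class Forward:
    """Hypothetical, simplified port-forward rule (not pfSense's own format)."""
    proto: str        # "tcp", "udp" or "tcp/udp"
    first_port: int
    last_port: int
    target: str       # internal host that receives the traffic


def audit(rules):
    """Return (rule index, finding) pairs for rules that expose more than needed."""
    findings = []
    for index, rule in enumerate(rules):
        if (rule.first_port, rule.last_port) == ALL_PORTS:
            findings.append((index, "dmz-host-equivalent"))
        elif any(rule.first_port <= p <= rule.last_port for p in DHCP_PORTS):
            findings.append((index, "dhcp-forward-not-needed"))
    return findings


def exposed_ports(rules, target):
    """Count distinct (protocol, port) pairs reachable from outside on one host."""
    exposed = set()
    for rule in rules:
        if rule.target == target:
            for proto in rule.proto.split("/"):
                exposed.update((proto, port)
                               for port in range(rule.first_port, rule.last_port + 1))
    return len(exposed)


# Constructed sample rules for the phone at 192.168.0.20 from the thread.
SAMPLE_RULES = [
    Forward("udp", 2427, 2427, "192.168.0.20"),    # MGCP port named in the phone PDF
    Forward("udp", 68, 68, "192.168.0.20"),        # DHCP forward the poster later disabled
    Forward("tcp/udp", 1, 65535, "192.168.0.20"),  # "forward everything" DMZ-host rule
]

if __name__ == "__main__":
    for index, finding in audit(SAMPLE_RULES):
        print(f"rule {index}: {finding}")
    print("exposed with only the MGCP rule:", exposed_ports(SAMPLE_RULES[:1], "192.168.0.20"))
    print("exposed with all rules:", exposed_ports(SAMPLE_RULES, "192.168.0.20"))
```

The exposure count makes the difference concrete: one forwarded port versus every TCP and UDP port on the phone.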
