Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Wifi calling setup in PFSense

    Scheduled Pinned Locked Moved Firewalling
    13 Posts 5 Posters 1.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      JT40
      last edited by

      Hello,

      I have a couple of questions about WiFi calling on PFSense:

      1. I have an iPhone and I need to enable the ports 500 and 4500 with UDP, but honestly, it works with just one of them...

      I noticed a strange behaviour though, I need to disconnect the iPhone from WiFi to see the changes applied to those rules, I tested it multiple times, do you know why?
      Is it an accident due to other reasons or is it really how PFSense behaves?
      I mean, in my case, the PFSense router is managing the routing and firewall, I would expect such stupid issues if the AP was responsable for it, like in an All-in-one solution.

      1. My FW by default blocks everything, I'm not sure if I've set it up in that way, also in local network, which is due to my setup though.
        Anyway, I assume that I need to enable the inbound rule to receive calls, right?
        At the moment I can't test it, so I'm asking :D .
        To clarify, I was able to make calls, I need to test the call reception, but also the drop out from WiFi and rejoin, any remark on this?
      JKnottJ R S 3 Replies Last reply Reply Quote 0
      • JKnottJ
        JKnott @JT40
        last edited by

        @jt40

        I use WiFi calling and it works fine. I didn't have to do anything to enable it.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        J Bob.DigB 2 Replies Last reply Reply Quote 1
        • R
          rcoleman-netgate Netgate @JT40
          last edited by

          @jt40 said in Wifi calling setup in PFSense:

          I have an iPhone and I need to enable the ports 500 and 4500 with UDP

          Is this for a VOIP system run over a VPN?
          Those ports aren't needed for carrier calling over WiFi

          Ryan
          Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
          Requesting firmware for your Netgate device? https://go.netgate.com
          Switching: Mikrotik, Netgear, Extreme
          Wireless: Aruba, Ubiquiti

          1 Reply Last reply Reply Quote 0
          • S
            SteveITS Galactic Empire @JT40
            last edited by

            @jt40 said in Wifi calling setup in PFSense:

            I need to disconnect the iPhone from WiFi to see the changes applied to those rules,

            If there are open states those need to be terminated.
            https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#check-the-state-table

            Define "enable the ports"?

            You don't need any inbound NAT or firewall rules for the phone to connect out.

            There have been past threads about Wi-Fi calling problems but I have never had to do anything special.

            What cellular company do you have?

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote ๐Ÿ‘ helpful posts!

            1 Reply Last reply Reply Quote 0
            • J
              JT40 @JKnott
              last edited by JT40

              @jknott said in Wifi calling setup in PFSense:

              @jt40

              I use WiFi calling and it works fine. I didn't have to do anything to enable it.

              Very strange, you need to allow the inbound, I just tested it.
              Inbound communications are blocked by default, it would be VERY STRANGE if it wasn't like that, especially for traffic coming from WAN.
              Anyway, my WAN is nothing else than another LAN, but the router above doesn't block anything :D .

              @rcoleman-netgate said in Wifi calling setup in PFSense:

              @jt40 said in Wifi calling setup in PFSense:

              I have an iPhone and I need to enable the ports 500 and 4500 with UDP

              Is this for a VOIP system run over a VPN?
              Those ports aren't needed for carrier calling over WiFi

              It's for WiFi calling, no VOIP, probably the protocol is the same, but it's called WiFi calling and it requires ports 500 and/or 4500 with UDP, I just tested it.

              @steveits said in Wifi calling setup in PFSense:

              @jt40 said in Wifi calling setup in PFSense:

              I need to disconnect the iPhone from WiFi to see the changes applied to those rules,

              If there are open states those need to be terminated.
              https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#check-the-state-table

              Define "enable the ports"?

              You don't need any inbound NAT or firewall rules for the phone to connect out.

              There have been past threads about Wi-Fi calling problems but I have never had to do anything special.

              What cellular company do you have?

              Thanks for that link, I'll verify if it was my case.

              I don't need Inbound rules to connect out, but I need both :D , that is:

              OUTBOUND AND INBOUND rules for port 500 and 4500 with UDP
              

              My setup is the following:
              ISP modem/router
              PFSense Router
              L2 Switch
              AP

              Basically, the PFSense WAN points to another LAN.
              Due to my Private VLANs, I need those rules, but by default, my FW always blocked every communication, in inbound and outbound.
              In fact, without an ALLOW ALL OUTBOUND I was never able to leave the VLAN, for internal and external communications.
              I don't have doubt on the INBOUND because this is always blocked by default, hence, without an INBOUND rule no one can call me.

              Thanks everyone, we may close this thread, unless someone wants to add something, your answers are suspicious, quite different from my testing, no offense, I'm just trying to fully understand if it was me not explaining the problem well, or having wrong knowledge about firewalls (I'm not an expert), or I made some weird setup initially.

              JKnottJ 1 Reply Last reply Reply Quote 0
              • JKnottJ
                JKnott @JT40
                last edited by

                @jt40 said in Wifi calling setup in PFSense:

                Very strange, you need to allow the inbound, I just tested it.

                Normally, the firewall recognizes the inbound as part of the same connection as the outbound.

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

                J 1 Reply Last reply Reply Quote 1
                • J
                  JT40 @JKnott
                  last edited by

                  @jknott said in Wifi calling setup in PFSense:

                  @jt40 said in Wifi calling setup in PFSense:

                  Very strange, you need to allow the inbound, I just tested it.

                  Normally, the firewall recognizes the inbound as part of the same connection as the outbound.

                  I think you're right, I just tested it after having rebooted the router, just to be sure.
                  I have a question, I understand that point, but is this not in direct contrast with DENY all in INBOUND by default?
                  Or is it just an automated way to process rules in order to avoid to do it manually?

                  S JKnottJ 2 Replies Last reply Reply Quote 0
                  • S
                    SteveITS Galactic Empire @JT40
                    last edited by

                    @jt40 Denying inbound on WAN handles unsolicited connections. If a device connects out, then it is expected the server response should be allowed. The open "state" of the connection allows this.

                    Some don't even hold the connection open, for instance the app may subscribe to a "push notification" which despite its name, isn't a direct connection from some random server on the Internet to the device. The notification tells the app to connect out and process the call, for example. (or retrieve an email, etc.)

                    Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                    When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                    Upvote ๐Ÿ‘ helpful posts!

                    1 Reply Last reply Reply Quote 1
                    • Bob.DigB
                      Bob.Dig LAYER 8 @JKnott
                      last edited by Bob.Dig

                      @jknott said in Wifi calling setup in PFSense:

                      I use WiFi calling and it works fine. I didn't have to do anything to enable it.

                      Same.

                      A VPN on the phone might be the problem.

                      R 1 Reply Last reply Reply Quote 1
                      • R
                        rcoleman-netgate Netgate @Bob.Dig
                        last edited by

                        @bob-dig said in Wifi calling setup in PFSense:

                        A VPN on the phone might be the problem.

                        That's the only logical reason 500 and 4500 would be in play.

                        Ryan
                        Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                        Requesting firmware for your Netgate device? https://go.netgate.com
                        Switching: Mikrotik, Netgear, Extreme
                        Wireless: Aruba, Ubiquiti

                        J 1 Reply Last reply Reply Quote 1
                        • JKnottJ
                          JKnott @JT40
                          last edited by

                          @jt40

                          It depends on where the connection originates. With outgoing connections, incoming is matched to it. With incoming, there is no outgoing to match with and so it's dropped.

                          PfSense running on Qotom mini PC
                          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                          UniFi AC-Lite access point

                          I haven't lost my mind. It's around here...somewhere...

                          1 Reply Last reply Reply Quote 1
                          • J
                            JT40 @rcoleman-netgate
                            last edited by JT40

                            @rcoleman-netgate said in Wifi calling setup in PFSense:

                            @bob-dig said in Wifi calling setup in PFSense:

                            A VPN on the phone might be the problem.

                            That's the only logical reason 500 and 4500 would be in play.

                            Auch, I have a VPN, but it's the stupid VPN for filtering the traffic by my AV, which honestly seems doing nothing...
                            Definitely it doesn't tunnel my traffic, it's called VPN but I think it's just a proxy for traffic monitoring, that can eventually block your traffic if you visit unsafe remote addresses.

                            I noticed that not only with iPhone, but also with Android if I remember well.

                            In any case, the ports 500 and 4500 are required by Apple, not even my carrier: https://support.apple.com/en-us/HT202944

                            Switching scenario, I think that the port requirement is the reason why I can't record my calls with iPhone, unless I install some third party applications and give App permissions... Apple doesn't allow you to record calls, you don't even have a way to set permissions...
                            (The cost of these apps is unbelivable...)

                            R 1 Reply Last reply Reply Quote 0
                            • R
                              rcoleman-netgate Netgate @JT40
                              last edited by

                              @jt40 said in Wifi calling setup in PFSense:

                              In any case, the ports 500 and 4500 are required by Apple, not even my carrier: https://support.apple.com/en-us/HT202944

                              " IKEv2"

                              It's for a VPN.
                              You initiate it locally, it goes out and locks on to the Carrier's system.

                              Screenshot 2022-11-01 at 5.49.38 PM.png

                              Ryan
                              Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                              Requesting firmware for your Netgate device? https://go.netgate.com
                              Switching: Mikrotik, Netgear, Extreme
                              Wireless: Aruba, Ubiquiti

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.