PFsense getting digital voice to work?
-
@stephenw10 said in PFsense getting digital voice to work?:
Hmm, you really shouldn't need anything just for internal phones. The phone should open an outbound SIP connection to the Zen server when it registers and that should remain open. The server then uses that to send SIP signals to the phone. If that's not happening without a forward I'd check for the server using different source ports. Or for the UDP SIP states timing out.
Zen uses a different server address (voip.zen....) for incoming calls vs outgoing calls/registration (voip2.zen...).
-
Zen uses a different server address (voip.zen....) for incoming calls vs outgoing calls/registration (voip2.zen...).
Voip.zen.co.uk resolves here to 212.23.7.228
Don't port forward anything but-
Create an incoming firewall rule on your WAN from 212.23.7.228 to the LAN address your SIP device(s) reside at. Use whatever SIP ports that your service and devices use.
I can provide some screenshots if you need.
What RTP ports does your system use? They will most likely be different. Make the same kind of rules for those as well. Make a couple of phone calls and look at your states tab. Search for your client device IP address and take a screenshot of all its connections during that call for reference.
Alternatively use the SIProxd package. In that case you would forward these rules to your WAN address.
-
Actually this page has all the IPs you need.
https://www.zen.co.uk/help-support/general-sip-settings/
Look at firewall settings. They already know this will be an issue with real firewall devices.
Once again.. you do not need to port forward. The server will find you.
-
The phone is behind NAT so a firewall rule without a port forward isn't going to do anything.
-
@chpalmer Thanks for that reminder of the official settings!
I went back and checked my config - I had essentially copied the default settings of the Zen supplied router (FRITZ!box AV7530AX) which is preconfigured for their digital voice service to use voip2.zen.co.uk as the SIP registrar. As incoming calls come from a different server, voip.zen.co.uk, I had needed rules in place to use the Zen device (in its default settings), or the N300A configured with the same settings, when placed behind pfSense.
I have now reconfigured the N300A to connect to voip.zen.co.uk and that has allowed me to disable the port forwarding and WAN rules I had in place. The only thing I had to do was enable the static port option in the outbound NAT for the N300A.
Much cleaner, thanks again.
-
Ah, so it's registering against that server too?
-
@bigsy I could be/probably am wrong, but without port forwards on the WAN, I think a situation can arise where, if you reboot the router, you won't receive any incoming calls until the client re-registers. With the N300's default setting, that could mean up to an hour with no incoming calls?
-
@stephenw10 said in PFsense getting digital voice to work?:
Ah, so it's registering against that server too?
Yes.
-
Hmm, I would expect the timeout to be far shorter than that. The UDP state timeouts are 60s by default. The keep-alive packets have to be more frequent than that to allow incoming SIP signals to use them.
-
@darcey Thanks, I'll keep an eye out for that, although this router is very seldom rebooted and for this particular situation a short delay before incoming calls could happen wouldn't be an issue.
The N300 is set for registration refresh every 180s, but from a pcap it looks like re-registration is taking place every 135s and a keep-alive every 20s.
-
@bigsy It sounds fairly immune to that scenario then. What I notice here, with my N300, is that after SIP registration, the only SIP traffic from the N300 is SIP OK responses to SIP OPTIONS from the server (local asterisk). This I took to be a keep-alive mechanism.
When the firewall state's lost for whatever reason, some form of SIP packet is needed from the N300 to recreate the state. That didn't come until the next SIP REGISTER and my unit's was set at 3600. I have pf states set to conservative, which AIUI keeps UDP states for 900s.
Having said all that, N300 and two handsets have worked quite well for me. Android softphones are another matter!
Thanks for the discussion.
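-
Added example, not part of any post in this thread: a simplified Python model of the mechanism discussed above, where inbound SIP only reaches the NATed phone while a UDP state created by the phone's own outbound traffic is still alive. The function names, the single idle timeout per state and the 30 s server OPTIONS interval are assumptions; the 60 s, 900 s, 20 s, 135 s and 3600 s figures are the ones quoted in the posts.

```python
# Added example: simplified model of one firewall UDP state for a SIP phone behind NAT.
# Assumption: a single idle timeout for the state's whole life (pf has several UDP timers).

def unreachable_windows(events, state_timeout, horizon):
    """Return [(start, end)] periods with no state, i.e. inbound SIP is dropped.

    events: (time_s, kind) tuples, kind is one of
      "out"   packet from the phone (REGISTER, keep-alive): creates or refreshes the state
      "in"    packet from the server (e.g. OPTIONS): refreshes only an existing state
      "flush" state table cleared (e.g. firewall reboot)
    """
    windows, expires, gap_start = [], None, 0
    for t, kind in sorted(events):
        if expires is not None and t >= expires:   # idle timeout hit before this packet
            gap_start, expires = expires, None
        if kind == "flush" and expires is not None:
            gap_start, expires = t, None
        elif kind == "out":
            if expires is None and t > gap_start:
                windows.append((gap_start, t))     # phone was unreachable until now
            expires = t + state_timeout
        elif kind == "in" and expires is not None:
            expires = t + state_timeout            # with no state, the packet is dropped
    if expires is None:
        windows.append((gap_start, horizon))
    elif expires < horizon:
        windows.append((expires, horizon))
    return windows


def schedule(horizon, register_every, keepalive_every=None, server_every=None, flush_at=None):
    """Build a constructed event list from fixed intervals (seconds)."""
    events = {(t, "out") for t in range(0, horizon, register_every)}
    if keepalive_every:
        events |= {(t, "out") for t in range(0, horizon, keepalive_every)}
    if server_every:
        events |= {(t, "in") for t in range(server_every, horizon, server_every)}
    if flush_at is not None:
        events.add((flush_at, "flush"))
    return events


if __name__ == "__main__":
    # Constructed scenarios: states flushed at t=1005 s in both.
    fast = schedule(3600, 135, keepalive_every=20, flush_at=1005)
    slow = schedule(7200, 3600, server_every=30, flush_at=1005)
    print("20s keep-alive, 60s timeout:", unreachable_windows(fast, 60, 3600))
    print("REGISTER every 3600s, 900s timeout:", unreachable_windows(slow, 900, 7200))
```

In the second scenario the server's OPTIONS packets keep the state alive only until it is flushed; after that they are dropped and nothing restores reachability until the phone's next REGISTER.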