Strange problem with VoIP adapter
-
Sorry to reply to myself, but Wikipedia can be your friend sometimes…
My adapter apparently calls a STUN server to establish a connection between clients behind NAT. Quoting Wikipedia, "It will not work with symmetric NAT" and quoting the adapter status page, "detected NAT type is symmetric NAT".
I have now tried disabling STUN on the adapter and using NAT to forward the WAN ports 5060, 5061 and 5004 to my adapter:
If    Proto     Ext. port range   NAT IP        Int. port range
WAN   UDP       5060 - 5061       192.168.0.9   5060 - 5061
WAN   TCP/UDP   5004              192.168.0.9   5004
My state table now reads:
self udp 192.168.0.1:53<-192.168.0.9:26789 MULTIPLE:MULTIPLE
self udp 212.130.74.56:5060<-192.168.0.9:5060 NO_TRAFFIC:SINGLE
self udp 192.168.0.9:5060->85.233.238.191:52855->212.130.74.56:5060 SINGLE:NO_TRAFFIC
self udp 85.233.238.191:5060<-212.130.74.56:5060 NO_TRAFFIC:SINGLE
Still no luck, though. Why is the last state not going through to 192.168.0.9 when I have the above NAT rules?
Erik
-
Maybe the sip-proxy (siproxd) package is worth a try. Give it a shot.
-
Damn, there is no package support for embedded platforms. I'm on a WRAP board :-/
I tried loading my working m0n0wall config file into pfsense, and the VoIP adapter still reports "symmetric NAT" as the NAT type, whereas it was "(port?) restricted cone" in m0n0wall. Is there any way to change the NAT type in pfsense?
Erik
-
Did you get this working ever?
-
No, unfortunately I had to switch back to m0n0wall since I lacked the time to investigate further. But I've acquired another CF card so testing is easier now, if anyone has suggestions.
Update: apparently Phil Regnauld from BSD-DK has it working with a Grandstream adapter by adding
set timeout { udp.first 60, udp.single 60, udp.multiple 60 }
nat on $ext_if from $int_net to any -> $ext_ip static-port
to /etc/pf.conf - the important part being the keyword "static-port". I'll try it when I have some spare time on the weekend.
-
Beta 2 will include a static-port option in advanced outbound-nat.
-
Cool! Thanks for the notice, I'll let you know how it works out when beta2 is out.
-
I was able to get my asterisk SIP server working behind the pfsense firewall by using 1:1 NAT for that box.
It looks like regular NAT is symmetric while 1:1 uses cone NAT, which is what SIP needs.
-
Newer testing versions are available at: http://www.pfsense.com/~sullrich/?M=D
Look for "TESTING" dirs.
-
What does this version have to make SIP work better?
Will it support multiple SIP devices connecting through the router? Such as multiple ATAs with multiple VoIP lines.
-
It includes the static port option.
-
So, I finally managed to get time to look at the problem. I installed BETA2 (leaps and bounds better than BETA1 in almost every area, thanks everybody!), and I'm glad to say that the static-port did the trick. Quick summary:
Enabled advanced outbound NAT, changed the default outbound rule to enable static-port. Reboot adapter. That's it!
I'm not sure if I still need the following rules on the NAT: port forward page:
WAN UDP 5060 - 5061 192.168.0.9 5060 - 5061
WAN TCP/UDP 5004 192.168.0.9 5004
Will have to test that.
Thanks to everybody who replied, and everyone who has worked so hard to make pfsense better!
Erik
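
Added example (not from the thread or the pfSense project): a simplified Python model of why a STUN-style check sees "symmetric NAT" when outbound NAT rewrites the source port per state, and a cone type once static-port keeps it. Class and function names are hypothetical, 203.0.113.10 is a constructed second server address, and a counter stands in for pf's random port choice.

```python
# Simplified model of outbound NAT source-port handling (illustration only).
from dataclasses import dataclass, field
from itertools import count


@dataclass
class OutboundNat:
    ext_ip: str
    static_port: bool = False
    # (internal ip, internal port, dst ip, dst port) -> external source port
    states: dict = field(default_factory=dict)
    _ports: count = field(default_factory=lambda: count(50001))

    def translate(self, src, dst):
        """Return the (ext_ip, ext_port) that dst sees for traffic from src."""
        key = (*src, *dst)
        if key not in self.states:
            # Without static-port every new state gets a rewritten source port
            # (pf picks it at random; a counter keeps this run reproducible).
            self.states[key] = src[1] if self.static_port else next(self._ports)
        return (self.ext_ip, self.states[key])

    def inbound(self, server, ext_port):
        """Internal endpoint for a packet from server to ext_ip:ext_port, or
        None if no state matches. Port-forward rules are not modelled."""
        for (ip, port, dip, dport), mapped in self.states.items():
            if (dip, dport) == server and mapped == ext_port:
                return (ip, port)
        return None


def detect_nat_type(nat, src, servers):
    """STUN-style check: does every server see the same external mapping?"""
    mappings = {nat.translate(src, server) for server in servers}
    return "cone" if len(mappings) == 1 else "symmetric"


ADAPTER = ("192.168.0.9", 5060)        # VoIP adapter from the thread
SERVERS = [("212.130.74.56", 5060),    # SIP server from the state table
           ("203.0.113.10", 3478)]     # constructed second server address

if __name__ == "__main__":
    for static in (False, True):
        nat = OutboundNat("85.233.238.191", static_port=static)
        label = "static-port" if static else "default"
        print(label, detect_nat_type(nat, ADAPTER, SERVERS),
              "reply to :5060 ->", nat.inbound(SERVERS[0], 5060))
```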