VoIP Phones losing connection thru NAT
-
Running Polycom IP501 telephones thru an PFsense box, to a hosted PBX service (Nuvio). After some period of inactivity, the phones lose their connection thru the NAT and inbound calls won't ring. The state has to be re-established manually either by making an outbound call or rebooting the phone. Is there a way to adjust for this? The phones worked perfectly through a Cisco 2611 router, but this router blew up a few days ago and I'd rather stick with the PFsense which is easier to manage and certainly a lot cheaper.
Thanks!
-
Search the forum for static port.
-
Thanks for the reply. I searched for "static ports" and was deluged with information. Can you help narrow this down for me? I'm experienced with firewalls and am a CISSP, but I'm new to pfsense and would like to avoid playing guessing games with the box. The ONLY thing on this particular network are the IP phones, so the only purpose of the pfsense box is to serve those phones. I'm not running an Asterisk box, the service is an external PBX service (Nuvio). I've created two firewall rules: one allowing anything from the LAN out to the Nuvio IP block, and another allowing anything from the Nuvio IP block to the LAN. Very basic. I did go into those rules and greatly increased the connection timeout but I'm not sure that will resolve this issue. You seem to be leading me down the path of altering the way the NAT is utilized, which would make sense, I just need a few hints if you can spare the time.
Thanks.
-
Setup a static-port advanced outbound nat entry for the voip traffic. Make sure the rule appears before all other rules.
-
Setup a static-port advanced outbound nat entry for the voip traffic. Make sure the rule appears before all other rules.
Sullrich, I did as you suggested and the results are confusing. The situation actually became much worse – it was impossible to establish outgoing calls altogether with that advanced nat rule in place. Possibly, I've constructed the rule incorrectly. Here's the situation: the phones use port 5060 for SIP and ports 2200-2300 for RDP. When I created the rule, I saw it only permitted one port, not a range of ports, in the definition. So I created a static port outbound rule that looked at anything going to the VoIP service provider's server bank. I also tried creating just a rule for the SIP and that didn't work, either. This is getting messy but I'm sure it's something I'm not doing correctly in setting this up. For now, I've turned off the advanced NAT and set the connection timeout for the VoIP rules to 12 hours. The phones do work this way but I might be back to the same problem -- after several hours the connection times out. Suggestions?
-
What did the summary screen look like? Can you post a screen shot? Summary screen is where you add/edit/delete advanced outbound nat items.
-
Sorry for the late response, I've been doing as much reconfiguring and testing as possible before coming back here with further questions. The last thing you need is some newbie clogging the pipes with uninformed questions.
OK, so here's the latest: after reading as many of the postings as I could related to the use of static ports, I turned on Advanced NAT and then switched the default rule to static port. The result was a mess – outbound calls would only work sporadically (about 50 percent success) and inbound calls barely worked. The only thing that seems to be working is to switch off the Advanced NAT and dramatically increase the connection timeout for the packet rules affecting VoIP. I've got the timeout cranked up to 24 hours and it seems to be holding. Still, I can't help but wonder if I'm missing something in this process.
Thanks.
-
Create a firewallrule that covers the voiptraffic (ports or IPs or whatever is the easiest way to sum them up) at the top of your LAN rules and try to use statetype "none" (this setting hides behind one of the advanced buttons). Other option worth a try is to set the firewalloptimizations to "conservative" at system>advanced.
I once had a similiar problem with SIP-hardware behind a m0n0wall, however I was able to solve this by checking an option at the SIP-hardware "keep connection through router alive". Btw, m0n0 doesn't have all these options as it uses a different filter.
-
Thanks, Hoba, I'll give those things a try. One other thought that might help in diagnosing this: if I use a Cisco router (such as a 2611) everything works perfectly. An idea to explore, if someone here can do it, is what is unique about the Ciscos that makes them so compatible with these VoIP services? There's a lot to dislike about Cisco – the cost, and overall their mean-time-between-failures leaves a lot to be desired. So, what is Cisco doing that pfsense isn't?
Thanks.
-
it looks like i can only have either ipsec passthrough or advanced NAT needed for VoiP?
i really like this soft.. best router interface i had, because of the many options. but that comes with some simple stuff like NAT, Starcraft or Zattoo not working out of the box.. ;)
well..
question: how can i continue to use my Cisco VPN client and use static port for SIP?
regards
luxirom -
Have you tried if it still works after enabling advanced outbound nat?
-
nope. but i think thats the only option. allthough i have to see if nat-t with cisco works then too.
so i just have to give the phone a static ip and configure a static port rule to my voip provider. will try that :)
-
Thanks, Hoba, I'll give those things a try. One other thought that might help in diagnosing this: if I use a Cisco router (such as a 2611) everything works perfectly. An idea to explore, if someone here can do it, is what is unique about the Ciscos that makes them so compatible with these VoIP services? There's a lot to dislike about Cisco – the cost, and overall their mean-time-between-failures leaves a lot to be desired. So, what is Cisco doing that pfsense isn't?
Thanks.
Was this ever resolved? I have exactly the same issue with the same VoIP provider. Nuvio does use proxy servers on the connection from my phones to them, but my phone ringing is still sporadic. I have 2 IP phones in my office and I have them set to 192.168.100.50 and .51. I have enabled Advanced Outbound NAT and set up a rule for static port on the WAN interface for 192.168.100.50/31 which should cover me, but that does not seem to be a total cure. I was using a Snapgear router (based on Linux IP Tables) and did not need any special settings for things to work. I do not mean that as a knock, I just think there is maybe something simple that we're missing here.
Anyone have any other thoughts?
Also, related to this, are Advanced Outbound NAT and Enable IPSec Passthrough mutually exclusive since they are on a radio button together?