Netgate Discussion Forum

Asterisk behind pfSense 1.01

  • J
    jobsoft
    last edited by Feb 23, 2007, 10:15 AM

    Also, FYI, this is where I found some detail on types of NAT (though there are certainly many more with more detail):

    http://help.yahoo.com/l/us/yahoo/messenger/messenger75/phoneout/phoneout-18.html

    Mark

    • J
      jobsoft
      last edited by Feb 23, 2007, 10:23 AM

      Some additional background info.  Here is an excerpt from the Slashdot threads from the pfSense 1.0 announcement posted there back in October that got me looking at this whole symmetric NAT versus full coned NAT (sorry it is not very structured):

      http://bsd.slashdot.org/article.pl?sid=06/10/13/2325255&from=rss

      Excerpt:

      PFsense NAT is symmetric, result: no SIP (VoIP)
      (Score:0)
      by Anonymous Coward on Saturday October 14, @09:44AM (#16436535)
      I have played quite extensively with PFSense because I wanted some of the traffic-shaping features but I had to come to the conclusion that PFSense NAT does not work with SIP (VoIP).

      The symmetric NAT of PF is simply a pain - most SIP VoIP things do not work. Anyone who considers using SIP should not use symmetric NAT and should go for fully coned NAT.

      IPCop does fully coned NAT. Traffic shaping features are also available as add-ons.

      In short: PFsense is a nice idea but unfortunately useless for SIP users.

      Cheers

      GeeJay

      Re:PFsense NAT is symmetric, result: no SIP (VoIP)
      (Score:3, Interesting)
      by SiliconJesus101 (622291) on Saturday October 14, @10:33AM (#16436907)
      (http://www.toodrunktodrive.com/)
      Lacking the knowledge of the internal workings of PF, I do have to say that I have never had a problem with SIP. My home phone is through Vonage behind pfsense and I routinely connect while on the road to a friend's Asterisk box to make phone calls with a soft phone and bluetooth headset on my laptop. He has a pfsense router and all of his trunks are SIP. Several users are simultaneously connected using SIP from remote locations and properly routed out the SIP trunks. Not to doubt that you have had things that do not work; I am only relating my experiences. I must also state that the SIP traffic shaping appears to work beautifully there as I really don't have any call issues that are not related to the bandwidth available at my remote location(s).
      --
      "The strong will do what they want, the weak will do what they must."
      -Thucydides

      Re:PFsense NAT is symmetric, result: no SIP (VoIP)
      (Score:3, Interesting)
      by TCM (130219) on Saturday October 14, @11:50PM (#16441717)
      The underlying pf seems to have more flexibility than the interface on top then.

      I suppose you mean something like the following?

          # XXX: hardwire SIP and RTP source ports
          # ($ext_if, $asterisk and $int_net are macros defined elsewhere in pf.conf)
          nat on $ext_if inet proto udp from $asterisk port { 5060, 10000:20000 } to any -> ($ext_if) static-port
          # everything else is NATed normally, with the source port rewritten
          nat on $ext_if inet from $int_net to any -> ($ext_if)
          rdr on $ext_if inet proto udp from any to ($ext_if) port { 5060, 10000:20000 } -> $asterisk

      Which means that traffic from an internal Asterisk that has source ports 5060 and 10000-20000 leaves NATed but with the source ports intact. Together with the ability to let Asterisk enter arbitrary IP addresses in SIP messages[1], this makes it look like it was directly connected and not behind NAT at all.

      All other traffic - even HTTP from the Asterisk server for example - gets the source port replaced as usual.

      [1] Who TF thought that entering layer 3 addresses in application layers was a good idea anyway?
      --
      Of course it runs NetBSD [netbsd.org].

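The quoted Slashdot comment relies on two things: source ports 5060 and 10000-20000 staying intact, and the addresses written inside the SIP messages being ones the far end can use. As an added example (not part of the posts or of the quoted comment), this Python check scans a captured SIP message for RFC 1918 addresses in `Via`, `Contact` and the SDP `c=` line, and checks the SDP audio port against the 10000:20000 range from the quoted rules. The sample INVITE, its addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges: addresses that mean nothing to a peer beyond the NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RTP port range that the quoted nat/rdr rules leave intact.
RTP_PORTS = range(10000, 20001)
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed sample INVITE (not taken from the out.txt capture in the thread).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:15551230000@sip.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds",
    "Contact: <sip:1001@192.168.1.50:5060>",
    "",
    "v=0",
    "o=- 0 0 IN IP4 192.168.1.50",
    "c=IN IP4 192.168.1.50",
    "m=audio 49170 RTP/AVP 0 8",
])

def is_rfc1918(text):
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:          # e.g. 999.1.1.1 matched by the loose regex
        return False
    return any(addr in net for net in RFC1918)

def audit_sip(message):
    """List the addresses and ports in a SIP message that a NAT will not fix."""
    head, _, body = message.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:            # skip the request line
        name = line.split(":", 1)[0].strip().lower()
        if name in ("via", "contact"):
            findings += [f"{name}: private address {a}"
                         for a in IPV4.findall(line) if is_rfc1918(a)]
    for line in body.split("\r\n"):
        if line.startswith("c=") and is_rfc1918(line.split()[-1]):
            findings.append(f"sdp c=: private address {line.split()[-1]}")
        elif line.startswith("m=audio"):
            port = int(line.split()[1])
            if port not in RTP_PORTS:
                findings.append(f"sdp m=audio: port {port} outside 10000-20000")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_sip(SAMPLE_INVITE)))
```

An empty result means the message advertises only addresses and ports that the static-port and rdr rules can carry unchanged.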
      • Y
        yozh
        last edited by Feb 26, 2007, 3:16 PM

        Hi, I have basically the same problem.

        I did this:

        http://faq.pfsense.com/index.php?sid=120897&lang=en&action=artikel&cat=1&id=177&artlang=en&highlight=asterisk

        I also tried many other things… but I just don't get audio. I also have Cisco phones with the SCCP protocol and they work fine.

        This is the problem:

        PC (with SJphone SIP) to SIP Asterisk SIP to Voipuser.org SIP <---- This doesn't work, no audio

        Cisco Phone SCCP to SCCP Asterisk SIP to VOIPuser.org SIP <----- That works.

        I did some sniffing from the pfsense box, please see the out.txt file attached, and I don't really see anything wrong.

        The phone rings and when it is supposed to connect it says trying, then it says operational, and no sound. I have been trying to get this to work for 2-3 days now with no luck. This used to work with WRT54g and IPtables firewall.

        Please, any help is appreciated.

        out.txt

        • Y
          yozh
          last edited by Feb 26, 2007, 3:22 PM

          Also, sniffing on the LAN side, I see this strange message right before the phone call establishment:

          484 Address Incomplete

          That seems strange.

          • Y
            yozh
            last edited by Feb 26, 2007, 4:25 PM

            Here is another update which has got me completely confused.

            I just tried X-Lite from inside and from outside the LAN. The X-Lite from outside the LAN works OK.

            But from inside it doesn't. Isn't that something?

            I don't understand why X-Lite works and SJphone doesn't.

            • Y
              yozh
              last edited by Feb 26, 2007, 8:52 PM

              OK, now both the SJphone and the X-Lite work from outside, still no luck from inside. I did find that using IAX2 for FWD and going back to the SJphone works.

              So it's something with going back to the SIP softphone on my LAN, which is really strange cuz if it works from outside I don't understand how it doesn't work from inside. If anyone can help I would really appreciate it. Oh, also the audio works one way, meaning that people can hear me, but I can't hear people.

              • H
                hoba
                last edited by Feb 26, 2007, 9:00 PM Feb 26, 2007, 8:58 PM

                SIP sucks. Repeat: it SUCKS!!! This protocol was never designed to be used through NATs and everything that has been introduced to make it work (like STUN or proxies) is just an attempt to fix a crappy design. In addition to this, all service providers use different settings, which makes calls to some destinations work whereas they might fail to other locations that run different settings.

                Guess it was done by the same people that invented ftp  ;)

                • Y
                  yozh
                  last edited by Feb 26, 2007, 9:11 PM

                  Yeah, you're absolutely right, I hate SIP also. I guess I can use SCCP softphones, since that works, or maybe even IAX2 softphones. I still want to find out why it doesn't work, but I guess I never will.

                  • D
                    DignionASP
                    last edited by Feb 26, 2007, 9:37 PM

                    Hello all,

                    One week ago a company installed on my site an Asterisk server and a pfsense based firewall. We do not have any troubles. The only thing (that I can see) is a firewall rule (WAN) to the Asterisk server: TCP/UDP source * port * <serverip> port 4569 gateway *. On the LAN side we do not have any rules yet. No NAT rules whatsoever.
                    FreePBX is the Asterisk version on my SIP server. Maybe you have some help with this comment. Good luck :)

                    • H
                      hoba
                      last edited by Feb 26, 2007, 10:00 PM

                      Then your provider either uses a proxy to fix it at their end or uses IAX, which is NAT-friendly.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.