Netgate Discussion Forum

    Firewall HELP, VOIP wont work!

    Firewalling
    • cybercare

      I get the following in the log (raw)
      and our Cisco 7940G won't work. Our provider brought us a cheap D-Link for them to work with, but it seems they won't work with anything else. I even made rules and it didn't help. We don't have any other problems. I am on the latest build of 1.2 dated today, have tried traffic shaping and all, and it won't work. They did work on Skinny, but we just got changed to SIP and now they won't work on pf.

      Sep 21 16:16:43 pf: 582619 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 49, id 32373, offset 0, flags [DF], proto: UDP (17), length: 58) 208.67.249.67.33673 > 67.79.181.215.56408: UDP, length 30
      Sep 21 16:16:43 pf: 000317 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 24665, offset 0, flags [DF], proto: UDP (17), length: 136) 208.67.249.67.33674 > 67.79.181.215.58860: UDP, length 108
      Sep 21 16:16:43 pf: 019943 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 56327, offset 0, flags [DF], proto: UDP (17), length: 136) 208.67.249.67.33682 > 67.79.181.215.58860: UDP, length 108
      Sep 21 16:16:43 pf: 000362 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 40472, offset 0, flags [DF], proto: UDP (17), length: 58) 208.67.249.67.33683 > 67.79.181.215.56408: UDP, length 30
      Sep 21 16:16:43 pf: 391922 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 25617, offset 0, flags [DF], proto: UDP (17), length: 544) 208.67.249.67.33669 > 67.79.181.215.56821: UDP, length 516
      Sep 21 16:16:44 pf: 612534 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 43813, offset 0, flags [DF], proto: UDP (17), length: 58) 208.67.249.67.33675 > 67.79.181.215.56408: UDP, length 30
      Sep 21 16:16:44 pf: 000257 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 49, id 47194, offset 0, flags [DF], proto: UDP (17), length: 136) 208.67.249.67.33681 > 67.79.181.215.58860: UDP, length 108
      Sep 21 16:16:47 pf: 2. 989800 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 14102, offset 0, flags [DF], proto: UDP (17), length: 58) 208.67.249.67.33684 > 67.79.181.215.56408: UDP, length 30
      Sep 21 16:16:47 pf: 002443 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 60687, offset 0, flags [DF], proto: UDP (17), length: 136) 208.67.249.67.33685 > 67.79.181.215.58860: UDP, length 108
      Sep 21 16:16:47 pf: 397542 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 65352, offset 0, flags [DF], proto: UDP (17), length: 544) 208.67.249.67.33672 > 67.79.181.215.56821: UDP, length 516

      Thx
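
The log lines above can be read mechanically. The following is an added example, not code from the thread or from pfSense, that parses that pflog line shape, groups the blocked packets by flow, records which rule number did the blocking, and flags UDP destination ports outside the VoIP ranges chazers18 lists further down the thread; the regex field names and the one non-pf sample line are my own.

```python
import re
from collections import Counter

# Field names in this regex are my own; the line shape is the tcpdump-style pflog output quoted above.
PF_LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) pf: .*?rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): \(.*?"
    r"proto: (?P<proto>\w+) \(\d+\), length: \d+\) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

# UDP ranges a VoIP rule set is usually expected to cover: the ports chazers18
# lists later in the thread (5004-5090 also covers SIP 5060, which cmb mentions).
EXPECTED_UDP = [(4569, 4569), (5004, 5090), (10000, 20000)]

# Three log lines copied from the first post, plus one constructed non-pf line to show the parser skips it.
SAMPLE_LOG = [
    "Sep 21 16:16:43 pf: 582619 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 49, id 32373, offset 0, flags [DF], proto: UDP (17), length: 58) 208.67.249.67.33673 > 67.79.181.215.56408: UDP, length 30",
    "Sep 21 16:16:43 pf: 000317 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 24665, offset 0, flags [DF], proto: UDP (17), length: 136) 208.67.249.67.33674 > 67.79.181.215.58860: UDP, length 108",
    "Sep 21 16:16:47 pf: 2. 989800 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 14102, offset 0, flags [DF], proto: UDP (17), length: 58) 208.67.249.67.33684 > 67.79.181.215.56408: UDP, length 30",
    "Sep 21 16:16:48 sshd[123]: Accepted publickey for admin",  # constructed, not a pf line
]

def parse_line(line):
    """Return the fields of one pf log line as a dict, or None if it is not one."""
    m = PF_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def in_expected_range(port):
    return any(lo <= port <= hi for lo, hi in EXPECTED_UDP)

def summarize(lines):
    """Count blocked packets per (src, dst, proto, dport), collect the blocking
    rule numbers and flag UDP destination ports outside the expected VoIP ranges."""
    flows, rules, unexpected = Counter(), set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "block":
            continue
        rules.add(rec["rule"])
        flows[(rec["src"], rec["dst"], rec["proto"], rec["dport"])] += 1
        if rec["proto"] == "UDP" and not in_expected_range(rec["dport"]):
            unexpected.add(rec["dport"])
    return {"flows": flows, "rules": sorted(rules), "unexpected_ports": sorted(unexpected)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the lines from this thread the report shows a single blocking rule (191) and only high, unexpected UDP ports, which is what you would expect to see when no state exists for the inbound RTP/SIP traffic.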

      • GruensFroeschli

        How is your network setup? What rules do you have?
        This log output says only that some traffic is being blocked and nothing else.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • cybercare

          That traffic being blocked is what I need. I have everything wide open right now, allow all in and allow all out, and I have even tried direct individual to-and-froms.

          What is being logged is below, nothing else, as all else is passing, and what's being logged is what makes it stop. From my VoIP provider, it's just these Cisco 7940 phones, and SIP doesn't work well with firewalls, but I would hope that with how flexible pf is we could determine what needs to be done.

          What can I do to make the box not block the below?

          Thx

          • GruensFroeschli

            Could it be that your allow rule only allows TCP traffic and no UDP?
            If you say you have a rule that allows anything, then I assume that rule 191 is the default invisible block-everything rule that is below every other rule.

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

            • cybercare

              I have it set to ANY, but have also tried TCP/UDP, and also just UDP.

              It seems that these phones do something that makes the box still block it.

              I have even tried, just for kicks, to forward an entire public IP to one phone with everything allowed in and out, and still the same problem.

              The system the phones try to talk to uses only UDP, and I have the server IP and all the ports, and no matter what it won't work. It's a Trixbox VoIP server that our provider is using right now. Any other phones work, and the software-based ones do, which all use the same ports, but these Cisco 7940Gs won't. Yet they work on a cheap D-Link. They told us they can't get the Cisco phones to work with anything but this one D-Link, and they even hope I can find a way around this.

              Anyone else have any idea? There's got to be something that can be changed to make it happy. I did a few Google searches and found a few people with the same issue and no one answering how to correct it for them either.

              Thx

              • dhipo

                Try changing to "Clear DF bit instead of dropping" in the System: Advanced menu.

                The VoIP packets can be fragmented.

                To see what rule is blocking,

                use the command pfctl -sr in the shell.

                Dhix Networks
                Everything Secure

                http://www.dhix.com.br

                • cybercare

                  Still no luck…

                  I heard from a friend who said they talked to Scott, and it was said to be a known issue that pfSense is doing something to the packets. It only affects certain phones, and I guess our Cisco phones are one of them.

                  Can anyone confirm this, and any idea if it will get fixed? It is said this was not an issue with 1.01, but with all the version changes in the code for 1.2 it was broken by something new..

                  • chazers18

                    I have a dual WAN setup with a Trixbox set up behind the LAN. I was able to get a remote extension ported through the firewall to my home. I have ports
                    10000-20000 UDP open
                    5004-5090 TCP/UDP
                    4569 UDP open

                    Also make sure you have the NAT pointing correctly.

                    I did have this setup working on a Cisco 7940/60.
                    The 7912 was giving me a little attitude but it worked… sorta.

                    • cybercare

                      Well, we have multiple phones, but I can't even get it to work with one… I even set all ports UDP/TCP open and forwarding to the one phone, and no go.

                      What firmware did your 7940/7960 have? Ours worked with pfSense also until our provider switched over to SIP, then it stopped... It seems that these phones do something on SIP that the firewall doesn't like, or is not doing right itself.

                      It all worked fine when the phone was aeg, but SIP just did it in... They are on the latest firmware and the firewall is on 1.2RC3...

                      • cmb

                        @cybercare:

                        I heard from a friend who said they talked to Scott, and it was said to be a known issue that pfSense is doing something to the packets. It only affects certain phones, and I guess our Cisco phones are one of them.

                        Can anyone confirm this, and any idea if it will get fixed? It is said this was not an issue with 1.01, but with all the version changes in the code for 1.2 it was broken by something new..

                        This is absolutely not true, don't spread FUD.

                        It's actually much less likely that VoIP gets broken in the 1.2 snapshots because normal SIP port 5060 traffic isn't source port rewritten by default. Yours doesn't use 5060 though. You probably need static port, which is what everybody needed in 1.0 but now only systems that use atypical ports require it.
                        http://doc.pfsense.org/index.php/Static_Port

                        • cybercare

                          Anyone have any update on this?

                          I still have no luck… I have a Trixbox server set up at a colo, working; all remote phones can connect to it except the ones that are behind pfSense... They can't download the configuration and do not register.. They connect just enough to get the time/date...

                          I have opened all ports, the firewall log shows nothing blocked, so I am just lost... Our softphones work fine through pfSense, just these darn Cisco 7940 phones won't....

                          The phone, if I go to status, just says W250 TFTP Error: Timeout

                          If I put it behind a cheap D-Link router it will work though... (I know the D-Link doesn't filter crap, which is why it works, I am sure)

                          And I still have it set up to do static ports, even as suggested... That does not seem to matter; either way it won't work, lol

                          • eri--

                            SSH into pfSense
                            and open /etc/inc/filter.inc for editing.

                            Find this in that file:
                            #---------------------------------------------------------------------------
                            # default rules (just to be sure)
                            #---------------------------------------------------------------------------
                            Comment out these 2 lines:
                            block in $log quick all label "Default block all just to be sure."
                            block out $log quick all label "Default block all just to be sure."

                            Save and see if it blocks packets!

                            Try also to see if your provider has some kind of SIP gateway/proxy that you can configure on the phones.

                            And what cmb suggests is true: use static port.

                            • cybercare

                              Well, tried it and no difference…

                              But right now I don't get any blocks that show... I did originally, as seen in the first post a few months ago, but now it does not show blocks anymore (I have had rules in place forever.)

                              Other than this, any other suggestions?

                              It seems it won't register or download its configs via TFTP, but it can get the time and date, lol

                              Thx in advance

                              • eri--

                                You need a TFTP proxy. AFAIK this is a feature in HEAD, and it will be available in 1.2 or 1.3 if you push it with a bounty.

                                • cybercare

                                  That just doesn't seem right… pfSense supports TFTP; it even has it listed in the rules?

                                  But okay, that explains the TFTP part, but what about the phones?

                                  I can get the configuration to the phone, but it still won't talk to the server... Does it need a SIP proxy too?

                                  I know pfSense has a package for one, just not sure if that's right for my setup, and it does not seem to work...

                                  The cheap D-Link that works has an ALG with SIP, which is why it works..

                                  As for doing a bounty, it's pointless for me then, because they won't put any new features in 1.2 from my understanding, and 1.3 is so buggy and not even public to mess with.... I just would think this wonderful, flexible firewall could do simple things... I know other people have SIP working through it fine, but whatever these Ciscos are doing that it does not like just sucks... Our softphones work fine through pfSense. Arg..

                                  • hoba

                                    Ask Cisco to fix their crap ;D Actually SIP is not that trivial, and it has the same design problems as FTP, for example. I sometimes just can't understand why they build such a crappy protocol knowing that things like firewalls or NAT are involved everywhere nowadays. Your softphones are probably using STUN servers and are working therefore. Does the Cisco gear support assigning a STUN server too? If yes, you can give this a try.

                                    • cybercare

                                      The softphone is not doing STUN, as the server does not support it..

                                      I have control of the phone server. :)

                                      I understand that this is most likely because Cisco did something probably non-standard, but I just would think that if the cheap no-good routers have the options to turn on that fix it, that could be on in pfSense… I understand security may go down a little, but I'd rather have the pf box with less security because of it than this $40 D-Link... lol

                                      • chazers18

                                        Cyber--

                                        Hey, I have the same problems you are having also. I did try this and it works great, except you need a 2nd pfSense box running OpenVPN.

                                        I set up a VPN tunnel between the client and, obviously, the server, and the Cisco 7940/60 works great! The downside is you need a box to do the VPN shit, and then the other is, it is a piggy on the bandwidth, somewhere around 139kbs up/down; I think it is 70kb for the voice and the rest is all encapsulation of the VPN.

                                        But I did have this working well and thought I could do an ALIX on the remote side and hook a Linksys router in bypass mode just for the extra physical ports and the wifi ability. But that thing doesn't like to do a live install where you can use packages.

                                        • cybercare

                                          I was kind of wondering about the VPN part… We have an IPsec tunnel between us and a data center, and I was thinking of trying the phone server at that location to see if it would work through the VPN. But I agree, I don't like extra overhead, and that does not help me with other remote clients; it only would help for the main office.

                                          Ugh.. I just wish things would work, lol. We are going to end up ditching pfSense because of this, and I did not want to do this, but my options are gone. It works with routers that have ALG and SIP as an option; I just hope someone can maybe make a package or something.

                                          • chazers18

                                            Hey, from what I can tell,
                                            the pfSense starter m0n0 is running VoIP like there is no tomorrow. What is the difference that pfSense is stuck?
                                            I would really like to keep the Asterisk server behind the firewall for obvious reasons. So is there something that should be done in a different part of pfSense?
