Netgate Discussion Forum
    Firewall HELP, VOIP wont work!

Firewalling
    30 Posts 9 Posters 13.8k Views
cybercare

Well, we have multiple phones but I can't even get it to work with one… I even set all ports UDP/TCP open and forwarded to the one phone, and no go.

What firmware did your 7940/7960 have? Ours worked with pfSense also until our provider switched over to SIP, then it stopped... It seems that these phones do something on SIP that the firewall doesn't like, or is not doing right itself.

It all worked fine when the phone was aeg but SIP just did it in... They are on the latest firmware and the firewall is on 1.2RC3...

cmb

@cybercare:

    I heard from a friend who said they talked to Scott and it was said to be a known issue that pfSense is doing something to the packets. It only affects certain phones and I guess our Cisco phones are one of them.

    Can anyone confirm this and any idea if it will get fixed? It is said this was not an issue with 1.01 but with all the version changes in the code for 1.2 it was broken by something new..

This is absolutely not true, don't spread FUD.

It's actually much less likely that VoIP gets broken in the 1.2 snapshots because normal SIP port 5060 traffic isn't source port rewritten by default. Yours doesn't use 5060 though. You probably need static port, which is what everybody needed in 1.0 but now only systems that use atypical ports require it.
http://doc.pfsense.org/index.php/Static_Port

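A worked illustration of the static-port point in cmb's post, added here as an example; it is not code from the thread or from pfSense. It is a toy NAT and registrar in Python: the REGISTER message, the addresses and the PBX's reply behaviour are constructed assumptions. It shows why a registrar that answers to the port in the Via header never reaches a phone whose source port was rewritten, why keeping the source port (static port) fixes that, and, going one step beyond the post, why a client that sets rport and a registrar that honours it (RFC 3581) do not need static port. The last helper shows the part static port cannot fix: a Contact header that still carries the phone's private address, which is what a SIP ALG or a NAT-aware PBX rewrites.

```python
import ipaddress
import re

# Constructed sample REGISTER, as a phone on a private LAN would send it.
# Addresses, names and identifiers are made up for this example.
REGISTER = (
    "REGISTER sip:pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:201@pbx.example.net>;tag=1928301774\r\n"
    "To: <sip:201@pbx.example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.50\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:201@192.168.1.50:5060>\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# Same request from a client that asks for RFC 3581 symmetric responses.
REGISTER_RPORT = REGISTER.replace(";branch=", ";rport;branch=")

PHONE = ("192.168.1.50", 5060)   # private address of the phone (assumed)
PBX = ("203.0.113.10", 5060)     # public address of the registrar (assumed)


def via_sent_by(msg):
    """Return (host, port, asks_rport) from the topmost Via header."""
    m = re.search(r"^Via:\s*SIP/2\.0/UDP\s+([^;\s]+)(.*)$", msg, re.M | re.I)
    if not m:
        raise ValueError("no Via header")
    host, _, port = m.group(1).partition(":")
    return host, int(port or 5060), "rport" in m.group(2).lower()


def contact_is_private(msg):
    """True when the Contact URI carries an RFC 1918 address the registrar
    cannot route to; only a SIP ALG or a NAT-aware PBX can fix that part."""
    m = re.search(r"^Contact:.*?sip:[^@>]*@([^:;>\s]+)", msg, re.M | re.I)
    if not m:
        raise ValueError("no Contact header")
    return ipaddress.ip_address(m.group(1)).is_private


class Nat:
    """Minimal outbound NAT keeping one entry per (private src, dst) pair."""

    def __init__(self, public_ip, static_port):
        self.public_ip = public_ip
        self.static_port = static_port
        self.table = {}          # (src, dst) -> public source port
        self.next_port = 40000   # used when the source port is rewritten

    def outbound(self, src, dst):
        """Translate an outgoing packet; return the (ip, port) the PBX sees."""
        key = (src, dst)
        if key not in self.table:
            if self.static_port:
                self.table[key] = src[1]          # keep the phone's port
            else:
                self.table[key] = self.next_port  # rewrite it
                self.next_port += 1
        return (self.public_ip, self.table[key])

    def inbound(self, dst_port, from_addr):
        """Map a reply back to the LAN host, or None if no NAT state matches."""
        for (src, dst), pub_port in self.table.items():
            if pub_port == dst_port and dst == from_addr:
                return src
        return None


def registrar_reply_target(msg, packet_src, honours_rport):
    """Where the registrar sends its 200 OK: the IP the packet came from
    (RFC 3261 'received'), but the Via port unless rport was requested and
    is honoured (RFC 3581)."""
    _, via_port, asks_rport = via_sent_by(msg)
    if honours_rport and asks_rport:
        return packet_src
    return (packet_src[0], via_port)


def registration_succeeds(static_port, honours_rport=False, msg=REGISTER):
    """Simulate REGISTER -> 200 OK through the NAT; True if the reply
    reaches the phone."""
    nat = Nat("198.51.100.7", static_port)
    seen_src = nat.outbound(PHONE, PBX)
    target = registrar_reply_target(msg, seen_src, honours_rport)
    return nat.inbound(target[1], PBX) == PHONE


if __name__ == "__main__":
    print("port rewritten, no rport:", registration_succeeds(False))
    print("static port             :", registration_succeeds(True))
    print("rport on both ends      :",
          registration_succeeds(False, True, REGISTER_RPORT))
    print("Contact is private      :", contact_is_private(REGISTER))
```

The model deliberately keys NAT state on the full source/destination pair, which is the behaviour that makes the Via-port reply miss; a phone on port 5060 behind a default pf NAT that does not rewrite 5060 gets the static-port case for free, which is cmb's point about atypical ports.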
cybercare

          Anyone have any update on this?

I still have no luck… I have a Trixbox server set up at a colo, working; all remote phones can connect to it except the ones that are behind pfSense... They can't download the configuration and do not register.. They connect just enough to get the time/date...

I have opened all ports, the firewall log shows nothing blocked, so I am just lost... Our softphones work fine through pfSense, just these darn Cisco 7940 phones won't....

The phone, if I go to status, just says W250 TFTP Error: Timeout

If I put it behind a cheap D-Link router it will work though... (I know the D-Link doesn't filter crap, which is why it works, I am sure)

And I still have it set up to do static ports as suggested... That does not seem to matter; either way it won't work, lol

eri--

SSH into pfSense and open /etc/inc/filter.inc for editing.

find this in that file:

    #---------------------------------------------------------------------------
    # default rules (just to be sure)
    #---------------------------------------------------------------------------

comment out these 2 lines:

    block in $log quick all label "Default block all just to be sure."
    block out $log quick all label "Default block all just to be sure."

Save and see if it blocks packets!

Also try to see if your provider has some kind of SIP gateway/proxy that you can configure on the phones.

Even though what cmb suggests is true, use static port.

cybercare

Well, tried it and no difference…

But right now I don't get any blocks that show... I did originally, as seen in the first post a few months ago, but now it does not show blocks anymore (I have had rules in place forever.)

Other than this, any other suggestions?

It seems it won't register or download its configs via TFTP, but it can get the time and date, lol

Thx in advance

eri--

You need a TFTP proxy. AFAIK this is a feature in HEAD and it will be available in 1.2 or 1.3 if you push it with a bounty.

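To make eri's point about needing a TFTP proxy concrete, an added example that is not the thread's or pfSense's code: a toy stateful firewall in Python that tracks UDP on the full 4-tuple, plus a parser for TFTP read/write requests. Per RFC 1350 the server answers a request sent to port 69 from a newly chosen port, so its reply matches no existing state unless a helper that understood the request pre-opened one for the server's IP. The addresses, the phone's ephemeral port and the file name are constructed.

```python
"""Toy model of why TFTP fails through a stateful firewall without a helper.
Not pfSense code; addresses, ports and file names are constructed."""

RRQ, WRQ, DATA = 1, 2, 3


def tftp_request(filename, mode="octet", opcode=RRQ):
    """Build a TFTP read/write request (RFC 1350)."""
    return (opcode.to_bytes(2, "big") + filename.encode() + b"\x00"
            + mode.encode() + b"\x00")


def parse_tftp_request(pkt):
    """Return (opcode, filename, mode) for an RRQ/WRQ, else None."""
    if len(pkt) < 4:
        return None
    opcode = int.from_bytes(pkt[:2], "big")
    if opcode not in (RRQ, WRQ):
        return None
    fields = pkt[2:].split(b"\x00")
    if len(fields) < 2:
        return None
    return (opcode, fields[0].decode(errors="replace"),
            fields[1].decode(errors="replace").lower())


class StatefulFirewall:
    """UDP state keyed on (lan_ip, lan_port, wan_ip, wan_port)."""

    def __init__(self, tftp_helper=False):
        self.states = set()      # exact 4-tuples currently allowed back in
        self.expected = set()    # (lan_ip, lan_port, wan_ip): any WAN port, once
        self.tftp_helper = tftp_helper

    def outbound(self, src, dst, payload):
        self.states.add((src[0], src[1], dst[0], dst[1]))
        # A TFTP helper inspects requests to port 69 and pre-opens a state
        # for the server's reply from *any* source port (that is the price
        # of the protocol: the transfer ID is only known once it answers).
        if self.tftp_helper and dst[1] == 69 and parse_tftp_request(payload):
            self.expected.add((src[0], src[1], dst[0]))

    def inbound(self, src, dst):
        """src is the WAN sender, dst the LAN receiver; True if passed."""
        if (dst[0], dst[1], src[0], src[1]) in self.states:
            return True
        key = (dst[0], dst[1], src[0])
        if key in self.expected:
            self.expected.discard(key)
            # From here on the transfer is tracked like any other flow.
            self.states.add((dst[0], dst[1], src[0], src[1]))
            return True
        return False


def config_download_passes(tftp_helper):
    """Phone asks the server for its config; True if DATA packets get back."""
    fw = StatefulFirewall(tftp_helper)
    phone = ("192.168.1.50", 49152)      # constructed LAN phone
    server = ("203.0.113.10", 69)        # constructed TFTP server
    fw.outbound(phone, server, tftp_request("SIPDefault.cnf"))
    # RFC 1350: the server replies from a freshly chosen port, not 69.
    data_src = ("203.0.113.10", 55000)
    first = fw.inbound(data_src, phone)
    second = fw.inbound(data_src, phone)  # later DATA blocks, same ports
    return first and second


if __name__ == "__main__":
    print("plain stateful firewall:", config_download_passes(False))
    print("with TFTP helper       :", config_download_passes(True))
```

This is also why "opening all ports" in the inbound rules does not by itself describe what the firewall sees: the first reply arrives from an unrelated port and must be matched to the request, which is the job of a protocol helper or proxy rather than of a port rule.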
cybercare

That just doesn't seem right… pfSense supports TFTP, it even has it listed in rules?

But okay, that explains the TFTP part, but what about the phones?

I can get the configuration to the phone but it still won't talk to the server... Does it need a SIP proxy too?

I know pfSense has a package for one, just not sure if that's right for my setup, and it does not seem to work...

The cheap D-Link that works has an ALG for SIP, which is why it works..

As for doing a bounty, it's pointless for me then because they won't put any new features in 1.2 from my understanding, and 1.3 is so buggy and not even public to mess with.... I just would think this wonderful flexible firewall could do simple things... I know other people have SIP working through it fine, but whatever these Ciscos are doing that it does not like just sucks... Our softphones work fine through pfSense. Arg..

hoba

Ask Cisco to fix their crap ;D Actually SIP is not that trivial and it has the same design problems as FTP, for example. I sometimes just can't understand why they build such a crappy protocol knowing that things like firewalls or NAT are involved everywhere nowadays. Your softphones probably are using STUN servers and are working therefore. Does the Cisco gear support assigning a STUN server too? If yes, you can give this a try.

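An added example of what hoba's STUN suggestion involves, not code from the thread or from any phone: a Python STUN Binding Request builder and a parser for the XOR-MAPPED-ADDRESS attribute (RFC 5389), with a constructed server reply so it runs offline. The result is the public address and port the NAT assigned, which is what a STUN-capable softphone advertises in its Via/Contact headers instead of its LAN address. The parser checks the magic cookie and the transaction ID so a stale or spoofed reply is rejected. All addresses and the transaction ID used in the usage are constructed.

```python
import ipaddress
import os
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txn_id=None):
    """20-byte STUN Binding Request (RFC 5389 header, no attributes)."""
    txn_id = txn_id if txn_id is not None else os.urandom(12)
    if len(txn_id) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id


def parse_binding_response(data, expected_txn):
    """Return (public_ip, public_port) from the XOR-MAPPED-ADDRESS attribute.

    The cookie, message type and transaction ID are verified first, so a
    reply that was not solicited by our request is rejected, not trusted."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or mtype != BINDING_SUCCESS:
        raise ValueError("not a STUN Binding success response")
    if data[8:20] != expected_txn:
        raise ValueError("transaction id mismatch")
    body = data[20:20 + length]
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        # family 0x01 = IPv4; port and address are XORed with the cookie
        if atype == XOR_MAPPED_ADDRESS and len(value) >= 8 and value[1] == 0x01:
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return str(ipaddress.IPv4Address(addr)), port
        off += 4 + ((alen + 3) & ~3)   # attribute values are padded to 4 bytes
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS in response")


def constructed_server_response(txn_id, public_ip, public_port):
    """What a STUN server would send back for our request; constructed
    here (instead of talking to a real server) so the example runs offline."""
    xport = public_port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(public_ip)) ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)
    body = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    return (struct.pack("!HHI", BINDING_SUCCESS, len(body), MAGIC_COOKIE)
            + txn_id + body)


if __name__ == "__main__":
    txn = os.urandom(12)
    request = build_binding_request(txn)
    # Constructed: the NAT mapped our 5060 to 198.51.100.7:40000.
    reply = constructed_server_response(txn, "198.51.100.7", 40000)
    ip, port = parse_binding_response(reply, txn)
    print(f"public mapping {ip}:{port}; source port preserved: {port == 5060}")
```

A phone that learns its mapping this way can fill in a reachable Contact, but only for as long as the NAT keeps that mapping alive, which is why STUN clients also send keepalives; it does not help when the PBX itself sits behind a NAT, as the reply in the next post notes.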
cybercare

Softphone not doing STUN as the server does not support it..

I have control of the phone server. :)

I understand that this is most likely because Cisco did something probably non-standard, but I just would think if the cheap no-good routers have the option to turn on what fixes it, that could have one in pfSense… I understand security may go down a little, but I'd rather have the pf box with less security because of it than this $40 D-Link... lol

chazers18

Cyber--

Hey, I have the same problems you are having also. I did try this and it works great, except you need a 2nd pfSense box running OpenVPN.

I set up a VPN tunnel between client and, obviously, the server, and the Cisco 7940/60 works great! The downside is you need a box to do the VPN shit, and then the other is, it is a piggy on the bandwidth, somewhere around 139 kbps up/down; I think it is 70 kb for the voice and the rest is all encapsulation of the VPN.

But I did have this working well and thought I could do an ALIX on the remote side and hook a Linksys router in bypass mode just for the extra physical ports and the WiFi ability. But that thing doesn't like to do a live install where you can use packages.

cybercare

I was kind of wondering about the VPN part… We have an IPsec tunnel between us and a data center and I was thinking of trying the phone server at that location and seeing if it would work through the VPN. But I agree, I don't like extra overhead, and that does not help me with other remote clients; it only would help for the main office.

Ugg.. I just wish things would work, lol. We are going to end up ditching pfSense because of this, and I did not want to do this, but my options are gone. It works with routers that have ALG and SIP as an option; just hope someone can maybe make a package or something.

chazers18

Hey, from what I can tell
the pfSense starter m0n0 is running VoIP like there is no tomorrow. What is the difference that pfSense is stuck?
I would really like to keep the Asterisk server behind the firewall for obvious reasons. So is there something that should be done in a different part of pfSense?

cybercare

My problem is only with the Cisco phones, and I do NOT have a problem if the Trixbox is behind pfSense. I only have the problem if the phone is behind one… I have the Trixbox on public WAN. The problem is not the server end, it's the client end. The softphones work fine also, but the Cisco phones just won't play nice...

I am going to try what one of the other members said as far as changing the time from 60 to 30, but I am a little doubtful still...

cybrsrfr

Is this a remote office that will have several phones? Or a couple of mobile users that want to pick up their phone and use it at any location?

If it is a remote office, set up an Asterisk/Trixbox server and run a TFTP server on it. Set your remote Asterisk server to use SIP as a trunk to the main PBX and then have your phones talk to the local phone system.

Honestly, the Cisco phones are not the right choice for mobile use. The configuration coming to the phone over TFTP is a huge security risk. Since these phones get their config from TFTP, I believe they were designed for use on a LAN where the VoIP server also resides. Ring tones have to be downloaded from the TFTP server. You could get around this by setting up a local TFTP server at the remote location so that the configs and ringtones come locally. As far as SIP working over the pfSense WAN, that does work. I've done it with multiple soft phones, Linksys PAP2Ts, SPA3102, and the SPA942. However, I have not yet tried it with my Cisco 7940; if I get time soon I will give it a try and report what happens.

The Linksys devices such as the PAP2T and the SPA942 are a much better choice for picking up the phone and using it at any location: it stores its config, doesn't require TFTP, the web interface is simple, and the SIP support is very good.

chazers18

Alright people--

I have a Linksys WIP300 WiFi IP phone. (kind of a cheap phone but it works well)
I have forwarded the ports
5004-5082
10000-10050 (I edited the RTP ports on the Trixbox)
and I think that's all I need (this is all from the top of my head now)

What am I doing wrong that I can't get the phones to register/hook up to the server via the internet... I must be the only ID10T error here on this forum.

b00gz

Did you set up static port? This fixes all of my SIP problems. Below is a link to the settings I used for my Asterisk box.

http://forum.pfsense.org/index.php/topic,7151.msg40557.html#msg40557

cybercare

I have static ports on.

The best I can get the phones to work is: I CAN get it to TFTP through pfSense, and the phone box thinks it's registered and the phone gets the time, but it just does not register itself because it can't call out or in and has the X on the extension.

b00gz

                                        Did you try the siproxd package?

chazers18

Last time I tried to use the SIP proxy it didn't work.

Also, what about setting the Clear DF bit instead of dropping in the Advanced tab?

cybercare

                                            I had no luck with any of it… I have tried everything I could find and/or think of... :(

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.