Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    PfSense + Asterisk (or other VoIP) – A Solution

    Scheduled Pinned Locked Moved General pfSense Questions
    2 Posts 2 Posters 6.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      AlmightyOatmeal
      last edited by

      The following are the details of my usage of pfSense and Asterisk for my phone service. It currently works flawlessly thanks to a SIP proxy called siproxd which is available as a package for pfSense. For some reason, the FreeBSD firewall pf likes to mess with SIP packets which makes it necessary for a SIP proxy. I spent a lot of time getting things to work properly so I hope this information is useful to the masses.

      1. Configure your Asterisk.
        1.a) Configure your SIP and RTP ports. My SIP port is the default 5060 and RTP is between 10000 and 20000 for me. You can narrow this down considerably for I actually would need less than 10 ports open for RTP.
        1.b) Also be sure to specify "externip" or "externhost" in sip.conf. I personally have externhost configured to a dyndns.org account that resolves to my WAN ip address.
        1.c) make sure you have "nat=yes" in sip.conf
        1.d) make sure you configure "localnet=" in your sip.conf to your network. You can use the RFC1918 method or CIDR method. I chose the later of the two for my network. Change accordingly.
      
localnet=192.168.1.0/24

      1.e) in your SIP provider's context in sip.conf, make sure you have "outboundproxy=192.168.1.1", replacing 192.168.1.1 with whatever your pfSense running siproxd ip address is. Here is my example context for use with BroadVoice:

      
[sip.broadvoice.com]
type=peer
user=phone
host=sip.broadvoice.com
outboundproxy=192.168.1.1
fromdomain=sip.broadvoice.com
fromuser= <censored>secret= <censored>username= <censored>insecure=very
context=ivr
authname= <censored>dtmfmode=inband
dtmf=inband
canreinvite=no</censored></censored></censored></censored>

      Please note that if you don't use asterisk and use a softphone for your voip provider, you will use your pfSense ip address for the proxy instead of your voip provider.

      1. Confiigure pfSense firewall/nat rules.
        2.1) For this you will need the ports you setup in step 1.a above. I will be using my port configuration. Add a NAT rule for RTP. This is essential or you will have no audio or one way audio in your calls. I use TCP/UDP though RTP should only be UDP, change if you want. Also change the NAT IP to whatever your asterisk server is and change the description to something that makes sense for you.
      
Interface: WAN
Protocol: TCP/UDP
External port range: From: 10000
External port range: To: 20000
NAT IP: 192.168.1.50
Local Port: 10000
Description: Asterisk PBX - RTP
Enable Auto-add a firewall rule to permit traffic through this NAT rule

      2.2) For this you will need the ports you setup in step 1.a above. I will be using my port configuration. Add a NAT rule for SIP. This is essential or you won't be able to receive calls and you may have trouble registering with your SIP provider. Also change the NAT IP to whatever your asterisk server is and change the description to something that makes sense for you.

      
Interface: WAN
Protocol: TCP/UDP
External port range: From: 5060
External port range: To: 5060
NAT IP: 192.168.1.50
Local Port: 5060
Description: Asterisk PBX - SIP
Enable Auto-add a firewall rule to permit traffic through this NAT rule
      1. Now the fun part: installing and configuring siproxd on your pfSense box.
        3.a) Install siproxd by going to the pfSense web UI and going to System -> Packages. Hit the "+" button to the right of siproxd and let pfSense install the SIP proxy.
        3.b) Go back to the main pfSense web UI page then go to Services -> siproxd. It may be  under Services -> SIP Proxy as well. Here is how I have my siproxd configured, be sure to change your "Outbound Proxy Hostname" to the hostname or IP (IP in my case) to your sip provider. Options I don't specify here I leave blank or default.
      
Inbound Interface: LAN
Outbound Interface: WAN
Enable RTP Proxy: Enable
RTP Port Range (lower): 7070
RTP Port Range (upper): 7080
Outbound Proxy Hostname: 206.15.136.221

      Basically when you make a call your asterisk box will talk to the SIP proxy, the SIP proxy will then talk to your VoIP provider. When you receive a call your VoIP provider will talk directly with your asterisk box (this is important for setting "externip" or "externhost" in sip.conf).

      And that's it! That is how my asterisk/siproxd is configured and has been working beautifully for me for a long time now. No registrations problems, no call issues, no audio problems. Perfect. I hope this helps someone.

      I also have traffic shaping enabled to allow 4 simultaneous 64kbps calls to happen and guarantee bandwidth, but that is pretty much straight forward and you should look for help configuration the traffic shaper.

      1 Reply Last reply Reply Quote 0
      • H
        hatboy
        last edited by

        I always wondered, what is the benefit for having a sip proxy installed? I am running an asterisk box for almost a year in my office with pfsense and without a sip proxy solution implemented and everything works great.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.