Netgate Discussion Forum

    Dual WAN with SIP VOIP

    • RangerJoe

      Our current network is comprised of a pfSense box with four interfaces.
      WAN1 = ISP B
      WAN2 = ISP A
      LAN = Internal network
      Phone = Phone network

      LAN and Phone have DHCP enabled
      WAN1 is our voice provider and secondary ISP.  They also run the SIP.  The PBX traffic has to run through WAN1 in order for the SIP to register.
      WAN2 is our primary ISP, and we wish to use it for all traffic from the workstations.

      We recently had WAN2 installed and are having problems getting traffic from our PBX to ONLY route through WAN1.
      The only traffic that needs to go between the LAN interface and the Phone interface is traffic to/from the PBX for the purpose of system modifications through a web server.  This traffic is on port 443.

      The Phone interface must have traffic from the WAN1 on port 10000-20000 for RTP connections.
      The PBX must have traffic from WAN1 on port 5060 for the SIP connection.

      The Phone subnet must allow the RTP connections to WAN1 (port 10000-20000).
      The PBX must be able to send traffic through WAN1 on port 5060 for the SIP connection.

      I also have NAT set up as manual outbound NAT.
      There is a mapping for WAN1 interface, source is Phone Subnet.  Static port option is selected for both NAT mappings.
      There is also a mapping for WAN1 Interface, source is phone subnet on port 10000-20000.

      Basic drawing of how network is laid out.  Incoming connections = Red, Outbound = Blue

      Does it seem like I am configuring everything the right way?  I have a Digium (Switchvox) VOIP system, as well as the newest release of pfSense.

      Thanks guys.

      • jimp Rebel Alliance Developer Netgate

        The diagram seems to be missing, but I'm not sure it would help more.

        You control such policy routing by making a firewall rule to match the traffic and selecting a gateway there; it is not done with outbound NAT rules.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • RangerJoe

          Apparently it is necessary to create NAT rules to make RTP connections work.  This is the only reason I have NAT rules.

          How can I create a rule stating that all traffic except for HTTPS goes through WAN1 and HTTPS traffic goes through WAN2 (for the PBX address)?

          • jimp Rebel Alliance Developer Netgate

            You just make multiple rules:

            #1: Proto TCP, src: any, dst: any (or the PBX addr if you want to be specific) port 443 (HTTPS) gateway WAN2
            #2: Proto any, src: any, dst: any, gateway WAN1

            First match wins, just remember that when making rules. So if you want to route specific traffic, do it at the top of the list and not the bottom.

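A small model of the first-match behaviour jimp describes, added here as an illustration and not taken from the thread or from pfSense: it evaluates his two rules in order and flags any rule that an earlier rule makes unreachable. The `Rule` fields, the IPv4-only matching and the PBX address 192.168.20.10 are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0/0"  # "any" source in this IPv4-only model

@dataclass(frozen=True)
class Rule:
    proto: str                # "tcp", "udp" or "any"
    src: str                  # source as CIDR; a single host is a /32
    dst_port: Optional[int]   # None means any destination port
    gateway: str

def covers(rule, proto, src, dst_port):
    """True if `rule` matches every packet described by (proto, src CIDR, port)."""
    net = ipaddress.ip_network(src)
    return ((rule.proto == "any" or rule.proto == proto)
            and net.subnet_of(ipaddress.ip_network(rule.src))
            and (rule.dst_port is None or rule.dst_port == dst_port))

def pick_gateway(rules, proto, src_ip, dst_port):
    """First match wins: return the gateway of the first matching rule."""
    for rule in rules:
        if covers(rule, proto, f"{src_ip}/32", dst_port):
            return rule.gateway
    return None  # nothing matched

def shadowed(rules):
    """Indexes of rules that can never match because an earlier rule covers them."""
    return [j for j, r in enumerate(rules)
            if any(covers(e, r.proto, r.src, r.dst_port) for e in rules[:j])]

PBX = "192.168.20.10"  # constructed address, not from the thread
HTTPS_WAN2 = Rule("tcp", ANY, 443, "WAN2")   # rule #1 from the post above
REST_WAN1 = Rule("any", ANY, None, "WAN1")   # rule #2 from the post above
GOOD = [HTTPS_WAN2, REST_WAN1]               # specific rule at the top
BAD = [REST_WAN1, HTTPS_WAN2]                # catch-all placed first
PBX_ONLY = [Rule("tcp", f"{PBX}/32", 443, "WAN2"), REST_WAN1]  # HTTPS rule limited to one host

if __name__ == "__main__":
    for name, rules in (("good", GOOD), ("bad", BAD), ("pbx-only", PBX_ONLY)):
        print(name,
              "https ->", pick_gateway(rules, "tcp", PBX, 443),
              "sip ->", pick_gateway(rules, "udp", PBX, 5060),
              "shadowed:", shadowed(rules))
```

With the catch-all first, the HTTPS rule is reported as shadowed and HTTPS leaves through WAN1, which is the ordering mistake the post warns about.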
            • RangerJoe

              Alright, I can't get the Phone interface to have access to the internet.  I can't ping out from that interface at all, and the PBX will not connect to the internet either.

              Should I need a rule on WAN 1 or WAN 2 interface in regards to this traffic?

              • jimp Rebel Alliance Developer Netgate

                Not a firewall rule, no, but perhaps an outbound NAT rule.

                • RangerJoe

                  If I am doing a single IP will it be a /32?

                  • overand

                    Yes, /32 effectively refers to a single IP address.  I suggest you google "subnet calculator" if you want help with IP subnetting.

                    @RangerJoe:

                    If I am doing a single IP will it be a /32?
