How to port forward VoIP correctly?

krisken · Oct 30, 2010, 11:50 PM

I have a correct dual-wan setup (failover/loadbalancing) with 2 VDSL connections:

Skynet : 30Mbit down - 4.5mbit up - variabel IP
Dommel : 30Mbit down - 4.5mbit up - fixed IP

Used pfsense version : 2.0-BETA4 (i386) built on Fri Oct 29 13:09:04 EDT 2010 FreeBSD 8.1-RELEASE-p1
Used CPU type : Intel(R) Atom(TM) CPU D510 @ 1.66GHz Current: 1254 MHz, Max: 1672 MHz
CPU usage = about 2%
RAM usage = about 5%

More systeminfo
http://krisken.dommel.be/pfsense/voip/phpsysinfo01.jpg
http://krisken.dommel.be/pfsense/voip/phpsysinfo02.jpg

My internal (LAN) IP range is the 10.0.0.1/24, and my VoIP ATA is on 10.0.0.3 (Linksys PAP2T).

Can someone tell me step-by-step what ports i need to forward so that ALL the VoIP traffic uses the Skynet WAN only? I've tried a lot of things but everytime i got the same situation : no-one can call me. If I want to call someone, they don't hear me at all.

I've tried with and without STUN server, so I don't think that's the solution.

Some screenshots of what i have now:

pfsense (firewall-nat-portforward)
http://krisken.dommel.be/pfsense/voip/firewall-nat-portforward.jpg

pfsense (firewall-rules-nat)
http://krisken.dommel.be/pfsense/voip/firewall-rules-nat.jpg

pfsense (firewall-rules-skynet)
http://krisken.dommel.be/pfsense/voip/firewall-rules-skynet.jpg

pfsense (firewall-nat-outbound)
http://krisken.dommel.be/pfsense/voip/firewall-nat-outbound.jpg

pap2t (info)
http://krisken.dommel.be/pfsense/voip/pap2t-info.jpg

pap2t (sip)
http://krisken.dommel.be/pfsense/voip/pap2t-sip.jpg

If you have any solution about my problem, please try to explain it step-by-step, i'm not so into port forwarding stuff ;-)

If possible, no solution with siproxd

Thanks for any advice!!!

clarknova · Oct 31, 2010, 6:39 AM

Some things to try:

1. On firewall_nat.php remove the source ports from the second rule.
2. On the third LAN firewall rule, delete the source and destination ports and add the destination addresses of your SIP and RTP servers (use an alias).
3. Your SKYNET interface firewall rules look correct, but you could try deleting the destination ports and instead use your SIP and RTP servers alias as the source address.
4. I'm pretty sure that outbound load balancing doesn't require advanced (manual) outbound NAT. Try just going with automatic.
5. And then there's this:
http://doc.pfsense.org/index.php/VoIP_Configuration

krisken · Nov 6, 2010, 10:36 PM

@clarknova:

Some things to try:

1. On firewall_nat.php remove the source ports from the second rule.
2. On the third LAN firewall rule, delete the source and destination ports and add the destination addresses of your SIP and RTP servers (use an alias).
3. Your SKYNET interface firewall rules look correct, but you could try deleting the destination ports and instead use your SIP and RTP servers alias as the source address.
4. I'm pretty sure that outbound load balancing doesn't require advanced (manual) outbound NAT. Try just going with automatic.
5. And then there's this:
http://doc.pfsense.org/index.php/VoIP_Configuration

I've tried it all, but without any success… Anyone else have an idea?

chpalmer · Nov 7, 2010, 4:47 AM

Many VOIP providers will use a registration server and allow the audio to be directly handled by other(s) audio servers.

What I have done with my provider is to make a firewall rule that allows their (my providers) server all needed ports to the ata. No port forwarding.

In fact- Im of the belief that if the provider needs port forwarding on your end using this particular router software that they're doing something wrong… Ive never had to use it. I can't speak for the soho routers because I have not used them with any VOIP service.

I use 3 lines at the house and 6 at my office using a pfSense box at both locations. Multiple providers...

dreamslacker · Nov 7, 2010, 1:32 PM

Can you try setting up 2 static port rules (on Outbound) for:

Interface: Skynet
Source: 10.0.0.0/24 / 5060-5070
Destination: Any/ Any
Check Static Port

Interface: Skynet
Source: 10.0.0.0/24 / 16384-16482
Destination: Any/ Any
Check Static Port

Also, you don't need a fixed static port rule for everything going out Skynet (2nd ruleset in Outbound NAT). This can cause some problems if any other client goes out Skynet (due to loadbalancing) and uses source ports in the voip range.

MageMinds · Nov 8, 2010, 12:16 PM

In the outbound rule I would set the source to

10.0.0.3/32 and remote the port assignment…

Skynet 10.0.0.3/32 * * * YES
Skynet 10.0.0.0/24 * * * NO
Somnet 10.0.0.0/24 * * * NO

Also as other said you should not need to port forward anything for your provider to work... You only need port forward when you want to register phone to a SIP server you might have on your side, but since you're talking about a ATA, you should not need it, the registration should take care of everything. The outbound NAT below should take care of sending the traffic coming from the ATA to Skynet.