Netgate Discussion Forum

    Asterisk behind pfsense

    9 Posts 3 Posters 6.0k Views
      Garf

      Asterisk 1.8.4.2, FreePBX

      pfSense 2.0-RC3

      Excuse me for my bad English!  :)

      NAT: 5061, TCP/UDP -> FreePBX IP

      Asterisk SIP settings:
      NAT = Yes
      Static IP = my WAN IP
      Bind port = 5061

      Problem:
      Everything seems to work fine except for one small problem. When I make a call out to someone and that side hangs up, my PBX doesn't receive the "bye" message and the call keeps on going. It's only when I make the call; incoming calls work.

      I tried some packet capture and it seems that I get the "BYE" message on the right port 5061 from the provider, but it gets blocked somewhere and doesn't get to my PBX.

      Any idea?

        Garf

        No one???

        My SIP provider told me to test disabling "stateful packet filtering". Is there some way I can do this on the SIP protocol or on my NAT rule? (5061)

          Garf

          Nobody?  ???

            inflamer

            Garf,

            Try setting System -> Advanced -> Firewall/NAT -> Firewall Optimization Options to 'Conservative'. The fact that pfSense doesn't seem to forward the BYE message could indicate that a state has timed out (although the NAT entry you have added should get the BYE forwarded regardless).

            Please note that this setting will increase memory usage.

              Nachtfalke

              @inflamer:

              Garf,

              Try setting System -> Advanced -> Firewall/NAT -> Firewall Optimization Options to 'Conservative'. The fact that pfSense doesn't seem to forward the BYE message could indicate that a state has timed out (although the NAT entry you have added should get the BYE forwarded regardless).

              Please note that this setting will increase memory usage.

              This affects the complete firewall settings and as far as I know this only makes sense if you have a connection with high latency.

              I think the better way is this one:
              FIREWALL -> Rules -> Edit rule -> Advanced Features -> State type: There I am not really sure what you should use but try it with "none".

                inflamer

                From my understanding, the 'Conservative' setting will increase the state timeout value for UDP states, ref http://doc.pfsense.org/index.php/VoIP_Configuration.

                • Andreas
                  Nachtfalke

                  @inflamer

                  @Garf:

                  No one???

                  My SIP provider told me to test disabling "stateful packet filtering". Is there some way I can do this on the SIP protocol or on my NAT rule? (5061)

                  This can only be done like I described in the post above. Further, what I describe only affects the special rule and not the whole firewall rules.

                  Port 5061 is used for encrypted (TLS) VoIP traffic. This means that TCP is used. So changing the timeout of UDP will not help. In some cases VoIP can use DTLS (UDP) encrypted traffic. Then this could help.

                  Never mind, Garf now has some possibilities he could try and perhaps he will post back if he solved the problem :)

                    Garf

                    Hi!

                    Thanks for the reply!

                    In a panic to get the VoIP service to work correctly (I had some problems with long connection times, or no connection when calling in), I shut down my pfSense  :o and changed it to an old 3Com router. Now everything works with a simple port forward. I will get back to you as soon as possible when I'm changing back and can test your advice.

                    I want my pfSense back  :(

                      Garf

                      @Nachtfalke:

                      Port 5061 is used for encrypted (TLS) VoIP traffic. This means that TCP is used. So changing the timeout of UDP will not help. In some cases VoIP can use DTLS (UDP) encrypted traffic.

                      I'm using port 5061 for security reasons; I'm using the same technique as usual port 5061, UDP yes. My firewall is blocking a lot of traffic on 5060 that shouldn't be there, mostly IPs from China.
