Netgate Discussion Forum

    Asterisk behind pfsense (no sound)

    pfSense Packages
    25 Posts 3 Posters 16.3k Views
    • luckman212

      So the advice to get Asterisk working behind pfSense is to disable SIP and switch to IAX?  haha you can't be serious… are there even any carriers offering IAX trunking anymore??  Of the ones who do, they usually list it as an 'unsupported' feature anyway.

      • serialdie

        @luckman212:

        So the advice to get Asterisk working behind pfSense is to disable SIP and switch to IAX?  haha you can't be serious… are there even any carriers offering IAX trunking anymore??  Of the ones who do, they usually list it as an 'unsupported' feature anyway.

        Welcome to the year 2011.
        voip.ms has full support for IAX2. They will even help you for free get your pbx configured.
        And there is no advice in this post. My solution was to switch protocols as IAX2 has better support behind NAT.

        • luckman212

          I received this feedback from voip.ms (I did know about them and actually I've been using them for several years)

          http://i.imgur.com/g506A.png

          fwiw…

          • serialdie

            @luckman212:

            I received this feedback from voip.ms (I did know about them and actually I've been using them for several years)

            http://i.imgur.com/g506A.png

            fwiw…

            Key word "recommend"
            Not "Not Supported"

            Thank you for clarifying it. ;)

            • marcelloc

              Both work.

              When using SIP behind NAT you must configure the SIP server to support NAT.

              SIP + RTP are really hard to set up when you have to pass more than one NAT translation.

              IAX can pass as many NATs as you need.

              Elite Training: http://sys-squad.com

              Help a community developer! ;D

              • serialdie

                @marcelloc:

                Both work.

                When using SIP behind NAT you must configure the SIP server to support NAT.

                SIP + RTP are really hard to set up when you have to pass more than one NAT translation.

                IAX can pass as many NATs as you need.

                SIP + RTP with dual NAT was my main issue.
                Once I moved to IAX2 my problems were instantly solved.

                :)

                • luckman212

                  I have 1 asterisk server behind pfsense nat and also 2 sip phones behind the same nat.  asterisk server is at 192.168.20.248 and listens on UDP 5060 and RTP is 17000-18000.  I am having a hard time getting this setup working – lots of SIP trunk registration timeouts, or no-audio problems when answering incoming calls.  Does anyone have a similar setup that's willing to share their working pfsense configuration?  I know this can work well because all I did was change out my linux router (running Tomato K26) and that's when the problems began.  I was NOT using the SIP ALG if that's what you're thinking -- I had explicitly disabled it and was just using 2 port forwards:
                  UDP 5060-->192.168.20.248
                  UDP 17000-18000 --> 192.168.20.248

                  these simple settings do not seem "enough" for pfsense.

                  • serialdie

                    @luckman212:

                    I have 1 asterisk server behind pfsense nat and also 2 sip phones behind the same nat.   asterisk server is at 192.168.20.248 and listens on UDP 5060 and RTP is 17000-18000.   I am having a hard time getting this setup working – lots of SIP trunk registration timeouts, or no-audio problems when answering incoming calls.  Does anyone have a similar setup that's willing to share their working pfsense configuration?  I know this can work well because all I did was change out my linux router (running Tomato K26) and that's when the problems began.  I was NOT using the SIP ALG if that's what you're thinking -- I had explicitly disabled it and was just using 2 port forwards:
                    UDP 5060-->192.168.20.248
                    UDP 17000-18000 --> 192.168.20.248

                    these simple settings do not seem "enough" for pfsense.

                    luckman212,

                    SIP in pfSense can be the most tedious task you will ever do in your IT life!
                    Start with these few things.

                    In your sip.conf, the only part that needs to be nat=yes is your provider context.

                    All of your SIP devices will be nat=no and canreinvite=no
                    because they are in the same subnet as your Asterisk server, so they are not NATed.
                    Also make sure you have in your general context
                    localnet=your.lan.range/subnet
                    externip=your.isp.ip

                    If your WAN IP changes constantly you could also use
                    externhost=dynamicip.dyndns.com

                    Then move to pfSense.

                    Make sure you have port forwards for your RTP range and for SIP.

                    Also change your outbound NAT to Manual.

                    Only if it applies:

                    Make sure you have whitelisted your provider's IP and your internal range in Snort and in any other blocking package you have running, like ipblock….

                    In the end I was unable to get my calls to route properly, so I changed to IAX2 with a static outbound port mapping and it all worked like a charm.

                    Good Luck.
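
                    Added example, not part of the original post or of Asterisk itself: a small Python check that audits a sip.conf against the checklist in the post above (localnet plus externip or externhost in the general context, nat=yes on the provider, nat=no and canreinvite=no on LAN devices). The sample config, peer names and addresses are constructed, and classifying a peer as a LAN device by its literal host address is an assumption of this sketch.

```python
import ipaddress

# Constructed sample, not from the thread; addresses and names are placeholders.
SAMPLE_SIP_CONF = """\
[general]
localnet=192.168.20.0/255.255.255.0
externip=203.0.113.10

[provider-trunk]      ; upstream trunk, reached through the pfSense NAT
host=sip.provider.example
nat=no

[phone1]              ; desk phone on the same subnet as Asterisk
host=192.168.20.50
nat=yes
canreinvite=no
"""

def parse_sections(text):
    """Minimal sip.conf reader: ';' comments, [section] headers, key=value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and "]" in line:
            current = sections.setdefault(line[1:line.index("]")], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def audit(text):
    """Check a sip.conf against the NAT checklist from the post above."""
    cfg = parse_sections(text)
    general = cfg.get("general", {})
    findings = []
    if "localnet" not in general:
        return ["general: localnet is not set"]
    if not (general.keys() & {"externip", "externhost"}):
        findings.append("general: neither externip nor externhost is set")
    lan = ipaddress.ip_network(general["localnet"], strict=False)
    for name, opts in cfg.items():
        host = opts.get("host")
        if name == "general" or host in (None, "dynamic"):
            continue  # assumption: peers without a fixed host cannot be classified
        try:
            on_lan = ipaddress.ip_address(host) in lan
        except ValueError:
            on_lan = False  # assumption: a hostname means an external provider
        if on_lan and opts.get("nat") != "no":
            findings.append(f"{name}: LAN device should have nat=no")
        if on_lan and opts.get("canreinvite") != "no":
            findings.append(f"{name}: LAN device should have canreinvite=no")
        if not on_lan and opts.get("nat") != "yes":
            findings.append(f"{name}: provider peer should have nat=yes")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SIP_CONF):
        print(finding)
```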

                    • luckman212

                      Hmm thanks but that's discouraging that after all that in the end you gave up and used IAX.  I already use externhost= and localnet= and have properly set nat=yes/no on my peers and trunks.  Been playing with this for months.   I know voip.ms supports IAX but most wholesalers don't.  (e.g. other trunks I use like flowroute, gafachi or callcentric do not support it).   So I really need to get it working.  Has anyone ever asked  WHY it's so difficult to make SIP work behind a pfSense NAT, compared to other routers?

                      • serialdie

                        @luckman212:

                        Hmm thanks but that's discouraging that after all that in the end you gave up and used IAX.  I already use externhost= and localnet= and have properly set nat=yes/no on my peers and trunks.  Been playing with this for months.   I know voip.ms supports IAX but most wholesalers don't.  (e.g. other trunks I use like flowroute, gafachi or callcentric do not support it).   So I really need to get it working.  Has anyone ever asked  WHY it's so difficult to make SIP work behind a pfSense NAT, compared to other routers?

                        To my observation it looks like pfSense NAT mangles the packet on its way out, improperly marking the packet out; for example, look at this state:

                        10.30.2.102:5060 -> XX.XX.XXX.XX:33441 -> XX.XX.XXX.XX:5060

                        You see how NAT changed the port on its way out and then re-ported it (if that's even a word lol)? Well, I think that SIP applications/providers do not accept that, thus marking the packet mangled…
                        This is just a long shot at something I did not want to spend more time on than needed... To be more specific, I was up for 32hrs trying to figure this out. In the end I said to hell with it. IAX is my new friend.

                        Note: That behavior can be changed by setting outbound NAT to ONT, but even then my system failed to register RTP outbound..

                        Maybe my ISP blocks SIP, as a lot of ISPs do.

                        • marcelloc

                          @luckman212:

                          Has anyone ever asked  WHY it's so difficult to make SIP work behind a pfSense NAT, compared to other routers?

                          I have no problems with it.

                          When using many sip devices behind any firewall, consider using sipproxy.

                          RTP issue sample:
                          You redirected ports from 17000 to 18000 to your sip server.
                          Your second sip device received a call and remote server sent rtp to 17454. In this case you will have no audio and pfSense is not guilty.

                          SIP issue sample:
                          You redirected port 5060 to your sip server.
                          Your second sip device registers at voip.com. When voip.com checks registration who will receive this info? Again pfSense is not guilty.

                          Try to set different sip ports/rtp range to each sip server/device behind your firewall.

                          :) Just remember that computers do what we tell them to do, not what we want to do. :)

                          Elite Training: http://sys-squad.com

                          Help a community developer! ;D
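
                          Added example, not part of the original post: a Python model of the two failure samples described above, in which static port forwards deliver inbound SIP and RTP to one internal host, so a second device using the same ports never receives them. The forwards are the ones quoted in the thread; the second device, its address, and the replacement ports are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:          # one pfSense UDP port forward: WAN ports -> internal host
    start: int
    end: int
    target: str

@dataclass(frozen=True)
class Device:           # a SIP endpoint behind the NAT and the ports it listens on
    name: str
    ip: str
    sip_port: int
    rtp_start: int
    rtp_end: int

def forward_target(forwards, port):
    """Internal host that receives unsolicited inbound UDP on this WAN port."""
    for fwd in forwards:
        if fwd.start <= port <= fwd.end:
            return fwd.target
    return None

def misrouted(forwards, devices):
    """Return (device, kind, first_port, last_port) for ports that reach another host."""
    problems = []
    for dev in devices:
        for kind, lo, hi in (("SIP", dev.sip_port, dev.sip_port),
                             ("RTP", dev.rtp_start, dev.rtp_end)):
            bad = [p for p in range(lo, hi + 1) if forward_target(forwards, p) != dev.ip]
            if bad:
                problems.append((dev.name, kind, bad[0], bad[-1]))
    return problems

# Forwards from the thread; the second device and its address are constructed.
FORWARDS = [Forward(5060, 5060, "192.168.20.248"), Forward(17000, 18000, "192.168.20.248")]
SHARED = [Device("asterisk", "192.168.20.248", 5060, 17000, 18000),
          Device("phone2", "192.168.20.51", 5060, 17000, 18000)]

# Remedy from the post: give each device its own SIP port and RTP range.
SPLIT_FORWARDS = FORWARDS + [Forward(5062, 5062, "192.168.20.51"),
                             Forward(18001, 18100, "192.168.20.51")]
SPLIT = [SHARED[0], Device("phone2", "192.168.20.51", 5062, 18001, 18100)]

if __name__ == "__main__":
    print(misrouted(FORWARDS, SHARED))
    print(misrouted(SPLIT_FORWARDS, SPLIT))
```

                          The model covers only unsolicited inbound traffic matched by static forwards; traffic that matches an existing outbound state is not represented.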

                          • serialdie

                            @marcelloc:

                            @luckman212:

                            Has anyone ever asked  WHY it's so difficult to make SIP work behind a pfSense NAT, compared to other routers?

                            I have no problems with it.

                            When using many sip devices behind any firewall, consider using sipproxy.

                            RTP issue sample:
                            You redirected ports from 17000 to 18000 to your sip server.
                            Your second sip device received a call and remote server sent rtp to 17454. In this case you will have no audio and pfSense is not guilty.

                            SIP issue sample:
                            You redirected port 5060 to your sip server.
                            Your second sip device registers at voip.com. When voip.com checks registration who will receive this info? Again pfSense is not guilty.

                            Try to set different sip ports/rtp range to each sip server/device behind your firewall.

                            :) Just remember that computers do what we tell them to do, not what we want to do. :)

                            I am going to make one more test over SIP tonight and see how far I can get again. In my case it was only one device and I was still unable to get outgoing RTP to function properly.
                            My SIP devices talk to Asterisk and then Asterisk talks to my provider.

                            I will reply back and see what are the results again.

                            • serialdie

                              @marcelloc:

                              @luckman212:

                              Has anyone ever asked  WHY it's so difficult to make SIP work behind a pfSense NAT, compared to other routers?

                              I have no problems with it.

                              When using many sip devices behind any firewall, consider using sipproxy.

                              RTP issue sample:
                              You redirected ports from 17000 to 18000 to your sip server.
                              Your second sip device received a call and remote server sent rtp to 17454. In this case you will have no audio and pfSense is not guilty.

                              SIP issue sample:
                              You redirected port 5060 to your sip server.
                              Your second sip device registers at voip.com. When voip.com checks registration who will receive this info? Again pfSense is not guilty.

                              Try to set different sip ports/rtp range to each sip server/device behind your firewall.

                              :) Just remember that computers do what we tell them to do, not what we want to do. :)

                              I am sorry but in pfSense SIP is plain impossible. I just tried everything I can think of and nothing works!
                              If you have your SIP working behind your pfSense, by all means please post your pfSense config and prove me wrong. But for now I stand by this. SIP is not possible behind pfSense.

                              • marcelloc

                                Do you need inbound calls?

                                If you don't, you do not need any NAT rule, just outbound.

                                Elite Training: http://sys-squad.com

                                Help a community developer! ;D

                                • serialdie

                                  @marcelloc:

                                  Do you need inbound calls?

                                  If you don't, you do not need any NAT rule, just outbound.

                                  Somebody under General gave me some hints that made the registration possible. The issue has been that outbound is not possible.
                                  And I do need inbound and outbound.

                                  • serialdie

                                    @marcelloc:

                                    Do you need inbound calls?

                                    If you don't, you do not need any NAT rule, just outbound.

                                    Look here and see if you can chime in:

                                    http://forum.pfsense.org/index.php/topic,41286.0.html

                                    Thanks!

                                    • marcelloc

                                      Can you bridge your router to have a real IP at WAN?

                                      My setup is very simple:

                                      provider --> real ip --> pfsense --> 192.168.3.x ip --> asterisk server

                                      Nothing different from NAT inbound ports and sip_nat.conf.

                                      Elite Training: http://sys-squad.com

                                      Help a community developer! ;D

                                      • serialdie

                                        Well I am back…. Here is what I can say... For an unknown reason I am not able to get SIP working over port 5060. As soon as I switched to 5080 everything started to work as it should. And no, I have no other SIP device except for my Asterisk PBX.
                                        Odd.....

                                        • marcelloc

                                          Great news!!!  :)

                                          Some DSL routers have a 'SIP ALG' option that breaks SIP communication. I have no idea why.
                                          Maybe you have something like that on your network.

                                          Elite Training: http://sys-squad.com

                                          Help a community developer! ;D

                                          • serialdie

                                            @marcelloc:

                                            Great news!!!  :)

                                            Some DSL routers have a 'SIP ALG' option that breaks SIP communication. I have no idea why.
                                            Maybe you have something like that on your network.

                                            Nope, not here… I have cable... :) but it's all resolved now.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.