Asterisk behind pfsense (no sound)
-
I received this feedback from voip.ms (I did know about them and actually I've been using them for several years)
http://i.imgur.com/g506A.pngfwiw…
Key word "recommend"
Not "Not Supported"Thank you for clarifying it. ;)
-
Both works.
When using sip behind nat you Must configure sip server to support nat.
Sip + RTP are realy hard to setup when you have to pass more then one nat translation.
Iax can pass as many nats you need.
-
Both works.
When using sip behind nat you Must configure sip server to support nat.
Sip + RTP are realy hard to setup when you have to pass more then one nat translation.
Iax can pass as many nats you need.
SIP + RTP with dual NAT was my main issue.
Once I moved to IAX2 my problems instantly solved.:)
-
I have 1 asterisk server behind pfsense nat and also 2 sip phones behind the same nat. asterisk server is at 192.168.20.248 and listens on UDP 5060 and RTP is 17000-18000. I am having a hard time getting this setup working – lots of SIP trunk registration timeouts, or no-audio problems when answering incoming calls. Does anyone have a similar setup that's willing to share their working pfsense configuration? I know this can work well because all I did was change out my linux router (running Tomato K26) and that's when the problems began. I was NOT using the SIP ALG if that's what you're thinking -- I had explicitly disabled it and was just using 2 port forwards:
UDP 5060-->192.168.20.248
UDP 17000-18000 --> 192.168.20.248these simple settings do not seem "enough" for pfsense.
-
I have 1 asterisk server behind pfsense nat and also 2 sip phones behind the same nat. asterisk server is at 192.168.20.248 and listens on UDP 5060 and RTP is 17000-18000. I am having a hard time getting this setup working – lots of SIP trunk registration timeouts, or no-audio problems when answering incoming calls. Does anyone have a similar setup that's willing to share their working pfsense configuration? I know this can work well because all I did was change out my linux router (running Tomato K26) and that's when the problems began. I was NOT using the SIP ALG if that's what you're thinking -- I had explicitly disabled it and was just using 2 port forwards:
UDP 5060-->192.168.20.248
UDP 17000-18000 --> 192.168.20.248these simple settings do not seem "enough" for pfsense.
luckman212,
SIP in pfsense can be the most tedious task you will ever do in your IT life!
Start with this few things.in your sip.conf the only parts that needs to be nat=yes would be your provider context
all of your sip devices will be nat=no and canreinvite=no
because they are in the same subnet as your asterisk server so they are not natted.
Also make sure you have in your general context
localnet=your.lan.range/subnet
externip=your.isp.ipif your wan ip changes constantly you could also use
externhost=dynamicip.dyndns.comThan move to pfsense
Make sure you have port forward it for your RTP range and for SIP.
Also change your outbound nat to Manual.
Only if it applies:
Make sure you have white listed your providers ip and your internal range in snort and in any other blocking pkg you have running like ipblock….
at the end I was unable to get my calls to route properly so I changed to IAX2 with a static outbound port mapping and it all worked like a charm.
Good Luck.
-
Hmm thanks but that's discouraging that after all that in the end you gave up and used IAX. I already use externhost= and localnet= and have properly set nat=yes/no on my peers and trunks. Been playing with this for months. I know voip.ms supports IAX but most wholesalers don't. (e.g. other trunks I use like flowroute, gafachi or callcentric do not support it). So I really need to get it working. Has anyone ever asked WHY its so difficult to make SIP work behind a pfSense NAT, compared to other routers?
-
Hmm thanks but that's discouraging that after all that in the end you gave up and used IAX. I already use externhost= and localnet= and have properly set nat=yes/no on my peers and trunks. Been playing with this for months. I know voip.ms supports IAX but most wholesalers don't. (e.g. other trunks I use like flowroute, gafachi or callcentric do not support it). So I really need to get it working. Has anyone ever asked WHY its so difficult to make SIP work behind a pfSense NAT, compared to other routers?
To my observation it looks like pfsense nat mangles the packet on its way out improperly marking the packet out for example look at this state:
10.30.2.102:5060 -> XX.XX.XXX.XX:33441 -> XX.XX.XXX.XX:5060
You see how NAT changed the port on its way out and than re port it (If that's even a word lol)? Well I think that SIP application/providers do not accept that thus marking the packet mangled…
This is just a long shot at something I did not wanted to spent more time than what need it... to be more specific I was up for 32hrs trying to figure this out. at the end I say to hell with it. IAX is my new friend.Note: That behavior can be changed by setting out bound NAT to ONT but even than my system failed to register RTP out bound..
Maybe my isp block's sip as a lot of isp do.
-
Has anyone ever asked WHY its so difficult to make SIP work behind a pfSense NAT, compared to other routers?
I have no problems with it.
When using many sip devices behind any firewall, consider using sipproxy.
RTP issue sample:
You redirected ports from 17000 to 18000 to your sip server.
Your second sip device received a call and remote server sent rtp to 17454. In this case you will have no audio and pfSense is not guilty.SIP issue sample:
You redirected port 5060 to your sip server.
Your second sip device registers at voip.com. When voip.com checks registration who will receive this info? Again pfSense is not guilty.Try to set different sip ports/rtp range to each sip server/device behind your firewall.
:) Just remember that computers do what we tell them to do, not what we want to do. :)
-
Has anyone ever asked WHY its so difficult to make SIP work behind a pfSense NAT, compared to other routers?
I have no problems with it.
When using many sip devices behind any firewall, consider using sipproxy.
RTP issue sample:
You redirected ports from 17000 to 18000 to your sip server.
Your second sip device received a call and remote server sent rtp to 17454. In this case you will have no audio and pfSense is not guilty.SIP issue sample:
You redirected port 5060 to your sip server.
Your second sip device registers at voip.com. When voip.com checks registration who will receive this info? Again pfSense is not guilty.Try to set different sip ports/rtp range to each sip server/device behind your firewall.
:) Just remember that computers do what we tell them to do, not what we want to do. :)
I am going to make one more test over sip tonight and see how far I can get again. In my case its was only one device and I was still unable to get outgoing RTP to function properly.
My sip devices talk to asterisk and than asterisk talks to my provider.I will reply back and see what are the results again.
-
Has anyone ever asked WHY its so difficult to make SIP work behind a pfSense NAT, compared to other routers?
I have no problems with it.
When using many sip devices behind any firewall, consider using sipproxy.
RTP issue sample:
You redirected ports from 17000 to 18000 to your sip server.
Your second sip device received a call and remote server sent rtp to 17454. In this case you will have no audio and pfSense is not guilty.SIP issue sample:
You redirected port 5060 to your sip server.
Your second sip device registers at voip.com. When voip.com checks registration who will receive this info? Again pfSense is not guilty.Try to set different sip ports/rtp range to each sip server/device behind your firewall.
:) Just remember that computers do what we tell them to do, not what we want to do. :)
I am sorry but in pfsense sip is plain impossible. I just tried everything I can think of and nothing works!
If you have your sip working behind your pfsense by all means please post your pfsense config and prove me wrong. but for now I stand by this. SIP is not possible behind pfsense. -
Do you need inbound calls?
If don't you do not need any nat rule, just outbound.
-
Do you need inbound calls?
If don't you do not need any nat rule, just outbound.
Somebody under general gave me some hints that made the registration possible. the issue has been that outbound is not possible.
And I do need inbound and outbound. -
Do you need inbound calls?
If don't you do not need any nat rule, just outbound.
Look here and see if you can chime in:
http://forum.pfsense.org/index.php/topic,41286.0.html
Thanks!
-
can you bridge your router to have real ip at wan?
my setup is very simple:
provider–>real ip-->pfsense->--192.168.3.x ip->asterisk server.
nothing different from nat inbound ports and sip_nat.conf.
-
Well I am back…. Here is what I can say... For an unknown reason I am not able to get SIP working over port 5060. As soon as I switch to 5080 everything started to work as it should. and no I have no other sip device except for my asterisk pbx.
odd..... -
Great news!!! :)
Some dsl routers has a 'sip Alg' option that break out sip comunication. I have no idea why.
Maybe you have something like that on you network. -
Great news!!! :)
Some dsl routers has a 'sip Alg' option that break out sip comunication. I have no idea why.
Maybe you have something like that on you network.Nope not here… I have cable... :) but its all resolved now.
