Netgate Discussion Forum

    Asterisk behind pfsense (no sound)

    25 Posts 3 Posters 16.3k Views
      serialdie

      @luckman212:

      I received this feedback from voip.ms (I did know about them and actually I've been using them for several years)

      http://i.imgur.com/g506A.png

      fwiw…

      Key word "recommend"
      Not "Not Supported"

      Thank you for clarifying it. ;)

        marcelloc

        Both work.

        When using SIP behind NAT you must configure the SIP server to support NAT.

        SIP + RTP are really hard to set up when you have to pass more than one NAT translation.

        IAX can pass as many NATs as you need.

        Treinamentos de Elite: http://sys-squad.com

        Help a community developer! ;D

          serialdie

          @marcelloc:

          Both work.

          When using SIP behind NAT you must configure the SIP server to support NAT.

          SIP + RTP are really hard to set up when you have to pass more than one NAT translation.

          IAX can pass as many NATs as you need.

          SIP + RTP with dual NAT was my main issue.
          Once I moved to IAX2 my problems were instantly solved.

          :)

            luckman212

            I have 1 asterisk server behind pfsense nat and also 2 sip phones behind the same nat.  asterisk server is at 192.168.20.248 and listens on UDP 5060 and RTP is 17000-18000.  I am having a hard time getting this setup working – lots of SIP trunk registration timeouts, or no-audio problems when answering incoming calls.  Does anyone have a similar setup that's willing to share their working pfsense configuration?  I know this can work well because all I did was change out my linux router (running Tomato K26) and that's when the problems began.  I was NOT using the SIP ALG if that's what you're thinking -- I had explicitly disabled it and was just using 2 port forwards:
            UDP 5060-->192.168.20.248
            UDP 17000-18000 --> 192.168.20.248

            these simple settings do not seem "enough" for pfsense.

              serialdie

              @luckman212:

              I have 1 asterisk server behind pfsense nat and also 2 sip phones behind the same nat.   asterisk server is at 192.168.20.248 and listens on UDP 5060 and RTP is 17000-18000.   I am having a hard time getting this setup working – lots of SIP trunk registration timeouts, or no-audio problems when answering incoming calls.  Does anyone have a similar setup that's willing to share their working pfsense configuration?  I know this can work well because all I did was change out my linux router (running Tomato K26) and that's when the problems began.  I was NOT using the SIP ALG if that's what you're thinking -- I had explicitly disabled it and was just using 2 port forwards:
              UDP 5060-->192.168.20.248
              UDP 17000-18000 --> 192.168.20.248

              these simple settings do not seem "enough" for pfsense.

              luckman212,

              SIP in pfsense can be the most tedious task you will ever do in your IT life!
              Start with these few things.

              In your sip.conf the only part that needs to be nat=yes would be your provider context.

              All of your SIP devices will be nat=no and canreinvite=no
              because they are in the same subnet as your asterisk server so they are not NATted.
              Also make sure you have in your general context:
              localnet=your.lan.range/subnet
              externip=your.isp.ip

              If your WAN IP changes constantly you could also use:
              externhost=dynamicip.dyndns.com

              Then move to pfsense.

              Make sure you have port forwards for your RTP range and for SIP.

              Also change your outbound NAT to Manual.

              Only if it applies:

              Make sure you have whitelisted your provider's IP and your internal range in snort and in any other blocking pkg you have running like ipblock….

              In the end I was unable to get my calls to route properly, so I changed to IAX2 with a static outbound port mapping and it all worked like a charm.

              Good Luck.

                luckman212

                Hmm thanks but that's discouraging that after all that in the end you gave up and used IAX. I already use externhost= and localnet= and have properly set nat=yes/no on my peers and trunks. Been playing with this for months. I know voip.ms supports IAX but most wholesalers don't (e.g. other trunks I use like flowroute, gafachi or callcentric do not support it). So I really need to get it working. Has anyone ever asked WHY it's so difficult to make SIP work behind a pfSense NAT, compared to other routers?

                  serialdie

                  @luckman212:

                  Hmm thanks but that's discouraging that after all that in the end you gave up and used IAX. I already use externhost= and localnet= and have properly set nat=yes/no on my peers and trunks. Been playing with this for months. I know voip.ms supports IAX but most wholesalers don't (e.g. other trunks I use like flowroute, gafachi or callcentric do not support it). So I really need to get it working. Has anyone ever asked WHY it's so difficult to make SIP work behind a pfSense NAT, compared to other routers?

                  From my observation it looks like pfsense NAT mangles the packet on its way out, improperly marking the packet. For example, look at this state:

                  10.30.2.102:5060 -> XX.XX.XXX.XX:33441 -> XX.XX.XXX.XX:5060

                  You see how NAT changed the port on its way out and then re-ported it (if that's even a word lol)? Well, I think that SIP applications/providers do not accept that, thus marking the packet mangled…
                  This is just a long shot at something I did not want to spend more time on than needed... to be more specific, I was up for 32 hrs trying to figure this out. In the end I said to hell with it. IAX is my new friend.

                  Note: That behavior can be changed by setting outbound NAT to ONT but even then my system failed to register RTP outbound..

                  Maybe my ISP blocks SIP as a lot of ISPs do.

                    marcelloc

                    @luckman212:

                    Has anyone ever asked WHY it's so difficult to make SIP work behind a pfSense NAT, compared to other routers?

                    I have no problems with it.

                    When using many sip devices behind any firewall, consider using sipproxy.

                    RTP issue sample:
                    You redirected ports from 17000 to 18000 to your sip server.
                    Your second sip device received a call and remote server sent rtp to 17454. In this case you will have no audio and pfSense is not guilty.

                    SIP issue sample:
                    You redirected port 5060 to your sip server.
                    Your second sip device registers at voip.com. When voip.com checks registration who will receive this info? Again pfSense is not guilty.

                    Try to set different sip ports/rtp range to each sip server/device behind your firewall.

                    :) Just remember that computers do what we tell them to do, not what we want to do. :)

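An added example, not written by any poster in this thread: a Python check, run over a constructed INVITE as captured on the WAN side, for the two failure modes described above. It flags LAN addresses left in Contact/SDP (the addresses the localnet/externip settings mentioned earlier are meant to replace) and an SDP audio port whose port forward points at a different internal host (the RTP issue sample). The sample message, the function names and the second device's address used in the usage note are assumptions; the port forwards are the two luckman212 listed.

```python
import ipaddress
import re

# Constructed INVITE as captured on the WAN side; addresses were not rewritten.
SAMPLE_INVITE = (
    "INVITE sip:15555550100@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.20.248:5060;branch=z9hG4bK-constructed\r\n"
    "Contact: <sip:100@192.168.20.248:5060>\r\n"
    "\r\n"
    "v=0\r\n"
    "o=root 1 1 IN IP4 192.168.20.248\r\n"
    "c=IN IP4 192.168.20.248\r\n"
    "m=audio 17454 RTP/AVP 0 101\r\n"
)

# The two UDP port forwards quoted in the thread: (first, last, internal target).
FORWARDS = [(5060, 5060, "192.168.20.248"), (17000, 18000, "192.168.20.248")]


def forward_target(port, forwards=FORWARDS):
    """Internal host an inbound UDP port is forwarded to, or None."""
    for first, last, target in forwards:
        if first <= port <= last:
            return target
    return None


def audit_sip(message, sender_lan_ip, localnet, forwards=FORWARDS):
    """List reasons the far end could not reach the sender of this message."""
    net = ipaddress.ip_network(localnet)
    head, _, sdp = message.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "contact":
            for ip in re.findall(r"\d+\.\d+\.\d+\.\d+", value):
                if ipaddress.ip_address(ip) in net:
                    findings.append(f"Contact advertises LAN address {ip}")
    for line in sdp.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if ipaddress.ip_address(ip) in net:
                findings.append(f"SDP c= advertises LAN address {ip}")
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
            target = forward_target(port, forwards)
            if target != sender_lan_ip:
                findings.append(f"RTP port {port} forwards to {target}, not {sender_lan_ip}")
    return findings
```

Calling `audit_sip(SAMPLE_INVITE, "192.168.20.248", "192.168.20.0/24")` reports the two LAN-address findings for the PBX; the same message sent from a hypothetical second phone at 192.168.20.50 additionally reports that its RTP port is forwarded to the PBX.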
                      serialdie

                      @marcelloc:

                      @luckman212:

                      Has anyone ever asked WHY it's so difficult to make SIP work behind a pfSense NAT, compared to other routers?

                      I have no problems with it.

                      When using many sip devices behind any firewall, consider using sipproxy.

                      RTP issue sample:
                      You redirected ports from 17000 to 18000 to your sip server.
                      Your second sip device received a call and remote server sent rtp to 17454. In this case you will have no audio and pfSense is not guilty.

                      SIP issue sample:
                      You redirected port 5060 to your sip server.
                      Your second sip device registers at voip.com. When voip.com checks registration who will receive this info? Again pfSense is not guilty.

                      Try to set different sip ports/rtp range to each sip server/device behind your firewall.

                      :) Just remember that computers do what we tell them to do, not what we want to do. :)

                      I am going to make one more test over SIP tonight and see how far I can get again. In my case it was only one device and I was still unable to get outgoing RTP to function properly.
                      My SIP devices talk to asterisk and then asterisk talks to my provider.

                      I will reply back and see what are the results again.

                        serialdie

                        @marcelloc:

                        @luckman212:

                        Has anyone ever asked WHY it's so difficult to make SIP work behind a pfSense NAT, compared to other routers?

                        I have no problems with it.

                        When using many sip devices behind any firewall, consider using sipproxy.

                        RTP issue sample:
                        You redirected ports from 17000 to 18000 to your sip server.
                        Your second sip device received a call and remote server sent rtp to 17454. In this case you will have no audio and pfSense is not guilty.

                        SIP issue sample:
                        You redirected port 5060 to your sip server.
                        Your second sip device registers at voip.com. When voip.com checks registration who will receive this info? Again pfSense is not guilty.

                        Try to set different sip ports/rtp range to each sip server/device behind your firewall.

                        :) Just remember that computers do what we tell them to do, not what we want to do. :)

                        I am sorry but in pfsense SIP is plain impossible. I just tried everything I can think of and nothing works!
                        If you have your SIP working behind your pfsense, by all means please post your pfsense config and prove me wrong. But for now I stand by this. SIP is not possible behind pfsense.

                          marcelloc

                          Do you need inbound calls?

                          If you don't, you do not need any NAT rule, just outbound.

                            serialdie

                            @marcelloc:

                            Do you need inbound calls?

                            If you don't, you do not need any NAT rule, just outbound.

                            Somebody under general gave me some hints that made the registration possible. The issue has been that outbound is not possible.
                            And I do need inbound and outbound.

                              serialdie

                              @marcelloc:

                              Do you need inbound calls?

                              If you don't, you do not need any NAT rule, just outbound.

                              Look here and see if you can chime in:

                              http://forum.pfsense.org/index.php/topic,41286.0.html

                              Thanks!

                                marcelloc

                                Can you bridge your router to have a real IP at WAN?

                                My setup is very simple:

                                provider --> real IP --> pfsense --> 192.168.3.x IP --> asterisk server.

                                Nothing different from NAT inbound ports and sip_nat.conf.

                                  serialdie

                                  Well I am back…. Here is what I can say... For an unknown reason I am not able to get SIP working over port 5060. As soon as I switched to 5080 everything started to work as it should. And no, I have no other SIP device except for my asterisk PBX.
                                  Odd.....

                                    marcelloc

                                    Great news!!!  :)

                                    Some DSL routers have a 'SIP ALG' option that breaks SIP communication. I have no idea why.
                                    Maybe you have something like that on your network.

                                      serialdie

                                      @marcelloc:

                                      Great news!!!  :)

                                      Some DSL routers have a 'SIP ALG' option that breaks SIP communication. I have no idea why.
                                      Maybe you have something like that on your network.

                                      Nope, not here… I have cable... :) but it's all resolved now.
