Problem with Freeswitch package

kartweel

Yes that is an option, but I wanted to be able to access it from the same IP whether inside or outside the network. Also I was having some trouble running it behind a NAT, but I may be able iron out those issues.

I've done some further packet captures on pfsense and a local client.

These are captures from the LAN interface on pfsense.

This is the SIP traffic, which correctly responds on the LAN interface back to the SIP client.

23:14:21.568533 IP 192.168.2.123.5060 > 120.146.228.51.5060: UDP, length 1430
23:14:21.569010 IP 120.146.228.51.5060 > 192.168.2.123.5060: UDP, length 371

This is the RTP traffic from the client to pfsense/freeswitch.

23:14:21.576339 IP 192.168.2.123.5054 > 120.146.228.51.18488: UDP, length 62
23:14:21.615120 IP 192.168.2.123.5054 > 120.146.228.51.18488: UDP, length 62
23:14:21.636939 IP 192.168.2.123.5054 > 120.146.228.51.18488: UDP, length 62

There is no RTP data going from the server to the client. Running a packet capture on the WAN interface picks up the outgoing RTP traffic from freeswitch, but alas it never makes it to the client.

It is odd, the internal profile for freeswitch has this written on it… (I am using fusionpbx frontend)

"By default the Internal profile binds to the WAN IP which is accessible to the internal network. A rule can be set from PFSense -> Firewall -> Rules -> WAN to the the WAN IP for port 5060 which enables phones register from outside the network."

This would make me think that my setup should work!...

marcelloc

Can't you setup freeswitch to listen on all interfaces?

sip does not like nat very much.

On asterisk there are specific options to set nat but I don't know how it works on freeswitch

kartweel

Yes I am trying to avoid NAT :). Freeswitch has some NAT options, but I am a bit of a noob at it.

You can't set a single profile to bind to multiple interfaces, but I can set up multiple profiles, 1 on each interface. So I could have an internal one and an external one. But it would still mean I couldn't use the same IP inside and outside the network, which I don't see why I shouldn't be able to?

marcelloc

Check rules on lan and maybe disabling  Block bogon networks could help

kartweel

Tried that, no joy :(. Also tried blocking and unblock private networks etc from WAN.

Any other ideas? I might try putting another interface on, bind it to that and then see if it works. At least then I'll know if it is a problem with the WAN interface specifically, or something else…

kartweel

So I made another interface, LAN2 with IP 192.168.3.1. I bound freeswitch to that IP and it works correctly from the LAN, I can register and get audio etc. So it must just be an issue with using it with WAN. Maybe coz WAN is pppoe ? or maybe coz WAN-LAN is NAT'd ?

In any case, I think it still should work, so any more ideas on what to try?
I guess I should try it on a second WAN interface. and see if it is all WAN interfaces or just the 1 that is causing the issue.

marcelloc

Change your outbound to manual.

kartweel

Ok, I've narrowed it down a little further.

Changing NAT Outbound to manual didn't work. Either did deleting all the NAT rules after chaning to manual (And successfully disabling any internet access, btw changing to auto again didn't fix it, I had to manually create some rules)

I created another WAN interface and set it up, and it exhibits the same behaviour… so I conclude that the issue only happens on WAN interfaces. So on this WAN interface I changed the gateway to "none" (I guess that means it isn't really a WAN interface anymore) and it works perfectly! So this is where the issue is happening.

Likewise from pfsense diagnostics -> ping, I can ping LAN addresses from this "WAN" interface without a gateway...

kartweel

Any ideas anyone?

I'm just wondering if I should persist with this or what I am trying to do is unsupported or not supposed to work…

Thanks!

marcelloc

I will work, just take a look on docs.pfsense.org or this forum for manual outbound nat.

Change to manual and only create outbound nat rules for traffic leaving wan interface.

kartweel

I've got it set to manual and this is the only rule I have in there… Even If I delete all rules it still doesn't work...

Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description

WAN  192.168.2.0/24 * * * * *
NO

The only things I can do to get it to work are:

Remove the gateway on the WAN interface
Disable all packet filtering

Either of which are no good for my setup :(

marcelloc

if LAN is 192.168.2.0/24, outbound nat is fine, check lan rules now.

You must permit traffic fom LAN net to any on LAN interface.

kartweel

I got frustrated and just allowed everything to everywhere on the firewall.

Both LAN and WAN interface are * * * * * * * as the first rule

Still no go…

It still seems to mimic the behaviour of pfSense diagnostics -> ping

I wonder if I should try installing pfSense 1.2.3 and see if it works on that.

cmb

I really doubt that issue has anything to do with your NAT or firewall rules, it's somewhere in your freeswitch or phone config. No idea where, I don't know a whole lot about freeswitch, but that's in general not the kind of symptoms you'd have with any NAT or firewall rule issues in that type of deployment.

1.2.3 and 2.0 will be the same in that regard.

cmb

updated subject and moved into the packages board, not sure if that will help it get better attention, but it's a freeswitch package issue.

kartweel

I've set up pfSense 1.2.3 and installed the freeswitch-dev package and it seems to be working how I want it. Likewise pinging a LAN address from the WAN interface also works. I might try setting up a fresh pfSense 2.0.1 install and seeing if it works. Maybe I just messed up my networking config somehow.

kartweel

Ok. Set up pfSense 2.0.1 again from scratch. Freeswitch package doesn't work on 2.0.1, so I installed fusionPBX again. Same issue as originally.

So to summarise my findings.

pfSense 1.2.3 with freeswitch-dev package worked.
pfSense 2.0.1 with FusionPBX didn't work (meaning cannot hear audio on the internal network, apart from that works fine).

I still think the issue is with pfSense. In 1.2.3 you can ping internal hosts from the WAN interface, in 2.0.1 you cannot. Also in 2.0.1 it works fine if you disable packet filtering, or take the gateway off the WAN interface.

Anyway, I guess I will multi-home freeswitch and then access it internally from the internal IP and externally from the external IP. bah. I like pfSense too much to replace it for something else I can run freeswitch on how I want.

sdudley

Thought I would chime in and mention that on a fresh PFSense (x86) 2.01 install, I was able to follow the steps on Mark's PBXFusion Wiki site and other than the svn issue that marcelloc helped me with to synch PBXFusion updates, the FreeSwitch manual install per the directions works for all intents and purposes on PFSense 2.01…the 32 bit variant. I'm using DynDNS on the PFSense 2.01 and phones on the LAN and WAN work. Not sure if this has any bearing on what you were doing or maybe it's enough of an incentive to keep trying. I'm using Aastra SIP phones, slightly older models and the Linux Twinkle SIP client as a softphone, no VLANs or anything beyond an out of the box setup on the network side of things.
All the best.
Shaun

Cino

@sdudley:

Thought I would chime in and mention that on a fresh PFSense (x86) 2.01 install, I was able to follow the steps on Mark's PBXFusion Wiki site and other than the svn issue that marcelloc helped me with to synch PBXFusion updates, the FreeSwitch manual install per the directions works for all intents and purposes on PFSense 2.01…the 32 bit variant. I'm using DynDNS on the PFSense 2.01 and phones on the LAN and WAN work. Not sure if this has any bearing on what you were doing or maybe it's enough of an incentive to keep trying. I'm using Aastra SIP phones, slightly older models and the Linux Twinkle SIP client as a softphone, no VLANs or anything beyond an out of the box setup on the network side of things.
All the best.
Shaun

I was also able to get it to install a couple of weeks ago… I have had it running on 2.01 and also 2.1... I have a question for you, how were you and marcelloc able to get the updates to work? I haven't spend anytime on it trying it tho.. It was more to see if it would work on my box... some reason I would rather have a VoIP run on another box then my firewall..

marcelloc

@Cino:

I have a question for you, how were you and marcelloc able to get the updates to work?

All these updates are related to cyrrus-sasl and kerberos missing libraries. I've first tried to include sasl + tls to postfix(not done yet), then I saw freeradius with same issues as well subversion.

@Cino:

I haven't spend anytime on it trying it tho.. It was more to see if it would work on my box… some reason I would rather have a VoIP run on another box then my firewall..

freeswitch or asterisk could be a layer7 voip filtering daemon/proxy/gateway, just like squid, varnish and postfix do with it's own protocols.

I agree that a sip nat or sip proxy could do the job, it's just more options for admins  :)