How to setup point to point Line
-
Hi dreamslacker
I did the setup as per your guidlilnes and now i can ping both the OPT interfaces from each other, however i am not able to ling the lan Net, i have added rules under OPT interface as per sequesnce you mentioned.
Please suggest which rule i am missing… -
Either you firewall rules are wrong in which case you should see entries in the firewall log(s) or your static routes aren't working correctly.
Can you ping from the pfSense machines themselves? If the routing isn't working you should see 'no route' or a similar error.Steve
-
If you're confident that the point to point link is a pure end to end ethernet type connection such as with Metro-E, then you just need to add one more NIC to each pfsense box.
Assign the additional NIC on each pfSense box as OPT1.
Determine a small subnet to use for this link. e.g. 10.0.1.0/28
Now configure each OPT1 connection with a unique static IP within that subnet.
Following the example:
Office 1 OPT1 has interface address 10.0.1.1/28 with Gateway 10.0.1.2
Office 2 OPT1 has interface address 10.0.1.2/28 with Gateway 10.0.1.1Furthermore, you need to configure static routes.
Hence:
Under System -> Routing -> Routes:
Office 1 has Static route as such:
Destination Subnet: 192.168.2.0/24
Gateway: 10.0.1.2and Office 2 has Static route as follows:
Destination Subnet: 192.168.1.0/24
Gateway: 10.0.1.1Then head over to Firewall -> Rules -> OPT1 tab.
For office 1:
Add a rule to Allow ANY Protocol, Source subnet: LAN Subnet, Destination Subnet: 192.168.2.0/24.For office 2:
Add a rule to Allow ANY Protocol, Source subnet: Lan Subnet, Destination Subnet: 192.168.1.0/24.Thanks
Hi
Thanks a lot for your valuable inputs, i have successfully setup point to point line.
The only thing which wasted my some time was that once we setup both the firewalls, after that we need to reboot both of them.
I hope this will be helpfull for sopmepne ion future -
If you're confident that the point to point link is a pure end to end ethernet type connection such as with Metro-E, then you just need to add one more NIC to each pfsense box.
Assign the additional NIC on each pfSense box as OPT1.
Determine a small subnet to use for this link. e.g. 10.0.1.0/28
Now configure each OPT1 connection with a unique static IP within that subnet.
Following the example:
Office 1 OPT1 has interface address 10.0.1.1/28 with Gateway 10.0.1.2
Office 2 OPT1 has interface address 10.0.1.2/28 with Gateway 10.0.1.1Furthermore, you need to configure static routes.
Hence:
Under System -> Routing -> Routes:
Office 1 has Static route as such:
Destination Subnet: 192.168.2.0/24
Gateway: 10.0.1.2and Office 2 has Static route as follows:
Destination Subnet: 192.168.1.0/24
Gateway: 10.0.1.1Then head over to Firewall -> Rules -> OPT1 tab.
For office 1:
Add a rule to Allow ANY Protocol, Source subnet: LAN Subnet, Destination Subnet: 192.168.2.0/24.For office 2:
Add a rule to Allow ANY Protocol, Source subnet: Lan Subnet, Destination Subnet: 192.168.1.0/24.Hi
Now i am experiencing issue with UDP packets. we have a SIP device on 192.168.2.x side and SIP server on 192.168.1.x side.
now udp packets are not goinf across properly resulting other end is not able to hear the voice.Any idea what additional rule i need to add.
thanks i advance
-
If you have ANY protocol in your rules that includes UDP.
Are you seeing anything in the firewall logs at either end?Are you seeing no UDP at all or just some packet loss?
Steve
-
If you have ANY protocol in your rules that includes UDP.
Are you seeing anything in the firewall logs at either end?Are you seeing no UDP at all or just some packet loss?
Steve
Thanks for quick response Steve,
For more information:VoIP Phone1 –--> Cisco 2960 ---> pfsense1 Firewall <---------point to point link ----------> pfsense2 Firewall ----> Cisco 2960 ----> VoIP Server
VoIP Phone1: 192.168.2.100
pfsense1: LAN-192.168.2.1, WAN-Dynamic & WAN2-10.0.5.2 with gateway 10.0.5.1(one end of point to point)
pfsense static route: 192.168.1.0 via 10.0.5.2pfsense2: LAN-192.168.1.1, WAN-Dynamic & WAN2-10.0.5.1 with gateway 10.0.5.2 (one end of point to point)
pfsense static route: 192.168.2.0 via 10.0.5.1
VoIP Server 192.168.1.5The problem I am facing is that VoIP server is not able to detect the IP address of the VoIP phone on the other side of the point to point connection. How can you over come this NAT issue, unfortunately the VoIP Server doesn't provide many configureable options.
-
Yet other services work across the link?
I am inexperienced with VoIP so may not be of much help. :(
Have you read this?: http://doc.pfsense.org/index.php/VoIP_ConfigurationSteve
-
It's a NAT issue. He needs to set static port NAT for the SIP traffic.
-
Is there any reason to be NATing across the PTP link?
Steve
-
Is there any reason to be NATing across the PTP link?
Steve
Thanks Everyone for your response
Actual problem is that with point to point line evrything is accesible except voip phone.
The issue with voip phone is that two voip phoe are not working at the same time while one is working.
so probably voip server is not able to identify the sip/udp packet source from other end thats why it intrects with one voip phone.can anyone suggest please how to pass voip phone info to voip server on other end.
-
From your description it sounds exactly like the situation described in the docs.
pfSense 2 (you are using 2 right?) is NATing traffic across the PTP link, that is the default behaviour when using an interface with a gateway so all traffic appears to be coming from one IP. You setup the first call and that uses source port 5060 which works fine. You try to make a second call and pfSense re-writes the source port as 5060 is already in use. Your VoIP equipment can't deal with re-written source ports.Two solutions as I see it.
1. Use the siproxd package as suggested in the docs.
2. Disable NAT across the link and just route traffic. See: http://doc.pfsense.org/index.php/How_can_I_completely_disable_NAT%3F Obviously you would still require rules to keep NAT on your WAN interface.Disabling NAT may also help other stuff that doesn't like NAT and it's quick and easy to do. That's what I'd try first but I'm coming from almost no VoIP experience! ;)
Steve
