Help with SIP please

berrick

Thanks for the reply.

make sure that the traffic to the PBX is returned to pfSense as part of the default gateway's duties

The way I read the above made me wonder if there was something I had missed. All local clients have their DG pointing to the F/W 192.168.0.254.

I too was thinking it may be a double NAT issue such as 5060 being forwarded to another IP address in the router but I accessed the commandline of the router and saw nothing to do with 5060?

kind regards

podilarius

With the double NAT, you are going to have to worry about state timeouts at 2 places. Depending on the router, it might be okay or might be the cause of your problem. Most phones have SIP timeout/rekey/or something that keeps the state alive. I would cut that in half each time a test failed until you find a value that does work.

berrick

Hi podilarius,

As I have the router forwarding ALL ports to the outside interface of the firewall NAT'ing should only be happening in the firewall itself? I take on board your points in the last reply though.
For now is it the consensus that the issue I have with pfsense not forwarding UDP/TCP to the PBX on port 5060 but some random port as in my first post is probably due to something already forwarding UDP/TCP to 5060 ?

kind regards

podilarius

It does not matter if it is forwarding one port or all, if it is NATting, then unless you have turned it off, the router/modem is going to keep states. If you turned off keep states at the modem, I think a lot of things are going to fail to work.
The issue you might have is the media port. My phones use 16384-32766. These are used when a call is in progress and is negotiated at the time of the call. My phones are setup to be NAT aware so it sends packets every so often to keep the states alive.
I would watch traffic dumps at each NIC on the firewall to see how traffic is being transformed and to make sure that it is doing that correctly.

berrick

*** Update ***

For now I have removed Pfsense from the equation to ensure I have SIP working correctly. So far everything VoIP is working as expected using port 5060 for SIP and ports 16384-32767 for RTP.

cristianonix

podilarius, help-me with protocol sip and iax, I have problems. use pfsense version 2.0.1 , asterisk not work with nat.

podilarius

You are going to have to provide a bit more details? Type of phones and what you have currently setup for rules/NAT. Are you using SIP proxy?

cristianonix

Podilarius,

Sorry, my english is bad yet  :D

My network below.

company A                                                                                        company B

(SIP)                                                (Bridge)            IAX            (Bridge)                                                    (SIP)   
LAN –->  Elastix --->  PFSENSE (FW)  ---> Modem ---> Internet  --->  Modem  ---> PFSENSE (FW) ---> Elastix ---> LAN
                                                                                                        |
Class C    Class C                                                                                |--------- SIP------------------ MODEM (BRIDGE) ---> PFSENSE-->  LAN

I have many problems with connections udp (IAX,SIP,RTP ), always show NO_TRAFFIC;
In linux debian (iptables), never had this problem.

dhatz

Which version of Elastix are you using?

When both Asterisk servers are behind symmetric NAT (default pf / pfsense behavior) you're going to have troubles, at least with non-NAT-aware protocol like SIP.

You could make it work with special config of asterisk and pfsense, but the easiest solution would be to use IAX.

cristianonix

elastix-2.3.0

joako

Two things:

1. If you use SIP registration you absolutely do not need any port forwarding
2. Create NAT rule with static port = yes. If you read in the pfSense wiki you will see explained why this is needed for SIP.

cristianonix

thanks …