Asterisk + pfSense: static port is not fixing the problem
-
I have a pfSense running in front of an Asterisk, and I only get one-way audio (going outbound).
I have set static port to the network it goes to (I will fix this later to be more specific) and yet it still will not do two-way audio. I also do not get the ring tone when I put a call through.
What baffles me is that this configuration is working for another box out in the field, but not this one (this one replaced a dead Cisco PIX).
Does it sound like I should back the config up, default the pfSense and re-apply? I've had to do this back in the 1.2.3 days when something just didn't click right initially.
-
In such a setup, it also depends on your configuration of Asterisk and/or SIP trunk provider (or remote SIP clients).
Relatively recent versions of voip software can deal with pf's symmetric NAT without the need to use static-port.
-
Are you using manual outbound NAT rules?
Is your IP for your VoIP the default WAN IP, or a virtual IP via NAT for inbound NAT rules?
-
We're using bandwidth.com as the trunk, and it uses the default WAN IP, and we have several 1:1 NATs via virtual IP, but they are not part of the equation.
I'm also beginning to run into issues where the IP phones are no longer registering over IPSec; now customers are having issues with talking to an Exchange server over a VPN.
IPSec rules are set accordingly to allow traffic through, and for the most part, traffic can get through.
The odd part is, if you run nmap on any IP going through the VPN towards this router, you can't see the ports, whereas on the local LAN, you can.
IPSec is currently set to allow all traffic for troubleshooting purposes, and I still see things are blocked.
Not to mention we still have issues with the phone system… It's absolutely frustrating. I love pfSense but it may need to be chucked in this instance as it seems it doesn't want to work correctly, even after clearing the system back to defaults and manually adding everything back.
-
Actually, disregard most of this.
I was able to verify it was an unrelated issue, but my Cisco phones still refuse to register through the VPN now. I'm getting unauthorized errors, which may be the PBX. Only thing is, the PBX was unchanged during the switch to pfSense, and now I'm getting this. There are rules that allow the traffic through. I'm absolutely confused. pfSense has absolutely refused to work with our Elastix box completely, yet there is another one that works perfectly fine. It's mind boggling.
-
The issue I had, as I also run Elastix, was the auto outbound NAT: the PBX was going out over my firewall IP, which was different from the NAT PBX virtual IP I was using for inbound.
Once I changed to manual outbound NAT and put a rule to send my PBX out on the same IP it came in on, everything worked for me.
Do you have all the ports open, default 5060 and 10000 to 20000?
-
If you need answers, you'll have to do some debugging with tcpdump.
Both Asterisk and pfSense are very complex (due to being so feature-rich) pieces of software, each with hundreds of tunable parameters. Most problems people have with VoIP come from the fact that the standard SIP protocol wasn't initially designed with NAT traversal support, and as a result SIP devices have to be configured appropriately (assuming reasonably up-to-date SIP protocol implementations).
Bottom line, one cannot just plug an IP PBX and a router/firewall together and expect everything to "automagically" work; and if by chance it does, one risks encountering problems as soon as any changes / upgrades occur to the initial configuration.
PS: I run various Asterisk & Elastix systems behind pfSense and iptables with remote extensions over VPN and don't have to use static-port. Currently pfSense's most serious and long-standing shortcoming is its inability to properly clear states upon WAN IP change, which isn't an issue in my case but affects many others.
-
Oh, by no means do I ever expect anything to be plug and play at this level. I work with Cisco equipment (though it becomes plug and play once you have mastered a base config :) )
I found out why my extensions stopped working. siproxd and Cisco phones don't play well at all.
-
My issue now is outbound calling. I can hear them, but they can't hear me.
Oi.
-
Okay, my extensions aren't talking to each other again. Nothing changed. This is absolutely frustrating. The problem here is, everything worked fine when we were using a PIX 515; now it isn't and I'm baffled.
-
If you can't hear people, the right ports aren't forwarded, or IP access is not correct on your trunk provider to allow access, if they block it.
-
I figured it out a while back, but I wanted this to be finalized so if anyone else is reading with a similar issue they aren't like "great, another unfinished topic!"
Basically I needed to modify sip_nat.conf with two more localnet= entries, as my configuration has IP phones talking via VPN.
I didn't realize you need one for every subnet a phone is on internally. D'oh.
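To make the localnet= rule above concrete, here is an added example (not code from the thread or from Asterisk): it parses a constructed sip_nat.conf fragment and reports which phone addresses fall outside every localnet, i.e. which peers Asterisk would hand its externip instead of its LAN address. All addresses and the config text are constructed for illustration.

```python
# Added example (not from the thread): check which phone subnets are covered
# by Asterisk's localnet= entries. Config text and addresses are constructed.
import ipaddress
import re

# Constructed sip_nat.conf-style fragment: only the LAN is listed, the two
# VPN subnets the phones sit on are missing (the poster's situation).
SIP_NAT_CONF = """
[general]
nat=yes
externip=203.0.113.10
localnet=192.168.1.0/255.255.255.0
localnet=10.0.0.0/8
"""

def parse_localnets(conf_text):
    """Return the localnet= networks. Asterisk accepts CIDR (10.0.0.0/8)
    and dotted-mask (192.168.1.0/255.255.255.0) forms; ipaddress takes both."""
    return [ipaddress.ip_network(m.group(1), strict=False)
            for m in re.finditer(r"^\s*localnet\s*=\s*(\S+)", conf_text, re.M)]

def is_local(addr, localnets):
    """True if Asterisk treats addr as inside, i.e. advertises its own LAN IP."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in localnets)

def advertised_address(peer_addr, conf_text, bind_addr):
    """Address Asterisk places in Contact/SDP towards peer_addr: the LAN bind
    address for local peers, externip for everyone else. A VPN phone wrongly
    classed as external sends its RTP to externip, which the VPN cannot reach,
    giving the one-way audio described in the thread."""
    externip = re.search(r"^\s*externip\s*=\s*(\S+)", conf_text, re.M).group(1)
    return bind_addr if is_local(peer_addr, parse_localnets(conf_text)) else externip

def uncovered_phones(phone_addrs, conf_text):
    """Phones that fall outside every localnet and need their subnet added."""
    nets = parse_localnets(conf_text)
    return [p for p in phone_addrs if not is_local(p, nets)]

if __name__ == "__main__":
    # Constructed sample: one LAN phone and one phone on each VPN subnet.
    phones = ["192.168.1.20", "192.168.150.5", "192.168.151.7"]
    for p in uncovered_phones(phones, SIP_NAT_CONF):
        print(f"{p}: not in any localnet, add localnet= for its subnet")
    # The trunk provider (constructed address) correctly gets externip.
    print(advertised_address("198.51.100.40", SIP_NAT_CONF, "192.168.1.2"))
```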
-
I inherited a situation where the previous sysadmin placed the Trixbox (Asterisk box) outside the firewall. For security reasons, I have to move it back behind my pfSense firewall. To do so, I installed a new Intel dual NIC and created a dedicated interface for VoIP traffic. Next I set up NAT rules for inbound SIP & RTP as well as HUD & VPN for Fonality. Inbound calls work perfectly. However, outbound calls fail to connect. Using the packet tracer built into Asterisk, I determined that my outbound calls are going through the WAN interface instead of the VoIP interface and are being rejected by my SIP provider because the header contains the wrong IP address (this is what SysIT posted). So far so good. I installed the siproxd proxy, made the necessary changes to my sip.conf, and configured it according to the instructions outlined here: http://doc.pfsense.org/index.php/Asterisk_VoIP. Still unable to make outbound calls. Inbound calls work as before. Tried a variety of NAT/firewall rules aimed at forcing outbound traffic through the VoIP interface. This time, I was able to make outbound calls but could get no sound (ringing, etc). Gave up and returned to the previous setup.
I have looked everywhere and have sifted through a lot of conflicting information. This should have worked with the NAT rules - actually it does work for the WAN interface but not the VoIP interface. What I need is a hint on how to direct all outbound traffic from the Trixbox through the VoIP interface. I thought the siproxd proxy did this but it's not working for me. Would the solution be to delete the SIP proxy and create a manual outbound AON NAT rule for the VoIP interface forcing all SIP traffic through a static port? I would appreciate any and all suggestions. I feel that I am very close to solving this issue.
My NAT rules (autogenerated firewall rules) are:
Interface  Proto  Src  Src ports  Dest address  Dest ports     NAT IP   NAT ports      Description
VOIP       UDP    *    *          VOIP address  5060 (SIP)     Trixbox  5060 (SIP)     SIP Signalling
VOIP       TCP    *    *          VOIP address  8000           Trixbox  8000           VPN1 for Trixbox
VOIP       TCP    *    *          VOIP address  9000           Trixbox  9000           VPN2 for Trixbox
VOIP       TCP    *    *          VOIP address  5222           Trixbox  5222           HUD3 for Trixbox
VOIP       UDP    *    *          VOIP address  10000 - 20000  Trixbox  10000 - 20000  RTP Signalling

I'm looking at the following AON NAT outbound rule:
Interface  Source            Src port  Dest  Dest port  NAT address  NAT port  Static port
VOIP       192.168.150.0/24  udp/5060  *     udp/5060   *            *         YES
-
Could you draw a simple diagram of your network topology?
I think your problems are due to "multi-homing" your Trixbox server, after the addition of the dual-port NIC. You'll need to configure proper routing on the IP-PBX itself. I don't think static-port NAT configuration on pfsense will make any difference and you shouldn't be needing siproxd.
I agree with your decision to put the PBX behind a perimeter firewall (pfSense) and I always add a host-based firewall & monitoring software on the IP-PBX itself.
-
No, I don't think so. (see attached) The Trixbox currently has two NICs: eth0 & eth1. eth0 connects directly to a 6MB fiber connection for Broadvox, my SIP provider. eth1 connects to the LAN. When I move the Trixbox behind the firewall, I disable eth1 and eth0 is configured as the LAN port. The VoIP interface on pfSense is configured with the previous eth0 configuration. This works fine - I can receive calls with no quality or cutoff issues. However, no calls connect from inside because the Trixbox is sending out through the WAN interface instead of the VoIP interface (verified by Broadvox). I get lost trying to force outbound traffic from the Trixbox LAN connection through the VoIP interface. Now, I thought that the siproxd proxy did this but it didn't work. I attempted to set up a NAT port forward (with associated filter rules) like this:
Interface  Proto  Src  Src ports  Dest address  Dest ports     NAT IP   NAT ports      Description
LAN        UDP    *    *          VOIP address  5060 (SIP)     Trixbox  5060 (SIP)     SIP Signalling
LAN        UDP    *    *          VOIP address  10000 - 20000  Trixbox  10000 - 20000  RTP Signalling

Which did not work. Even if a call connects, you hear nothing because (if I understand correctly) RTP is getting randomized. Soooo, today I tried setting up an outbound NAT AON rule:
Interface  Source      Src port  Dest  Dest port  NAT address  NAT port  Static port  Description
VOIP       x.x.x.0/24  *         *     *          *            *         YES          Outbound NAT for Trixbox

All I want is to use the dedicated VoIP interface for Trixbox traffic. There must be a way to do this on pfSense, but at this point I suffer from a severe case of overthink - I am certain the answer is simple but it eludes me.
-
Is the image I attached what you are trying to accomplish? I added lines through pfSense to show what I think your intended routing is.
It sounds like your PBX needs to have the settings for the default gateway adjusted. The internal network IP address shouldn't have a default gateway. Do this by setting a static IP on the PBX and leave the default gateway blank on the LAN side.
To make management simpler, you may wish to put the WAN interface of the PBX in a separate subnet from the rest of the network. The pfSense interface it connects to should also be on the same subnet and the IP address should be the default gateway.
You might want to consider using a PBX system which is maintained. Trixbox was abandoned years ago and support for the software is very limited. My system uses FreePBX and I like it. Trixbox put my system in a Fonality database which led to intrusion attempts almost daily.
-
Hi,
I took a short look over this thread. If I'm right, it was mentioned that it should be manual outbound NAT, but nobody wrote/suggested that you have to/should use
- incoming 1:1 NAT (public IP => internal IP)
- outbound NAT (Interface, Source IP (network), any port, any IP, any port, public IP, no static port needed)
  => important here is also the order of rules… first match wins ;) (so the PBX network must come after the PBX IP)
- related firewall rules from outside => inside
We have opened
+ UDP any IP, any port => public IP :5060
+ UDP any IP, any port => public IP :1000:20000 RTP
+ TCP/UDP any IP, any port => public IP :4569 IAX2
Perhaps you need TCP for SIP, too:
+ TCP/UDP any IP, any port => public IP :5060 SIP
These rules are in place in our company and work fine ;)
If your SIP account passwords are secure you can open them like our ports;
if not, or if you don't want to connect clients from outside, you should rather allow the outside IP ranges of your trunk(s) as remote incoming IPs.
-
Reiner30, you shouldn't need to open any ports (5060, 10000-20000, IAX etc.) from outside, unless you have remote extensions (in that case, even if you're using strong passwords, it'd still be advisable to only let people connect over VPN, for no other reason than to avoid the flood of fake SIP registration attempts as soon as they find out you have an open port 5060).
I've seen cases where all the bandwidth was consumed by the hackers' intrusion attempts …
PS: 1:1 NAT does no port rewriting iirc.
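The registration flood dhatz describes is easy to spot in Asterisk's own log. The following is an added example (not code from the thread, not from Asterisk or pfSense): it parses constructed chan_sip "Registration from ... failed" lines and flags source addresses that produce a burst of failures inside a short sliding window, which is what a scanner walking extension numbers looks like. The log lines, addresses and thresholds are all constructed for illustration.

```python
# Added example (not from the thread): flag source IPs that burst failed SIP
# registrations in Asterisk's log. Lines are constructed; 198.51.100.9 plays
# the scanner, 192.168.150.5 a VPN phone with a mistyped password.
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
[2013-05-02 10:15:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.9:5060' - Wrong password
[2013-05-02 10:15:01] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.9:5060' - No matching peer found
[2013-05-02 10:15:02] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@203.0.113.10>' failed for '198.51.100.9:5060' - No matching peer found
[2013-05-02 10:15:02] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@203.0.113.10>' failed for '198.51.100.9:5060' - No matching peer found
[2013-05-02 10:15:03] NOTICE[1234] chan_sip.c: Registration from '"104" <sip:104@203.0.113.10>' failed for '198.51.100.9:5060' - No matching peer found
[2013-05-02 10:20:30] NOTICE[1234] chan_sip.c: Registration from '"205" <sip:205@203.0.113.10>' failed for '192.168.150.5:5060' - Wrong password
"""

# Shape of the chan_sip failure line as constructed above.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<user>[^']*)' failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.*)$"
)

def parse_failures(log_text):
    """Return (timestamp, source_ip, reason) for each failed registration."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            out.append((ts, m.group("ip"), m.group("reason")))
    return out

def flood_sources(log_text, threshold=5, window_s=60):
    """Map ip -> total failures for IPs with at least `threshold` failures
    inside any `window_s`-second sliding window. A real phone with a wrong
    password retries slowly; a scanner walks extensions within seconds."""
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

if __name__ == "__main__":
    for ip, n in flood_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed registrations, candidate for a block rule")
```

The same logic is what fail2ban-style tooling applies to this log; the flagged addresses are the ones to feed into a firewall block list or alias rather than leaving 5060 open to the world.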
-
Interesting…
- How do you let incoming trunk INVITEs in then? ;)
  If you have a 1:1 connection then it's no problem, but some of our providers have different IPs for their media gateways than their SIP registrar IP.
- And how (if not initiated from internally) should incoming RTP streams get in?
  I think pfSense doesn't use an iptables equivalent of ip_sip, which reads the SIP stream to find out the negotiated ports?
Our PBX also has snort running, so intrusion attacks are blocked after a short time.
And using the full bandwidth for these attacks is not impossible, but needs huge resources since we have a 100 MBit fiber connection.
EDIT:
Forgot to mention... our SNOM phones can use OpenVPN tunnels, but most SIP software clients don't support tunnels "out of the box" :(
I found 3CX an interesting solution for Windows/mobile clients, but their 3CX tunnel is bundled to their 3CX server only/needs Windows.
So "tunneling to go" for the users is not possible to my knowledge.
Best
-
-
Well, this is the last thing left to try - set up a 1:1 NAT from the VoIP provider's public IP on the VoIP interface to the Trixbox. I have tried everything else with no success. So far I have tried:
Siproxd: Didn't work for me. It appears to be made for users who have IP phones that need to register with an external VoIP provider. I have an Asterisk server I want to move behind the firewall and my softphones register with it just fine. Siproxd logs
Outbound NAT AON: Broke everything and left my network without Internet access.
Port forwards for SIP & RTP: Works inbound only. Outbound calls go nowhere and then you get a fast busy signal. The VoIP provider confirmed that these are coming from the WAN interface, not the VoIP interface, and hence are being rejected.
Have done a great deal of reading and it appears that running VoIP behind pfSense is a hit or miss endeavor. While I love pfSense and have been running it since 2009, I have already begun pricing Cisco ASA units which can easily accommodate what I'm trying to do. One other curiosity I noticed: when I moved the Trixbox behind the firewall, I was IMMEDIATELY swamped with a flood of fake SIP registrations from the 220.240.0.0 subnet because I had opened up SIP port 5060. I ended up blocking the entire subnet on the Trixbox using IPChains. This confirms what dhatz points out.
-