VoIP with Auerswald 5020 and 1&1 + Sipgate behind pfSense

derh2 · Dec 6, 2013, 2:20 AM

I have an issue with setting up VoIP correctly. PfSense replaced an AVM FritzBox 7170.
Old working config: Port forwarding from FritzBox: SIP UDP 5063 + 5067 –> Auerswald 5020 (TK)

Now incoming calls do not work properly.
(With the same Sipgate account calling is possible in both directions with a SIP-phone from the same LAN)

1&1 = number not reachable
Sipgate = phone ringing but no voice connection, rings further after hanging up for a few seconds

Port status COMpact 5020 VoIP:

Port overview:

Network structure:
adsl-modem <–-WAN (PPPoE, dynamic IP)---> pfSense <–-LAN(192.168.110.0)---> internal network

System Information: v2.1-RELEASE (amd64)
Installed Packages: arping 2.09.1 | Lightsquid 1.8.2 pkg v.2.33 | OpenVPN Client Export Utility 1.2.4 | Sarg 2.3.6_2 pkg v.0.6.3 | squid 2.7.9 pkg v.4.3.3

At the internal network there is the VoIP-Server Auerswald 5020 (192.168.110.3 Alias TK).

DNS-Servers list on Dashboard:
127.0.0.1
217.237.151.115 (assigned from ISP)
217.237.148.102 (assigned from ISP)
23.54.98.59 (ISP DNS, Use gateway: WAN_PPPOE)
4.2.2.2
8.8.8.8

System: Advanced:
checked = Allow DNS server list to be overridden by DHCP/PPP on WAN
unchecked = Do not use the DNS Forwarder as a DNS server for the firewall
checked = Disable DNS Rebinding Checks
Firewall Optimization Options = conservative
checked = Disable Firewall Scrub
NAT Reflection mode for port forwards = Enable (NAT + Proxy)

NAT: Port Forward

Outbound:

Firewall-Rules WAN:

Firewall-Rules LAN:

Firewall-Logs:
1

2

3

What does that arrow before LAN mean? (Direction = out). Why is that traffic from the proxy server blocked to LAN?

4

5

6

7

8

9

10

11

12

I hope provide enougth information so far.

Thanks
derh2

pftdm007 · Dec 6, 2013, 1:59 AM

Good luck, until yesterday when I upgraded to 2.1 my VoIP immediately stop registering with the services provider… I created a new thread at the same time as yours!

derh2 · Dec 8, 2013, 5:55 PM

From now my COMfortel 3500 also have an issue to register Sipgate-Account. Hit deactivate/activate several times an it is online at the moment. Problem with dynamic IP???

Any idea?

pftdm007 · Dec 8, 2013, 9:25 PM

2 tyhings come to my mind:

A package (or many) are blocking or redirecting packets from/tp the SIP server , if its the case, you have to do some testing, deactivate certain firewall rules and packages, and see when things comes back to normal.

Otherwise, do you have Snort installed? Snort works fairly well, but can also be a major PITA. Look in Snort's alerts at the moment someone tries to use the VoIP system.

For me, it was mainly Snort. The problem was crystal clear: Someone would call, the phone would ring once or twice, then stop. At first I thought they hung up on me before I had a chance to pick up the phone, then I realized Snort was blocking the communication packets. Same was true when I made a call.

I see you use squid. I personally got rid of this package. I am still not sure if I have a hardware limitation on my current pfsense box, or is it squid that has MAJOR issues, but the package kills everything. It worked back around 2010 but after that, it became a nightmare.

derh2 · Dec 9, 2013, 1:00 PM

ok, no Snort. Try that to untick the LAN interface in Squid config screen.
Please look at my firewall screenshot nr. 2, port 10000 is blocked but I do not know why? Neccessary for STUN?

derh2 · Dec 10, 2013, 8:33 PM

So far I'm not familiar with pfSense. If it don't work as expected and there is no solution I have to to go back to my old Fritzbox.

Please help!!

Best regards
derh2

derh2 · Dec 17, 2013, 7:17 PM

Not even ONE answer in 7 days???

Why? Pleas help, I have no idea…

This is open source and I probably know anybody here has the answer. I'm very disappointed.

derh2 · Jul 8, 2014, 4:54 PM

Any idea?

-flo- 0 · Jul 18, 2014, 2:53 PM

Is this still open? I cannot see the pictures in your original post. Can you post these again here in the forum?

derh2 · Jul 18, 2014, 2:59 PM

Yes, problem is still there.

Sorry, I can't edit my post. Here is a link where you can see the pictures:

http://www.administrator.de/forum/pfsense-voip-mit-auerswald-5020-und-1und1-u-sipgate-223819.html

-flo- 0 · Jul 18, 2014, 3:25 PM

Ok, got it. I would recommend to change your second Outbound NAT rules: make this valid for ports from 5060 through 5067 and disable STUN.

Also I second lpallard. Get rid of squid / snort at least until your phones work.

derh2 · Aug 31, 2014, 12:05 PM

Thank you for your message. I will test that when I have enough time and give feedback.