VoIP on Separate Interface
-
Once you make this change make sure to reboot the voip device and let it sit for up to a good half hour. They can sometimes take a while to request their config file.
-
I set TFTP to lan and will see if anything happens.
But i suppose I have to open one or a few ports to let calls through, right? Or will TFTP take care of that too?
-
pfSense rewrites the source port and TFTP transfers such as your VOIP device uses to get its config file do not like that.
Its hard to tell if your VOIP provider will require any rules or not. It depends on how they are set up.
With one provider I need rules, the other I do not. Ive actually quit the one that doesn't need rules and ported those numbers to the one that does.
No NAT rules however. You should not need inbound NAT to a VOIP ATA (client device) these days.
-
After trying what you suggested I found that the WAN LED on the router lit up orange instead of green as it does if I plug in straight into the wall.
Although it still functions and provides internet access to a computer I plugged into its LAN for testing. It did however not download any
configuration files or made any changes to the settings as it should have done according to my ISPs website during the time I had it plugged in.
It is possible that it tries to receive something but fails as the WAN light flashes rapidly in bursts when plugged in to the pfsense box even if nothing is connected to it.It is possible it needs to be port forwarded. I did a port scan and found out that several ports were open by default in the router.
This was scanned from inside its own LAN and there were nothing open from the WAN side. This is also right after a reset.21 filtered ftp
22 open ssh
23 filtered telnet
53 open domain
80 open http
443 filtered https
7676 open imqbrokerd
10000 open snet-sensor-mgmt
10001 open scp-config
49152 openAll open on tcp.
It might not be necessary but I did it just in case it would be important and overlooked later on.
-
if the provider of this box can not provide you with the ports it requires if behind a firewall I would question that for sure - maybe the 1st level guy were talking about just didn't know. Ask to talk to an engineer.
Your other option is to sniff on pfsense interface this box is connected to and see what it is trying to do.
Or other option put this box in front of pfsense for your voip stuff, and make pfsense behind its nat.. Just forward all ports on your zyxel to pfsense wan IP, or make pfsense wan IP the dmz host, etc. Or turn it into a bridge, where pfsense would get your public IP but voip would still be handled by the device.
Other option is enable UPnP on pfsense so it can forward the ports it needs on pfsense.
-
I will try to get the ports by either sniffing them or calling the support again. I have asked to talk to a next level person, but there are none available. At all, they say at least.
I once got a number from them to an in depended company that knew more but took extra money for me calling in.Meanwhile, is it possible to create a "transparent" interface that forwards the wan address to trick VoIP modem that it is the first, while actually pfsense is the first line?
I would like to do it like that because configuring the zyxel to act like a bridge is slowing down my network speed by a fair amount. It is not, or at least mine is not very fast.How the ISP wants me to plug it all in:
ISP – zyxel – pfsense – LAN
\ – PhoneHow I would like it to be:
ISP – pfsense – LAN
\ – zyxel – PhoneI do not know if it would work but I imagine I would be able to open every port in that interface to not block anything and still be safe on my LAN.
-
And thanks to you for helping me as well.
-
I scanned my network traffic while calling in and out and saw a reference to port 5060.
I saw some protocols that were used:-
TCP
-
SIP
-
RTP
-
TRCP
-
Syslog
I also saw, while looking at the packets that were sent first during calls out and found, a reference to an md5 hash (supposedly a password), so I will not be filling in the information manually for some time.
The traffic flowed to a remote host that I could not ping and from a host other that my own IP.This was done by making another computer a bridge with sniffing tools running on it and the zyxel connected to the forwarded port from the bridge.
So plugged everything back and I tried to open some ports in pfsense and point them to the zyxel router, but with no luck. Nothing is getting through.
-
-
You do understand that pfsense can sniff traffic on any interface, there is a gui to do it under diag. If you need to sniff on multiple interfaces at the same time I find it easier to just ssh to pfsense a few times and run whatever tcpdump I want in each shell, etc.
-
Yes, I do know that. It is just so that the zyxel router does not function as it should when behind pfsense. No the phone instantly returns an error sound without even transmitting anything.
So I wonder how I would create an interface that just passes all data along with my external ip address that I can connect the zyxel to?
That is the only solution I can think of. -
that would be a 1:1 nat, but you would need more than 1 public IP if you wanted to send any other inbound traffic to anything else.
Just put the zyxel in front of pfsense would be easier solution.
-
Okay. If that is the best and easiest way to do it except putting the zyxel in front of everything else, let’s pretend I now have two IP-addresses with one connected to the phone.
What would I do to transfer data coming from the phone address to its router and keep the other address to the other interface? -
I would just try creating a second LAN interface first.
Id be very surprised if you had to port forward anything at all but instead you just need firewall rules to allow the traffic.
Do you have an available interface on your firewall that you can use?
-
Further my bet is a couple of WAN rules pointed at your device's LAN address would work as well but Ive started putting all my voip devices on a secondary interface as well just for ease and to be able to segregate traffic for statistical purposes.
Question- Do you have admin access to your Zytel device?
-
Yes, I have an excess interface and I turned it into a new LAN with the same configuration as my other one, created when I installed pfsense.
I works just fine for everything except my VoIP.I have access to my zyxel router but it is limited. I cannot update the firmware and view the VoIP configuration. That is all managed my ISP.
But I might be able to get them to do some things for me in I am not able to. There might be more settings that I am not capable of changing that I am not aware of.I also just phoned my ISP and asked about IP-addresses and they told me I am able to get up to 5 with my current subscription.
-
I want to make this interface a straight hole into the internet with no nat or firewall so that something from my end can get an external IP-address from my ISP and sent data through pfsense.
In other words I want it to act like a switch.I am not a pro so I need some help from someone who that can tell me how this may be done.
-
You have a public IP on the WAN of your pfSense box right?
If the only thing plugged into that interface is your VOIP device then simply create a WAN rule pointed at that interface and allow all.
Interface- WAN
TCP/IP- IPv4
Protocol- TCP/UDP
Source- Any
Source Ports Any
Destination- (Id make this your device's Local IP.)
Destination Ports - Try 5060 and 5061 first and see if it will connect
In order to do what your asking you would have to bridge that interface to the WAN and you would still need rules between them. You would also need a second public IP address for your VOIP device. Its much more complicated if your not familiar.
-
On the outbound NAT rules for that interface you might also make the whole interface Static Port… Some providers still need this although only a few from what Ive seen.
https://forum.pfsense.org/index.php?topic=84339.0
-
Then I would like to become familiar. :)
The method you suggested unfortunately does not work. When I called my ISP just before my last post, they told me the VoIP router must have a public IP.
It may be hard for me to understand every setting at first, but I will have something to think about during the week end and if I cannot get my head around it I will just have to use google.For the hard way to function correctly do I need to have two static IP-addresses, only one for either VoIP or pfsense or can I stick with dynamic IP?
-
Im not sure why the ISP would be involved with what your VOIP adapter needs… Is your ISP the VOIP provider as well?Nevermind- just reread… The Zyxel is a popular ATA router and many people have them behind routers.they told me the VoIP router must have a public IP.
Your provider obviously has decided to take NAT out of their VOIP equation then possibly. ::)
Do you have a spare switch that you could use to split your modem off to the two separate routers? The pfSense box and the Zyxel?
You can use Dynamic Addressing for the public IP's no problem. You just need to be able to get two addresses.
