Netgate Discussion Forum
    VoIP on Separate Interface

    • chpalmerC
      chpalmer
      last edited by

      Once you make this change make sure to reboot the voip device and let it sit for up to a good half hour.  They can sometimes take a while to request their config file.

      Triggering snowflakes one by one..
      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

      • F
        Filip
        last edited by

        I set TFTP to lan and will see if anything happens.

        But I suppose I have to open one or a few ports to let calls through, right? Or will TFTP take care of that too?

        • chpalmerC
          chpalmer
          last edited by

          pfSense rewrites the source port and TFTP transfers such as your VOIP device uses to get its config file do not like that.

          It's hard to tell if your VOIP provider will require any rules or not. It depends on how they are set up.

          With one provider I need rules, the other I do not.  I've actually quit the one that doesn't need rules and ported those numbers to the one that does.

          No NAT rules however.  You should not need inbound NAT to a VOIP ATA (client device) these days.

          Triggering snowflakes one by one..
          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

          • F
            Filip
            last edited by

            After trying what you suggested I found that the WAN LED on the router lit up orange instead of green as it does if I plug it straight into the wall.
            Although it still functions and provides internet access to a computer I plugged into its LAN for testing. It did however not download any
            configuration files or make any changes to the settings as it should have done according to my ISP's website during the time I had it plugged in.
            It is possible that it tries to receive something but fails as the WAN light flashes rapidly in bursts when plugged in to the pfsense box even if nothing is connected to it.

            It is possible it needs to be port forwarded. I did a port scan and found out that several ports were open by default in the router.
            This was scanned from inside its own LAN and there was nothing open from the WAN side. This is also right after a reset.

            21     filtered  ftp
            22     open      ssh
            23     filtered  telnet
            53     open      domain
            80     open      http
            443    filtered  https
            7676   open      imqbrokerd
            10000  open      snet-sensor-mgmt
            10001  open      scp-config
            49152  open

            All open on tcp.

            It might not be necessary but I did it just in case it would be important and overlooked later on.

            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by

              If the provider of this box cannot provide you with the ports it requires if behind a firewall, I would question that for sure - maybe the 1st level guy we're talking about just didn't know.  Ask to talk to an engineer.

              Your other option is to sniff on the pfsense interface this box is connected to and see what it is trying to do.

              Or other option: put this box in front of pfsense for your voip stuff, and make pfsense behind its nat..  Just forward all ports on your zyxel to pfsense wan IP, or make pfsense wan IP the dmz host, etc.  Or turn it into a bridge, where pfsense would get your public IP but voip would still be handled by the device.

              Other option is to enable UPnP on pfsense so it can forward the ports it needs on pfsense.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              • F
                Filip
                last edited by

                I will try to get the ports by either sniffing them or calling the support again. I have asked to talk to a next level person, but there are none available. At all, they say at least.
                I once got a number from them to an independent company that knew more but took extra money for me calling in.

                Meanwhile, is it possible to create a "transparent" interface that forwards the wan address to trick the VoIP modem that it is the first, while actually pfsense is the first line?
                I would like to do it like that because configuring the zyxel to act like a bridge is slowing down my network speed by a fair amount. It is not, or at least mine is not very fast.

                How the ISP wants me to plug it all in:
                ISP – zyxel – pfsense – LAN
                                \ – Phone

                How I would like it to be:
                ISP – pfsense – LAN
                                  \ – zyxel – Phone

                I do not know if it would work but I imagine I would be able to open every port in that interface to not block anything and still be safe on my LAN.

                • F
                  Filip
                  last edited by

                  And thanks to you for helping me as well.

                  • F
                    Filip
                    last edited by

                    I scanned my network traffic while calling in and out and saw a reference to port 5060.
                    I saw some protocols that were used:

                    • TCP

                    • SIP

                    • RTP

                    • TRCP

                    • Syslog

                    I also saw, while looking at the packets that were sent first during calls out and found, a reference to an md5 hash (supposedly a password), so I will not be filling in the information manually for some time.
                    The traffic flowed to a remote host that I could not ping and from a host other than my own IP.

                    This was done by making another computer a bridge with sniffing tools running on it and the zyxel connected to the forwarded port from the bridge.

                    So I plugged everything back and tried to open some ports in pfsense and point them to the zyxel router, but with no luck. Nothing is getting through.

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      You do understand that pfsense can sniff traffic on any interface, there is a gui to do it under diag.  If you need to sniff on multiple interfaces at the same time I find it easier to just ssh to pfsense a few times and run whatever tcpdump I want in each shell, etc.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11
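
An added example, not part of anyone's post: one way to turn a capture taken on the VoIP interface into the list of flows the device actually uses, so rules can be written for those flows. The capture lines, the device address 192.168.2.10 and the function names are constructed for the example.

```python
import re
from collections import Counter

# Constructed capture in the style of `tcpdump -nn` text output. All addresses
# are private/documentation ranges chosen for the example, not from the thread.
SAMPLE = """\
10:00:01.000001 IP 192.168.2.10.1025 > 203.0.113.7.69: UDP, length 28
10:00:01.050000 IP 203.0.113.7.40112 > 192.168.2.10.1025: UDP, length 516
10:00:05.000000 IP 192.168.2.10.5060 > 203.0.113.5.5060: UDP, length 540
10:00:05.040000 IP 203.0.113.5.5060 > 192.168.2.10.5060: UDP, length 480
10:00:09.000000 IP 192.168.2.10.16384 > 203.0.113.6.20000: UDP, length 172
10:00:09.020000 IP 192.168.2.10.16384 > 203.0.113.6.20000: UDP, length 172
10:00:12.000000 IP 192.168.2.10.49152 > 203.0.113.9.443: Flags [S], seq 1, win 65535, length 0
10:00:13.000000 IP 198.51.100.77.33000 > 192.168.2.10.5060: UDP, length 400
"""

LINE = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (.*)")


def parse(text):
    """Yield (proto, src, sport, dst, dport) for each IPv4 line tcpdump printed."""
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            src, sport, dst, dport, rest = m.groups()
            # Heuristic: tcpdump prints "Flags [...]" only for TCP segments.
            proto = "tcp" if rest.startswith("Flags [") else "udp"
            yield proto, src, int(sport), dst, int(dport)


def summarize(text, device):
    """Split the device's traffic into outbound flows and inbound packets
    that are not the exact reverse of something the device sent first."""
    outbound, unmatched, seen = Counter(), Counter(), set()
    for proto, src, sport, dst, dport in parse(text):
        if src == device:
            outbound[(proto, dst, dport)] += 1
            seen.add((proto, sport, dst, dport))
        elif dst == device and (proto, dport, src, sport) not in seen:
            # e.g. a TFTP server answering from a new port of its own,
            # or a SIP message arriving from a host the device never contacted.
            unmatched[(proto, src, sport, dport)] += 1
    return outbound, unmatched


if __name__ == "__main__":
    out, unmatched = summarize(SAMPLE, "192.168.2.10")
    for (proto, dst, dport), n in sorted(out.items()):
        print(f"out {proto} -> {dst}:{dport} packets={n}")
    for (proto, src, sport, dport), n in sorted(unmatched.items()):
        print(f"in  {proto} {src}:{sport} -> device:{dport} packets={n}")
```

The outbound list gives the destination ports to allow from the VoIP interface; the unmatched inbound list shows what a stateful firewall would not pass as reply traffic.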

                      • F
                        Filip
                        last edited by

                        Yes, I do know that. It is just so that the zyxel router does not function as it should when behind pfsense. Now the phone instantly returns an error sound without even transmitting anything.

                        So I wonder how I would create an interface that just passes all data along with my external ip address that I can connect the zyxel to?
                        That is the only solution I can think of.

                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by

                          That would be a 1:1 nat, but you would need more than 1 public IP if you wanted to send any other inbound traffic to anything else.

                          Just putting the zyxel in front of pfsense would be an easier solution.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                          • F
                            Filip
                            last edited by

                            Okay. If that is the best and easiest way to do it except putting the zyxel in front of everything else, let’s pretend I now have two IP-addresses with one connected to the phone.
                            What would I do to transfer data coming from the phone address to its router and keep the other address to the other interface?

                            • chpalmerC
                              chpalmer
                              last edited by

                              I would just try creating a second LAN interface first.

                              I'd be very surprised if you had to port forward anything at all but instead you just need firewall rules to allow the traffic.

                              Do you have an available interface on your firewall that you can use?

                              Triggering snowflakes one by one..
                              Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                              • chpalmerC
                                chpalmer
                                last edited by

                                Further, my bet is a couple of WAN rules pointed at your device's LAN address would work as well, but I've started putting all my voip devices on a secondary interface as well just for ease and to be able to segregate traffic for statistical purposes.

                                Question-  Do you have admin access to your Zyxel device?

                                Triggering snowflakes one by one..
                                Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                                • F
                                  Filip
                                  last edited by

                                  Yes, I have an excess interface and I turned it into a new LAN with the same configuration as my other one, created when I installed pfsense.
                                  It works just fine for everything except my VoIP.

                                  I have access to my zyxel router but it is limited. I cannot update the firmware and view the VoIP configuration. That is all managed by my ISP.
                                  But I might be able to get them to do some things for me if I am not able to. There might be more settings that I am not capable of changing that I am not aware of.

                                  I also just phoned my ISP and asked about IP-addresses and they told me I am able to get up to 5 with my current subscription.

                                  • F
                                    Filip
                                    last edited by

                                    I want to make this interface a straight hole into the internet with no nat or firewall so that something from my end can get an external IP-address from my ISP and send data through pfsense.
                                    In other words I want it to act like a switch.

                                    I am not a pro so I need some help from someone who can tell me how this may be done.

                                    • chpalmerC
                                      chpalmer
                                      last edited by

                                      You have a public IP on the WAN of your pfSense box right?

                                      If the only thing plugged into that interface is your VOIP device then simply create a WAN rule pointed at that interface and allow all.

                                      Interface-  WAN

                                      TCP/IP-    IPv4

                                      Protocol-  TCP/UDP

                                      Source-  Any

                                      Source Ports  Any

                                      Destination-  (I'd make this your device's Local IP.)

                                      Destination Ports -  Try 5060 and 5061 first and see if it will connect

                                      In order to do what you're asking you would have to bridge that interface to the WAN and you would still need rules between them. You would also need a second public IP address for your VOIP device.  It's much more complicated if you're not familiar.

                                      Triggering snowflakes one by one..
                                      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                                      • chpalmerC
                                        chpalmer
                                        last edited by

                                        On the outbound NAT rules for that interface you might also make the whole interface Static Port…  Some providers still need this although only a few from what I've seen.

                                        https://forum.pfsense.org/index.php?topic=84339.0

                                        Triggering snowflakes one by one..
                                        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.
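
An added example, not from the thread: a SIP device writes its own address and port into the Via and Contact headers, and a capture on the WAN side can be checked against the source address and port the packet actually carried after outbound NAT. The REGISTER message, the addresses and the function names are constructed for the example.

```python
import re

# Constructed SIP REGISTER as sent by a device on a private VoIP interface.
# User, domain and addresses are made-up example values.
REGISTER = (
    "REGISTER sip:voip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@voip.example.net>;tag=49583\r\n"
    "To: <sip:1001@voip.example.net>\r\n"
    "Contact: <sip:1001@192.168.2.10:5060>\r\n"
    "Call-ID: 843817637684230@192.168.2.10\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)


def advertised(msg):
    """Return {header: (host, port)} for the top Via and the Contact header."""
    found = {}
    for line in msg.split("\r\n"):
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "via" and "via" not in found:
            m = re.match(r"\s*SIP/2\.0/\w+\s+([^;:\s]+)(?::(\d+))?", value)
        elif name == "contact":
            m = re.search(r"sips?:(?:[^@>]+@)?([^;:>\s]+)(?::(\d+))?", value)
        else:
            continue
        if m:
            # 5060 is the default SIP port when none is written out.
            found[name] = (m.group(1), int(m.group(2) or 5060))
    return found


def nat_findings(msg, seen_ip, seen_port):
    """List where the message disagrees with the packet's real source."""
    findings = []
    for header, (host, port) in advertised(msg).items():
        if host != seen_ip:
            findings.append((header, "address", host))
        if port != seen_port:
            findings.append((header, "port", port))
    return findings


if __name__ == "__main__":
    # Source port rewritten by outbound NAT, then preserved with Static Port.
    for label, port in (("rewritten", 31544), ("static port", 5060)):
        print(label, nat_findings(REGISTER, "203.0.113.20", port))
```

With the source port preserved only the address mismatches remain, which is the part a public IP on the device removes.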

                                        • F
                                          Filip
                                          last edited by

                                          Then I would like to become familiar.  :)
                                          The method you suggested unfortunately does not work. When I called my ISP just before my last post, they told me the VoIP router must have a public IP.
                                          It may be hard for me to understand every setting at first, but I will have something to think about during the weekend and if I cannot get my head around it I will just have to use Google.

                                          For the hard way to function correctly do I need to have two static IP-addresses, only one for either VoIP or pfsense or can I stick with dynamic IP?

                                          • chpalmerC
                                            chpalmer
                                            last edited by

                                            I'm not sure why the ISP would be involved with what your VOIP adapter needs…  Is your ISP the VOIP provider as well? Nevermind- just reread…    The Zyxel is a popular ATA router and many people have them behind routers.

                                            they told me the VoIP router must have a public IP.

                                            Your provider obviously has decided to take NAT out of their VOIP equation then possibly.    ::)

                                            Do you have a spare switch that you could use to split your modem off to the two separate routers? The pfSense box and the Zyxel?

                                            You can use Dynamic Addressing for the public IPs no problem.  You just need to be able to get two addresses.

                                            Triggering snowflakes one by one..
                                            Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.