VOIP - Basic configuration of pfSense
-
Hi !
We have bought a new SIP Phone system; Panasonic KX-NCP-500.
We need to configure this to work behind NAT. The reason for us to use NAT is for it to be accesible from local computers (phone software/applications).
(The public IP's in this post is fictional)
We have a subnet from our ISP. Our regular internet use 81.200.200.98 <nat>10.0.0.x
The SIP system has an dedicated public IP 81.200.200.100
And two local IP's :
SIP-MPR 10.0.0.98
SIP-DSD 10.0.0.99This is the NAT's to be configured :
SIP-MPR 5060 UDP -> 10.0.0.98
SIP-DSD 10000-60000 UDP > 10.0.0.99- I've also been told (from our voip service provider) that the network must allow traffic to/from the ports 10000-60000 UDP to/from IP 193.80.100.5
SIP Remote managment 35300 TCP > 10.0.0.98
So pfSense needs to be configured for two public IP's :
81.200.200.98 - Internet
81.200.200.100 - SIP systemWhere do I start ?
Thanks in advance !</nat> - I've also been told (from our voip service provider) that the network must allow traffic to/from the ports 10000-60000 UDP to/from IP 193.80.100.5
-
pfSense (actually any nat/firewall device) config depends on the capabilities of the IP-PBX and its support of NAT-traversal RFCs.
Will you be using remote extensions (i.e. people connecting to your IP-PBX from home or from a hotel while on the road etc) ? Btw it's considered bad practice to open an IP-PBX to the Internet using publicly routable IPs; there have been just too many cases of companies who got huge phone bills (hundreds of thousands of dollars) due to toll fraud.
I also don't quite understand why you'd be using different IPs for SIP (5060) and RTP (10000-60000) for the same VoIP PBX.
-
for me to get my Elastix box working i had to enable Manual outbount NAT under firewall, NAT, outbound NAT and make a rule that my VOIP LAN IP went out over the same inbound NAT virtual IP i had set. and also set "static port" and it worked.
Not sure if the same issue your having.
-
You must create the proper NAT rule for the 2nd IP, set static port NAT and create firewall rules to ensure the traffic is routed through the correct gateway.
Then forward inbound the port 35300 as requested by the installer. You should not have to forward the UDP port range inbound, unless either the PBX or carrier is not properly handling the NAT, but normally ensure there's no firewall rule that will block/reject the traffic. In the case you believe you need to forward the ports, ensure you have set Log packets blocked by the default rule under Status > System Log > Settings and then watch Status > System Log > Firewall while placing test calls.