Help migrating from Ipcop 1.4.21
-
I have started the migration process from Ipcop 1.4.21 to pfsense 2.2.
Old Setup
4 nic cards:
Red (connected to bridged modem)
Green (connected to LAN switch)
Blue (Connected to wireless AP)
Orange (connected to internal DMZ servers)
Domain registered thru no-ip (let's use mydomain.com as an example here).
I have recreated the 4 networks on pfsense:
WAN (DHCP)
LAN (DHCP 192.168.1.1/24 with DHCP range from 192.168.1.200 to 192.168.1.25)
Blue (192.168.2.1 connected to a Netgear router configured as an AP 192.168.2.2)
Orange (192.168.3.1 connected to a Web Server 192.168.3.3, SIP Server 192.168.3.5 etc)
I started the pfsense box and from my laptop (192.168.1.74) I can ping both my AP and the web server (192.168.2.2 and 192.168.3.3)
Next I created firewall rules (see attached).
Problem.
When I point my browser from my laptop to https://www.mydomain.com, I get a 404 error message. If I issue a tracert mydomain.com, it points to my external IP address.
Similarly, none of my SIP phones are connecting. I have created a firewall rule on WAN forwarding UDP 5060 and 10000-20000 to my 192.168.3.5 (SIP server)
What am I doing wrong?
Thanks
Renato
-
"When I point my browser from my laptop to https://www.mydomain.com, I get a 404 error message. If I issue a tracert mydomain.com, it points to my external IP address."
"Similarly, none of my SIP phones are connecting. I have created a firewall rule on WAN forwarding UDP 5060 and 10000-20000 to my 192.168.3.5 (SIP server)"
Are your sip phones and the sip server both behind the SAME pfsense?
Is https://www.mydomain.com a site running behind the same pfsense you are trying to connect from?
-
Yes, the phones are all connected to 192.168.1.X (LAN Network) while Elastix server is connected to the Orange network card (192.168.3.X)
Thanks
Renato
-
If all of your phones and your server are on the LANs side of pfsense, you don't need any sip rules on the WAN. None.
Is there anything OUTSIDE your pfsense network that is using your elastix server? Phone? Video? Audio?
Are you pointing the SIP phones at the local LAN IP of the server or at some domain name or public IP?
-
This is just me… However.
If I had an elastix server (I do have something like that) and ALL of my phones and other clients to that server were inside my network, I would not have any rules on my wan at all related to elastix. Also, I would put my elastix server on the same subnet as my clients just to make things easy unless you feel a need to have access to elastix firewalled off from the LAN. Even if I decided to put my elastix box on a separate subnet, I would not DMZ it. Why bother unless you have external clients?
-
Kejianshi
Thanks again for your reply.
Perhaps these pics will help clarify.
Net:
I have Sip Phones connected to the LAN interface and I also have remote phones which would be connecting thru the WAN. In both scenarios, all phones have mydomain.com in the domain setting.
Hope this helps clarify.
Renato
-
How many remote phones are out there? Are they at many sites?
On your pfsense you will need a domain override to point to the local address of your server.
-
I fixed remote site and my laptop also have a SIP softphone which I use for my travel.
How do I enable the "domain override"? Sorry for the dumb question :)
Renato
-
I'd set up VPN at the remote site just for the sip and laptop also. Then close all those forwarded ports. This will 100% eliminate NAT issues and make things far more secure.
-
With a sip server, you can end up fighting with NAT for ages. A good UDP VPN server will fix you right up.
as far as domain overrides, what are you using for DNS?
-
pfsense is getting the default DNS servers from Verizon
i.e. 71.242.0.12 and 71.252.0.12
Renato
-
DNS forwarder?
Try Services: DNS forwarder
Then in there at bottom, Host overrides / domain overrides.
You can use this to make your things resolve to an internal local IP (sip server IP for example), instead of the public IP.
https://doc.pfsense.org/index.php/DNS_Forwarder
Me personally, I just use IPs directly at the SIP device instead of relying on DNS.
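As an added example (not from this thread or from the pfSense project), here is a small POSIX shell check a LAN client can run to confirm that the DNS forwarder host override is actually in effect, i.e. that www.mydomain.com now resolves to the internal web server rather than the WAN address. It assumes the LAN address 192.168.1.1 as the resolver and 192.168.3.3 as the web server (both from the thread); the address 203.0.113.10 used in the sample answers is a constructed placeholder for the public WAN IP.

```shell
#!/bin/sh
# Added example (not from the thread): classify what a LAN client gets back
# when it resolves the public hostname, to confirm the DNS forwarder host
# override (www.mydomain.com -> 192.168.3.3) is in effect from inside the LAN.

# is_rfc1918 IP : succeed if IP falls in 10/8, 172.16/12 or 192.168/16
is_rfc1918() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# classify_answer EXPECTED_INTERNAL_IP RESOLVED_IP
#   override-active        : the forwarder handed out the internal server IP
#   private-but-wrong-host : a private IP came back, but not the server's
#   public-ip-no-override  : the public (WAN) address came back, so the LAN
#                            client will try to hairpin through the WAN
#   no-answer              : nothing resolved at all
classify_answer() {
  expected="$1"
  got="$2"
  if [ -z "$got" ]; then
    echo "no-answer"
  elif [ "$got" = "$expected" ]; then
    echo "override-active"
  elif is_rfc1918 "$got"; then
    echo "private-but-wrong-host"
  else
    echo "public-ip-no-override"
  fi
}

# check_name FQDN EXPECTED_INTERNAL_IP [RESOLVER]
# Live helper: asks the pfSense forwarder (default 192.168.1.1, the LAN
# address from the thread) and classifies the first A record it returns.
# Needs `dig` and network access, so it is not invoked below.
check_name() {
  fqdn="$1"; expected="$2"; resolver="${3:-192.168.1.1}"
  answer=$(dig +short A "$fqdn" "@$resolver" 2>/dev/null \
           | grep -m1 -E '^[0-9]+(\.[0-9]+){3}$')
  printf '%s -> %s : %s\n' "$fqdn" "${answer:-<none>}" \
         "$(classify_answer "$expected" "$answer")"
}

# Constructed sample answers (no network needed):
classify_answer 192.168.3.3 192.168.3.3     # override-active
classify_answer 192.168.3.3 203.0.113.10    # public-ip-no-override (203.0.113.10 is a constructed WAN address)
```

Run `check_name www.mydomain.com 192.168.3.3` from a LAN machine after adding the host override: `public-ip-no-override` means the forwarder is still handing out the WAN address (the override is missing, or the client is using the ISP resolvers directly instead of pfSense), while `override-active` means the client will reach the web server on the Orange interface directly and no NAT reflection on the WAN is involved.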