    Siproxd Update

    pfSense Packages
      chpalmer

      There were some posts to http://forum.pfsense.org/index.php/topic,44011.msg228334.html  that I missed and now a PM has brought them to my attention.

      The original document failed to show some apparently needed firewall rules to actually get this going.  First I'll try and repost the original document here and then do a better step by step with some explanation of settings and rules.  I've had the rules since the beginning and must have just foobar'd and ASSumed.  ::)

      I use Siproxd at two sites at this point with Voipo as my provider and couldn't be happier with the whole setup.

      This will be a work in progress.   I am now running pfSense 2.0.3 at both of my business locations.

      Triggering snowflakes one by one..
      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

        chpalmer

        Start Document

        Using VOIPo Devices Behind a pfSense Router

        I've been using pfSense routers on my networks for a number of years and while I don't
        know everything about them there is to know I'm very comfortable using them and trust them for the
        security of not only mine, but my customers' networks without hesitation.

        Due to the sophistication of my business and home networks which are tied together via
        OpenVPN, and the fact that I run other voip devices (radio and phone), I could not run the ATAs in
        front of the network as the perimeter device. Besides, we've been known to lock up various soho
        routers with the amount of traffic we tend to generate.

        Voip ATAs generally work better directly against the public internet. In fact without some
        kind of proxy or stun server many times voip will fail. VOIP traffic many times is up against
        devices that are too eager to close connections after a minimal amount of time.

        pfSense is a stateful packet inspection firewall/router firmware, based on FreeBSD.
        Firewalls by default are supposed to block traffic from sources that initiate unsolicited contact with
        your network unless they have been directed otherwise. pfSense does this well.

        Picture here.

        The guys over at the pfSense design center have added the ability to add "packages" into
        the system thus allowing various addons. I've added and configured the "siproxd" package onto my
        pfSense routers and will detail my settings here.
        http://siproxd.sourceforge.net/

        page1.jpg

          chpalmer

          Assuming you have a working pfSense firewall already we will not visit any initial firewall
          setup here. Starting at System/Packages page (/pkg_mgr.php) locate and install the siproxd package.
          This is done by clicking the + button to the right of the individual packages on the page.

          Picture page2a here.

          Once the package is installed you will find it on the installed packages page…

          Picture Page2b here.

          and find a new menu item under "Services". Visiting this page we get to configure siproxd. I
          did not have any luck trying to use any other outgoing port than 5060 and had to ask VOIPo tech
          support to move my outbound server setting. My ATA "inbound" port is still 5078 and 5079.
          "Inbound Interface" = LAN
          "Outbound Interface" = WAN
          "Listening Port" = 5060 You may have to work with VOIPo to change your ata(s) to this.
          "RTP port range (lower)" = 16384
          "RTP port range (upper) " = 16482 Work with VOIPo to make sure these are correct for you. They
          are default Linksys settings and some others out there...
          "Expedited RTP Forwarding" Enable this.
          "Expedited SIP Forwarding " Enable this.
          "Enable Fix Bogus Via Networks Plugin" Enable this.
          "Bogus Via Networks" = Enter the subnet of where your ATA's reside or simply just the IP of your
          single ATA.
          Click "Save". I've been told at this point you should re-boot the firewall. I just went to the
          "/status_services.php" page and restarted the siproxd service...

          Add-  I have still yet not been able to use any other SIP port than 5060 with siproxd.
          Add-  Your RTP port range needs to match the settings on your ATA.   Linksys came with the above settings.  Grandstream usually has 5004 as the first port. I use 5059 as the last.
          You need to work with your tech or provider for the correct settings.

          page2a.JPG
          page2b.JPG
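
A check of the settings described in the post above, as an added example that is not part of the original thread or the pfSense package: it parses a siproxd.conf and reports where the proxy and the ATA disagree (listening port, RTP range, Bogus Via network). The sample file, interface names, ATA address and the `parse_conf`/`check` helpers are constructed for illustration, and the mapping from the pfSense GUI fields to these siproxd.conf keys is an assumption.

```python
import ipaddress

# Constructed sample siproxd.conf with the values from the post above.
# Interface names and the 192.168.1.0/24 ATA subnet are assumptions.
SAMPLE_CONF = """\
if_inbound  = em1
if_outbound = em0
sip_listen_port = 5060
rtp_port_low  = 16384
rtp_port_high = 16482
load_plugin = plugin_fix_bogus_via.la
plugin_fix_bogus_via_networks = 192.168.1.0/24
"""

def parse_conf(text):
    """Parse 'key = value' lines; repeated keys such as load_plugin are kept in order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf.setdefault(key, []).append(value)
    return conf

def check(conf, ata_ip, ata_rtp_low, ata_rtp_high):
    """Return findings as strings; an empty list means siproxd and the ATA agree."""
    def last(key):
        return conf.get(key, [""])[-1]
    findings = []
    if not last("if_inbound") or last("if_inbound") == last("if_outbound"):
        findings.append("inbound/outbound interfaces missing or identical")
    if last("sip_listen_port") != "5060":   # the only port the post got working
        findings.append("sip_listen_port is not 5060")
    try:
        low, high = int(last("rtp_port_low")), int(last("rtp_port_high"))
    except ValueError:
        findings.append("RTP port range missing or not numeric")
    else:
        if low > high or (low, high) != (ata_rtp_low, ata_rtp_high):
            findings.append(f"RTP range {low}-{high} does not match ATA "
                            f"{ata_rtp_low}-{ata_rtp_high}")
    if not any("plugin_fix_bogus_via" in p for p in conf.get("load_plugin", [])):
        findings.append("fix_bogus_via plugin is not loaded")
    nets = [n.strip() for n in last("plugin_fix_bogus_via_networks").split(",")]
    ata = ipaddress.ip_address(ata_ip)
    if not any(n and ata in ipaddress.ip_network(n, strict=False) for n in nets):
        findings.append(f"ATA {ata_ip} is not covered by plugin_fix_bogus_via_networks")
    return findings
```

Calling `check(parse_conf(SAMPLE_CONF), "192.168.1.50", 5004, 5059)` with the Grandstream range mentioned in the post returns a single RTP range mismatch against the sample file.
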
            chpalmer

            Page 3 screenshot 1

            page3a.JPG

              chpalmer

              Page 3 screenshot 2

              page3b.JPG

                chpalmer

                Restart the ATAs and let em sync. You might want to unplug em early on to let the
                registrations on VOIPo's server clear as the servers don't allow too many registrations per my
                experience…

                This was a document that I originally wrote for Voipo customers and therefore has references to that service. YMMV.

                Picture 4a here.

                Page above showing active registrations… Yes it will work with multiple sip servers... I just didn't
                get this picture while my other ATA was powered up...

                Picture 4b here.

                States page showing one ATA hooked to the byod server and the other with two ports connecting to
                the west production server...
                This is how your Vpanel page should look if the proxy is working...
                I bridge two of my numbers together quite regularly on my desk phone and the quality is amazing.

                Picture 4c here.

                page4a.JPG
                page4b.JPG
                4c.JPG

                  chpalmer

                  This is where I should add another page to that document.  I've helped a few other Voipo customers and we all have similar settings.

                  This is where it gets tricky. If you look at the rules in the picture below, you will notice that our SIP servers are not the same as our RTP servers. In fact RTP is directly served by the backbone providers. [sarcasm]the firewall just loves this[/sarcasm] Not all voip providers do this. You have to do some work to figure out what you have. I looked at the state tables and firewall logs during test calls to come up with my rules.

                  Vonage uses SIP port 10000 and RTP of 10001 to 20000. Their SIP and RTP come from the same servers. If you have two numbers on your ATA you will point at two different servers. I've never had to use Siproxd with Vonage. But couldn't justify the high cost (commercial phone service) of Vonage.

                  I have not been able to (happily) duplicate a telephone number on ports 1 and 2 of my ATA pointing at the same server through Siproxd (without some kind of issue). Again- YMMV.

                  page5a.JPG

                    Tillebeck

                    Thank you for this guide

                    I have a few questions that may help complete this guide:

                    • Must the pfSense be set up to "AON" Advanced Outbound NAT or is default enough when working with siproxd?

                    • Must each client ATA be configured to use the pfsense/siproxd as proxy or will this happen automatically?

                    • There is a "user" tab in the siproxd. I guess that is not used at all, correct?

                    BR. Anders

                      Tillebeck

                      Hi

                      My pfsense with siproxd is 10.24.0.1

                      What should be edited in this setup from my SIP-adaptor:

                        chpalmer

                        Most people don't have access to their sip settings. You don't have to touch those.

                        If your phone still doesn't show up in the SIP settings then un-plug the ata.

                        Go into your states and locate any states for your ata.

                        Make sure that Siproxd is actually running in "Services".

                        Reboot your ata.

                        Should show up now.

                        That's how I do it anyways…

                          RenderMonkey

                          Hi!

                          I have had big problems with my siproxd but your guide has helped a lot. The problem I had was that the state between my firewall and my sip provider kept dropping. After I set the rule up that you suggested it worked much better and the state held up for some days. But this morning it was down when I came to work.

                          I have 6 phones which are all registered in siproxd's interface. I have set up the rule as I think you did: on the Wan side the sip provider is set as source and my wan address on the destination, port 5060 over TCP/UDP.

                          Is there anything I can set up for forcing the state not to go down, much like a ping can keep a VPN connection up? As of now from what I can understand it keeps up as long as possible but nothing stops it from going down if the resources are needed elsewhere. Perhaps there is a way to get the state up again if it goes down? The only way that I found to get the state up again is to make an outgoing call from one of the phones.

                          Hope for some help. Cheers!

                          //Peter
