VOIP Issues
-
I have a weird intermittent issue that happens with our VoIP when going through PFSense. The phones register no problem, we get inbound calls, can make outbound calls, 99% of it works. However sometimes when we make a call and there is an automated system i.e. press 1 for sales, 2 for support etc. pressing the number doesn't register with the automated system. If we call right back with a cell phone it works, call with the VoIP phone same issue, after 4-6 attempts it sometimes works. As a second issue, not sure if its the same or completely unrelated, there will be sometimes when we try and make an outgoing call and it just doesn't seem to connect, just hangs there in silence. Again we can call it from a cell phone no problem, and sometimes after several redial attempts it goes through.
We have about 20 Polycomm VVX311 phone behind the PFSense firewall connecting to 8x8 hosted solution.
All the VoIP phones are on their own dedicated VLAN. We don't block any outgoing traffic. We also haven't created any incoming rules.
I have tried to setup siproxd but it doesn't seem to be working. None of the phones show up under the registered phones tab on there.
I also tried to enable "static ports" in the outbound NAT rule and that just seems to break all the phones. -
If you want to use SIProxd.. See if the phones have an "Outbound Proxy" setting.. Make this their LAN "Gateway" (or the IP address of your pfSense VLAN.
If you use SIProxd.. Make a firewall rule from your SIP server to your WAN address on your pfSense box. Also a rule(s) for your RTP server to your pfSense WAN address.
If you do not use SIProxd.. Make these same rules pointing at your VOIP VLAN.
-
There is a lot to go over here for troubleshooting.
Do you use QOS? You said they are on their own vlan, but is QOS enabled and configured?
What type of phone service do you use? Is it a cloud PBX (RingCentral or Blue IP etc…) or a self hosted solution?
What type of switch are these phones connecting to? Did you ensure Green Ethernet are disabled on the switch?
How is the ISP line? At ths time of this happening did you do any ISP related testing on the line? is there any packet drops?
Have you tried running jitter tests on your network?
Is it possible that the modem has SIP enable and its conflicting with the router?
Does PFSense or Switch logs indicate any thing at the time of this happening?
Have you tried to followed this guide?
https://doc.pfsense.org/index.php/VoIP_Configuration
I could go on and on but we need more specific details.
-
I just realized I might be going about this all wrong. Our VOIP solution is through 8x8, but I don't know if it is a SIP solution as there isn't one SIP server, they have a network of IP address that the phones could connect to. I am not familiar with the differences in VoIP communications.
The PolyComm VVX311 phone connects directly to their servers. All we do is give it a local IP address, gateway (the PFSense Firewall) and DNS Server information. The phone then resolves a server address, which I assume round robins or something between the many they have and communicates directly to their servers.
To answer a few more questions,
I have HFSC traffic shaping enabled on the PFSense firewall the rule is based on the list of servers 8x8 provided, so anything going to their servers or from their servers is considered VOIP traffic and is prioritized as such,
The switch they are connecting to is a Netgear M4100-50G-POE+ which i had previously disabled Green Ethernet as it was causing other issues. It also has QoS setup as per their documentation.
The ISP is a 25/25Mbps fiber from Time Warner, and all that is there is what I believe to be a modem, or whatever its called that converts fiber to ethernet. It is an Adva FSP 150CC.
I did follow the guide, I just haven't had a chance to try the last option in regards to enabling scrub. I was going to try that here in a little bit. Also as stated in my first post turning on the static port option broke all the phones like they could no longer communicate with the external servers.
As for checking the logs, unfortunately I don't get the info until after the fact that there was an issue, I am trying to get them to report it right away since they are making a big deal of it and checking logs for "it was 3ish last thursday" well thats a needle in a haystack.
I will try and find a jitter test to run, I haven't run one, but it might not be accurate since I will be running it from a PC which will be on the wrong VLAN and won't be prioritized as VoIP traffic.Thanks again for your help
-
If you want to use SIProxd.. See if the phones have an "Outbound Proxy" setting.. Make this their LAN "Gateway" (or the IP address of your pfSense VLAN.
If you use SIProxd.. Make a firewall rule from your SIP server to your WAN address on your pfSense box. Also a rule(s) for your RTP server to your pfSense WAN address.
If you do not use SIProxd.. Make these same rules pointing at your VOIP VLAN.
Thanks for the feedback. Their gateway is already the VLAN interface and I am not sure exactly what rule exactly you want me to make. They don't have seperate RTP servers, they only have a list of servers based on where you live(West US/East US, UK etc) If you could be a little more specific on what the rule should do, and I am assuming you are suggesting it be made on the WAN interface as I stated that nothing from that VLAN is blocked. Also I am not sure what area of the PFSense config you were in when you took that screen shot, I haven't been able to find that info anywhere on the PFSense firewall.
Thank you.
-
Yeah I feel ya. I do this kind of troubleshooting all day. (maily with Cisco switchs and Watchguard firewalls) Doesn't help when users wait hours to report the issue… or not accurate in the time the issue occurred.
It sounds like you are using a cloud PBX solution. It's pretty standard nowadays.
You mentioned about the switch QOS "It also has QoS setup as per their documentation" Netgears documentation or the VOIP vendors documentation? Different vendors have different QOS requirements or recommendations. Make sure you are using QOS recommendations from your SIP provider. How big is this network? How many phones? Would it be possible to disable QOS on PFSense and the switch to test? If the network is small enough, QOS should have a minimal impact.
I have a feeling your issue is related to NAT. You said you changed it to static NAT and phones broke? Are you sure you configured static Nat properly? You can't simply just enable it, you also have a clone and edit a rule to allow static NAT traffic to be used properly. (you can define just the VOIP subnet for the static NAT only if you want, you don't have to do it globally).
If I had to guess it is NAT or QOS that is causing your issues. But that's just a guess. It's a pretty well known issue that port rewrite causes a lot of issue with VOIP on PFSense. That's why its the first thing most people recommend to change.
-
I have a feeling your issue is related to NAT. You said you changed it to static NAT and phones broke? Are you sure you configured static Nat properly? You can't simply just enable it, you also have a clone and edit a rule to allow static NAT traffic to be used properly. (you can define just the VOIP subnet for the static NAT only if you want, you don't have to do it globally).
I have a feeling your right, the only documentation I could find on enabling static ports was to go to the outbound NAT switch to Manual (which I was already on) go to the rule for the VLAN, which in my case is the entire 192.168.150.0 network, scroll down and check the box that said "Static port" leaving the port field empty.
After doing that, none of the phones (except maybe the first one to grab the desired port) were able to communicate with the external VOIP server.Please correct me if this is not the correct way, but the documentation isn't very clear.
And actually after re-reading https://doc.pfsense.org/index.php/Static_Port it makes it sound like it is for one IP address, do I need to create a rule for each of my ip addresses in use by the phones?
-
Yeah I agree, its not very detailed. Had same issues myself when I first went through it. However, it sounds like you did it properly.
Did you make sure to filter and kill existing connections under states?
Did you try to reboot other phones and/or the switch after the change? It could be possible some packets from the previous state where in the mix? Reboots should clear them out etc..
On the phone that actually did connect. Were you able to do any testing on it while it was up?
-
Yeah I agree, its not very detailed. Had same issues myself when I first went through it. However, it sounds like you did it properly.
Did you make sure to filter and kill existing connections under states?
Did you try to reboot other phones and/or the switch after the change? It could be possible some packets from the previous state where in the mix? Reboots should clear them out etc..
On the phone that actually did connect. Were you able to do any testing on it while it was up?
I will test again tomorrow morning, it is business hours right now and I don't want to bring down the entire phone system, they would not be happy. :P
-
Ha yeah not a good idea. Good luck!
-
https://forum.pfsense.org/index.php?topic=133600.msg735013#msg735013
Maybe some of this will help.
Your not on a cable connection for internet are you? Any modem with a Puma 6 chipset can wreak havoc on a VOIP system..
-
I tried to enable the static ports again and here is what happened. While the phones seem to communicate to the hosted server, some wouldn't even register, the ones that did appear to be registered could not make or receive calls.
https://forum.pfsense.org/index.php?topic=133600.msg735013#msg735013
Maybe some of this will help.
Your not on a cable connection for internet are you? Any modem with a Puma 6 chipset can wreak havoc on a VOIP system..Unfortunately these don't appear to be relevant, these are mostly for users trying to get one Voip device working behind the firewall. I have about 20 phones.
Although I will check the documentation on the ports used and see if adding firewall rules to allow those ports from their Voip servers to our local voip network resolves any issues. -
I wonder if it has to do with the packet rules once it changed over to static.
Could you put a phone on a static IP as well then make a rule to allow all inbound and outbound traffic to that phone, then reboot the phone and see if it can register?
-
I do have a customer with multiple Cisco SIP phones behind his firewall (another brand) and he has to specify a different SIP port for each phone. 5060-5090.. (inbound) though all phones go out to port 5078 on their SIP server..
I have to go back and look but I believe this is a shortcoming of NAT in this case… Might be a clue for you.
In my case here Ive always used SIProxd for multiple phones so no real experience myself there trying without it.
Reason I ask about the type of connection is that when we were using a PUMA 6 equipped cable modem we had similar issues with audio and DTMF due to the modem dropping UDP packets.
-
Could it simply be a DTMF issue?
http://community.polycom.com/t5/VoIP/FAQ-Phone-unable-to-send-DTMF-to-an-IVR-system-or-how-to/td-p/4237
"If you are unable to send DTMF Signals to a IVR or Voice Mail System you may need to change the method or the payload type.
Please liaise with your SIP Platform Support in order to gather this Information.
Changing from SIP Inbound (RFC2833) to SIP INFO (RFC2976) must be done with a Configuration File loaded from a Provisioning Server."
-
This post is deleted!