Netgate Discussion Forum
    VOIP with NAT

    16 Posts 2 Posters 6.0k Views
rosch

      Hi there,

I'm using the latest version 2.1.4 on an apu1c board and ran into problems when trying to connect our VOIP landline on a Cisco 508G VOIP phone on a private network behind the pfSense box.
      It uses SIP on the standard port 5060.
      I've been successful with registering (at the moment even that doesn't succeed any more).

Firewall and phone details (screenshots):

    • NAT port forward
    • NAT outbound
    • WAN rules
    • Cisco SIP parameters (1)
    • Cisco SIP parameters (2)
    • Cisco Ext 1 (1)
    • Cisco Ext 1 (2)

      Thanks a lot in advance for any clues.

chpalmer

Unless you have a reason for it, "automatic NAT" should be fine for your outgoing rules.

Get rid of your inbound NAT.  Yep…

Your WAN rules need to point to the destination device.  Use the below example as a reference.

(Ignore the Verizon rule in the picture below. I added it by mistake here. I really don't even need it.)

This is the only thing I have set for the GS502 that I have at a remote office location.

Of course, adjust rules to your setup.

[screenshot: ruleset.jpg]

        Triggering snowflakes one by one..
        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

chpalmer

On your 4th page, "Use outbound proxy" = no. If you use the siproxd package then set this to yes. (You don't appear to have anything set for "outbound proxy" anyway.)

2nd page: disable "STUN".

Set your registration interval to something smaller such as 1800 or even 900 for better results while testing.

Note on my WAN rules page that I have RTP traffic from different servers than my SIP registration comes from. This is what gets a lot of people and the reason the provider here wants its customers with problems to do the NAT forwarding to the device. It's done this way because most people are trying to use a device in which there is no way to build separate firewall rules apart from port forwarding. In our case we are not.  Your phone is already capable of notifying the SIP server of its NAT address.

I've found this setup to work for several providers myself.

rosch

            Thanks a lot for your answer.

            I removed the incoming NAT forwardings, set outbound NAT to automatic, and adapted the WAN rule to pass the SIP traffic from the registration server to the phone IP.
            On the phone I disabled STUN, set the outbound proxy to no and set the registration interval to 900.

            No luck at first, the registration status said "Failed (no response)".
            I rebooted pfsense but am still getting the same response from the phone.

            By verizon rule you mean the 3rd rule in your image?
            How did you find out the RTP is not coming from the same address?

I don't have any rules for RTP but I don't think that is necessary for registration to work.

chpalmer

              @rosch:

              Thanks a lot for your answer.

              I removed the incoming NAT forwardings, set outbound NAT to automatic, and adapted the WAN rule to pass the SIP traffic from the registration server to the phone IP.
              On the phone I disabled STUN, set the outbound proxy to no and set the registration interval to 900.

              No luck at first, the registration status said "Failed (no response)".
              I rebooted pfsense but am still getting the same response from the phone.

              By verizon rule you mean the 3rd rule in your image?
              How did you find out the RTP is not coming from the same address?

I don't have any rules for RTP but I don't think that is necessary for registration to work.

              First rule in my picture is for my Verizon Femtocell. I didn't mean to include it and was too lazy to redo the picture…  ;)

I watched the firewall logs while I was attempting calls and noticed that I was getting responses in my RTP range that were being blocked. I was also unable to make calls at the time. When I set up rules for the server's range the calls started working.

On your ATA page, last picture...    Proxy should be the SIP server you're trying to connect to. It's blurred out so just verifying.

Try to set "Use Auth ID" to no.  I had a lot of problems setting this to yes with my provider voipo.

If you're trying to connect to your SIP server on something other than 5060, then at "proxy" put sip.sipserver.com:5080, as an example.

I'll work at making some screenshots of my PAP2 a bit later and post them.

rosch

                No luck with "Use Auth ID" set to no.

                I got a bit further already, but still cannot register:
I took a packet capture and saw that the SIP server is sending the invites on other ports than 5060, so I modified the rule's incoming port to *.
The capture shows this:

From          To           Protocol  Size  Info
WAN        -> SIP_server   SIP       524   Request: REGISTER
SIP_server -> WAN          SIP       615   401: Unauthorized

                This is repeated about every 4 seconds..(4 times in total in my capture file).
                The 401 is normal as the server asks for authentication, which the phone should send as the reply but it never does.

                I also had to modify the destination to WAN instead of my phone IP for the WAN firewall rule since the traffic was blocked.

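The REGISTER / 401 pair in the capture above is SIP digest authentication: the 401 carries a nonce, and the phone is expected to repeat the REGISTER with an Authorization header whose response is an MD5 digest over its credentials, the nonce and the request (RFC 3261 section 22, built on RFC 2617). The following is an added example, not code from the thread, the phone or the provider; it plays both sides of that exchange so a capture can be checked against what the phone should have sent. The realm, username and password are constructed.

```python
"""SIP REGISTER digest authentication, both sides of the exchange.

Added example; not code from the thread, the phone or the provider. Realm,
users and passwords are constructed. Digest algorithm: MD5 as used by SIP
(RFC 3261 section 22 / RFC 2617), with and without qop=auth.
"""
import hashlib
import re
import secrets

REALM = "sip.example.net"            # constructed
USERS = {"1001": "s3cret-pass"}      # constructed: registrar's credential store


def _h(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def parse_params(header: str) -> dict:
    """Parse the parameter list of a WWW-Authenticate or Authorization header."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,]+)', params)
    return {k.lower(): v.strip().strip('"') for k, v in pairs}


def digest_response(username, password, realm, method, uri, nonce,
                    qop=None, nc=None, cnonce=None) -> str:
    """The 'response' value: HA1 = user:realm:password, HA2 = method:uri."""
    ha1 = _h(f"{username}:{realm}:{password}")
    ha2 = _h(f"{method}:{uri}")
    if qop == "auth":
        return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _h(f"{ha1}:{nonce}:{ha2}")


def server_challenge() -> str:
    """WWW-Authenticate value the 401 carries: a fresh nonce to hash over."""
    return (f'Digest realm="{REALM}", nonce="{secrets.token_hex(16)}", '
            f'algorithm=MD5, qop="auth"')


def client_answer(challenge: str, username: str, password: str,
                  method: str, uri: str) -> str:
    """Authorization header the phone should put in its second REGISTER."""
    c = parse_params(challenge)
    qop = "auth" if "auth" in c.get("qop", "").split(",") else None
    nc, cnonce = "00000001", secrets.token_hex(8)
    resp = digest_response(username, password, c["realm"], method, uri,
                           c["nonce"], qop, nc, cnonce)
    fields = [f'username="{username}"', f'realm="{c["realm"]}"',
              f'nonce="{c["nonce"]}"', f'uri="{uri}"',
              f'response="{resp}"', "algorithm=MD5"]
    if qop:
        fields += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    return "Digest " + ", ".join(fields)


def server_verify(authorization: str, method: str) -> bool:
    """Registrar side: recompute with the stored password, constant-time compare."""
    a = parse_params(authorization)
    password = USERS.get(a.get("username", ""))
    if password is None or a.get("realm") != REALM:
        return False
    expected = digest_response(a["username"], password, REALM, method,
                               a["uri"], a["nonce"], a.get("qop"),
                               a.get("nc"), a.get("cnonce"))
    return secrets.compare_digest(expected, a.get("response", ""))


def simulate_register(username: str, password: str) -> int:
    """REGISTER -> 401 -> REGISTER + Authorization -> 200, or 401 again
    when the response does not verify (bad password or unknown user)."""
    uri = f"sip:{REALM}"
    challenge = server_challenge()                      # 401 Unauthorized
    auth = client_answer(challenge, username, password, "REGISTER", uri)
    return 200 if server_verify(auth, "REGISTER") else 401


if __name__ == "__main__":
    print("good credentials ->", simulate_register("1001", "s3cret-pass"))
    print("bad password     ->", simulate_register("1001", "wrong"))
```

In a capture, a phone that keeps sending REGISTER without an Authorization header after each 401 is not failing authentication; it never attempts it. A second REGISTER that does carry Authorization but is still answered 401 points at the credentials or the realm, which `server_verify` shows by recomputing the digest from the stored password.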
chpalmer

                  @rosch:

                  I got a bit further already, but still cannot register:
I took a packet capture and saw that the SIP server is sending the invites on other ports than 5060, so I modified the rule's incoming port to *.
The capture shows this:

From          To           Protocol  Size  Info
WAN        -> SIP_server   SIP       524   Request: REGISTER
SIP_server -> WAN          SIP       615   401: Unauthorized

                  This is repeated about every 4 seconds..(4 times in total in my capture file).
                  The 401 is normal as the server asks for authentication, which the phone should send as the reply but it never does.

                  I also had to modify the destination to WAN instead of my phone IP for the WAN firewall rule since the traffic was blocked.

                  The "unauthorized" makes me think there is an issue with your login…  Are you able to try connecting the phone straight to the internet?

On your incoming rules, select "Log packets that are handled by this rule".
Even if you're using port forwarding you still have to direct the incoming rule to the LAN device. Pointing to the WAN address will only work if you have a proxy such as Siproxd on your firewall.

What do your "States" look like for the device?

chpalmer

Something I missed on my end.  (I've got too many of these things…)

                    On your outbound NAT select the Manual box and save.

                    Add a manual rule for your phone and select static port.

[screenshot: NatRule8.jpg]
rosch

                      @chpalmer:

                      The "unauthorized" makes me think there is an issue with your login…  Are you able to try connecting the phone straight to the internet?

                      I disabled the pfsense firewall (advanced  / check disable all packet filtering), but got the same results. No successful SIP connection.

                      @chpalmer:

On your incoming rules, select "Log packets that are handled by this rule".
Even if you're using port forwarding you still have to direct the incoming rule to the LAN device. Pointing to the WAN address will only work if you have a proxy such as Siproxd on your firewall.

                      Done.

                      @chpalmer:

                      What do your "States" look like for the device?

                      What I got filtering with "5060":

                      udp sip:5060 <- phone:5060 NO_TRAFFIC:SINGLE
                      udp phone:5060 -> wan:55675 -> sip:5060 SINGLE:NO_TRAFFIC
                      udp wan:5060 <- sip:5060 NO_TRAFFIC:SINGLE

rosch

                        @chpalmer:

                        Something I missed on my end.  (Ive got too many of these things…)

                        On your outbound NAT select the Manual box and save.

                        Add a manual rule for your phone and select static port.

                        Done.

rosch

                          States after adding the manual outbound NAT rule with static port:

                          udp wan:5060 <- sip:5060 NO_TRAFFIC:SINGLE
                          udp sip:5060 <- phone:5060 NO_TRAFFIC:SINGLE
                          udp phone:5060 -> sip:5060 SINGLE:NO_TRAFFIC

By the way, last time I was using the siproxd package I was able to register.
(Even so, after disabling the package I had to uninstall it for it to stop running; that seems to be a pfSense issue.)

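Reading the pfSense Diagnostics > States lines posted above and in the earlier post, as an added example that is not code from the thread or from pfSense: it parses the three-hop outbound form (source, translated source, destination) and the two-hop forms, flags outbound states whose translated source port differs from the phone's own port (which is exactly what the static-port outbound NAT rule is meant to prevent), and reports whether a state has carried packets both ways from pf's NO_TRAFFIC / SINGLE / MULTIPLE markers. The sample tables are constructed to mirror the posted lines; `phone`, `wan`, `sip` and `sip_server` stand in for the real addresses.

```python
"""Read pfSense 'Diagnostics > States' lines and flag SIP NAT trouble.

Added example; not code from the forum thread or from pfSense itself.
The sample tables are constructed to mirror the lines posted in the thread;
'phone', 'wan', 'sip' and 'sip_server' stand in for the real addresses.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed: states before a static-port outbound NAT rule existed.
BEFORE_STATIC_PORT = """\
udp sip:5060 <- phone:5060 NO_TRAFFIC:SINGLE
udp phone:5060 -> wan:55675 -> sip:5060 SINGLE:NO_TRAFFIC
udp wan:5060 <- sip:5060 NO_TRAFFIC:SINGLE
"""

# Constructed: states once the phone's source port survives NAT unchanged.
AFTER_STATIC_PORT = """\
udp sip_server:5060 <- 192.168.1.150:5060 MULTIPLE:MULTIPLE
udp 192.168.1.150:5060 -> wan:5060 -> sip_server:5060 MULTIPLE:MULTIPLE
"""

_EP = r"(\S+):(\d+)"
# "src -> translated -> dst flags"  (outbound through NAT)
_NAT_OUT = re.compile(rf"^(\w+)\s+{_EP}\s+->\s+{_EP}\s+->\s+{_EP}\s+(\S+)$")
# "a -> b flags" or "a <- b flags"  (no translation shown on the line)
_PLAIN = re.compile(rf"^(\w+)\s+{_EP}\s+(->|<-)\s+{_EP}\s+(\S+)$")


@dataclass
class State:
    proto: str
    src: tuple[str, int]             # endpoint that opened the state
    dst: tuple[str, int]
    nat: Optional[tuple[str, int]]   # translated source, if the line shows one
    flags: str                       # pf per-side markers, e.g. "SINGLE:NO_TRAFFIC"


def parse_state(line: str) -> State:
    m = _NAT_OUT.match(line.strip())
    if m:
        proto, sh, sp, nh, np_, dh, dp, flags = m.groups()
        return State(proto, (sh, int(sp)), (dh, int(dp)), (nh, int(np_)), flags)
    m = _PLAIN.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised state line: {line!r}")
    proto, ah, ap, arrow, bh, bp, flags = m.groups()
    a, b = (ah, int(ap)), (bh, int(bp))
    # "dst <- src" lists the destination first; normalise to (src, dst).
    src, dst = (a, b) if arrow == "->" else (b, a)
    return State(proto, src, dst, None, flags)


def source_port_rewritten(st: State) -> Optional[bool]:
    """True when outbound NAT chose a new source port (static port not in
    effect); None when the line shows no translation hop to compare."""
    if st.nat is None:
        return None
    return st.nat[1] != st.src[1]


def saw_both_directions(st: State) -> bool:
    """pf marks each side NO_TRAFFIC, SINGLE or MULTIPLE; a state has only
    carried packets both ways if neither side is still NO_TRAFFIC."""
    return "NO_TRAFFIC" not in st.flags.split(":")


def find_rewritten(table: str, sip_port: int = 5060) -> list[str]:
    """Hosts whose SIP signalling left the WAN with a source port other than their own."""
    hits = []
    for line in table.strip().splitlines():
        st = parse_state(line)
        if st.src[1] == sip_port and source_port_rewritten(st):
            hits.append(st.src[0])
    return hits


if __name__ == "__main__":
    for label, table in (("before", BEFORE_STATIC_PORT), ("after", AFTER_STATIC_PORT)):
        print(label, "- rewritten source ports:", find_rewritten(table) or "none")
        for line in table.strip().splitlines():
            print("   ", line, "| both directions:", saw_both_directions(parse_state(line)))
```

On the "before" table the phone's 5060 leaves as wan:55675, and the only state the server's replies created is a separate inbound one aimed at wan:5060 with nothing flowing back; on the "after" table the translated port matches and both sides read MULTIPLE.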
chpalmer

                            Looks like your firewall is passing everything just fine. You have states.

Siproxd makes the server believe that it's talking directly to the client device.  I use it here at my primary location due to the number of phones and multiple servers we connect to. The server has no knowledge of the device LAN IP address.

It's possible it could be a band-aid to your problem and the reason it registered.

                            Is there a reason you do not wish to use Siproxd?

                            I disabled the pfsense firewall (advanced  / check disable all packet filtering), but got the same results. No successful SIP connection.

                            What does your Voip provider say is hitting their server?

chpalmer

                              With Siproxd- you also need firewall rules allowing your SIP and RTP server(s) access to your WAN address. (WAN address because Siproxd is a proxy.)

If you don't use Siproxd then your rules need to point to your SIP device. This is true whether or not you use port forwarding. (My belief is that if you need port forwarding on a VoIP ATA or phone then something is broken.)

If pointing your firewall "allow" rule at your client device doesn't work and you begin seeing blocked attempts from your SIP server in the firewall rules, then the SIP server has wrong information about where your client is. (It's not recognizing its NAT address.)  Building port forwarding rules could work in this case, but I'd say Siproxd would be a better solution.

How many ATAs or other SIP devices do you have on your network, if any others?

In my picture you can see the difference between my two connected devices. One is here (bottom, Siproxd) and one (top) is at a remote office.

Looking at the one here using Siproxd, the server believes it is directly connected to the phone device. Therefore nothing in the "Received" column.

Looking at the remote office location (top), the server pushes to the LAN address (contact column). Public IP is in the received column.

Kinda simplified, but I'm hoping you can acquire the "Received" and "Contact" information from your VoIP provider. If "Contact" is blank and "Received" is your public IP then there is still a problem with your phone's settings. Because you mention that you had to make rules pointing at your WAN port in order to not get blocked, I believe this is the case…

[screenshot: ata1.jpg]

rosch

                                @chpalmer:

                                Looks like your firewall is passing everything just fine. You have states.

Siproxd makes the server believe that it's talking directly to the client device.  I use it here at my primary location due to the number of phones and multiple servers we connect to. The server has no knowledge of the device LAN IP address.

It's possible it could be a band-aid to your problem and the reason it registered.

                                Is there a reason you do not wish to use Siproxd?

                                I did not want to use it because some calls had too much of a delay, which makes communication really hard (A speaks when B speaks too..then nobody speaks and waits for the other..).
Does siproxd add a considerable delay or do I have to look elsewhere?

                                @chpalmer:

                                What does your Voip provider say is hitting their server?

                                They are not very talkative..isn't it faster if I simply capture the wan packets?

rosch

I finally am able to connect, without siproxd or port forwards.
                                  I'm not entirely sure but most probably the cleaning of the states resolved the issue.

                                  Unfortunately I get a "Forbidden" message on the phone with a busy signal when I try to call.
                                  Will contact my ISP about this..but I'm not optimistic they can help.

                                  Here are my current states:

                                  Proto Source -> Router -> Destination State
                                  udp sip_server:5060 <- 192.168.1.150:5060 MULTIPLE:MULTIPLE
                                  udp 192.168.1.150:5060 -> wan:5060 -> sip_server:5060 MULTIPLE:MULTIPLE

rosch

I am finally able to call in both directions :). The final problem was STUN, which is needed in my case; without STUN the phone registers with its private IP.

                                    Unfortunately the forward is not working as yet. I'm not sure if I should open a new thread for that or not.

                                    Here is the description:

                                    • Cisco phone is configured to forward all calls to a cell phone
                                    • calling the Cisco phone redirects to the cell phone, but it's either
                                        - not ringing, instead I get the "switched off behaviour", which is voice-mail in this case
                                        -  ringing once, then goes to voice-mail.

If voice-mail is not activated, the message is "The phone.. is currently switched off".

My ISP says the call gets redirected correctly to the cell number.

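chpalmer's Contact / Received explanation earlier in the thread and the finding just above that the phone registered with its private IP until STUN was enabled come down to what the REGISTER's Via and Contact headers advertise. The following is an added example, not from the thread or from any Cisco or pfSense code: it parses a REGISTER, flags Via and Contact addresses that a public registrar cannot route back to (RFC 1918 and similar ranges), and mirrors the Contact / Received view a registrar gets, where `received` is added to the Via only when the packet's source IP differs from the Via sent-by host (RFC 3261 section 18.2.1). The two REGISTER messages and all addresses are constructed; `sip.example.net`, `1001` and `203.0.113.7` are placeholders.

```python
"""What a SIP REGISTER advertises about its own address, and what the
registrar sees. Added example; not code from the thread or from any Cisco or
pfSense software. Messages and addresses below are constructed."""
import ipaddress

# Constructed: REGISTER from a phone behind NAT with no STUN result, so it
# advertises its LAN address in both Via and Contact.
REGISTER_NO_STUN = (
    "REGISTER sip:sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.150:5060;branch=z9hG4bK7a3d;rport\r\n"
    "From: <sip:1001@sip.example.net>;tag=9f1\r\n"
    "To: <sip:1001@sip.example.net>\r\n"
    "Contact: <sip:1001@192.168.1.150:5060>\r\n"
    "Call-ID: 1f0e2d@192.168.1.150\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# Constructed: the same phone after STUN told it its public mapping; with
# static-port outbound NAT the port stays 5060.
REGISTER_WITH_STUN = REGISTER_NO_STUN.replace("192.168.1.150:5060", "203.0.113.7:5060")

# Address space a registrar on the public internet cannot send a packet back to.
_UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
)]


def parse_headers(msg: str) -> dict[str, list[str]]:
    head = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in head[1:]:                      # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _hostport(text: str, default_port: int = 5060) -> tuple[str, int]:
    """Host and port from '<sip:user@host:port;params>' or 'host:port;params'."""
    text = text.strip().strip("<>").split(";", 1)[0]
    if text.lower().startswith(("sip:", "sips:")):
        text = text.split(":", 1)[1]
    text = text.rsplit("@", 1)[-1]
    host, _, port = text.partition(":")
    return host, int(port) if port else default_port


def advertised_addresses(msg: str) -> dict[str, tuple[str, int]]:
    """Where the phone claims to be: Via sent-by and the Contact URI host."""
    h = parse_headers(msg)
    via_sent_by = h["via"][0].split(None, 1)[1]     # drop "SIP/2.0/UDP"
    contact = h["contact"][0].split(">", 1)[0]     # drop header parameters
    return {"via": _hostport(via_sent_by), "contact": _hostport(contact)}


def nat_problems(msg: str) -> list[str]:
    """Headers whose address a public registrar cannot route back to."""
    bad = []
    for name, (host, _port) in advertised_addresses(msg).items():
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue                               # hostname, nothing to judge
        if any(addr in net for net in _UNROUTABLE):
            bad.append(name)
    return bad


def registrar_view(msg: str, src_ip: str) -> dict:
    """Mirror the Contact / Received columns a registrar shows. The server adds
    'received' to the Via only when the packet's source IP differs from the Via
    sent-by host, which is what NAT without STUN produces."""
    adv = advertised_addresses(msg)
    received = src_ip if adv["via"][0] != src_ip else None
    return {"contact": adv["contact"], "received": received}


if __name__ == "__main__":
    for label, msg in (("no STUN", REGISTER_NO_STUN), ("with STUN", REGISTER_WITH_STUN)):
        print(label, "| unroutable headers:", nat_problems(msg) or "none",
              "| registrar sees:", registrar_view(msg, "203.0.113.7"))
```

Without STUN the registrar records Contact = 192.168.1.150:5060 and Received = the public address, the pattern chpalmer describes for a phone whose settings are still wrong; with STUN the Via and Contact already carry the public address, so nothing lands in Received and the server can reach the phone at the address it advertised.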
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.