Netgate Discussion Forum

problems unblocking my sip provider

General pfSense Questions
  • S
    stephenw10 Netgate Administrator
    last edited by Mar 12, 2019, 8:45 PM

    With a 1:1 rule all ports are forwarded. All incoming traffic will be sent to the SIP device. All outgoing traffic will leave using the same source ports the SIP device sets. That eliminates a number of possible problems.

    1:1 NAT rules do not automatically open firewall rules though so you need to add a rule to pass what you need. As a test I suggest just passing everything.

    However that will not help if, for example, the SIP device is using its private IP in SIP packets as the response address. Only looking at those packets will tell you that. If it is, SIProxd could help.

    Steve

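The check described in the post above (whether the SIP device writes its private IP into SIP packets as the response address), as an added example that is not part of the original thread. It assumes the SIP message text has already been extracted from a packet capture; the sample message, its addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges: addresses the provider cannot route replies to.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
# Headers (with compact forms) that tell the far end where to reply.
ROUTING_HEADERS = {"via", "v", "contact", "m", "record-route", "route"}
# SDP origin and connection lines carry the media (RTP) address.
SDP_PREFIXES = ("o=", "c=")

# Constructed sample, not taken from the thread: a REGISTER from a phone
# that writes its LAN address (made-up 192.168.1.50) into the message.
SAMPLE_REGISTER = (
    "REGISTER sip:sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5065;branch=z9hG4bK776asdhds;rport\r\n"
    "From: <sip:0299990000@sip.example.net>;tag=1928301774\r\n"
    "To: <sip:0299990000@sip.example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.50\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:0299990000@192.168.1.50:5065>;expires=3600\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def private_addresses(text):
    """Return the RFC 1918 IPv4 addresses found in a piece of text."""
    found = []
    for candidate in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # not a valid address, e.g. 999.1.1.1
            continue
        if any(ip in net for net in RFC1918):
            found.append(candidate)
    return found


def audit_sip_message(raw):
    """List (where, address) pairs for private IPs in reply-routing fields."""
    head, _, body = raw.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ROUTING_HEADERS:
            findings += [(name.strip(), ip) for ip in private_addresses(value)]
    for line in body.splitlines():
        if line.startswith(SDP_PREFIXES):
            findings += [("SDP " + line[:2], ip) for ip in private_addresses(line)]
    return findings


if __name__ == "__main__":
    for where, ip in audit_sip_message(SAMPLE_REGISTER):
        print(f"{where}: private address {ip} advertised to the provider")
```

An empty result means the routing headers and SDP already carry a public address; findings in Via, Contact or the SDP lines are the case where a SIP-aware proxy such as SIProxd rewrites them.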
    • R
      randomaustralian
      last edited by Mar 15, 2019, 10:54 PM

      Is there a nice guide for setting up siproxy?
      as this is my second dabble with connecting sip devices i really have no idea what i am doing

      2 x UP board, 4GB RAM + 64 GB eMMC w/ vesa case (http://up-shop.org/)
      1x UP^2 Pentium Quad Core, 8GB RAM, 128GB eMMC w/ vesa case (pfSense)
      1x UP Core Plus E3950, 8GB RAM, 64GB EMMC+ Net Plus i210-IT
      1x Dell Power Edge R510
      2x Dell Power Edge R610

      • S
        stephenw10 Netgate Administrator
        last edited by Mar 16, 2019, 1:54 PM

        Not other than this: https://docs.netgate.com/pfsense/en/latest/packages/siproxd-package.html

        That really doesn't tell you much but generally it is discouraged.

        The 1:1 NAT did not help at all? Did you still see blocked traffic?

        Have you tried looking at the SIP packets yet to see what IPs the device is sending?

        Steve

        • R
          randomaustralian
          last edited by Mar 19, 2019, 6:16 AM

          i haven't tried the 1:1 NAT because the incoming IP address is not static, and at one point i had added so many rules into the firewall that there was nothing appearing in the logs.

          i still have the issue where outgoing calls drop after 15 minutes too

          • S
            stephenw10 Netgate Administrator
            last edited by Mar 19, 2019, 1:52 PM

            Might need to review at this point. What exactly do you have in place right now in terms of port forwards and firewall rules and SIProxd?

            What VoIP issues are you now seeing?

            Steve

            • R
              randomaustralian
              last edited by randomaustralian Mar 19, 2019, 10:06 PM Mar 19, 2019, 10:05 PM

              I have tried to open incoming traffic from telstra's entire sub net range.

              the 5060-5065, 5004, 3487 ports are all allowed in firewall rules and NAT rules to forward them to my telstra sip device. i have included up to 5065 because i noticed in the logs that the incoming calls didn't only seem to come from 5060.

              i had installed snort so I have tried removing it again.

              Incoming calls almost never work and outgoing calls always get cut after about 15 minutes.

              It can't be a double NAT issue and my mobile/cell phone uses the telstra device for its WiFi hot spot and it works fine.

              I did not have these issues with the previous software firewall/gateway i used and all it took was to port forward the same ports i have currently configured into pfSense.

              • S
                stephenw10 Netgate Administrator
                last edited by Mar 19, 2019, 11:30 PM

                Ok, well there are two possibilities. It requires some static source NAT outbound that the old router provided. It requires a SIP ALG which the old router provided.

                Just using 1:1 NAT and opening the phone up completely will test theory one.

                To test theory two I would capture the SIP traffic and check the contents to see what's actually happening. Then deploy SIProxd if it's appropriate.

                Steve

                • R
                  randomaustralian
                  last edited by Mar 20, 2019, 8:04 AM

                  c316b0db-e650-43ef-9621-6935fb804b24-image.png

                  Just taking a complete guess at this.

                  i never specified a nat source for outbound previously, nor a SIP ALG. i just forwarded the ports

                  • R
                    randomaustralian
                    last edited by Mar 20, 2019, 8:08 AM

                    3d4c4ad7-2996-4761-aa75-19c3e11aa9e9-image.png

                    • R
                      randomaustralian
                      last edited by Mar 20, 2019, 8:11 AM

                      ecdbd704-ae63-4c16-8db8-17657689a16e-image.png

                      I'm sure THIS is why it's not working... even when i managed to get that to stop showing up it still seems to be blocking it

                      • R
                        randomaustralian
                        last edited by randomaustralian Mar 20, 2019, 8:22 AM Mar 20, 2019, 8:20 AM

                        i also can't list a nat rule like this

                        8485a2f5-aee6-4e51-89ff-ce9e4519eb47-image.png

                        it requires me to put a redirected port in.. but the source is transmitting from port 5060 to 44780.

                        a0419300-3bc6-4d55-962d-d6fd56ede355-image.png

                        i can't just specify any port received from the source port of 5060 to forward it

                        • R
                          randomaustralian
                          last edited by Mar 20, 2019, 8:39 AM

                          am i reading these logs wrong.. it looks like my provider is trying to send sip packets from port 5060 to a random port on my gateway, where pfSense seems to want it to come from a random port from the source and arrive at port 5060

                          • R
                            randomaustralian
                            last edited by Mar 20, 2019, 9:02 AM

                            What i have right now is :

                            9ecf1d78-c152-4ae3-b877-dee2fc81cd4f-image.png

                            625d43ea-a4a2-4052-bc48-24b268fac319-image.png

                            out of maybe 30 attempted incoming calls one worked... is there some kind of auto closing of established connections that could be going on?

                            • R
                              randomaustralian
                              last edited by Mar 20, 2019, 9:25 AM

                              looking at the outgoing packets from an outgoing call it seems to be normal.

                              the packets are being sent from my local device port 5065 to a receiving port of 5060.

                              7140899a-2502-49c2-a3de-e46bd5ad28c2-image.png

                              • R
                                randomaustralian
                                last edited by randomaustralian Mar 20, 2019, 9:39 AM Mar 20, 2019, 9:38 AM

                                incoming packet sniff

                                7c3a2efa-dff9-4f1f-8781-b8304a5d018c-image.png

                                • S
                                  stephenw10 Netgate Administrator
                                  last edited by Mar 20, 2019, 12:07 PM

                                  The external IP should be the WAN IP address in that 1:1 NAT rule.

                                  Setting the destination as Telstra's subnet there means it will only apply to traffic to or from that. So if they are using other IPs it won't pass it. I would leave that as 'any' as a test.

                                  The reason traffic comes back to a random port is because it's replying to traffic the phone sent out and pfSense will randomise source ports for security. That should not be a problem. However the fact it's showing as blocked means that firewall state has closed so replies are not getting back to the phone.
                                  You did set the firewall optimisation to conservative earlier? It might require exceptionally long timeouts there.

                                  The working 1:1 NAT rule will by-pass that though as traffic will be allowed back in even if the state has expired and source ports will not be changed.

                                  Steve

                                  • R
                                    randomaustralian
                                    last edited by randomaustralian Mar 21, 2019, 11:43 AM Mar 21, 2019, 11:42 AM

                                    I can't do a 1:1 NAT rule on my wan IP address because i do not currently have a static IP address. there isn't an option to just specify "wan address" like there has been for many other options.

                                    Is there a way i can put in a request for this option?

                                    • R
                                      randomaustralian
                                      last edited by randomaustralian Mar 24, 2019, 8:26 PM Mar 21, 2019, 11:46 AM

                                      another idea i had now that i'm thinking of it, can i put the telstra device in a dmz on its own vlan and just tell pfsense to forward anything to that single ip address. that would mean anything that didn't originate from my internal lan would get forwarded to the telstra device, and if it got hacked, it's in its own vlan, so they can't do anything anyways.

                                      • S
                                        stephenw10 Netgate Administrator
                                        last edited by Mar 24, 2019, 11:31 AM

                                        Hmm, interesting I hadn't considered that. Just as a test you can add your current IP as the destination though. You don't want to have that open on all ports permanently. If it works we can look at why it worked and how to replicate that with port forwards.

                                        Steve

                                        • R
                                          randomaustralian
                                          last edited by Apr 1, 2019, 9:04 PM

                                          sorry i took so long to reply. was sick for like 6 days and had no motivation to look at something i'm already too frustrated with.

                                          373e0aa9-0091-48ba-b08c-c7c6cd4ab650-image.png

                                          i tried both of these, neither have worked. did i not set it up the way you meant?

                                          i get the occasional incoming call but i think it has more to do with the timing of my sip device re-establishing a connection before it getting dropped out after 15 minutes.
