pfSense and Skype for Business SIP issue with Private IP
-
Hi. Yes, we have 1:1 NAT and firewall WAN pass rules; these are standard, with no advanced config, in addition to a DMZ rule. However, we are new to this system, so any guidance would be appreciated. Is there a rule that can inspect SIP packets like the Cisco ASA?
-
What do your WAN rules look like?
They should have a destination of your intended LAN address. In your case, 192.168.30.x.
If you use siproxd, then you would not use 1:1 NAT and you would point the WAN rules' destination to your "WAN Address".
-
Yes, the rule is to the internal IP in the DMZ of the Skype mediation server.
-
The issue is that traffic flows with the correct NAT translation to the SIP trunk in both directions and reaches the provider; however, the SIP packet has the private IP. This is what we are trying to resolve. The trunk provider drops this obviously.
-
While I have a lot of experience with SIP client devices, my only Skype experience is customers that use a Skype client on their desktops, which they do quite successfully.
pfSense does not "inspect" the packets to see what's in them, but passes them when told to do so.
Can you see any connections from Gamma to your Skype server in your State Table?
-
@andrew-frowen said in pfSense and Skype for Business SIP issue with Private IP:
The trunk provider drops this obviously.
I'm not sure why they would want to drop this if your device is on that address. They have to find you some way.
I never use any kind of port forwarding or 1:1 when it comes to SIP with my providers. Just WAN rules, as the fact that the LAN address is in the SIP header is how "they" reach my clients.
-
Hi, thanks for your help. We have the box offline at the minute, but yes, we had some states when it was under test earlier. We have considered changing the private IP on the media server to public IP and bypassing NAT altogether.
-
The trunk provider has provided some packet traces, and this shows that on our original Cisco the IP in the SIP packet refers to the public IP, but when we put this through the pfSense it does not change the private to public, only for the IP header.
-
SIP was not originally designed with NAT in mind. It was added later as an afterthought when services like Vonage came around and started marketing to residential services. So the way certain services implement their service can be different from provider to provider. Vonage got sued for patent infringement, which caused all the other services to do things a little differently. Now they all have their own flavors of service.
There are a couple of things I would try.
Turn off the 1:1 NAT. Leave the WAN rules in place. Does this setup require RTP? If so, rules?
Try static port on your outbound NAT tab. Set the source as your LAN device.
UDP or TCP? How exactly are your WAN rules set up?
Good luck!
-
Thanks, I will give those suggestions a try and see how it goes!
-
Just to confirm, our Skype for Business end users can call and the endpoint rings, but no media flows when the call is answered; this is the same for inbound calls.
-
@andrew-frowen said in pfSense and Skype for Business SIP issue with Private IP:
Just to confirm, our Skype for Business end users can call and the endpoint rings, but no media flows when the call is answered; this is the same for inbound calls.
Normal SIP phones also need RTP. I'd be watching firewall logs for blocked traffic while trying to make a call and add firewall rules accordingly.
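
The symptom described in this thread (IP header translated, private address still inside the SIP message, call rings but no media) can be confirmed from a captured message. The following is an added example, not code from any poster: it lists RFC 1918 addresses left in the Via and Contact headers and the SDP `o=`/`c=` lines. The function names and the sample INVITE are constructed; 192.168.30.10 stands in for the thread's 192.168.30.x server, and the other addresses are documentation ranges.

```python
import ipaddress
import re

# RFC 1918 ranges listed explicitly: ipaddress.is_private would also match
# documentation ranges such as 203.0.113.0/24, used here as the "public" side.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SIP_HEADERS = ("via", "v", "contact", "m")  # long and compact header names
SDP_FIELDS = ("o", "c")                     # SDP origin and connection lines

def is_rfc1918(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # e.g. 999.1.1.1 matched by the loose regex
        return False
    return any(ip in net for net in RFC1918)

def private_addresses_in_sip(message):
    """Return (location, address) pairs for RFC 1918 addresses in a SIP message."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    findings = []
    for line in head.split("\n")[1:]:       # skip the request/status line
        name, _, value = line.partition(":")
        if name.strip().lower() in SIP_HEADERS:
            findings += [(name.strip(), a) for a in IPV4.findall(value) if is_rfc1918(a)]
    for line in body.split("\n"):           # SDP body: where media (RTP) should go
        field, _, value = line.partition("=")
        if field in SDP_FIELDS:
            findings += [("SDP " + field + "=", a) for a in IPV4.findall(value) if is_rfc1918(a)]
    return findings

# Constructed sample: what the provider would see after NAT rewrote only the IP header.
SAMPLE_INVITE = (
    "INVITE sip:+15550100@198.51.100.20 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.30.10:5060;branch=z9hG4bKconstructed\r\n"
    "Contact: <sip:+15550101@192.168.30.10:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.30.10\r\n"
    "c=IN IP4 192.168.30.10\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

if __name__ == "__main__":
    for where, addr in private_addresses_in_sip(SAMPLE_INVITE):
        print(f"{where:10} still carries {addr}")
```

A private address in `c=` is the one that matches the "rings but no media" symptom, since that line tells the far end where to send RTP.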