Allow Voip from WAN side

chpalmer

First the caviat.. VOIP was not originally designed to work behind NAT but had it added later to deal with the new market.. the residential and small business user. Vonage got sued for patent infringement and changed to some really different stuff. SIP- port 10000 RTP- 10001 to 10100 en such.. Other providers that came along watched the suit closely and tried to change up things just enough to avoid the patent. Thus any chance of a closely followed standard.. you get the picture.

I never forward ports. You should not have to with voip products meant for residential use. (Your LAN address of your device is already in the SIP header.) But I do make incoming WAN rules pointed at my VOIP devices. The easiest way to do this is to bundle all your VOIP devices into a specific address range and make an incoming rule that points directly at these devices.

The best way is to segregate them all on their own LAN interface so that your primary LAN is protected from them but I digress.

Remember this- When you forward a port to an address you then cannot forward that same port to another address. You can though make WAN rules for the same port or range all day long to different devices or a range of devices. Rules for each device are also possible.

My VOIP interface at one of my customers has a WAN rule pointed to it (ports 5060-5061) with the destination the entire VOIP network. Works great. Don't forget WAN rules for RTP as well.

shu48

@chpalmer Thanks a lot! I've done as you suggested and just made firewall rules. I've created an alias for voip adapters, although I only have two lol. I've got one rule passing 5060-5076 and another, passing 1024-65535. They've saved without errors. After restarting the Grandstream adapter, it worked! I thought it was working, but my excitement was short lived because it only worked once and then stopped. What I find is that if I unplug and replug the power and wait for it to be ready, it will ring. I can pick up the phone. There is even 2 way audio, but then it stops again. I've realised it was doing that before I made the rules but I just hadn't realised.

chpalmer

Grandsteam adapters generally come default with RTP of 5004.. Did you or your provider change that?

In my case I usually watch my states very closely when I first set up a system. My provider uses their own SIP servers and sometimes provide the RTP from those same servers.. I build SIP rules only allowing their servers. In other cases they use the upstream carrier servers direct for RTP. This is where I will make and continue to monitor calls and see where my RTP comes from. This wont really help you right now but its good stuff to know.

I am confused a little about your closing statement. Is it working now or are you still having an issue?

shu48

Yes, I am still having problems. I tested with Zoiper on my mobile phone. The results were the same as I was having through the voip phones. One worked but the other would only call out. The 'problem' voip adapter works breifly but only if I switch it off and on again. I've since done a new test with Zoiper. I tried registering on the ISP voip servers with wifi disabled, using just the 4G network. The result was that it let me answer a call, but it was a bit broken up due to poor signal. This is not a definitive answer at this stage because of the way in which I can answer a call on the Grandstream when I've just powered it up. I can't understand why one voip number works but the other one is playing up. They are the same in every way except for the usernames. I tried to set up my pfsense rules based on this info https://support.aa.net.uk/VoIP_Firewall, but I might just be doing it wrong. Either that or there is some other problem, because I can't understand why one voip number would wok without setting up rule but the other not. In any case, I've navigated to sytem logs - firewall. It shows a lot of AAISP stuff bouncing off it .

chpalmer

Are you using IPv6 in your system?

chpalmer

From their page..

Avoid using NAT where possible.

Why? see my first post.

Grandstream phones and ATAs tend to default to using 5004 as the RTP port, so you need to allow ports 5004-5005 through the firewall.

I use 5004-5059 here but it is overkill..

Do you manually configure your phone or is it provided by them?

chpalmer

https://support.aa.net.uk/VoIP_NAT

I might suggest another provider with less phobias with NAT.

Have you tried static port?

shu48

@chpalmer The big media providers here are awful. I've deliberately gone with a proper old fashioned ISP. They don't even offer customer service as part of the contract. It's all a bit bit tongue in cheek but the reality is that their customer service is absolutely the best, so long as it's their fault or BT's. BT are dreadful. They are legally responsible for all the lines and exchanges that the newer corporations don't find profitable enough. Chasing them up is like herding cats. I like that AASIP won't fob me off, will hold BT to account, and fight my corner politically. They are very much against any kind of invasion of privacy etc etc. Their control pages let me see if there is a problem and let me tinker with line settings etc if need be. It was being with them that meant I was able to keep my ADSL running when my neighbours complained theirs wasn't working at all. The deal is that I don't ring them up to complain about my WiFi signal, and they don't fob me off if there's an actual problem. The problem I have is it was all working fine on the ASUS with no port forwarding or anything.

The Gigaset came from the ISP shop. I looked around and the price was the same as buying from the cheapest alternative, and as you might have gathered, I'm something of a fan. The Grandstream I bought elsewhere. I can access the setup for both. They're running stock firmware. I've checked and the Gigaset is set to: SIP = 5060-5076 RTP = 5004 - 5020
The Grandstream is set to: SIP = 5060 RTP = 5004.

Getting my free copy of Media Ring Talk on a magazine in the late 90's (and Buddy Phone), I didn't imagine it would replace my copper landline. The call quality is actually far superior these days.

shu48

@chpalmer No I'm not using ipv6. My ISP would like me to as they made the move several years ago. The truth is that I haven't been able to get my head around it. This dyslexic can cope with numbers but nothing too complicated.

shu48

Sorry about all the messages, different time zone. Ive' changed my SIP rile to 5060-5076 and my RTP rule to 5004-5020. While I was at it, I changed UDP to UDP/TCP. After that I get an engaged tone when I ring it. I then took the alias with all the IPs out. After restarting, it allowed me to ring it. When it let me ring it a second time, I once again thought I'd done it. After waiting 5 minutes though, it was back to just giving me an engaged tone again. Although an engaged tone is a slight improvement on nothing. Temporarily, I may set both accounts up on the Gigaset. I do need it to be a seperate phone but it would mean I'm able to answer calls until I get to the bottom of this. Once it's working, both phones will ring and then I can delete the account from the Gigaset.

shu48

Everything worked perfectly on the Gigaset. The Grandstream has many more settings. I was determined to compare and find a different setting. Obviously, I can't compare a setting on the Grandstream to nothing on the Gigaset. I needn't have worried. There it was, plain as day, staring right at me. Keep alive = off. Then it worked. I disabled the firewall rules and it still works. It works with NAT keep alive on and SIP keep alive off, but I've left both on. What's strange is that I hadn't changed any settings. Pfsense must be doing a better job because everything was obviously working fine with the Asus, even without keep alive on. It would seem that either I made a hash of creating my rules or my ISP requires keep alive to be on regardless.

A huge thank you for all your help.

Next challenge will be either putting voip on a vlan or different physical interface. Either option is possible. My switch supports vlans and I have a spare ethernet port on my pfsense. It would be physically neater to have everything on my Ubiquity switch. But I can see why it might be better to put my old 100mbps dumb switch on the spare ethernet port. This is probably a question for another day and a different catagory.

JKnott

@shu48 said in Allow Voip from WAN side:

@chpalmer No I'm not using ipv6. My ISP would like me to as they made the move several years ago. The truth is that I haven't been able to get my head around it. This dyslexic can cope with numbers but nothing too complicated.

There's not much different to worry about. Just use host names, as you would with IPv4.

chpalmer

Im curious if the SIProxd package would not benefit you.. I use it at one location.. (here) and did so due to my provider being new to the market over ten years ago and me needing to get things done.

It makes it look to the provider like your ATA's or devices are on a public address without NAT.

I can work you through it and it is fairly easy if you have access to your client config. Still doable without.

chpalmer

For SIProxd.

Install the package and configure it.

Reconfigure all your WAN rules to point at "WAN Address."

Go to your device settings and point anything that resembles "gateway" (outside of LAN settings.. That should already be the case..) to your pfsense box lan address.

Look at SIProxd for client connections. If they dont connect you need to massage things. Ill be monitoring either way.

shu48

What would be the benefit of siproxd? Would it mean no need for keep alive? Is keep alive a problem?

chpalmer

@chpalmer said in Allow Voip from WAN side:

It makes it look to the provider like your ATA's or devices are on a public address without NAT.