Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    VOIP issues

    Scheduled Pinned Locked Moved NAT
    15 Posts 7 Posters 4.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      apronk
      last edited by

      First off, I just wanted to say that this is a great forum which has provided me with answers time and time again without me having to ask anything, thanks for that!
      Currently I find myself in a strange situation that I can't seem to figure out.

      In the LAN are 4 Base Stations that connect to an external PBX.
      Each base station has about 4 or 5 handsets, about 18 in total.
      Everything works without any real issue apart from 1.
      5 of those handsets are part of a group, so when a specific number is called all 5 of those are supposed to ring.
      One of them will always fail with 'Insufficient Resources', it is completely random which one of those will fail.
      If you remove one of the 5 from the group, the problem is solved.

      If I bypass pfSense and connect one of the Base Stations to the WAN directly and have the 5 grouped handsets registered to this Base Station the problem is solved as well.
      This leads me to the conclusion that pfSense is causing this problem.
      The version of pfSense is the latest 2.3.1_1.

      I've tried disabling Firewall Scrub and set the optimization option to conservative and even rebooted pfSense afterward but it didn't help.
      Even tried 1:1 NAT for one of the stations but that also didn't solve it.
      Also set an outbound rule for UDP/5060 but that only caused that 3 out of 4 base stations could not register at all.

      Currently I am at the end of my rope and I'm hoping one of you might have any insights or suggestions that I could try.
      Thanks in advance :)

      1 Reply Last reply Reply Quote 0
      • A
        apronk
        last edited by

        Isn't there anyone that can at least point me in the right direction?

        1 Reply Last reply Reply Quote 0
        • P
          poma187
          last edited by

          What do you mean by 'insufficient resources?'  This is not a SIP response code I am familiar with.  Are there 5 distinct SIP INVITEs sent to the base station when a call is placed?  Are all five UACs registered with the PBX when this situation occurs?  Is STUN enabled on the base station?  What kind of PBX is it? More information is definitely required.

          1 Reply Last reply Reply Quote 0
          • A
            apronk
            last edited by

            "The handset displays "insufficient resources" on the screen when it occurs.
            Each handset is individually registered on the base station, then the group number is called all 5 are ringing.
            During the ringing and before picking up one of the 5 will display "insufficient resources".
            STUN is not enabled on the base station, the PBX is an external provider belcentrale.nl
            If you need more information please let me know.

            1 Reply Last reply Reply Quote 0
            • T
              tomytung0812
              last edited by

              Hi you. I'm using FreePBX and having problems like you. The reason is that the blocking signal Pfsense returned from the server. Fix by visiting the Advance => Firewall & NAT => State Timeouts => Fist + UDP UDP Multiple Single + UDP to 3600 values.

              1 Reply Last reply Reply Quote 0
              • P
                poma187
                last edited by

                If you enable SIP OPTIONS keep-alives and STUN you wouldnt have to increase the UDP timeout.  Most UACs/sip phones support this capability.  You could also use TCP as a transport instead of UDP for SIP traffic as well.

                Edit: Increasing the UDP timeout can also have undesirable effects for other applications.  Your state table will fill up faster.

                1 Reply Last reply Reply Quote 0
                • chpalmerC
                  chpalmer
                  last edited by

                  Have you tried the siproxd package?

                  Ive never had to utilize port forwarding of any kind whether or not I use Siproxd. But incoming firewall rules are important at least in all my cases.

                  Triggering snowflakes one by one..
                  Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                  1 Reply Last reply Reply Quote 0
                  • B
                    breakaway
                    last edited by

                    This sounds like it has nothing to do with the network or pfSense.

                    "Insufficient Resources" is not even a VOIP related thing. What handsets are you using? Is the firmware up to date?

                    Install X-Lite softphone on one of your desktops and see if it exhibits the same symptoms…

                    Out of the box pfSense works just fine for SIP, no "fine tuning" is needed in my experience.

                    1 Reply Last reply Reply Quote 0
                    • A
                      apronk
                      last edited by

                      @tomytung0812:

                      Hi you. I'm using FreePBX and having problems like you. The reason is that the blocking signal Pfsense returned from the server. Fix by visiting the Advance => Firewall & NAT => State Timeouts => Fist + UDP UDP Multiple Single + UDP to 3600 values.

                      Thanks, I'll have to try that just to see if it fixes my problem, so you mean the following 3 settings?
                      UDP First
                      UDP Single
                      UDP Multiple

                      @poma187:

                      If you enable SIP OPTIONS keep-alives and STUN you wouldnt have to increase the UDP timeout.  Most UACs/sip phones support this capability.  You could also use TCP as a transport instead of UDP for SIP traffic as well.

                      Edit: Increasing the UDP timeout can also have undesirable effects for other applications.  Your state table will fill up faster.

                      Unfortunately my povider does not support STUN, SIP OPTIONS keep-alives are already set.
                      We've tried using TCP as a transport and that didn't solve the issue either, even tried using TCP over 5061 (provider supports this).

                      @chpalmer:

                      Have you tried the siproxd package?

                      Ive never had to utilize port forwarding of any kind whether or not I use Siproxd. But incoming firewall rules are important at least in all my cases.

                      No, I haven't because I couln't find clear documentation on how to configure it exactly, or how to configure my handsets to register on the pfSense :-/

                      @breakaway:

                      This sounds like it has nothing to do with the network or pfSense.

                      "Insufficient Resources" is not even a VOIP related thing. What handsets are you using? Is the firmware up to date?

                      Install X-Lite softphone on one of your desktops and see if it exhibits the same symptoms…

                      Out of the box pfSense works just fine for SIP, no "fine tuning" is needed in my experience.

                      It does have everything to do with pfSense because if I hook up the base station directly to WAN the problems are gone.
                      They are RTX 8630 handsets and yes, we've tried a number of different firmware versions up to the very latest.
                      I'll have to try softphones, that might give us some insight, thanks!

                      1 Reply Last reply Reply Quote 0
                      • chpalmerC
                        chpalmer
                        last edited by

                        No, I haven't because I couln't find clear documentation on how to configure it exactly, or how to configure my handsets to register on the pfSense :-/

                        I like using Siproxd where I have multiple devices behind the firewall.

                        siproxd1.jpg
                        siproxd1.jpg_thumb
                        siproxd2.jpg
                        siproxd2.jpg_thumb

                        Triggering snowflakes one by one..
                        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                        1 Reply Last reply Reply Quote 0
                        • chpalmerC
                          chpalmer
                          last edited by

                          On your phones you might have a "Proxy" entry. Make that your LAN gateway.

                          Whether or not I use the proxy Ive had to make firewall rules. Might be because the service I use does not always proxy the audio from the same server as does SIP.

                          Firewall states and rules below are from a customer of mine that does not use siproxd.  Notice the rules for both SIP and RTP.  You might need to do this based on what you have.

                          If you use Siproxd- point the WAN rules at your WAN address. If you don't then point the rules at the device LAN address.  (see why I like siproxd for many devices now??) You could make a rule to point at a "network" of devices.

                          Last picture is my PAP2 device behind siproxd telling it to use the proxy.

                          siproxd3.jpg
                          siproxd3.jpg_thumb
                          siproxd4.jpg
                          siproxd4.jpg_thumb
                          siproxd5.jpg
                          siproxd5.jpg_thumb

                          Triggering snowflakes one by one..
                          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                          1 Reply Last reply Reply Quote 0
                          • E
                            eddi1984
                            last edited by

                            Hi,

                            I got a similar siproxd setup as you have, however, I never had so setup any firewall rules to handle the SIP or RTP traffic.

                            Only difference to your siproxd setup, I have a stun server setup (stunserver.org).

                            I use voip.ms as provider.

                            Just my 2cents.

                            pfsense-stun-settings.PNG
                            pfsense-stun-settings.PNG_thumb

                            1 Reply Last reply Reply Quote 0
                            • chpalmerC
                              chpalmer
                              last edited by

                              Yep- stun is why you don't need the firewall rules.  For some of us stun is not an option and can actually add some latency to your voip conversations.

                              Triggering snowflakes one by one..
                              Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                              1 Reply Last reply Reply Quote 0
                              • A
                                apronk
                                last edited by

                                Thank you all of you that pitched in!
                                In the end the problem was in the Base Stations.
                                Apparantly this is a bug in the upgrade process of the firmware, too much stuff gets left behind.
                                The fix was that after upgrading a Base Station you should perform a factory reset on both the Base Station and the Handsets registered to it.
                                Then configure them both again and all is well.

                                For the people reading this thread that are in a similar postition these concern the XRS/RTX/Snom Base Stations and Handsets (all manufactured by RTX).

                                1 Reply Last reply Reply Quote 0
                                • F
                                  franks Banned
                                  last edited by

                                  This post is deleted!
                                  1 Reply Last reply Reply Quote 0
                                  • First post
                                    Last post
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.