Problem with SIP VOIP Phone Registration Behind pfSense
-
Hi,
We have a situation whereby VOIP phones behind pfSense are having intermittent problems registering. The phones in question are Linksys SPA942, set by default to register every 60 seconds. We find that the lights on these phones go orange numerous times per day, and checking the web interface reveals that they have not managed to register. The length of time between no-register incidents varies from a minute or so, to up to an hour with flawless service. If we plug a phone directly into the modem (yes, we're sadly double-NATed), it has no difficulty in registering at all. When the phones are green, we can make and receive calls without issue.
Here's our setup in more detail:
7 x Linksys SPA942 -> Dell PowerConnect 5324 switch -> LAN interface on pfSense (running on XenServer 6.5 SP1) -> WAN interface -> Hitron cable modem/router (DMZ pointing to pfSense; modem-only mode doesn't work on this piece of rubbish)
Has anybody got any experience with this? What's the best way to start diagnosing this problem?
Thanks
-
Keep 1 phone for test and disconnect others. Run packet capture on pfSense WAN, set filter to SIP Proxy IP and UDP (assuming your phone is using UDP). Keep capture running until you see the issue on the phone. Open your capture file, filter SIP and enjoy the trace analysis.
You may need to add another phone into the test setup later to reproduce the problem. Once you see a problem, check the States table on the router - find the line corresponding to the phone IP and note the state.
Some side notes - follow the VoIP guidelines available in the pfSense wiki and also assign different SIP source ports on all your phones and lines (5062, 5064, etc). Use TCP or TLS if supported by the SIP provider. Do not register that often unless this is absolutely necessary; use the keepalive mechanism on the phone to keep the NAT pinhole open.
-
I know this is a late reply. We had some problems with XenServer that stopped me from using it for a while. During that time, the phones were connected to the hardware router and experienced no issues. Now we're back on pfSense, they've started getting registration problems again. I did some packet analysis as suggested, and what I found was that the phones were receiving a 401 Unauthorized response every so often. The phones are perfectly usable, it's just annoying to see those orange lights a few times a day.
I'll follow the guidelines in the pfSense wiki and see if I can get anywhere.
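The trace analysis suggested above and the 401 finding, as an added example that is not part of the original thread: the Python below pairs each REGISTER in a capture with its final response by Call-ID and CSeq, separating the 401 that is the normal first step of SIP digest authentication from a 401 sent despite credentials and from a REGISTER that got no answer. The sample messages, host names and the `msg`, `parse` and `classify` helpers are constructed for illustration.

```python
import re

# Constructed sample, not from the thread: (seconds, raw SIP text) as read off a WAN capture.
def msg(start, cseq, auth=False, call_id="constructed-call-id@192.0.2.10"):
    lines = [start, f"Call-ID: {call_id}", f"CSeq: {cseq} REGISTER"]
    if auth:
        lines.append('Authorization: Digest username="100", nonce="constructed"')
    return "\r\n".join(lines) + "\r\n\r\n"

REQ = "REGISTER sip:sip.example.net SIP/2.0"
SAMPLE = [
    (0.00, msg(REQ, 1)),                          # first attempt, no credentials
    (0.05, msg("SIP/2.0 401 Unauthorized", 1)),   # digest challenge: expected
    (0.10, msg(REQ, 2, auth=True)),
    (0.16, msg("SIP/2.0 200 OK", 2)),
    (60.0, msg(REQ, 3, auth=True)),
    (60.1, msg("SIP/2.0 401 Unauthorized", 3)),   # refused despite credentials
    (120.0, msg(REQ, 4, auth=True)),              # never answered
]

def parse(raw):
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    hdrs = {k.strip().lower(): v.strip()
            for k, v in (line.split(":", 1) for line in head[1:] if ":" in line)}
    m = re.match(r"SIP/2\.0 (\d{3})", head[0])
    return {"status": int(m.group(1)) if m else None,
            "method": None if m else head[0].split()[0],
            "key": (hdrs.get("call-id"), hdrs.get("cseq")),
            "auth": "authorization" in hdrs}

def classify(messages):
    """Pair each REGISTER with its final response and label the outcome."""
    txns = {}
    for ts, raw in messages:
        p = parse(raw)
        if p["method"] == "REGISTER":
            txns.setdefault(p["key"], {"ts": ts, "auth": p["auth"], "status": None})
        elif p["status"] is not None and p["status"] >= 200 and p["key"] in txns:
            txns[p["key"]]["status"] = p["status"]
    results = []
    for (_, cseq), t in txns.items():
        if t["status"] is None:
            verdict = "no_response"            # request or reply never made it through
        elif t["status"] == 401:
            verdict = "refused_with_credentials" if t["auth"] else "challenge"
        else:
            verdict = "registered" if t["status"] < 300 else f"failed_{t['status']}"
        results.append((t["ts"], cseq, verdict))
    return results
```

Only the `refused_with_credentials` and `no_response` rows need follow-up; their timestamps are the moments to compare against the firewall state table.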
-
VoIP was not originally designed to be behind NAT. Later, when companies like Vonage came along offering this tech to the residential side of things, NAT had to be considered. So you can say Double NAT = Double Trouble.
pfSense utilizes a stateful inspection firewall. You don't mention what your "hardware router" is so can't comment there on whether or not it even has a firewall on it. (btw- all routers are just software running on hardware)
I run several systems running VOIP and have no problems with any of them. (albeit all to the same SIP provider)
At my primary location we have multiple numbers so I chose to install the siproxd package. Everywhere else is just one ATA.
1. Use no port forwarding to your phones.
2. Look at your firewall states for each phone. Hopefully you have just one SIP server. Build a WAN firewall rule with your SIP server as source and your phones as destination. Similar to my picture.
If you have more than one phone/ATA then you want to make source a range 192.168.25.145/29: put all devices in that range, or use one WAN firewall rule for each phone/ATA device.
If you use the siproxd package then point the firewall rules to the WAN address of your pfSense box.
-
I have been using pfSense for years to protect VoIP. Nothing beats this with Pf8Blocker. I have never had a NAT issue due to PFS since 2.x; earlier versions did have issues that needed some tunables etc.