1:1 NAT to a VOIP/SIP Router



  • Here is my setup:

    Site A:

    Internet connection:
    5 Static IPs
    Gateway: 100.100.100.1
    IPs: 100.100.100.2 - 6

    pfsense Router:
    WAN IP: 100.100.100.2
    WAN VIP: 100.100.100.3
    LAN IP: 192.168.1.1
    1:1 NAT: 100.100.100.3 -> 192.168.1.5
    WAN Rules: Allow all traffic to destination 192.168.1.5
    Outbound Hybrid NAT: On WAN, Source: 192.168.1.5/32, Translate: 100.100.100.3, Static Port

    Site B:

    VOIP/SIP Router:
    WAN IP: 192.168.1.5
    LAN IP: 10.10.10.1/24
    The router also has a field for "Public IP" where I have put 100.100.100.3, which I assume is used for accurately NATing the phones on the 10.10.10.0/24 interface.

    SiteA and SiteB are connected via an Antenna bridge, which exists at 192.168.1.2 and 192.168.1.3.

    Anyway, it's not working.  I can ping the VOIP/SIP router at 100.100.100.3, and the router is able to communicate with other remote VOIP/SIP and establish a "relationship".  However, incoming and outgoing calls do not work.

    So I'm assuming this is some VOIP weirdness.  Can anyone give me some clues?  I thought that using a 1:1 NAT solution would make things easier, since I assume that pfSense minimally messes with the packets, but it is still breaking something with regards to VOIP.



  • Pic for clarity (all IPs are intentionally obfuscated)




  • No specific guidance other than to check the state table setting as indicated below:

    https://doc.pfsense.org/index.php/VoIP_Configuration

    https://doc.pfsense.org/index.php/PBX_VoIP_NAT_How-to


  • Netgate

    Looks pretty straightforward. The only thing that might need to happen is some static NAT port on the outbound NAT.

    Your SIP provider would be the one with what is needed there.

    If THEY can tell you what has to happen for THEIR service to work we can probably tell you how to make pfSense do that.

    Your diagram does not show:

    Where the PBX is (if any)
    Where the phones are (if any)
    Where the SIP trunks are (if any)

    Too much guessing to be able to make a determination as to what might be wrong.

    People need to realize that there is no "VoIP." They are all different and your SIP/PBX PROVIDER is the one who should know what needs to happen. Not necessarily how to make pfSense do it, but at least what pfSense needs to do.



  • @Derelict:

    Your SIP provider would be the one with what is needed there.

    I am the SIP provider. This is a completely internal deployment.  I have various sites and at each site there is a PBX/VOIP/SIP router which communicate amongst themselves to provide seamless intersite communication.

    Your diagram does not show:

    Where the PBX is (if any)

    The VOIP/SIP Router is the local PBX.  I thought that would be self explanatory.

    Where the phones are (if any)

    Phones are on a VLAN (10.10.11.0/24) on the LAN (10.10.10.0/24).  However, I'm not sure this is relevant as my primary problem is with the communication between my local and remote PBX servers, which I'm not sure is relevant to the location of the client phones. I'll explain further below:

    Where the SIP trunks are (if any)

    There are no onsite, or indeed off-site lines here.  I'm simply trying to get intersite (extension to extension) calling working.

    People need to realize that there is no "VoIP." They are all different and your SIP/PBX PROVIDER is the one who should know what needs to happen. Not necessarily how to make pfSense do it, but at least what pfSense needs to do.

    I'll explain some more details.  The VOIP system I'm using is an Allworx brand solution.  The process for creating a link between sites is fairly straightforward and I have it working at 7 sites globally.  One site has a "master" controller PBX.  Every other site must join to this master site, but after that the master provides info about all the other slave sites to each slave, and so the slaves maintain direct and independent communication with each other even if the master site goes offline (mesh network topology).

    The process for joining is simple.  You input the master site's IP into the slave site and a join request is issued.  You then login to the master site and accept the request and everything else is automatic.

    The status screen for the multisite network shows an Inbound and Outbound link status for each remote site relative to each local site.  There are three possible statuses for each link: pending (no response received), syncing (communication in process), and active (all good).

    From the slave site (in my diagram), I am able to successfully join to the master, and both directions show active links, but internal site to site calls do not work.  However, the slave site fails to sync with any of the other slaves.  All outbound links to the other slaves show as active, while all inbound links remain as pending.  This is what indicates to me that there is an issue with the routing that does not involve the local client phones directly.