Single Phone no RTP
-
I have a single phone that connects to my office in Houston. SIP registers fine. Yes, I have tried nearly everything from the forums, and even siproxd as well.
I am sure it's still pfSense's determination to change port numbers on NAT. Forgive me, as I feel like a damn noob on pfSense, but I'm willing to learn.
I have attached screenshots and a pcap. Please help. Thank you.
packetcap.pcap
-
Edit: I'm a bit blind tonight, it seems. I see your port forward now that should cover RTP. Are you sure that covers your actual RTP ports?
Some VoIP providers proxy the RTP traffic, such as Vonage. Others, such as Voipo (my carrier), will let the carrier connect direct or proxy depending on needs.
When the carrier tries to connect direct, the firewall sees it as unsolicited traffic and tends to block it.
You probably need to make some WAN rules for your carrier IPs so they can reach your phone device. I generally make some phone calls and then watch the firewall logs and see which IPs are trying to make an RTP connection inbound. Then base WAN rules on that.
You can test this by making a WAN rule that looks like: UDP, allow any IP, any port, destination (your ATA LAN IP), ports (whatever your ATA is programmed for).
Once you figure out your RTP servers, then use those addresses as "source".
With siproxd you would point the destination as your WAN address.
Picture as example.
-
Another thing: SIP is usually UDP unless your provider tells you otherwise. I don't like using port forward on any SIP service designed for home/home office, as it really is usually unnecessary and lets others reach your box too easily. The ATA/phone reports its place behind NAT to the SIP server. An inbound firewall rule is usually sufficient. Plus, it is a good idea to limit access of your ATA to your external SIP provider's server and not leave it wide open.
Then again, I've got my VoIP devices segregated on another LAN subnet away from my primary LAN.
-
OK, I was able to get into my phone server at the office and I see that my phone is registered with my local LAN IP vs my public WAN … is that pfSense sending that?
-
No. It's your phone/pbx.
Ask your phone system vendor what they need out of NAT in your situation, get an answer, come back and let us know what they said, and we can try to make pfSense do what they need.
It sounds like you need to flip a switch in your PBX that tells it to use the address traffic is actually arriving from in the registration instead of what your phone is sending in SIP.
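
The mismatch this reply describes, as an added example that is not part of the original thread: it parses a REGISTER and compares the address the phone advertises in Contact with the source address and port the packet arrives from after NAT. The sample message, the addresses, the rewritten port 31544 and all function names are constructed for illustration; IPv6 and folded headers are not handled.

```python
import ipaddress
import re

# Constructed sample: a REGISTER as a phone behind NAT might send it.
SAMPLE_REGISTER = (
    "REGISTER sip:pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "From: <sip:201@pbx.example.com>;tag=49583\r\n"
    "To: <sip:201@pbx.example.com>\r\n"
    "Call-ID: 843817637684230@192.168.1.50\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:201@192.168.1.50:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
COMPACT = {"m": "contact", "v": "via"}  # RFC 3261 compact header names
CONTACT_RE = r"sips?:(?:[^@\s>]+@)?([^\s;:>]+)(?::(\d+))?"  # IPv4 or hostname
VIA_RE = r"SIP/2\.0/\w+\s+([^\s;:]+)(?::(\d+))?"
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def headers(raw):
    """Map lowercased header names to their values (request line skipped)."""
    out = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        out.setdefault(COMPACT.get(key, key), []).append(value.strip())
    return out

def host_port(text, pattern):
    m = re.search(pattern, text, re.I)
    return (m.group(1), int(m.group(2) or 5060)) if m else None

def is_rfc1918(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname (e.g. a dynamic DNS name), not an IP literal
    return any(ip in net for net in RFC1918)

def nat_report(raw, src_ip, src_port):
    """Compare the advertised Contact with the observed packet source.
    effective_binding is what a NAT-aware registrar would store."""
    h = headers(raw)
    contact = host_port(h["contact"][0], CONTACT_RE)
    differs = contact != (src_ip, src_port)
    return {"contact": contact,
            "via": host_port(h["via"][0], VIA_RE),
            "contact_is_rfc1918": is_rfc1918(contact[0]),
            "contact_differs_from_source": differs,
            "effective_binding": (src_ip, src_port) if differs else contact}
```

Calling `nat_report(SAMPLE_REGISTER, "203.0.113.10", 31544)` reports an RFC 1918 Contact that differs from the source, which is the case where the registrar has to use the observed address and port for the phone to be reachable.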
-
I solved it (sort of). On my phone server I put in my WAN IP for registration vs my DynDNS host (it's always worked in the past). The dyn host is resolving to the same WAN IP, but for some reason the phone system is deciding to pull my LAN IP when I am using DynDNS in the phone system … oh well, odd issue for another day.
I did go out and rip out all of the specific rules as well; phone works like a champ.
Next mission: set up my SIP trunks on my hobby Asterisk box (hopefully that won't break my work phone lol).