Using Obihai ATAs with pfSense.
-
I have two VoIP ATAs that work fine when connected to the internet through a 3G gateway. (Obi-110 and Obi-202 with Tp-Link MR3020 & Rooter firmware). I was also able to use these ATAs on my alternate satellite gateway, that is until a few months ago, when I upgraded the router to pfSense (2.3.2-RELEASE-p1 (amd64) on nanobsd (4g)).
Since that upgrade my ATAs will no longer register with SIP (at Telecube and SIPTalk) through the pfsense gateway. The alternate 3G gateway continues to allow registration fine. However the pfSense gateway happily allows SIP registrations when using the softphone Android app Csipsimple, but not the Obihai ATAs.I have attempted to apply the steps in https://doc.pfsense.org/index.php/VoIP_Configuration without success. I am hoping someone might have suggestions on how to troubleshoot this further.
-
You should follow this: https://doc.pfsense.org/index.php/PBX_VoIP_NAT_How-to
-
I have attempted to apply the steps in https://doc.pfsense.org/index.php/VoIP_Configuration without success. I am hoping someone might have suggestions on how to troubleshoot this further.
You tried the SIProxd package? On my Linksys ATA's there is an option for an "Outbound Gateway" which I set to the LAN ip address of my pfSense box when using SIProxd.
Ive never used the Obi devices so I can't help you with their individual configs. But can you see any evidence of them being blocked in your firewall logs?
Im not sure how they wouldn't at least register with the external server for a little bit..
Have you set the TFTP proxy to their LAN interface? System/Firewall&NAT/TFTP Proxy
Don't those devices go out to an external TFTP server for their config??
-
You should follow this: https://doc.pfsense.org/index.php/PBX_VoIP_NAT_How-to
Not sure Id even read that doc in this case.
Its not relevant.
-
Many thanks chpalmer for your take on my problem. Would I be right in concluding that Wolf666’s suggestion may not bear fruit because the process of just registering with my VSP does not rely on voip protocols?
It’s going to take some time for me to work through your suggestions but I will do that. In the mean time I have done packet captures for a failed registration attempt with the Obi, followed by a successful registration with CsipSimple.
[Obi-202: Fails to Register]
09:30:49.252090 9c:ad:ef:22:40:67 > 00:0d:b9:41:e0:6d, ethertype IPv4 (0x0800), length 607: (tos 0x68, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 593)
192.168.10.182.5060 > 103.193.167.58.5060: [udp sum ok] SIP, length: 565
REGISTER sip:sip.siptalk.com.au:5060 SIP/2.0
Call-ID: 355a9fc6e02685f8@192.168.10.182
Content-Length: 0
CSeq: 5256 REGISTER
From: sip:1051958@sip.siptalk.com.au;tag=SP1663a1b8f3edea75b
Max-Forwards: 70
To: sip:1051958@sip.siptalk.com.auVia: SIP/2.0/UDP 192.168.10.182:5060;branch=z9hG4bK-7d57ac5a;rport
User-Agent: OBIHAI/OBi202-3.1.0.5264
Contact: sip:1051958@192.168.10.182:5060;expires=60;+sip.instance="urn:uuid:00000000-0000-0000-0000-9cadef224067"
Allow: ACK,BYE,CANCEL,INFO,INVITE,NOTIFY,OPTIONS,PRACK,REFER,UPDATE
Supported: replaces[CSipSimple: Succeeds to Register]
09:38:46.572372 34:aa:8b:0d:d5:9c > 00:0d:b9:41:e0:6d, ethertype IPv4 (0x0800), length 630: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 616)
192.168.10.103.5060 > 103.193.167.58.5060: [udp sum ok] SIP, length: 588
REGISTER sip:sip.siptalk.com.au SIP/2.0
Via: SIP/2.0/UDP 192.168.10.103:5060;rport;branch=z9hG4bKPjtQ-T4NBzIly5dT1No-.vvmV4gzW0uE6w
Max-Forwards: 70
From: "xxxxxxxx" sip:1051958@sip.siptalk.com.au;tag=EVumNK9EHEXfzh.8q2JFA.AcMRRFFDyj
To: "xxxxxxxx" sip:1051958@sip.siptalk.com.auCall-ID: 2-VUg0f8v9W5KTtiAl74J9sZqFQPvy8-
CSeq: 57666 REGISTER
User-Agent: CSipSimple_lt02wifi-19/r2457
Contact: "82943083" sip:1051958@192.168.10.103:5060;obExpires: 900
Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
Content-Length: 0</sip:1051958@192.168.10.103:5060;ob></sip:1051958@sip.siptalk.com.au></sip:1051958@sip.siptalk.com.au></urn:uuid:00000000-0000-0000-0000-9cadef224067></sip:1051958@192.168.10.182:5060></sip:1051958@sip.siptalk.com.au></sip:1051958@sip.siptalk.com.au> -
I am sorry about your problems with the OBi ATA, and I may not have anything to offer that fixes your problem. But I do want to comment that I too have an OBi 202, which works perfectly with pfSense 2.3.2 since install a few weeks ago.
I did not have to install any additional packages or do substantial configuration to make it work. So it should be something minor on your end, there is nothing fundamentally wrong.
My previous firewall had a manual outbound configuration and I had to allow the voip port (5060) through the firewall. I have pfSense setup for automatic outbound NAT so that no further holes needed to be poked. This is something you may want to check.
The voip traffic does cause false positives in snort and I had to add a snort bypass for the external voip server. Since you are using nano pfSense, I assume you are not using snort so that this is not the issue.
Good luck!
-
Have you set the TFTP proxy to their LAN interface? System/Firewall&NAT/TFTP Proxy
Don't those devices go out to an external TFTP server for their config??
OBi devices must initially be setup through their website, especially if you use Google Voice like I do along with voip.ms. However, once setup you can break the connect to their configuration service and configure the device via http just like a router. I did not want OBi to access my ATA, so I disconnected from the OBi configuration service and changed the password locally.
I reconfigured the device to use a static IP, 192.168.2.70, with netmask 255.255.255.0 and use the pfsense gateway, 192.168.2.1.
-
Thanks again chpalmer, and wolf666 and revengineer for your feedback. It seems that loading the siproxd package has resolved my problem. The Obi202 now registers with my provider and all seems good.
Three observations might bear reporting:
• CsipSimple soft phone did register from behind pfSense without need of siproxd.• I have got to this point without connecting to the Obi server.
• My Obi110 was having the same issues with pfSense and I expect that these will also be addressed by siproxd, though I have not confirmed this yet.
Thanks also to everyone in the pfSense community who make this forum possible, it rocks.
-
Cool!
Would I be right in concluding that Wolf666’s suggestion may not bear fruit because..
That document seems to only deal with inbound towards a PBX server.
If you end up with issues such as one way audio or phone calls going to VM immediately, keep in mind that if you need to make inbound firewall rules to point them at your "WAN address".. (SIProxd) or client LAN address (no SIProxd).
I personally like SIProxd when I have more than one SIP device on a given network. Makes less work for me. But should be possible without it.
With "normal" voip there should Never be a reason to port forward to the client device(s). Although firewall rules might be needed you can make inbound rules on the WAN interface that points to each device(without SIProxd)(or a small subnet of devices if you choose) which will allow the SIP server to reach your device at will. (source- SIP Server destination- your sip client or device(s)). (with SIProxd- source- SIP server destination- WAN address.)