OMG firewall, would you just do as you are told!?



  • Okay so I've been using pfsense for about two years now, got the hang of all the basics, so I thought.

    I'm trying to set up 3CX (VoIP Server) and the firewall test is failing. I've managed to open the ports and this tests okay, but it's not NATing for some reason and I don't know where to look. I've set up plenty of firewall rules and NAT rules so I'm not sure what I'm doing wrong.


  • LAYER 8 Global Moderator

And neither are we without some details.



  • Excellent point!

    I'm trying to forward all sip traffic (TCP/UDP 5060) to the sip server which is at 10.20.60.2.  I started by going to Firewall -> NAT -> Port Forward -> add

then the details are:

    interface: wan
    protocol: tcp/udp
    destination: wan address (I've also tried "This Firewall", didn't fix it.  By the way, what's the difference?)
    destination port range: sip to sip
    redirect target ip: 10.20.60.2 (the 3CX sip server)
    redirect target port: sip
    nat reflection: use system default (by the way, what does this mean?)
    filter rule association: add associated filter rule



  • @pr4499:

    Excellent point!

    I'm trying to forward all sip traffic (TCP/UDP 5060) to the sip server which is at 10.20.60.2.  I started by going to Firewall -> NAT -> Port Forward -> add

then the details are:

    interface: wan
    protocol: tcp/ip
    destination: wan address (I've also tried "This Firewall", didn't fix it.  By the way, what's the difference?)
    destination port range: sip to sip
    redirect target ip: 10.20.60.2 (the 3CX sip server)
    redirect target port: sip
    nat reflection: use system default (by the way, what does this mean?)
    filter rule association: add associated filter rule

    SIP is usually UDP so you probably need to change protocol: tcp/ip



  • That looks like a typo to me, there is no "tcp/ip" option for protocol in port forward options. Assuming "TCP/UDP" is actually selected it makes no difference.

We really would like to see more details of the setup; the rule alone is not enough. Show us the interface setup and whether your pfSense is an edge router or there's another router in front of it.


  • Rebel Alliance Developer Netgate

    Don't forget you probably also need to setup static port outbound NAT for traffic from the PBX. It's not just about inbound traffic.

    And also you'll need to make sure the PBX is putting its real public address in its headers.



  • Yes, typo, was meant to read tcp/udp.  Fixed now.

    This is the rule in question.

    Hey Jimp, I've never had to make such a rule before, why is this needed? Aren't all outbound connections allowed by default?  I tried to make a NAT rule (and automatically added a firewall rule) and changed it a few times and tested, but nothing worked, so I'm not sure about this.

    My network at this site is very simple, I've got pfSense as the only router, and there's just a switch and a wireless AP, that's all.

    The interfaces, again pretty simple.  WAN is PPPoE connection to the ISP using a PCI NIC, LAN is using the onboard NIC.

![2017-04-06 10_44_18-quarantine.launcestonit.com.au - Firewall_ NAT_ Port Forward_ Edit.png](/public/imported_attachments/1/2017-04-06 10_44_18-quarantine.launcestonit.com.au - Firewall_ NAT_ Port Forward_ Edit.png)
    ![2017-04-06 10_44_35-quarantine.launcestonit.com.au - Firewall_ NAT_ Port Forward_ Edit.png](/public/imported_attachments/1/2017-04-06 10_44_35-quarantine.launcestonit.com.au - Firewall_ NAT_ Port Forward_ Edit.png)



  • Anyone able to help here? I've been trying to set this up for 3 days now and I can't get a simple firewall rule to work


  • LAYER 8 Netgate

    Some voip providers are dumb and even if they receive packets sourced from port 54735 (or another randomly-selected port) they return traffic to port 5060 (or something similar). If they do that it will not be passed by the firewall because there is no state.

Static outbound NAT means the source port of the outbound connections is not translated, so if your PBX connects outbound sourced from port 5060, the provider will see a connection from your WAN address on port 5060. You want to limit the scope of this to just VoIP traffic or you will experience seemingly random instances where two connections try to use the same static port and cannot, so one fails.

    Jim was also alluding to the fact that your PBX will tell the provider what IP address to connect back to. Again, some providers are smart and will just use the source IP address they see instead of the one buried in the SIP protocol but some are not. So your PBX should be configured to send the actual outside address in the SIP traffic.

    The VoIP providers, you would think, would have figured out how to describe what it is their services need where NAT is concerned but it often requires packet captures to figure it out.
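The two points made above (jimp's note about static port outbound NAT and the public address in the SIP headers, and the state-table explanation in the post just above) can be seen in a toy model. The following is an added example written for this thread; it is not pfSense or pf code. It models a stateful source-NAT table keyed on the translated port and the remote peer, and shows three things: a provider that answers to 5060 regardless of the source port it saw is dropped under default outbound NAT because no state matches; a static-port rule scoped to the PBX makes that reply match; and enabling static port for every host lets two devices collide on the same port to the same provider, so one fails. A small helper also checks whether a REGISTER's Contact header still carries an RFC 1918 address. The WAN and provider addresses and the REGISTER text are constructed for the example.

```python
# Added illustration, not pfSense or pf code: a toy stateful source-NAT table
# that models the static-port behaviour described in the thread. Only the PBX
# address comes from the thread; the WAN and provider addresses are constructed
# from the RFC 5737 documentation ranges.
import ipaddress
import random
import re
from dataclasses import dataclass

WAN_IP = "203.0.113.10"     # constructed: the pfSense PPPoE WAN address
PROVIDER = "198.51.100.5"   # constructed: the SIP trunk provider
PBX = "10.20.60.2"          # the 3CX server from the thread


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Outbound source NAT with a state table keyed on (ext_port, peer_ip, peer_port)."""

    def __init__(self, static_port_sources=(), seed=1):
        self.static = set(static_port_sources)  # (ip, port) pairs left untranslated
        self.rng = random.Random(seed)          # deterministic "random" high ports
        self.states = {}                        # key -> (internal_ip, internal_port)

    def outbound(self, pkt):
        """LAN->WAN: return the packet as seen on the WAN, or None if NAT fails."""
        if (pkt.src_ip, pkt.src_port) in self.static:
            ext_port = pkt.src_port                   # static port: keep 5060
        else:
            ext_port = self.rng.randint(49152, 65535)  # default: ephemeral port
        key = (ext_port, pkt.dst_ip, pkt.dst_port)
        owner = self.states.get(key)
        if owner is not None and owner != (pkt.src_ip, pkt.src_port):
            return None  # state already belongs to another host: collision, NAT fails
        self.states[key] = (pkt.src_ip, pkt.src_port)
        return Packet(WAN_IP, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """WAN->LAN: deliver only if a matching state exists, else None (dropped)."""
        owner = self.states.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if owner is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, owner[0], owner[1])


def provider_reply(wan_pkt, dumb):
    """A 'dumb' provider answers to 5060 regardless of the source port it saw;
    a well-behaved one answers the port it saw."""
    return Packet(PROVIDER, 5060, WAN_IP, 5060 if dumb else wan_pkt.src_port)


def register(nat, dumb_provider):
    """One REGISTER/response round trip; return the reply the PBX receives, or None."""
    out = nat.outbound(Packet(PBX, 5060, PROVIDER, 5060))
    if out is None:
        return None
    return nat.inbound(provider_reply(out, dumb_provider))


def default_nat(dumb_provider):
    return register(Nat(), dumb_provider)


def static_port_for_pbx(dumb_provider):
    return register(Nat(static_port_sources={(PBX, 5060)}), dumb_provider)


def static_port_everywhere_collides():
    """Static port for every host: a second device also sourcing from 5060 to the
    same provider cannot get a state, so its registration fails."""
    nat = Nat(static_port_sources={(PBX, 5060), ("10.20.60.3", 5060)})
    first = nat.outbound(Packet(PBX, 5060, PROVIDER, 5060))
    second = nat.outbound(Packet("10.20.60.3", 5060, PROVIDER, 5060))
    return first is not None and second is None


RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def contact_advertises_private_ip(sip_message):
    """The other half of the advice: does the Contact header carry an RFC 1918
    address instead of the public one? Returns None if there is no Contact header."""
    m = re.search(r"^Contact:\s*<sip:[^@>]*@([0-9.]+)", sip_message, re.MULTILINE)
    if not m:
        return None
    return any(ipaddress.ip_address(m.group(1)) in net for net in RFC1918)


# Constructed REGISTER fragment as a PBX that has not been told its public address would send it.
BAD_REGISTER = (
    "REGISTER sip:198.51.100.5 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.20.60.2:5060;branch=z9hG4bK-constructed\r\n"
    "Contact: <sip:1001@10.20.60.2:5060>\r\n"
)
GOOD_REGISTER = BAD_REGISTER.replace("@10.20.60.2:", "@203.0.113.10:")

if __name__ == "__main__":
    print("default NAT, dumb provider:", default_nat(True))
    print("static port, dumb provider:", static_port_for_pbx(True))
    print("static port everywhere collides:", static_port_everywhere_collides())
    print("Contact header is private:", contact_advertises_private_ip(BAD_REGISTER))
```

In pfSense terms the fix the model argues for is a Hybrid or Manual outbound NAT rule on WAN with source 10.20.60.2 and source port 5060 only, with Static Port enabled, rather than static port for the whole LAN; the collision case above is what happens when the scope is too wide. The Contact check stands in for a packet capture on WAN: if the header still shows 10.20.60.2, the PBX has not been told its public address.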


  • LAYER 8 Netgate

    @pr4499:

    Anyone able to help here? I've been trying to set this up for 3 days now and I can't get a simple firewall rule to work

    You are misplacing blame on the firewall instead of placing it on your SIP provider where it belongs.

    There is no one right answer. All VoIP is different.

