VoIP .. ATA box not able to register
-
Hi,
I have one ATA box (GrandStream HT-701) and my provider is Much VoIP. It currently works on a SonicWALL TZ-205.
I'm trying to configure my new box with pfSense on it to replicate the whole config. During my tests, I'm not able to find a NAT setting that makes it work. The ATA box is unable to register.
Can someone help with this? I tried the proxy package without Outgoing NAT and Port Forwarding, and I tried NAT without the proxy package.
Thanks for any help.
-
My guess-
Forget NAT.
You need to build some WAN firewall rules.
Allow your SIP server to get to your ATA LAN address.
You will probably have to make RTP rules as well for the audio streams.
Watch your firewall logs to see what's blocked and adjust your rules accordingly.
One of my client WAN rules attached for reference.
-
If that doesn't work you may need an outbound NAT rule for your ATA that makes your SIP port static.
-
I added a Rule on my VoIP Network to Allow Any to Any for Outgoing.
In the WAN Network, I added another Rule to Allow Any to the GrandStream ATA, and it still does not work. At this point, it should at least register. If the Outgoing isn't configured to keep a static Port, it should minimally Register to the SIP server, no? (Yes, big hole, small target. We do this to see something working and then secure it until it breaks something.)
Usually, that approach works fine in about everything I touch, but on this one, out of luck. Any idea?
Maybe a bit more of the network layout…
MODEM - PUBLIC IP -> BELL ROUTER -> DMZ IP with static private IP -> WAN pfSense -> VoIP Network
NOTE: I use Aliases instead of direct TCP/UDP Ports. The Alias for the SIP provider is based on an FQDN, in the Aliases for IP category. Can it be something that doesn't work well in some circumstances? In your customer Rules, you don't use Aliases.. is this for a specific reason?
-
double NAT?
VOIP was never originally designed to work behind a single NAT. It was only hacked into the standard later.
I've seen people that have made it work but I'm not one who has tried. I bid you luck.
"If the Outgoing isn't configured to keep a static Port, it should minimally Register to the SIP server, no?"
If the SIP server is looking for 5060 only and you do not show up as 5060 then no it will not work. Most VOIP providers these days do not limit your port this way but yours might.
"NOTE: I use Aliases instead of direct TCP/UDP Ports. The Alias for the SIP provider is based on an FQDN, in the Aliases for IP category. Can it be something that doesn't work well in some circumstances? In your customer Rules, you don't use Aliases.. is this for a specific reason?"
Yea- doing it my way is easier and I can go review very quickly. But if you truly have no firewall rules in the way right now then trying a static port is the next step.
-
Hi,
I was working with SonicWALL in the same network layout. Double NAT, yes, maybe, but the first one does nothing. It's the cheap mandatory router from Bell in Canada, province of Quebec. We have to keep it for 'Fiber TV' (and their IP phone, but I don't use it due to the cost).
But the good news.. I followed the instructions by doing regular firewall rules like I did before without result… but this time, I didn't use Aliases. I put direct IPs and Ports into the Rule. I also cleared the State table because it looks to be a must when changing rules/NAT.
It works fine and pfSense keeps its place for now! Compared to SonicWALL, the interface is nice to work with. Aliases are a bit painful to use and we don't have the grouping option. Protocol is not in Aliases like on SonicWALL… Like I did, a group for PS3 that contains all TCP and UDP ports, and we set a rule for the PS3 object group instead of using multiple Rules for a single item, if you understand what I mean.
Thanks a lot for your help.
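
Added example, not part of the thread: one way to check the "do you show up as 5060" question from the replies above is to read the NAT states for the ATA and see whether outbound NAT kept or rewrote the SIP source port. It assumes IPv4 UDP SIP on port 5060 and state lines in the layout printed by `pfctl -ss`; the interface names, addresses and the function names `sample_states` and `sip_nat_ports` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). All addresses are constructed samples.

# Constructed sample in the layout printed by `pfctl -ss` for NAT'd states:
#   IFACE PROTO NAT_SRC:PORT (LAN_SRC:PORT) -> DST:PORT STATE
sample_states() {
    cat <<'EOF'
igb1 udp 192.168.10.20:5060 -> 198.51.100.10:5060 MULTIPLE:MULTIPLE
igb0 udp 192.168.2.10:31844 (192.168.10.20:5060) -> 198.51.100.10:5060 MULTIPLE:MULTIPLE
igb0 udp 192.168.2.10:5060 (192.168.10.30:5060) -> 198.51.100.10:5060 MULTIPLE:MULTIPLE
igb0 tcp 192.168.2.10:50111 (192.168.10.20:49822) -> 203.0.113.7:443 ESTABLISHED:ESTABLISHED
EOF
}

# sip_nat_ports ATA_IP
# Reads state lines on stdin and prints, for every NAT'd UDP state that the
# ATA opened from port 5060: "<SIP server:port> <source port seen on WAN> <verdict>"
# verdict is "static" when the WAN-side source port is still 5060,
# "rewritten" when outbound NAT replaced it with a random port.
sip_nat_ports() {
    awk -v ata="$1" '
        # Only NAT-translated UDP states have the "(LAN:PORT)" field before "->"
        $2 == "udp" && $5 == "->" {
            inner = $4
            gsub(/[()]/, "", inner)       # "(192.168.10.20:5060)" -> "192.168.10.20:5060"
            split(inner, lan, ":")        # lan[1] = LAN address, lan[2] = LAN port
            split($3, wan, ":")           # wan[2] = source port after NAT
            if (lan[1] == ata && lan[2] == "5060") {
                verdict = (wan[2] == "5060") ? "static" : "rewritten"
                print $6, wan[2], verdict
            }
        }'
}

# Demo on the constructed sample; on the firewall itself the input would be:
#   pfctl -ss | sip_nat_ports <ATA LAN address>
sample_states | sip_nat_ports 192.168.10.20
```

States created before a rule or NAT change keep their old translation, so the check is only meaningful after the state table has been cleared and the ATA has tried to register again.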