VoIP SIP phone line keeps stopping behind pfsense



  • I have connected a pfSense firewall to the Internet and an Optus Sagemcom F@ST 3864AC Router to the LAN of the pfSense firewall. I have forwarded ports SIP 5060 and RTP 40000 to 60000 to the Optus Sagemcom with a static DHCP lease.

    The phone line keeps going to sleep. I try to make a call and it fails, then I try again and it wakes up and works, then a few minutes later it goes back to sleep. Also, incoming calls stop working when it goes to sleep.

    I also don't get a ping response from the Sagemcom Router WAN.

    I tried following these guides and now outgoing calls work, but incoming calls are still not working.

    https://doc.pfsense.org/index.php/PBX_VoIP_NAT_How-to

    https://doc.pfsense.org/index.php/VoIP_Configuration

    Thanks.



  • Hello Syrio
    I have STUN, SIP and RTP forwarded in my personal VOIP at home with sipgate and it has worked like a charm for 6 months. FW is an SG2220 and an AVM Fritz!Box 7290.
    Maybe yours is using a proxy or tunneling as well? AFAIR I was told that RTP does not need to be forwarded because your VOIP system is doing the outcall, so no extra forwarding is needed; I did it anyway and even have an incoming IP limit on the rule.
    Cheers
    Michael

    P.S.: Why not switch on individual logging for the fw rules (and the block rule...) and watch what happens there?



  • Remember that VOIP was never originally intended to be behind NAT. Not until it began being used in residential type environments. NAT was an afterthought and was band-aided to the SIP standard later.

    That said, many different methods are used by providers today. Vonage was sued for patent infringement and still pays to this day. Other VOIP providers have that worry as well, so they don't all do things alike. This can make configuring an experiment at times for the user.

    But you should never have to port forward anything to your ATA. NAT information is already in the SIP header. When we set up VOIP for ourselves and customers we simply build firewall rules on the WAN to allow the SIP server and RTP streams access to the ATA devices. Rarely have we ever done static port, but it doesn't hurt.



  • Gargoyle worked fine with this. It is just pfSense doing something and I am finding it a confusing layout and very difficult to find information on what is happening.

    Maybe it is something pfSense does with NAT that is different to other routers I suspect. I really need this to work but don't know how to even see what is going on between the VoIP SIP router and pfSense.



  • pfSense is a stateful firewall and will block what it sees as unsolicited traffic. I have many installs all over the place with VOIPO ATAs behind them working just fine.

    Like I mentioned: build firewall rules on your WAN to your ATA from your SIP server(s).



  • I'll second chpalmer. I have WAN firewall rules for the SIP and RTP ports my two phones (one Panasonic, one Polycom) use when the connection is originating from my VoIP provider's IP address ranges, and I've never had any issues.

    I'm fortunate that my provider has a support article detailing the address ranges they use, so I was able to set them up. I'm also fortunate that the two phones don't have overlapping default RTP port ranges… though I could probably adjust them anyway. I did have to change the SIP port for one of them though. :)
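
Added example, not part of any post above: one way to act on the suggestions to log the firewall rules and to allow the SIP server and RTP streams on the WAN is to tally inbound SIP/RTP log entries by source. The provider range, all addresses and the log lines are constructed, and the CSV field positions assume pfSense's raw filterlog layout for IPv4/UDP entries.

```python
import csv
import ipaddress
from collections import Counter

# Assumptions (not from the thread): provider range, all addresses, log lines.
PROVIDER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
SIP_PORT = 5060
RTP_PORTS = range(40000, 60001)  # the range the original poster forwarded

# Constructed filterlog CSV payloads (text after the syslog "filterlog:" tag).
SAMPLE_LOG = """\
4,,,1000000103,igb0,match,block,in,4,0x0,,52,1001,0,none,17,udp,520,198.51.100.10,192.0.2.1,5060,5060,500
4,,,1000000103,igb0,match,block,in,4,0x0,,52,1002,0,none,17,udp,200,198.51.100.10,192.0.2.1,16384,40012,180
70,,,1500000001,igb0,match,pass,in,4,0x0,,52,1003,0,none,17,udp,520,198.51.100.10,192.168.1.50,5060,5060,500
4,,,1000000103,igb0,match,block,in,4,0x0,,48,1004,0,none,17,udp,430,203.0.113.77,192.0.2.1,5071,5060,410
4,,,1000000103,igb0,match,block,in,4,0x0,,48,1005,0,DF,6,tcp,60,203.0.113.77,192.0.2.1,44321,443,0,S,123,,64240,,mss
"""

def classify(line):
    """Return (action, service, origin) for inbound IPv4 UDP SIP/RTP, else None."""
    f = next(csv.reader([line]), [])
    if len(f) < 23 or f[7] != "in" or f[8] != "4" or f[16] != "udp":
        return None
    action, src, dport = f[6], ipaddress.ip_address(f[18]), int(f[21])
    if dport == SIP_PORT:
        service = "sip"
    elif dport in RTP_PORTS:
        service = "rtp"
    else:
        return None
    origin = "provider" if any(src in n for n in PROVIDER_NETS) else "other"
    return action, service, origin

def summarize(log_text):
    """Count log entries per (action, service, origin)."""
    keys = (classify(l.strip()) for l in log_text.splitlines() if l.strip())
    return Counter(k for k in keys if k)

def provider_blocked(counts):
    """Blocked provider packets mean no WAN rule or state matched them."""
    return sum(n for (action, _, origin), n in counts.items()
               if action == "block" and origin == "provider")

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
```

A non-zero `provider_blocked` count while calls fail means the provider's traffic is reaching the WAN and being dropped there; blocked entries from other sources on port 5060 are expected and should stay blocked.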

