PfSense 2.4 and BT Cloud base Phone(Polycom)

Jid

Hi All,
Just installed a New pfsense box(sg-3100) ,everything seems to work well ,apart from the Phones (x5nos.),which stop working after about 20 mins connected .(shows Unregistering )
Created firewall rule to allow all BT Sip and RIP server from outside to inside lan on the WAN and a reverse of this on the LAN side. For all this rules Increase TCP timeout to 300sec
Change NAT to option2 (Manual NAT etc) .
Change the algorithm to Conservative.
Am i missing something , a step by step (or detailed approach ) will be appreciated.
Thanks

stephenw10

Nothing should be required for just phones behind the firewall normally.
Setting the firewall to 'conservative' should help if the phones keep-alive pings have a very long time gap.

Incoming firewall rules generally cannot help unless you are not using NAT.

20mins seems almost like an ARP issue.

Do you see blocked traffic in the firewall log?

What do you do to get the phones to re-register?

Steve

Jid

@stephenw10
Thanks for replying.
All I see in the logs are some BT ip being dropped by the FW hence I created WAN rule.
".. unless you are not using NAT"
Are u saying I should have Portwarding to the phones from the outside??
"20mins seems almost like an ARP issue."
All devices- phones and computers are in same vlan, though a large /8, and it successfully register once the FW is rebooted, then phone, drops off showing "unregistered.
One outside IP by the way.
Thanks

stephenw10

The only way open connections to the phones would be to have port forwards setup to each phone on ports the pbx knows about. That's never going to happen. This sort of setup replies on the phones connecting out to the pbx which can then reply back to the phones via the same connection state. The phones hold that connection open with keep-alive packets if no other traffic is flowing.

It seems that is not happening in your case. For some reason the outgoing state is closing resulting in the firewall hits you see coming in on WAN. And a new state is not being opened.

The phones may not be trying to open it for some reason. Perhaps they are trying to resolve something that's failing.

The traffic from the phones may be being blocked. By Snort/Suricata for example.

The firewall may be opening a state incorrectly and traffic from the phones is using that and never reaching the PBX.

I would take one specific phone, note it's IP and wait for it to lose registration. Then see if it has lost its IP or if it cannot ping out. Run a packet capture on LAN for it's IP and see what it's doing if it's doing anything.

Steve

Jid

Thanks@stephenw10
But do you think pfsense should normally work out of the box in this scenerio i.e. (x5 BT phones in Lan ,SIP in Cloud) ,without ANY pfsense configtn. e.g FW rule ,Portforwarding etc
Will try out your recommendation ,business permitting.

stephenw10

Yes.
The only setting you might need is to set the firewall optimisation to conservative if the keep-alive times are too long. But even that is not usually required for recent phones.

Steve

Jid

@stephenw10
Just a quick update -for some odd reason ,this as now working as expected . Not quite sure what resolved my issue.
anyway thanks for your help.

stephenw10

Hmm, odd. That is what I'd expect though.
Anyway thanks for the update.

Steve

wesleylc1

@Jid Hello how are you?
Were you able to set up your Polycom in pfsense?

stephenw10

There should be nothing special required if it's just phones behind pfSense connecting to an external pbx.

Steve

wesleylc1

@stephenw10
My case is a "polycom VSX 7000" videoconference, I already opened a case in the community, but couldn't find a solution.

stephenw10

Ah, that's completely different then. Please continue this in your other thread.

Steve

Jid

@wesleylc1
There should be nothing to set for basic telephones.