PfSense 2.4 and BT Cloud base Phone (Polycom)



  • Hi All,
    Just installed a new pfSense box (SG-3100). Everything seems to work well, apart from the phones (x5 nos.), which stop working after about 20 mins connected (shows Unregistering).
    Created a firewall rule to allow all BT SIP and RIP servers from outside to the inside LAN on the WAN, and a reverse of this on the LAN side. For all these rules, increased TCP timeout to 300 sec.
    Changed NAT to option 2 (Manual NAT etc.).
    Changed the algorithm to Conservative.
    Am I missing something? A step-by-step (or detailed) approach will be appreciated.
    Thanks


  • Netgate Administrator

    Nothing should be required for just phones behind the firewall normally.
    Setting the firewall to 'conservative' should help if the phones' keep-alive pings have a very long time gap.

    Incoming firewall rules generally cannot help unless you are not using NAT.

    20mins seems almost like an ARP issue.

    Do you see blocked traffic in the firewall log?

    What do you do to get the phones to re-register?

    Steve



  • @stephenw10
    Thanks for replying.
    All I see in the logs are some BT IPs being dropped by the FW, hence I created the WAN rule.
    ".. unless you are not using NAT"
    Are you saying I should have port forwarding to the phones from the outside?
    "20mins seems almost like an ARP issue."
    All devices - phones and computers - are in the same VLAN, though a large /8, and it successfully registers once the FW is rebooted, then the phone drops off showing "unregistered".
    One outside IP by the way.
    Thanks


  • Netgate Administrator

    The only way to open connections to the phones would be to have port forwards set up to each phone on ports the PBX knows about. That's never going to happen. This sort of setup relies on the phones connecting out to the PBX, which can then reply back to the phones via the same connection state. The phones hold that connection open with keep-alive packets if no other traffic is flowing.

    It seems that is not happening in your case. For some reason the outgoing state is closing resulting in the firewall hits you see coming in on WAN. And a new state is not being opened.

    The phones may not be trying to open it for some reason. Perhaps they are trying to resolve something that's failing.

    The traffic from the phones may be being blocked. By Snort/Suricata for example.

    The firewall may be opening a state incorrectly and traffic from the phones is using that and never reaching the PBX.

    I would take one specific phone, note its IP and wait for it to lose registration. Then see if it has lost its IP or if it cannot ping out. Run a packet capture on LAN for its IP and see what it's doing, if it's doing anything.

    Steve
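
An added example, not part of the thread or of pfSense: one way to check a LAN packet capture for the situation described above, where traffic on a phone's flow to the PBX is spaced further apart than the firewall keeps an idle state. The capture lines are constructed in the shape of `tcpdump -tt -n` output, and the 60-second timeout is an assumed value to replace with the one your firewall actually uses.

```python
import re

# Matches `tcpdump -tt -n` text lines: epoch timestamp, then src.port > dst.port
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def idle_gaps(lines, phone_ip, state_timeout):
    """Return (flow, gap_start, gap_end, seconds) for each idle period on a
    phone's flow that lasted longer than state_timeout seconds.

    A flow is (phone_port, remote_ip, remote_port). Packets in either
    direction count, because either direction refreshes the firewall state.
    """
    last_seen = {}
    gaps = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an IPv4 line with ports; ignore
        ts = float(m["ts"])
        if m["src"] == phone_ip:
            flow = (int(m["sport"]), m["dst"], int(m["dport"]))
        elif m["dst"] == phone_ip:
            flow = (int(m["dport"]), m["src"], int(m["sport"]))
        else:
            continue  # traffic of another host
        prev = last_seen.get(flow)
        if prev is not None and ts - prev > state_timeout:
            gaps.append((flow, prev, ts, round(ts - prev, 3)))
        last_seen[flow] = ts
    return gaps

# Constructed sample capture (addresses from documentation ranges).
SAMPLE = """\
1000.000000 IP 10.0.0.21.5060 > 203.0.113.10.5060: UDP, length 520
1000.050000 IP 203.0.113.10.5060 > 10.0.0.21.5060: UDP, length 480
1030.000000 IP 10.0.0.21.5060 > 203.0.113.10.5060: UDP, length 4
1060.000000 IP 10.0.0.21.5060 > 203.0.113.10.5060: UDP, length 4
1180.000000 IP 10.0.0.21.5060 > 203.0.113.10.5060: UDP, length 4
1180.040000 IP 10.0.0.22.5060 > 203.0.113.10.5060: UDP, length 4
""".splitlines()

if __name__ == "__main__":
    ASSUMED_TIMEOUT = 60  # assumption: substitute the firewall's real idle timeout
    for flow, start, end, secs in idle_gaps(SAMPLE, "10.0.0.21", ASSUMED_TIMEOUT):
        print(f"flow {flow}: idle {secs}s between {start} and {end}")
```

A flagged gap means the state may already have expired when the next packet arrived; no flagged gaps points the investigation toward the other causes listed in the post.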



  • Thanks @stephenw10
    But do you think pfSense should normally work out of the box in this scenario, i.e. (x5 BT phones in LAN, SIP in cloud), without ANY pfSense configuration, e.g. FW rule, port forwarding etc.?
    Will try out your recommendation, business permitting.


  • Netgate Administrator

    Yes.
    The only setting you might need is to set the firewall optimisation to conservative if the keep-alive times are too long. But even that is not usually required for recent phones.

    Steve



  • @stephenw10
    Just a quick update - for some odd reason, this is now working as expected. Not quite sure what resolved my issue.
    Anyway, thanks for your help.


  • Netgate Administrator

    Hmm, odd. That is what I'd expect though.
    Anyway thanks for the update. 👍

    Steve