problems unblocking my sip provider



  • So I barely use my "land line" except for outgoing calls, and they have mostly worked for me, but I haven't been able to receive incoming calls since I switched to pfSense. (Not such a bad thing, no telemarketers.) The reason it's turned into a problem is that my outgoing calls that last longer than 15 minutes get cut, I think, by pfSense.

    Tonight I had the idea to use Wireshark, worked out the packet capturing and discovered the external IP address of the SIP server. I have now worked out Snort was blocking the incoming packets as an unknown SIP.
    I unblocked the IP in Snort and now it's being blocked by the default deny rule.

    I have added the IP and all the relevant sockets to the pass lists on the WAN interface but it's still being denied by the block rule...

    [screenshot]

    [screenshot]

    Is this just me getting the syntax incorrect, or is there something else I need to change?


  • Galactic Empire

    @randomaustralian said in problems unblocking my sip provider:

    ave added the IP and all the relevant sockets to the pass lists on the WAN interface but it's still being denied by the block rule.

    Try killing the firewall states.



  • @nogbadthebad said in problems unblocking my sip provider:

    @randomaustralian said in problems unblocking my sip provider:

    ave added the IP and all the relevant sockets to the pass lists on the WAN interface but it's still being denied by the block rule.

    Try killing the firewall states.

    That does not appear to have helped; a reboot did nothing either.


  • Galactic Empire

    What's with the top rule?

    You are passing everything from Telstra to 10.0.0.150

    inetnum: 58.160.0.0 - 58.175.255.255
    netname: TELSTRAINTERNET42-AU
    descr: Telstra Internet
    descr: Locked Bag 5744
    descr: Canberra
    descr: ACT 2601
    country: AU
    org: ORG-TC6-AP
    admin-c: TIAR-AP
    tech-c: TIAR-AP
    remarks: -----
    remarks: All reports regarding SPAM or security breaches
    remarks: should be addressed to abuse@telstra.net
    remarks: ------
    status: ALLOCATED PORTABLE
    mnt-by: APNIC-HM
    mnt-lower: MAINT-AU-TIAR-AP
    remarks: --------------------------------------------------------
    remarks: To report network abuse, please contact mnt-irt
    remarks: For troubleshooting, please contact tech-c and admin-c
    remarks: Report invalid contact via www.apnic.net/invalidcontact
    remarks: --------------------------------------------------------
    mnt-irt: IRT-TELSTRA-AU
    last-modified: 2017-09-26T23:28:48Z
    source: APNIC

    FYI I've sat on conf calls for hours and not been cut off, don't think it's a pfSense issue.



  • @nogbadthebad
    Telstra is my SIP provider. I started off with only the single IP address that I was tracking, then added the entire network because the IP address that was sending me SIP packets kept changing.

    On my previous firewall I only had to open the ports and the SIP connections worked perfectly, but pfSense keeps auto-blocking the Telstra IP addresses.


  • Galactic Empire

    The connection should originate from the phone; I'm surprised you need any rules on the WAN interface.

    I use a SIP phone and don't require any rules on the WAN interface.

    https://docs.netgate.com/pfsense/en/latest/nat/configuring-nat-for-voip-phones.html?highlight=voip

    Maybe try installing Siproxd

    https://docs.netgate.com/pfsense/en/latest/packages/siproxd-package.html

    Out of interest, does the WAN interface have an RFC 1918 IP address?

    https://www.netgate.com/resources/videos/firewall-best-practices-for-voip-on-pfsense.html


  • Netgate Administrator

    Hmm, yeah if you just have a phone I would not normally expect anything to be required. Some providers might require static outbound NAT.

    I assume you have port forwards in place for all those ports? Those don't look to have been added automatically by the port forwards though.

    What happens if you have none of those rules enabled? Does the phone register?

    15 mins sounds like a state timeout of some sort. Try setting the 'Firewall Optimization' to Conservative in System > Advanced > Firewall & NAT if you have not already done so.

    Steve



  • @nogbadthebad & @stephenw10

    connection should originate from the phone

    Outbound connections do work, inbound ones don't.

    On my previous firewall (IPFire) I had to put in exceptions for those ports or incoming didn't work. With pfSense the packets are still coming up as blocked in the logs.

    I'll try Siproxd.


  • Netgate Administrator

    Hmm, curious. How do Telstra expect this to work? Do they supply their own router with SIP ALG included?

    What you're describing is well beyond the ability of the average user...



  • @stephenw10

    I got it to work easily enough last time. I have used a 3rd party router since I got FTTP NBN cause it's all PPPoE. They don't at all support what I'm doing. I'm putting my ISP supplied router behind my 3rd party router so I can still use all the ISP features that require my ISP supplied router to be used.

    But I think pfSense is more secure than IPFire. Even when I try to allow the ports and IP addresses in my firewall rules I still can't get incoming calls to work.


  • Galactic Empire

    Double NAT is the issue then.



  • @nogbadthebad said in problems unblocking my sip provider:

    Double NAT is the issue then.

    Not at all.

    I'm not connecting anything through the supplied router... it's just sitting on my network like any other device. And the WiFi on it does work on my phone, so it can't be a double NAT issue. At least it wasn't a problem previously.

    I'm just using it like a WiFi hotspot and a SIP device.


  • Galactic Empire

    Have a look at a SIP packet from a packet capture from pfsense.



  • @nogbadthebad said in problems unblocking my sip provider:

    Maybe try installing Siproxd

    I don't think this is my solution, as this seems to be a server that runs SIP on my LAN, when I already have a stand-alone box that does it.


  • Netgate Administrator

    I agree, capture some SIP packets and see what's happening.

    Sounds like it's registering its internal IP maybe, or something similar. SIProxd might actually help if that is the case.

    Steve



  • Insert the :rolleys: smiley here.. SIP was not originally designed to be behind NAT!

    It was written in later when services such as Vonage and a couple earlier started to look at the residential market. And it does not work all that well.. Double NAT is not in the spec. If you try, you're on your own.

    In the SIP header you will find (normally) your NATted address. Yes. Building a WAN firewall rule will help in some cases depending on the carrier. Sometimes you need to pay attention to your states when you try to make a call and see what carrier your device is connecting to. SIP from your provider.. RTP from the carrier they use. It is truly a case by case basis.

    Few SIP providers will also need static port enabled. Very few these days.

    I never port forward to any client devices. All of my SIP customers work flawlessly.



  • So for an incoming call,
    if I turn off all the rules I get this:

    [screenshot]

    If I open just all the ports in my rules I get:

    [screenshot]
    with
    [screenshot]

    Capturing a SIP packet I get... a ringing phone? WTF?!?!?!

    [screenshot]

    Seems it's a one-off though, as it didn't ring the next 3 attempts.

    [screenshot]


  • Netgate Administrator

    What I expect to happen here is the phone connects out to the SIP server at port 5060. If you don't have static outbound NAT set for the phone IP the source port as that leaves the WAN will be randomised. The phone holds that state open with keepalive packets so that when the provider sends traffic to it for an inbound call it still passes through the firewall.

    Since you are seeing it blocked that state is either not being held open or the provider is replying to the wrong port.

    Check your state table for the phone's IP. See what source port it is using, is it port 5060?
    Is it holding open a SIP state at all?

    It could be you need a static outbound NAT rule.

    Can we see that actual packet capture file? The SIP packets there likely contain useful info.

    Steve



  • You have overcomplicated this and now your troubleshooting is going to be far more complicated.

    I am running a Cisco SIP phone behind pfSense and have been doing it for years with no issues. I also run a SIP client (Bria) on my iOS phone as well as my Mac. All three of them have no issues running behind pfSense.

    Your SIP phone will initiate a connection from itself to the SIP provider. Since that connection is initiated on pfSense's LAN, it also manages the incoming connection back to the phone with no additional configurations required. If you installed a default pfSense box as your router with no additional configurations (other than the ones you need to get your LAN to communicate with the Internet), your phone will work with no issues. The problem is the complexity of your configuration and trying to acutely manage this traffic. Let pfSense do its job, and when the outgoing connection starts, pfSense will manage the inflow too.

    I was on hours of conference calls yesterday with no issues whatsoever. I have a minimal pfSense installation with very few rules in order to reduce the complexity of the installation to ensure that stuff works without me having to go in and continually tweak stuff.

    So try ratcheting back all of the features and config you have first. Reduce the complexity and then build up rules from there. When you enable the rule or config that’s killing your SIP connection, you’ll find it this way.

    IMHO, YMMV...



  • @randomaustralian said in problems unblocking my sip provider:

    @stephenw10

    I got it to work easily enough last time. I have used a 3rd party router since I got FTTP NBN cause it's all PPPoE. They don't at all support what I'm doing. I'm putting my ISP supplied router behind my 3rd party router so I can still use all the ISP features that require my ISP supplied router to be used.

    But I think pfSense is more secure than IPFire. Even when I try to allow the ports and IP addresses in my firewall rules I still can't get incoming calls to work.

    I just realized I didn't answer your question properly.
    Telstra don't expect this to work. The SIP host is on their provided edge router and they do not support what I am trying to do...
    The thing is, I got it to work easily on IPFire. I'm having troubles with pfSense because it seems pfSense is more secure/intelligent with what it allows through.



  • [attachment: packetcapture.7z] @stephenw10 said in problems unblocking my sip provider:

    What I expect to happen here is the phone connects out to the SIP server at port 5060. If you don't have static outbound NAT set for the phone IP the source port as that leaves the WAN will be randomised. The phone holds that state open with keepalive packets so that when the provider sends traffic to it for an inbound call it still passes through the firewall.

    Since you are seeing it blocked that state is either not being held open or the provider is replying to the wrong port.

    Check your state table for the phone's IP. See what source port it is using, is it port 5060?
    Is it holding open a SIP state at all?

    It could be you need a static outbound NAT rule.

    Can we see that actual packet capture file? The SIP packets there likely contain useful info.

    Steve

    I have tried a LAN rule that allows all outbound from the static address I have assigned to the SIP controller device to any WAN address. Makes no difference.

    I'm still pretty sure that pfSense is killing off connections after 15 minutes, cause my call cuts out to the second.

    [attachment: packetcapture.7z]



  • I am also no longer confident that outbound just "works", cause I've realized I have to call the one number multiple times and the call only goes through after 2 or 3 attempts sometimes. I didn't realize it before because I got the engaged noise and just thought they were already on the phone. I only noticed now because I have been calling my own mobile/cell so much for generating logs to see what's going on.


  • Netgate Administrator

    So you tried an outbound NAT rule with static ports? Not a static IP?

    IPFire includes a SIP ALG, do you recall if it needed to be enabled?
    If so SIProxd might work for you here.

    Steve



  • @stephenw10 said in problems unblocking my sip provider:

    So you tried an outbound NAT rule with static ports? Not a static IP?

    IPFire includes a SIP ALG, do you recall if it needed to be enabled?
    If so SIProxd might work for you here.

    Steve

    Someone mentioned SIProxd before. I had a quick look at it and I've never seen anything like it before. And as I keep saying....

    I never had to use more than the settings I'm using now on my previous configuration and never had issues.



  • Is there a way I can make pfSense stop blocking anything incoming on that port? I know it's a security risk; I want to try it temporarily and see if it solves my problem.



  • So I have added so many firewall rules now that nothing shows up in my logs to do with any incoming or outgoing call attempts. I have also tried disabling Snort, cause I read a post from 3 years ago that "pfSense works perfectly with snort disabled",

    but I am still having the same problems.


  • Netgate Administrator

    Try adding a 1:1 NAT rule to the SIP device. Then add a firewall rule on WAN allowing all traffic to that internal IP.

    Yes, that's a big risk; it exposes the SIP device completely. But that will add static outbound NAT and will pass everything.

    If it still doesn't work there's some NAT issue, like it's sending its internal IP. That can only be solved by configuring the SIP device not to do that or using a SIP ALG that translates that.

    Steve



  • Are you sure it's a 1:1 NAT rule? I can't specify ports.

    Isn't this what I want?
    [screenshot]

    It doesn't work though.


  • Netgate Administrator

    With a 1:1 rule all ports are forwarded. All incoming traffic will be sent to the SIP device. All outgoing traffic will leave using the same source ports the SIP device sets. That eliminates a number of possible problems.

    1:1 NAT rules do not automatically open firewall rules though so you need to add a rule to pass what you need. As a test I suggest just passing everything.

    However that will not help if, for example, the SIP device is using its private IP in SIP packets as the response address. Only looking at those packets will tell you that. If it is, SIProxd could help.

    Steve



  • Is there a nice guide for setting up Siproxd?
    As this is my second dabble with connecting SIP devices, I really have no idea what I am doing.


  • Netgate Administrator

    Not other than this: https://docs.netgate.com/pfsense/en/latest/packages/siproxd-package.html

    That really doesn't tell you much but generally it is discouraged.

    The 1:1 NAT did not help at all? Did you still see blocked traffic?

    Have you tried looking at the SIP packets yet to see what IPs the device is sending?

    Steve



  • I haven't tried the 1:1 NAT because the incoming IP address is not static, and at one point I had added so many rules into the firewall that there was nothing appearing in the logs.

    I still have the issue where outgoing calls drop after 15 minutes too.


  • Netgate Administrator

    Might need to review at this point. What exactly do you have in place right now in terms of port forwards and firewall rules and SIProxd?

    What VoIP issues are you now seeing?

    Steve



  • I have tried to open incoming traffic from Telstra's entire subnet range.

    The 5060-5065, 5004, 3487 ports are all allowed in firewall rules and NAT rules to forward them to my Telstra SIP device. I have included up to 5065 because I noticed in the logs that the incoming calls didn't only seem to come from 5060.

    I had installed Snort, so I have tried removing it again.

    Incoming calls almost never work and outgoing calls always get cut after about 15 minutes.

    It can't be a double NAT issue, and my mobile/cell phone uses the Telstra device for its WiFi hotspot and it works fine.

    I did not have these issues with the previous software firewall/gateway I used, and all it took was to port forward the same ports I have currently configured into pfSense.


  • Netgate Administrator

    Ok, well there are two possibilities: it requires some static source NAT outbound that the old router provided, or it requires a SIP ALG which the old router provided.

    Just using 1:1 NAT and opening the phone up completely will test theory one.

    To test theory two I would capture the SIP traffic and check the contents to see what's actually happening. Then deploy SIProxd if it's appropriate.

    Steve
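    As an added example (not from this thread, and not pfSense or Netgate code), here is a small Python check for Steve's "theory two": read a captured SIP request and report whether the Via, Contact or SDP c= fields advertise an RFC 1918 address, which the provider cannot reply to. The INVITE messages, the phone address 10.0.0.150 and the sip.example.net / 203.0.113.x hosts are all constructed placeholders.

```python
import ipaddress
import re

# Constructed sample: an INVITE as a NATted phone might send it. 10.0.0.150 is
# an assumed LAN address for the phone; sip.example.net and 203.0.113.0/24 are
# documentation placeholders, not the provider's real hosts.
SDP_BODY = "\r\n".join([
    "v=0",
    "o=- 1 1 IN IP4 10.0.0.150",
    "c=IN IP4 10.0.0.150",
    "m=audio 5004 RTP/AVP 0",
    "",
])
LEAKY_INVITE = "\r\n".join([
    "INVITE sip:0400000000@sip.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 10.0.0.150:5060;branch=z9hG4bK776;rport",
    "From: <sip:0300000000@sip.example.net>;tag=1928",
    "To: <sip:0400000000@sip.example.net>",
    "Call-ID: a84b4c76e66710@10.0.0.150",
    "CSeq: 1 INVITE",
    "Contact: <sip:0300000000@10.0.0.150:5060>",
    "Content-Type: application/sdp",
    "Content-Length: %d" % len(SDP_BODY),
    "",
    SDP_BODY,
])
# The same INVITE after a SIP ALG or proxy rewrote the addresses to the WAN IP.
FIXED_INVITE = LEAKY_INVITE.replace("10.0.0.150", "203.0.113.10")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Fields whose address the far end will try to send signalling or RTP back to.
ADDRESS_FIELDS = {
    "Via": re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([0-9.]+)", re.I | re.M),
    "Contact": re.compile(r"^Contact:.*?sip:(?:[^@\s>]*@)?([0-9.]+)", re.I | re.M),
    "SDP c=": re.compile(r"^c=IN IP4 ([0-9.]+)", re.I | re.M),
}

def advertised_addresses(message: str) -> dict:
    """Return {field: IPv4 string} for each address-bearing field present."""
    found = {}
    for name, pattern in ADDRESS_FIELDS.items():
        match = pattern.search(message)
        if match:
            found[name] = match.group(1)
    return found

def private_addresses(message: str) -> list:
    """Return [(field, ip)] for advertised addresses that sit in RFC 1918 space."""
    leaks = []
    for field, ip in advertised_addresses(message).items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in RFC1918):
            leaks.append((field, ip))
    return leaks

if __name__ == "__main__":
    for label, msg in (("leaky", LEAKY_INVITE), ("fixed", FIXED_INVITE)):
        print(label, private_addresses(msg) or "no private addresses advertised")
```

    Feed it the text of a SIP request from the packet capture: any entry in the result is an address the far end will try to answer to and cannot reach, which is exactly the case where a SIP ALG or SIProxd is needed.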



  • [screenshot]

    Just taking a complete guess at this.

    I never specified a NAT source for outbound previously, nor a SIP ALG. I just forwarded the ports.



  • [screenshot]



  • [screenshot]

    I'm sure THIS is why it's not working... even when I managed to get that to stop showing up it still seems to be blocking it.



  • I also can't list a NAT rule like this:

    [screenshot]

    It requires me to put a redirected port in.. but the source is transmitting from port 5060 to 44780.

    [screenshot]

    I can't just specify any port received from the source port of 5060 to forward it.



  • Am I reading these logs wrong.. it looks like my provider is trying to send SIP packets from port 5060 to a random port on my gateway, where pfSense seems to want it to come from a random port from the source and arrive at port 5060.

