pfSense Service or DL Package for SIP-ALG?

  • Hello I have this:


    And I am working on deploying a new VoIP product and service for our SMB and they require data on SIP-ALG for optimal network set up,

    I examined our firewall but I do not see this service.

    Am I missing something? Should I search package manager?


  • Banned

  • Netgate Administrator

    Requiring an ALG is often a sigb your SIP product is configured incorrectly.

    What issues are you seeing without it?


  • Hi Stephen,

    Currently the first phase of implementation is just now commencing so nothing has been monitored yet with this.

    The reason I want to know about ALG is because this VoIP company states it in their network parameters summary for using their product.

    I am just trying to account for all potential points of failure when I fully deploy this.

    They list QoS, Bandwidth Limiting, SNMP, Port Blocking capabilities as being required and that SIP-ALG be turned off.

    It appears I aggrandized this as SIP-ALG only pertains to enterprise legacy network infrastructure systems I suppose?

    Not modern ones?

  • Netgate Administrator

    @virtuousmight said in pfSense Service or DL Package for SIP-ALG?:

    SIP-ALG be turned off.

    Ah well you're good then! 😀

    Most recent SIP systems do not require an ALG and in fact it can often do more harm than good. There is no SIP-ALG in pfSense by default and the only thing available is SIProxd. That's usually only required for some ancient SIP phones that insist on using 5060 as the source port and cannot connect if it's randomised like most traffic. In that situation you can only have one phone behind the firewall without a proxy of some sort.
    Anyway none of that applies to you and the other requirements can also be met.


  • Stephen, for whitelisting traffic from remote IP addresses to conform to this...

    ..does this require (out of necessity or optimization ) an external software package or can this be done directly in Interface settings?

  • Netgate Administrator

    Those would not be blocked anyway unless you have restrictive outbound rules.

    You can add those to an alias and they will update when the filter is reloaded BUT they will be resolved at that time to an IP and that IP will be used. Some of those will probably resolve to multiple IPs and not all of them will be included.
    If they have IP lists also you could add both to sure.

    Looks like they also recommend disabling stateful packet inspection which is possible in pfSense but we definitely do not recommend that and I can no reason to do so.


  • So do you think I should notify them that SPI will remain enabled, because if I disable it then the SG pf sense machine would revert to a routing only platform with no firewall functionality which I think is enacted by disabling all packet filtering (SPI?) in the firewall advanced settings correct?

    Which not something I am going to do so they must ensure that their product VoIP data packets are not going to be compromised so we do not get latency, jitter, or packet loss.

  • LAYER 8 Rebel Alliance

    I don‘t know dialpad but just as a note...we use 3 totally different SIP providers with pfSense without any problems.
    Most do not require any fancy configuration. :-)
    Maybe they can offer you some-days-trial-account so you can try first with your setup?


  • Yes Rico, that is analysis phase that I must do and the trial begins next week, then I can monitor how their VoIP product performs against our network system set up to the best of my abilities. We had Ring Central VoIP before I started working here so I do not know whether or not any special configurations had to be set in our firewall for that and perhaps they current scheme will still work without a problem. Only thing I changed was the Firewall optimization option from Normal to Conservative.

    Not sure if you meant SPI over SIP, but within the context I think I can infer correctly.

  • LAYER 8 Rebel Alliance

    Of course I have SPI still enabled in pfSense. :-)


Log in to reply