Configuration with Two SIP Connections

lusekelo · Feb 19, 2020, 3:38 PM

I recently configured a SIP Trunk connection in the pfSense using the IP, Subnet Mask, Gateway, SIP Server, Media Server and is working as it should using

I also sourced another SIP Trunk connection from a different provider and would like to configure in such a way both should allow call concurrently. But the problem is I don't understand how I can achieve this.

Anyone with an idea on how to go about will be much appreciated

chpalmer · Feb 19, 2020, 5:38 PM

Generally you should not have to port forward anything no matter what anyone tells you. But you probably will need firewall rules from their servers to your devices on your WAN tab. Source= their IP destination = your LAN device. Ports 5060 (if they use that port) for SIP and whatever you have set up for RTP. Generally I will watch my states during calls to determine what ports they use but I use 32000-65000 for "source" ports.

You need to find out what SIP ports and RTP ports each carrier will want to use. If one carrier uses 5060 then set up your other device to use 5062.. ect. But if you are using two separate devices this probably is not necessary.

The SIProxd package might be a good fit for you as well if all else fails. In that case you would create your firewall rules with "WAN address" as the destination.

This is a WAN rule I use here for SIProxd. Only difference without is that destination would be your LAN address of your device.

stephenw10 · Feb 20, 2020, 6:52 PM

@chpalmer said in Configuration with Two SIP Connections:

Generally you should not have to port forward anything no matter what anyone tells you. But you probably will need firewall rules from their servers to your devices on your WAN tab

I can't really agree with that. If you don't have port forwards firewall rules on the WAN interface cannot pass anything except to the firewall itself which isn't generally useful. Unless I'm misreading that.

You have an internal PBX behind pfSense I'm assuming?

Steve

chpalmer · Feb 20, 2020, 9:53 PM

@stephenw10 said in Configuration with Two SIP Connections:

@chpalmer said in Configuration with Two SIP Connections:

Generally you should not have to port forward anything no matter what anyone tells you. But you probably will need firewall rules from their servers to your devices on your WAN tab

I can't really agree with that. If you don't have port forwards firewall rules on the WAN interface cannot pass anything except to the firewall itself which isn't generally useful. Unless I'm misreading that.

Im assuming SIP client devices here. Maybe Im reading it wrong.

I do this all the time with clients. The information as to where the SIP server needs to contact the client is already in the SIP header. There is no need to lock down ports to one client via port forwarding. If you want to run multiple SIP clients and then port forward all your RTP to one device then you can no longer use those ports for the second (or more) device(s). I generally bring this up to anybody that tries to say that NAT is a good security measure. Put your network behind a device that just does NAT and look at your clients onboard firewall logs and then try and tell me that no one can get past NAT inbound..

Simply allowing the SIP server access to your client devices is all that is needed.

If this is indeed a PBX behind the firwall situation then I have not attempted that personally.

lusekelo · Feb 21, 2020, 8:35 AM

Dear all, thanks for the answers you have given. I have considered to post the picture of my current setup so that you may know exactly how to advise me.

I have Two providers (ISP 1 & ISP 2) that I have them terminated into my pfSense as shown. Similarly I have a IP PBX and VOIP Phones(extensions) connected to the switch as shown.

I have already configured all extensions and the PBX and all seem to work well. But I fail to find the correct way to configure SIP to work in my network.

Looking forward to your help.

stephenw10 · Feb 21, 2020, 3:26 PM

Ok, so in a situation with only phones behind the firewall and an external PBX you usually do not need to do anything on the firewall. No port forwards are required and firewall rules on WAN cannot do anything without port forwards.

Here you have the PBX behind pfSense so you would normally require SIP and RDP ports forwarding to to it.
There should be no reason why you cannot forward SIP and RDP from both providers to the PBX though.

What problem are you actually seeing here?

Steve

lusekelo · Feb 22, 2020, 11:14 AM

@stephenw10

I have configured SIP and RDP and they seem to work for one Provider whose Gateway is the default. But for the other I am still facing an issue. I am trying to ping the provider SIP Server but I cannot get it. Is there anything to be done in the routing since the packets seem to go to the default gateway.

stephenw10 · Feb 22, 2020, 1:53 PM

Ah, it's actually two VoIP providers and two ISPs?

Then, yes, you will need a rule on the internal interface to pass traffic going to the new provider with the 2nd gateway set so it leaves that way. Make sure that rule is above any default pass rule.

Steve

lusekelo · Feb 22, 2020, 1:53 PM

@stephenw10

Yes I have two ISPs who also provide me the VOIP service. I will apply the suggestion given to see how things work.

Thanks Steve.

lusekelo · Feb 24, 2020, 10:56 AM

@stephenw10

To which interface will I exactly apply these rules. Will they be applied to the associated interface where the ISP link is connected or just to the LAN interface.

Suppose I want to make a call using a specific provider will it be necessary to define static routes.

Thanks
-Lusekelo

stephenw10 · Feb 24, 2020, 12:36 PM

You just need to make sure the PBX uses the correct WAN to reach the whichever provider it's connecting to. So you can policy route that using a firewall rule on the internal interface as I suggested or you could add static routes. Static routes will apply globally where as a policy route could be applied to only traffic from the PBX for example. In this case it probably doesn't make much difference as only the PBX should be connecting to the provider.

Steve

chpalmer · Feb 24, 2020, 6:50 PM

Double NAT'd behind both WAN's

stephenw10 · Feb 28, 2020, 7:14 AM

Ah, I had assumed those 10. IPs were just examples and that the two WANs were real public IPs.

If they are not it's hard to see how the first connection works. But you would certainly have to forward all the traffic through each ISP router in that case.

Steve

lusekelo · Feb 28, 2020, 6:58 AM

@chpalmer

I have applied 1:1 NAT to each WAN for Voice Connection to PBX but it does not produce the expected result. Only one WAN seems to work which is in default gateway. Is there any rule or anything else I need to apply?

Thanks
-Lusekelo

lusekelo · Feb 28, 2020, 7:14 AM

@stephenw10

You are right Stephen, the IPs are not actual. However one provider is using Private and the other has provided a Public IP. I have added routes back to providers network but still cannot reach the SIP Server of one provider. The provider who is using a public IP is reachable by the PBX

Thanks,
-Lusekelo

stephenw10 · Feb 28, 2020, 2:09 PM

Is the second providers network reachable at all? From anywhere?

I assume you mean they supplied a modem/router device and it is NATing the connection?

If they are really giving you a private IP to connect to as the SIP trunk I'm not sure how you're supposed to reach it.

Steve

lusekelo · Feb 28, 2020, 3:20 PM

@stephenw10

Thank you for your concern in my case.

When the configuration from the second provider is directly done to the PBX Box while the first is through pfsense, I can use both Providers at the same time. My situation is, I do not want to hook providers into into the PBX hoping in the future I may have other Voice Connection from other providers as well. Connecting the PBX through the switch I think in my case is the optimal one just as I described in the diagram.

-Lusekelo