Netgate Discussion Forum

Wifi calling setup in PFSense

13 Posts 5 Posters 1.6k Views
    rcoleman-netgate Netgate @JT40
    last edited by Nov 1, 2022, 1:39 AM

    @jt40 said in Wifi calling setup in PFSense:

    I have an iPhone and I need to enable the ports 500 and 4500 with UDP

    Is this for a VOIP system run over a VPN?
    Those ports aren't needed for carrier calling over WiFi

    Ryan
    Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
    Requesting firmware for your Netgate device? https://go.netgate.com
    Switching: Mikrotik, Netgear, Extreme
    Wireless: Aruba, Ubiquiti

      SteveITS Galactic Empire @JT40
      last edited by Nov 1, 2022, 2:07 PM

      @jt40 said in Wifi calling setup in PFSense:

      I need to disconnect the iPhone from WiFi to see the changes applied to those rules,

      If there are open states those need to be terminated.
      https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#check-the-state-table

      Define "enable the ports"?

      You don't need any inbound NAT or firewall rules for the phone to connect out.

      There have been past threads about Wi-Fi calling problems but I have never had to do anything special.

      What cellular company do you have?

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

        JT40 @JKnott
        last edited by JT40 Nov 1, 2022, 6:45 PM

        @jknott said in Wifi calling setup in PFSense:

        @jt40

        I use WiFi calling and it works fine. I didn't have to do anything to enable it.

        Very strange, you need to allow the inbound, I just tested it.
        Inbound communications are blocked by default, it would be VERY STRANGE if it wasn't like that, especially for traffic coming from WAN.
        Anyway, my WAN is nothing else than another LAN, but the router above doesn't block anything :D .

        @rcoleman-netgate said in Wifi calling setup in PFSense:

        @jt40 said in Wifi calling setup in PFSense:

        I have an iPhone and I need to enable the ports 500 and 4500 with UDP

        Is this for a VOIP system run over a VPN?
        Those ports aren't needed for carrier calling over WiFi

        It's for WiFi calling, no VOIP, probably the protocol is the same, but it's called WiFi calling and it requires ports 500 and/or 4500 with UDP, I just tested it.

        @steveits said in Wifi calling setup in PFSense:

        @jt40 said in Wifi calling setup in PFSense:

        I need to disconnect the iPhone from WiFi to see the changes applied to those rules,

        If there are open states those need to be terminated.
        https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#check-the-state-table

        Define "enable the ports"?

        You don't need any inbound NAT or firewall rules for the phone to connect out.

        There have been past threads about Wi-Fi calling problems but I have never had to do anything special.

        What cellular company do you have?

        Thanks for that link, I'll verify if it was my case.

        I don't need Inbound rules to connect out, but I need both :D , that is:

        OUTBOUND AND INBOUND rules for port 500 and 4500 with UDP
        

        My setup is the following:
        ISP modem/router
        PFSense Router
        L2 Switch
        AP

        Basically, the PFSense WAN points to another LAN.
        Due to my Private VLANs, I need those rules, but by default, my FW always blocked every communication, in inbound and outbound.
        In fact, without an ALLOW ALL OUTBOUND I was never able to leave the VLAN, for internal and external communications.
        I have no doubt about the INBOUND, because this is always blocked by default; hence, without an INBOUND rule no one can call me.

        Thanks everyone, we may close this thread, unless someone wants to add something. Your answers are suspicious, quite different from my testing, no offense; I'm just trying to fully understand if it was me not explaining the problem well, or having wrong knowledge about firewalls (I'm not an expert), or I made some weird setup initially.

          JKnott @JT40
          last edited by Nov 1, 2022, 7:44 PM

          @jt40 said in Wifi calling setup in PFSense:

          Very strange, you need to allow the inbound, I just tested it.

          Normally, the firewall recognizes the inbound as part of the same connection as the outbound.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

            JT40 @JKnott
            last edited by Nov 1, 2022, 8:25 PM

            @jknott said in Wifi calling setup in PFSense:

            @jt40 said in Wifi calling setup in PFSense:

            Very strange, you need to allow the inbound, I just tested it.

            Normally, the firewall recognizes the inbound as part of the same connection as the outbound.

            I think you're right, I just tested it after having rebooted the router, just to be sure.
            I have a question: I understand that point, but is this not in direct contrast with DENY all in INBOUND by default?
            Or is it just an automated way to process rules in order to avoid doing it manually?

              SteveITS Galactic Empire @JT40
              last edited by Nov 1, 2022, 8:41 PM

              @jt40 Denying inbound on WAN handles unsolicited connections. If a device connects out, then it is expected the server response should be allowed. The open "state" of the connection allows this.

              Some don't even hold the connection open, for instance the app may subscribe to a "push notification" which despite its name, isn't a direct connection from some random server on the Internet to the device. The notification tells the app to connect out and process the call, for example. (or retrieve an email, etc.)

                Bob.Dig LAYER 8 @JKnott
                last edited by Bob.Dig Nov 1, 2022, 8:43 PM Nov 1, 2022, 8:42 PM

                @jknott said in Wifi calling setup in PFSense:

                I use WiFi calling and it works fine. I didn't have to do anything to enable it.

                Same.

                A VPN on the phone might be the problem.

                  rcoleman-netgate Netgate @Bob.Dig
                  last edited by Nov 1, 2022, 8:52 PM

                  @bob-dig said in Wifi calling setup in PFSense:

                  A VPN on the phone might be the problem.

                  That's the only logical reason 500 and 4500 would be in play.

                    JKnott @JT40
                    last edited by Nov 1, 2022, 8:58 PM

                    @jt40

                    It depends on where the connection originates. With outgoing connections, incoming is matched to it. With incoming, there is no outgoing to match with and so it's dropped.

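The state-table behaviour SteveITS and JKnott describe (an outbound packet opens a state, the carrier's reply is matched to it, unsolicited inbound traffic has no state and is dropped), as an added illustration that is not from the thread or from pfSense itself: a toy stateful filter run over constructed UDP 500/4500 packets, with a `kill_states` step modelling the state clearing SteveITS linked to. Addresses, port choices and class names are assumptions.

```python
# Toy model of the state-table behaviour discussed above.  Constructed
# packets and addresses; pfSense does this in pf, this only illustrates
# the concept for the Wi-Fi calling case (IKEv2/IPsec on UDP 500 and 4500).
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str = "out"   # "out" = LAN -> WAN, "in" = WAN -> LAN
    proto: str = "udp"


class StatefulFirewall:
    """Default pfSense posture: LAN may connect out, WAN is deny-by-default,
    but a reply that matches a state opened by an outbound packet passes."""

    def __init__(self):
        self.states = set()   # (proto, lan_ip, lan_port, wan_ip, wan_port)

    def filter(self, pkt):
        if pkt.direction == "out":
            # Outbound pass: record the 5-tuple so the reply can return.
            self.states.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "pass"
        # Inbound: only the exact reverse of an existing state passes.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "pass" if key in self.states else "block"

    def kill_states(self):
        """Model of clearing the state table after a rule change: until this
        runs, existing states keep passing traffic under the old rules."""
        self.states.clear()


def wifi_calling_scenario():
    """Phone on LAN brings up IKEv2 to the carrier; unsolicited WAN traffic
    to the same port is still blocked.  Addresses are constructed."""
    fw = StatefulFirewall()
    phone, carrier, stranger = "192.168.10.20", "203.0.113.5", "198.51.100.9"
    return [
        fw.filter(Packet(phone, 500, carrier, 500)),                    # IKE_SA_INIT out
        fw.filter(Packet(carrier, 500, phone, 500, direction="in")),    # reply matches state
        fw.filter(Packet(phone, 4500, carrier, 4500)),                  # NAT-T / ESP-in-UDP out
        fw.filter(Packet(carrier, 4500, phone, 4500, direction="in")),  # reply matches state
        fw.filter(Packet(stranger, 4500, phone, 4500, direction="in")), # no state -> blocked
    ]
```

The fifth result is the only "block": the phone never needs an inbound WAN rule for its own calls, and an inbound rule would only add exposure for traffic nobody on the LAN asked for.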
                      JT40 @rcoleman-netgate
                      last edited by JT40 Nov 1, 2022, 10:12 PM Nov 1, 2022, 10:08 PM

                      @rcoleman-netgate said in Wifi calling setup in PFSense:

                      @bob-dig said in Wifi calling setup in PFSense:

                      A VPN on the phone might be the problem.

                      That's the only logical reason 500 and 4500 would be in play.

                      Ouch, I have a VPN, but it's the stupid VPN for filtering the traffic by my AV, which honestly seems to do nothing...
                      Definitely it doesn't tunnel my traffic; it's called VPN but I think it's just a proxy for traffic monitoring, that can eventually block your traffic if you visit unsafe remote addresses.

                      I noticed that not only with iPhone, but also with Android if I remember well.

                      In any case, the ports 500 and 4500 are required by Apple, not even my carrier: https://support.apple.com/en-us/HT202944

                      Switching scenario, I think that the port requirement is the reason why I can't record my calls with iPhone, unless I install some third party applications and give App permissions... Apple doesn't allow you to record calls, you don't even have a way to set permissions...
                      (The cost of these apps is unbelievable...)

                        rcoleman-netgate Netgate @JT40
                        last edited by Nov 1, 2022, 10:49 PM

                        @jt40 said in Wifi calling setup in PFSense:

                        In any case, the ports 500 and 4500 are required by Apple, not even my carrier: https://support.apple.com/en-us/HT202944

                        "IKEv2"

                        It's for a VPN.
                        You initiate it locally, it goes out and locks on to the Carrier's system.
