VOIP Phone Will not register
-
Can't connect voip handset to my offsite PBX (fusionpbx).
With siproxd I was able to register phone with offsite pbx & connect but it was temperamental. Removed siproxd and followed netgate guide on youtube "Firewall Best Practices for VoIP on pfSense" but phone will not register at all now. I did a packet capture but don't know how to interpret the results in wireshark.
I got an icmp destination unreachable with a source of 209.205.110.197 (not my wan or pbx ip but whois shows it's cipherkey)
I get a red line of :
24 67.334440 192.168.2.125 255.255.255.255 UDP 70 55656 → 55656 Len=28
I think the problem is the udp port 55656 but don't know what to do about it. Fusionpbx docs say that it uses RTP UDP 16384-32768. Would I need to create a rule for ports 16384-32768 to go to the ip of the offsite pbx?
Running latest pfsense stable version 2.6.0-RELEASE pretty much out of the box.
Voip phone issued local ip (dhcp Successful)
Connects to offsite pbx but will not register
Installed siproxd - Phone successfully registered - able to call (at this point I believe the phone config is successful but some intermittent issues such as cannot hear caller)
Firewall/NAT/Outbound: set to automatic
Port fwd: I only have one port fwd set to a local server using 443 TCP
No 1:1 Mappings
1 Active Wan rule which points to the local server:443 TCP
1 Active Lan rule - default allow lan to any rule.
Reset State Tables
System/Advanced/Firewall & NAT / Firewall optimization - set to conservative
Any help would be appreciated. Everything I read says that with an offsite pbx it should just work out of the box.
-
@mrchip said in VOIP Phone Will not register:
Everything I read says that with a offsite pbx it should just work out of the box.
Yup, it should. The fact it works to some extent using siproxd implies some ports issue.
I would try this:
Set outbound NAT to hybrid mode.
Add a rule on WAN for only the internal IP of the phone and set static ports.
Anything vaguely recent should have no problem with dynamic source ports but some older VoIP systems fall down with that.
Steve
-
Thank you for your reply @stephenw10. This is what I've now changed - if I understand you correctly but I get a "failed no response".
Firewall/NAT/Outbound now set to hybrid mode.
Firewall/Rules/WAN (attempt 1)
- IPV4 TCP/UDP, Source-192.168.2.125 (cisco IP Phone), Port 5060, Destination - Any, Port - Any, Gateway - *
- IPV4 UDP, Source - 192.168.2.125, Port 16384-32768(from Fusionpbx docs for RTP UDP), Destination - *, Port - *, Gateway - *
Thought maybe I have the source/destination wrong so I flipped to this but it still fails (attempt 2):
- IPV4 TCP/UDP, Source- *, *, Destination - 192.168.2.125, Port - 5060, Gateway - *
- IPV4 UDP, Source - *, Port - *, Destination - 192.168.2.125, Port 16384-32768, Gateway - *
Then I just created four rules in Firewall/Rules/Wan - which is both attempt 1 and attempt 2.
I do a packet capture and open in wireshark and don't know how to read it but the red lines again are
58 99.883914 192.168.2.125 255.255.255.255 UDP 70 55656 → 55656 Len=28
I don't know where port 55656 is coming from but could that be the problem?
The black line is:
18 54.913541 209.205.110.197 192.168.2.125 ICMP 102 Destination unreachable (Network unreachable)
The 209.xxx is for cipherkey... I don't know them or why it's going there. It is NOT my external pbx ip.
Additionally, I went to ShieldsUP (https://www.grc.com/) and probed port 5060 and it came back as "true stealth Not a single packet — solicited or otherwise — was received from your system"
-
You should see port 5060 as stealth in ShieldsUP since all incoming connections there should be dropped.
I would start with an outbound NAT rule that is only restricted by the source IP. So all source and destination ports are covered. If that works you can look at what ports it's actually using and restrict it further.
Steve
-
Got it figured out. Under Firewall/Virtual IPs/ I had created a virtual ip to my offsite pbx server set to wan. I had followed instructions somewhere that said to do that. Once I turned that off the phone lit green and works! I was able to remove ALL nat port fwd's, 1:1. I kept the "Outbound" as "Hybrid", Firewall optimization set to conservative. Thanks @stephenw10