Firewall problem / telephony servers (not SIP)?



  • Hello,

    I have a problem getting 2 Aastra IntelliGate 2065's to communicate. One of them (master) is on our 10.2.10.x subnet and the other one (slave) is on our 10.5.10.x subnet. We just use routing and no NAT between these subnets.
    In the firewall rules I made a rule that the master can send anything to the slave on all ports and with all protocols. On the slave I did the same: a rule that the slave can send anything to the master on all ports with all protocols.

    What happens: most communication between the 2 devices happens over UDP and all communication happens on high ports (40002, 49152 - 65535), and no matter what I do with the firewall rules (explicitly making a rule that accepts traffic on the high ports), they will not start communicating.

    Can it be that pfSense blocks these requests if they originate from high ports?

    This problem is the only one we still have to tackle to be able to replace our Cisco 3750 routing switches.  :(

    Thanx in advance,

    Wil



  • Good morning. Try adding these ports LAN/WAN? UDP 16384-32768 (RTP) and TCP/UDP 5000-31000 (SIP)

    Hope this help to you.

    Cheers,
    jigp 1.2x



  • @jigpe:

    Good morning. Try adding these ports LAN/WAN? UDP 16384-32768 (RTP) and TCP/UDP 5000-31000 (SIP)

    I have a document from the manufacturer that describes all ports and protocols used by the devices, and in my firewall I even configured that ALL traffic, no matter what port/protocol, is allowed, so I don't think the problem is the ports. What I think is that for some reason pfSense thinks there is some illegal traffic happening (too many sends without an answer/reply?) and then blocks it all.

    So: how can I make pfSense stupid enough to really allow ALL traffic between these 2 devices?

    Thanx in advance



  • Disable packet filtering in System->Advanced.



  • @Eugene:

    Disable packet filtering in System->Advanced.

    Thanx for your reply, Eugene, but does general firewalling still work after that? The thing is going to get hooked up to the internet and a DMZ after all. (segments: LAN, LAN2, LAN3, LAN4, DMZ, SAN, GOV_NETWORK, WAN, BACKUP_WAN)



  • No, all firewalling (packet filtering + NAT) will be stopped. But you can check whether you have a problem with filtering or something else.



  • OK... that's indeed something to try, and I will... but what if it works (which is what I expect)? Is there an option to disable pf between the 2 devices from within pfSense, or would my only option be to create 2 new segments/interfaces on the pfSense and use the pf option "set skip on interface"? The problem is that I need firewalling on the interfaces, as other traffic also uses them.

    Thanx,

    Wil
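
The two alternatives the post above asks about, written out as an added example in pf.conf syntax. This is not from the thread, from the Aastra documentation, or from pfSense's own generated ruleset; the interface names and the two host addresses are assumptions. pfSense regenerates its ruleset from the GUI, so in practice the stateless rules would be entered there as firewall rules (a rule with its state type set to "none" in the advanced options, if your version offers it) rather than typed into a file; the pf below is what such rules amount to:

```pf
# Added example, not taken from the thread. Interface names and addresses
# are assumptions; substitute the real ones.
lan    = "em0"          # interface on the 10.2.10.x subnet (assumed)
lan2   = "em1"          # interface on the 10.5.10.x subnet (assumed)
master = "10.2.10.65"   # IntelliGate master (assumed address)
slave  = "10.5.10.65"   # IntelliGate slave  (assumed address)

# Option 1 ("set skip on interface"): pf is switched off for the whole
# interface, for every host on it. That is only acceptable if the two PBXs
# get segments of their own, because nothing else on a skipped interface
# is filtered either. Shown commented out for that reason.
# set skip on { $lan $lan2 }

# Default policy, evaluated first; later matching rules override it.
block in log all

# Option 2: keep filtering the interfaces, but exempt exactly these two
# hosts from state tracking. "no state" means pf never creates or matches a
# state entry for these packets, so UDP sends that get no reply, or TCP
# that does not start with a normal handshake, cannot be dropped as invalid.
# Without states the reverse direction is NOT implied, so every direction on
# every interface needs its own rule; "quick" stops rule evaluation here.
pass in  quick on $lan  from $master to $slave  no state
pass out quick on $lan2 from $master to $slave  no state
pass in  quick on $lan2 from $slave  to $master no state
pass out quick on $lan  from $slave  to $master no state

# Everything else on these interfaces stays under normal stateful rules.
pass in on $lan  from $lan:network  to any keep state
pass in on $lan2 from $lan2:network to any keep state
```

To tell the two cases apart, check that the rules actually loaded (`pfctl -sr`), watch whether any state entries appear for the two addresses (`pfctl -ss`), and look in the firewall log for the block rule hitting this traffic. If the devices still do not talk with the stateless rules in place, the firewall is not what is dropping the packets, and a capture on each interface (`tcpdump -ni em0 host 10.2.10.65 and host 10.5.10.65`, then the same on em1) shows on which leg the packets disappear; that is also the dump a reader of the thread would need to analyse the problem further.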



  • If it works, your next option would be to do network dumps and analyze them (or show them to us so we could analyze them).

