Can't get SIP working with NAT (on embedded)

  • Hello pfsense community,

    I have been running pfsense for most of this year, and have been happy with it.

    Recently, however, I have been unable to get incoming SIP to work on my embedded (netgate ALIX) 1.2.2 pfsense box.

    I have read a bunch of the postings about this matter both on this board, as well as the freepbx, asterisk and trixbox forums and have not been able to get incoming SIP to work.  As I would really like to stick with pfsense, I would be grateful for any advice that would help me to resolve this.

    To provide a little background:

    I have 5 public IPs and am running various web services behind my pfsense box.  I chose pfsense for the ability to offer wan failover, however at present only have one connection (25 mbps down, 5 mbps up).

    I am running asterisk (elastix distribution) with one circuit over iax2, and a T.38 circuit (for a fax server) that unfortunately requires SIP.  The iax2 circuit has been working flawlessly since May, and I have never been able to get incoming SIP calls to work through pfsense.

    Here are the ports for SIP that I tried to NAT:

    UDP: 5060 –-> (elastix box)
    UDP: 10,001 - 20,000 ---> (elastix box)

    I tried automatic (outbound NAT) as well as advanced.

    I tried static ports as well as non-static

    I I tried with "Disable NAT Reflection" and without.

    I am very hesitant to put this box on a DMZ as I do not want it to be visible to the net (especially because it's a) our PBX, and b) could enable someone to get to the rest of our network).

    I have read posts where people said that there's a problem with pfsense nat'ing port 5060 -- and that suggested to comment out some lines of code.  I can't quite figure out how to do that on the embedded system, however.

    Also -- ever since changing things, I've noticed that (even if I'm set to automatic, and enable: NAT reflection) that the firewall rules are not always in sync with my changes.

    In short -- I'm pretty frustrated and about to either give up on pfsense or SIP.  (Note: I am no fan of SIP, and that's why I use IAX2 on my other circuit... but unfortunately for T.38 faxing it's either SIP or no go...).

    I would greatly appreciate help in resolving this matter.


    PS: I considered trying sipproxy, however because I'm running on an embedded system I can not run packages.

  • I've been impressed with the responsiveness with the pfsense community.

    Is there anyone out there that can offer some advice regarding my post?



  • I run PFsense 1.2.2 (not embedded) and have no issues with my trixbox. First make sure you put a check mark on the rule to allow 5060 to log it. After you've done that, check the logs to see if pfsense is blocking 5060.

    If the iax port rule is working, copy that rule (add another rule based on this one) and just change the port from iax to sip. Then delete the old sip rules you created.

  • Rebel Alliance Developer Netgate


    PS: I considered trying sipproxy, however because I'm running on an embedded system I can not run packages.

    Update to a 1.2.3-RC3 snapshot, then you will be using NanoBSD and can install packages, including the SIP proxy.

Log in to reply