Hosted VOIP and pfSense



  • Hi all. We use OnSIP/Junction Networks for Hosted VOIP. They recommend not to have the phones configured for any special NAT rules. On all networks we tried, it would work fine, except when we were behind our pfSense firewall. siproxyd didn't do anything, which I guess is for if you have your own SIP server. We don't; it's hosted with OnSIP.

    To get it working, I switched Outbound NAT to Manual and added two extra rules. Now, it didn't work until I rebooted, so it's possible that I only needed the first rule. After switching to manual, adding the second, and adding the third rule, I had both phones restarted and it didn't work after saving in pfSense. But after rebooting pfSense, it worked. I might try removing the 2 rules I added to see if they did the trick but it's 5pm on Friday and I'm going home :)

    I hope this helps someone!



  • the 2nd and 3rd rules are useless since they follow the default rule.  delete them and change the default rule to static port = yes and thing should work.



  • As for the static port mapping, I've left it set to "No" and had no problems using OnSip with 7 Polycom IP650's behind the pfSense box.  I did have to set a WAN rule to allow access from 66.227.100.0/23 for OnSip to signal the phones correctly.

    The 2nd & 3rd rule aren't need in your pic as danswartz mentioned.



  • This interesting…. I set up that
    WAN    192.168.100.0/24  *  *  5060  *  *  YES

    but pfsense is sending 5060 using 22xxx port ..... why pfsense with STATIC PORT YES is not sending that using 5060?

    Question for brainy techs ....

    THX



  • Hi,

    I've got the same problem.
    We use an external SIP provider and multiple SIP phones but after switching to PFSense only one phone will get connected to the provider. If I reset states and connect another phone than the other one gets connected but never more than one.
    I've opened the firewall port from SIP provider IP ->WAN->SIP LAN TCP/UDP 5060 and the provider instructed me to open a range of potrs SIP provider IP ->WAN->SIP LAN UDP 6000-6050.
    I've been reading around the net and found people stating that only one SIP device would work at a time and that I'd need siproxd to get it working.
    But I keep trying to configure siproxd but anything I try jst keeps one phone working. Just to see if it works I connected an old linksys wrt54gs to see if it worked and it did all phones synced with the provider.
    I just don't get it.

    What would I have to do to get the phones working?

    Do I just configure the NAT outbound to manual and the default rule to static port yes?
    Or would I configure siproxd but how?

    Thanks for the help and any relevant information.

    Bye



  • I never got siproxd working right.  If you have multiple phones behind pfsense and they go to the same provider, you are screwed unless you can change the ports they register on (reason being: due to NAT the provider will see all requests coming from the same IP/port.)  Alternatively, you could put something like pbx in a flash behind pfsense and have the sip phones register to it and have it register to the provider.



  • Hi,

    well my first thought for a backup plan was to setup a pbx behind the PFS but the provider didn't supply any information for the phone accounts (aka usernames and passwords weren't supplied. Ok usernames, sip addresses and ports aren't a problem since I could have gotten them out of the phone but the passwords can't be gotten). So that option was pretty much out too.

    But I got the thing working anyway with PFS.

    Here's how(I think):

    1. siproxd config:
    inbound if = Tel(the lan that the phones are on)
    outbound if = WAN
    port = 5060
    RTP port range = 6000-6050 (got this from SIP provider)
    Expedited Forwarding = ticked

    2. firewall config:
    SIP registration - WAN rule: IP of SIP provider, ports TCP/UDP 5060 -> Tel(the lan that the phones are on);
    Audio channels - WAN rule: IP of SIP provider, ports UDP 6000-6050 -> Tel(the lan that the phones are on);

    3. NAT config:
    NAT->Outbound
    set to Manual Outbound NAT rule generation
    and added this mapping
    Interface  Source                  Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description 
    WAN            192.168.5.0/24  *                  *                  *                          *                  *                  NO                 VoIP 
    (the source is the IP range of my local network that the SIP devices are connected to)

    4. Applied the setting
    applied the settings on PFS
    restarted all the phones

    After witch all the phones registered with the SIP provider and I could phone out and in with all the phones running at the same time.
    But I'm still not sure if this is what got it working nor weather siproxd is working(it is running) and is responsible for the phones working.
    If it was one thing or all of the above.
    Well one day I'll give it a try but for now it's working and I don't want to screw it up. By the way in the meanwhile I installed a new PFS on another machine and connected it, copied the config from the working to the new one and plugged it in and everything works.

    Thanks for the help guys and I hope my input also helps someone else.

    Bye



  • the AON rule seems useless to me, since it doesn't look like it does anything the standard invisible rule does?



  • @danswartz

    It is because port 5060 (and I think another one of two) are not covered by the Automatic rule. I read that in the pfSense Definitive Guide book but I think it's also in the docs somewhere.



  • I think you misread that.  What is treated specially for port 5060 is pfsense not doing the rewriting of it.



  • I'm seeing the same thing with our hosted PIAF setup.  We have 4 SPA-942 phones and 1 Aastra 57i CT and they randomly unregister over the course of the day.  Siproxd didn't do anything, manual NAT works until the phones try and re-register and then they fail.



  • Did you put

    nat=yes
    externip=xxx.xxx.xxx.xxx
    externhost = mypbx.mydomain.com
    localnet=192.168.1.0/255.255.255.0
    externrefresh=10

    in SIP_NAT.conf



  • localnet=192.168.1.0/255.255.255.0  make it to match your network



  • @mst:

    localnet=192.168.1.0/255.255.255.0  make it to match your network

    Our PIAf hosted box has a public IP, do I still need this?  Our setup worked perfectly fine with an SG565 in place and Sip Proxy turned on.



  • if you have public IP then no



  • @mst:

    if you have public IP then no

    Thanks for the clarification.  I didn't think it was needed.  Our phones just unregistered again.  I'm pulling this box until this issue is fixed somehow.  I'm beyond frustrated and we NEED our IP Phones to work reliably.





  • My phone ARE getting separate ports when they boot up initially, they only lose the registration when they try and re-register.  I put the SG565 back into service at that office and the phones have been rock solid for the past few hours.


  • Banned

    I use Askozia PBX in VmWare setup… Works like a charm.....



  • @Supermule:

    I use Askozia PBX in VmWare setup… Works like a charm.....

    I don't think this has to do with the PBX so much as the natting of SIP ports.  We are going to demo OnSIP in the coming weeks and I saw one of the threads pertaining to SIP nat.

    I'm just frustrated because this should just work and it's "sort of" working which is worse than not working at all.



  • I tweeted about my problems and Chris sent me this link:

    http://doc.pfsense.org/index.php/VoIP_Configuration

    I think #2 should help me out, but I can't test until next week.


  • Banned

    I know, but I just forward the used ports through PFSense to the PBX, handling the SIP traffic.

    Good audio and no problems at all.

    @rugby:

    @Supermule:

    I use Askozia PBX in VmWare setup… Works like a charm.....

    I don't think this has to do with the PBX so much as the natting of SIP ports.  We are going to demo OnSIP in the coming weeks and I saw one of the threads pertaining to SIP nat.

    I'm just frustrated because this should just work and it's "sort of" working which is worse than not working at all.



  • I changed the System->Advanced-> Firewall Optimization options to conservative and the phones have stayed registered for an hour which is longer than normal.


  • Banned

    Just change the keep connection alive settings in the SIP phones…..



  • I could do that, but with 20 phones in 3 states this was much easier to do.


Log in to reply