SIP behind NAT in PFSENSE 1.2.3 RC1



  • Guys,

    This question maybe is repeated hundreds times, but everyone is telling different story.
    I have IPPhone behind PFSENSE with port set on a line 5060. I set NAT OUTBOUND to MANUAL and

    WAN    192.168.100.0/24  *  *  *  *  * NO

    WAN  192.168.100.0/24 * * 5060  * * YES

    And SIP port is sending to another PFSESNE on port 22623 instead of 5060. This is really starts being crazy
    especially for someone who has spend almost 14 whole days playing with only this ports and nothing had worked. If someone has solution PLEASE explain. Maybe I am missing something. Sorry but I searched the forum, then I tried many possibilities and none of them works.

    My understanding is one pfsense is sending 5060 and the other one who has that port NATED and opened rules to Trixbox should get registered but how if that 5060 has been changed to over 20000 UDP?

    I don't get it…....



  • what are you doing?  if you really have two rules like this, it won't work - the first will match everything.  move the second b4 the first.



  • see I knew it, something like this config is on many posts …. damm I am trying it now.

    Thanks



  • OK i have placed:

    WAN    192.168.100.0/24 *  *  5060  *  * YES

    WAN  192.168.100.0/24 * * 5061 * * YES

    WAN  192.168.100.0/24 * * * * * NO

    Don't know why 3 out of 4 lines did not registered with Trix, I am checking this now …..

    Another question is how I can resolve problem with RTP ports? Lets say the other pfsense has open incoming 10001-20000UDP so the audio needs to be send using these ports. ON IPPHONE RTP START is set to 10500 but these ports aren't leaving pfsense. The other pfsense shows that ports are coming above 55000 UDP ..... any advice please.

    THX



  • I would not even bother with the multiple rules.  Just keep the default rule but set static port to yes.



  • Ive run multiple sip devices on my 1.2.3 box without any fancy forwarding and outbound nat set to auto for over a year.   Now Im running Freeswitch and still have an ata registering to a provider not part of Freeswitch.

    Simply make a firewall rule to allow your poviders server(s) access to your network

    Proto          Source IP               Port       Destination         Port    Gateway
    UDP   123.45.67.890   *        *                      *   *

    Leave any port forwarding out and try it…



  • You could limit your sip provider to only one ip (your ata) in that rule also…



  • it would help if the OP would describe his network setup a little more clearly.  i get the impression he has two sites with a pfsense at each one (although that might be mistaken).  if something like that is true, the best answer is to set up a site to site vpn using openvpn and eliminate the whole issue.



  • Yes, I do have one FW at home, the other one wt work and both pfsens' 1.2.3 RC1
    At work, Aterisk is behind pfsense. Port 5060 is nated and FW rules are set as shown on pictures.

    Asterisk has SIP_NAT.CONF configured correctly to show external IP on outside.

    Phone is Astra 57i and uses port 5060 as the extension on Asterisk - 5060. Why that line can't register with Asterisk.

    Aastra 57i –----pfsense-----WAN-----pfsense------ASterisk

    SIP can be max twice nated so it is. It should work..... it should..... but it does not. If you can provide one working example that I can compare and check WHY and WHAT is wrong with mine configuration would be great.

    MST













Locked