Setting up NAT for a single VOIP phone, not Asterisk

digininja

I'm trying to get the firewall setup so that I can get both inbound and outbound access for my VOIP softphone (either Twinkle or Ekiga).

I've setup NAT and firewall rules for ports 5060-5080 and 10000-20000 so all traffic can get to the machine running the phone. If I call outbound then it works but if I get an inbound call I don't get the audio from the other end but my outbound audio is fine.

I've read a lot of entries in the forums, people talking about having to enable AON but then others saying it isn't needed as of a recent version and I'm on 1.2.3 so that should mean I don't have to worry about it.

Looking in the logs the firewall the port the traffic wants to come in on always seems to be rising above the last 50xx port I opened, at the moment the traffic is coming in on 5082, when I open that I expect it will go up to 5082.

I read one post that said traffic to port 5060 is handled specially and that some rules aren't needed because of this, have I added too much?

danswartz

Asterisk has nothing to do with any of this.  The problem is that the RTP port pair your IP phone sends is being rewritten by pfsense.  Change to AON and enable static port for the entry you will see then.

digininja

From reading the warning about doing this it looks like I could be setting myself up for all sorts of problems in the future by enabling this. How much extra admin does this add to normal tasks? I've got a set of NAT and firewall rules in place that are going to be fairly static now they are setup so it would just be any config to get the system working and then knowing what, if anything, I'd need to do when adding new things in the future.

I'll have a google around for the answer as well but any comments would be welcome.

danswartz

I'm not sure what you mean.  Normally, there is at least one invisible rule that does outbound NAT, including rewriting some ports.  If you switch to AON, you get a rule created for you that does the same thing.  You can either toggle the 'static port' switch on for it, or (what I have done), add another rule that only does static port outbound NAT for my asterisk server, and put that ahead of the default rule.  One extra rule is not even going to be detectable as far as overheard is concerned.

digininja

From my reading it looked as though I would have to do extra work adding new rules myself for outbound stuff as well as inbound whenever I wanted to change anything, if one default rule is the same as the current settings then thats ok, I'll give it a go.

Thanks

danswartz

Very seldom are you going to be playing with new outbound NAT rules.  If you are talking about restricting outbound services, then I think you may have confused outbound rules with outbound NAT?

digininja

The reason I was worried about it is that I don't know what it does so more than just confused! From what you've said I'll just turn it on, add the rule for SIP and leave it alone after that

digininja

I've set up a rule that looks like this:

WAN    	 192.168.0.0/24  	 *  	 *  	 *  	 *  	 *  	YES

But I'm sure this is too generic. Is it OK to leave it like this or should I make it more specific?

danswartz

This is most likely fine.  Exactly what I do.