Netgate Discussion Forum

    Setting up NAT for a single VOIP phone, not Asterisk

      digininja

      I'm trying to get the firewall set up so that I can get both inbound and outbound access for my VOIP softphone (either Twinkle or Ekiga).

      I've set up NAT and firewall rules for ports 5060-5080 and 10000-20000 so all traffic can get to the machine running the phone. If I call outbound then it works, but if I get an inbound call I don't get the audio from the other end, although my outbound audio is fine.

      I've read a lot of entries in the forums, people talking about having to enable AON but then others saying it isn't needed as of a recent version and I'm on 1.2.3 so that should mean I don't have to worry about it.

      Looking in the logs, the firewall port the traffic wants to come in on always seems to be rising above the last 50xx port I opened. At the moment the traffic is coming in on 5082; when I open that I expect it will go up to 5082.

      I read one post that said traffic to port 5060 is handled specially and that some rules aren't needed because of this. Have I added too much?

        danswartz

        Asterisk has nothing to do with any of this.  The problem is that the RTP port pair your IP phone sends is being rewritten by pfSense.  Change to AON and enable static port for the entry you will see then.

          digininja

          From reading the warning about doing this, it looks like I could be setting myself up for all sorts of problems in the future by enabling this. How much extra admin does this add to normal tasks? I've got a set of NAT and firewall rules in place that are going to be fairly static now they are set up, so it would just be any config to get the system working and then knowing what, if anything, I'd need to do when adding new things in the future.

          I'll have a google around for the answer as well but any comments would be welcome.

            danswartz

            I'm not sure what you mean.  Normally, there is at least one invisible rule that does outbound NAT, including rewriting some ports.  If you switch to AON, you get a rule created for you that does the same thing.  You can either toggle the 'static port' switch on for it, or (what I have done), add another rule that only does static port outbound NAT for my Asterisk server, and put that ahead of the default rule.  One extra rule is not even going to be detectable as far as overhead is concerned.

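A simplified model of the two options described in the post above, added here as an illustration (not code from either poster or from pfSense): outbound NAT rules are checked in order, and the first match decides whether the phone's RTP source port is kept or rewritten. The phone address 192.168.0.10, the SDP body and the 50001-65535 rewrite range are assumptions made for the example.

```python
import ipaddress
import random
import re
from dataclasses import dataclass


@dataclass
class OutboundNatRule:
    source: str        # CIDR matched against the LAN source address
    static_port: bool  # True keeps the original source port


def translate_port(rules, src_ip, src_port, rng):
    """WAN-side source port after outbound NAT; the first matching rule decides."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if addr in ipaddress.ip_network(rule.source):
            if rule.static_port:
                return src_port
            # Assumed rewrite range for this model, not read from pfSense.
            return rng.randrange(50001, 65536)
    return None  # no outbound NAT rule matched


def sdp_audio_port(sdp):
    """RTP port the phone advertises in its SDP 'm=audio' line."""
    match = re.search(r"^m=audio (\d+) ", sdp, re.MULTILINE)
    if match is None:
        raise ValueError("no m=audio line in SDP")
    return int(match.group(1))


def rtp_port_preserved(rules, phone_ip, sdp, seed=0):
    """True if the advertised RTP port is also the port seen on the WAN side."""
    advertised = sdp_audio_port(sdp)
    return translate_port(rules, phone_ip, advertised, random.Random(seed)) == advertised


PHONE = "192.168.0.10"  # assumed softphone address (constructed)
SAMPLE_SDP = (          # constructed SDP body, port taken from the 10000-20000 range
    "v=0\r\no=- 0 0 IN IP4 192.168.0.10\r\ns=-\r\n"
    "c=IN IP4 192.168.0.10\r\nt=0 0\r\nm=audio 10000 RTP/AVP 0\r\n"
)
LAN = "192.168.0.0/24"
DEFAULT_RULES = [OutboundNatRule(LAN, False)]   # automatic-style rule, ports rewritten
LAN_STATIC = [OutboundNatRule(LAN, True)]       # static port for the whole LAN
HOST_FIRST = [OutboundNatRule(PHONE + "/32", True), OutboundNatRule(LAN, False)]
HOST_LAST = list(reversed(HOST_FIRST))          # host rule below the default: never reached

if __name__ == "__main__":
    for name, rules in [("default", DEFAULT_RULES), ("LAN static", LAN_STATIC),
                        ("host first", HOST_FIRST), ("host last", HOST_LAST)]:
        print(name, rtp_port_preserved(rules, PHONE, SAMPLE_SDP))
```

With the host-specific rule first, only the phone keeps its source ports and every other LAN host still gets rewritten ports; placed after the LAN-wide rule it has no effect.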
              digininja

              From my reading it looked as though I would have to do extra work adding new rules myself for outbound stuff as well as inbound whenever I wanted to change anything. If one default rule is the same as the current settings then that's OK, I'll give it a go.

              Thanks

                danswartz

                Very seldom are you going to be playing with new outbound NAT rules.  If you are talking about restricting outbound services, then I think you may have confused outbound rules with outbound NAT?

                  digininja

                  The reason I was worried about it is that I don't know what it does, so more than just confused! From what you've said I'll just turn it on, add the rule for SIP and leave it alone after that.

                    digininja

                    I've set up a rule that looks like this:

                    WAN    	 192.168.0.0/24  	 *  	 *  	 *  	 *  	 *  	YES
                    

                    But I'm sure this is too generic. Is it OK to leave it like this or should I make it more specific?

                      danswartz

                      This is most likely fine.  Exactly what I do.
