Asterisk Server behind pfSense doesn't work. -*Solved*-

kwag · Oct 23, 2006, 2:02 AM

Hi all,

Any solution for the problem of an Asterisk server sitting behind a pfSense server on the LAN?
I've followed all forum recomendations, and even followed pf documents, and this is a "no go".
External sip devices, devices outside the WAN, can connect and authenticate correctly to the Asterisk box. But once a call is made, there's no audio on either direction.
Anyone here able to operate an Asterisk box inside a LAN, behind pfSense?
I'm using pfSense 1.0 RELEASE.
I've forwarded TCP/UDP ports 5004 to 5080 and UDP 8000 to 10500, all to the internal IP of the Asterisk server.
And I made a (Advanced NAT) static port rule also pointing to the Asterisk box.
The recommendations here didn't work: http://faq.pfsense.com/index.php?sid=120897&lang=en&action=artikel&cat=1&id=177&artlang=en&highlight=asterisk

Thanks,
-Karl

hoba · Oct 20, 2006, 9:10 PM

Reset states to make sure the states get established with the static ports. Also have a look at diagnostics>states to make sure your static port rule works correctly.

kwag · Oct 20, 2006, 11:47 PM

Hi hoba,

@hoba:

Reset states to make sure the states get established with the static ports.

Yes, I did that several times.

Also have a look at diagnostics>states to make sure your static port rule works correctly.

What exactly should I be looking for on the states table.

Thanks,
-Karl

hoba · Oct 20, 2006, 11:54 PM

make sure the natted states going out from your asterisk don't change sourceports anymore.

kwag · Oct 21, 2006, 2:06 AM

Ok. Made a quick test and it seems static port is indeed working.
I set up a rule for an internal LAN IP 172.20.2.195, for a Grandstream ATA that connects to a test account on the Internet, and here's what I saw.

With a static rule for IP 172.20.2.195, I clearly see source port stays at 5060 on the WAN (10.10.1.2)
self udp 172.20.2.195:5060 -> 10.10.1.2:5060 -> x.x.x.x:5060 MULTIPLE:MULTIPLE

Without the rule, I get this:
self udp 172.20.2.195:5060 -> 10.10.1.2:54653 -> x.x.x.x:5060 MULTIPLE:MULTIPLE

I can also see the rule by grepping on the ssh command line:

pfctl -s all | grep static

nat on xl0 inet from 172.20.2.195 to any -> (xl0) round-robin static-port

So far, so good.
I'm going to try and test this on the Asterisk box at work tomorrow. I can't now, because I left the Asterisk box off-line :(

I can see that this will solve the outgoing (originating) connections from the LAN, but what about the incoming issues? That is, ATA/SIP adapters on the Internet that are registering into the Asterisk box on the LAN?
I'll report my findings tomorrow.

Thanks again,
-Karl

kwag · Oct 23, 2006, 2:01 AM

Thanks guys!
All issues are now resolved :)
The static port did work correctly, and now we have SIP devices (ATA Grandstreams) registering from the Internet into our Asterisk box, which is behind the primary pfSense firewall :)
As a matter of fact, the internal LAN ATA boxes, which are behind another pfSense, also work correctly. So SIP is traversing correctly through TWO pfSenses :)
On the internal pfSense (the one used for internal LAN protection), I set static port option on the WAN interface for the complete segment, so any machine/adapter on the LAN of that machine will work correctly, instead of having to specify an IP address for each device.
Our final setup was one main pfSense firewall that connects to a T-1 public IP, then internally we used two more pfSense machines. One for the LAN (office machines), and another pfSense for the production servers.
So basically protecting the production machines by isolating them on a local sub net, which can't be accessed by the LAN (office) machines.
And as a bonus, our Hamachi clients are also now working, either behind the main pfSense (guess we'll now call it the second DMZ), or on the office LAN behind the second pfSense
pfSense is working like a charm on all three machines ;)

Thanks,
-Karl

aligzaidi · Feb 8, 2007, 3:16 PM

Hi,

I have allmost same issue port doesn't stay 5060 on my WAN IP

With a static rule for IP 192.168.1.25, I don't see port stays as 5060 on the WAN (w.w.w.w) my ITSP (x.x.x.x)

self udp 192.168.1.25:5060 -> w.w.w.w:54654 -> x.x.x.x:5060 MULTIPLE:MULTIPLE

Without the rule, I get this:
self udp 192.168.1.25:5060 -> w.w.w.w.w:54654 -> x.x.x.x:5060 MULTIPLE:MULTIPLE

I resetted stats many time but i dont see 5060. I'm resetting from remote site may be thats why it is not resetting properly? however, When i reset stats i get disconnected from firewall, does that mean sats resetted properly?
I was confused why port is not staying as 5060, so i rebooted the firewall remotely but still no success, does rebooting a firewall means flushing all stats?

Please help… Any Screenshots? maybe i'm missing something at somwhere.

Ali...

hoba · Feb 18, 2007, 7:58 PM

There are some posts with screenshots around in this forum. Please search.