Netgate Discussion Forum

Asterisk Server behind pfSense doesn't work. -*Solved*-

NAT
8 Posts 3 Posters 14.7k Views
  • K
    kwag
    last edited by Oct 23, 2006, 2:02 AM Oct 20, 2006, 8:50 PM

    Hi all,

    Any solution for the problem of an Asterisk server sitting behind a pfSense server on the LAN?
    I've followed all forum recommendations, and even followed pf documents, and this is a "no go".
    External sip devices, devices outside the WAN, can connect and authenticate correctly to the Asterisk box. But once a call is made, there's no audio on either direction.
    Anyone here able to operate an Asterisk box inside a LAN, behind pfSense?
    I'm using pfSense 1.0 RELEASE.
    I've forwarded TCP/UDP ports 5004 to 5080 and UDP 8000 to 10500, all to the internal IP of the Asterisk server.
    And I made a (Advanced NAT) static port rule also pointing to the Asterisk box.
    The recommendations here didn't work: http://faq.pfsense.com/index.php?sid=120897&lang=en&action=artikel&cat=1&id=177&artlang=en&highlight=asterisk

    Thanks,
    -Karl

    • H
      hoba
      last edited by Oct 20, 2006, 9:10 PM

      Reset states to make sure the states get established with the static ports. Also have a look at diagnostics>states to make sure your static port rule works correctly.

      • K
        kwag
        last edited by Oct 20, 2006, 11:47 PM

        Hi hoba,

        @hoba:
        > Reset states to make sure the states get established with the static ports.

        Yes, I did that several times.

        > Also have a look at diagnostics>states to make sure your static port rule works correctly.

        What exactly should I be looking for on the states table?

        Thanks,
        -Karl

        • H
          hoba
          last edited by Oct 20, 2006, 11:54 PM

          Make sure the natted states going out from your asterisk don't change source ports anymore.

          • K
            kwag
            last edited by Oct 21, 2006, 2:06 AM

            Ok. Made a quick test and it seems static port is indeed working.
            I set up a rule for an internal LAN IP 172.20.2.195, for a Grandstream ATA that connects to a test account on the Internet, and here's what I saw.

            With a static rule for IP 172.20.2.195, I clearly see source port stays at 5060 on the WAN (10.10.1.2)
            self udp 172.20.2.195:5060 -> 10.10.1.2:5060 -> x.x.x.x:5060      MULTIPLE:MULTIPLE

            Without the rule, I get this:
            self udp 172.20.2.195:5060 -> 10.10.1.2:54653 -> x.x.x.x:5060      MULTIPLE:MULTIPLE

            I can also see the rule by grepping on the ssh command line:

            pfctl -s all | grep static

            nat on xl0 inet from 172.20.2.195 to any -> (xl0) round-robin static-port

            So far, so good.
            I'm going to try and test this on the Asterisk box at work tomorrow. I can't now, because I left the Asterisk box off-line  :(

            I can see that this will solve the outgoing (originating) connections from the LAN, but what about the incoming issues? That is, ATA/SIP adapters on the Internet that are registering into the Asterisk box on the LAN?
            I'll report my findings tomorrow.

            Thanks again,
            -Karl

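The state-table check discussed in the posts above (does the WAN-side source port match the LAN-side one?) can be scripted. This is an added example, not part of the original thread and not pfSense's own tooling; it assumes state lines in exactly the three-address layout quoted above, and the function name `check_static_port` and the sample hosts 172.20.2.50 and 192.0.2.10 are made up for illustration.

```shell
#!/bin/sh
# Added example: classify NATed UDP states by whether pf kept the source port.
# Assumed input layout (the one quoted in the posts above):
#   self udp <lan_ip:port> -> <wan_ip:port> -> <remote_ip:port>  <state>

# check_static_port [LAN_IP]   (hypothetical helper name)
# Reads state lines on stdin and prints one verdict per NATed UDP state.
# With LAN_IP given, only states originating from that host are reported.
check_static_port() {
    awk -v host="${1:-}" '
        # Keep only UDP states that show a translation (two "->" arrows).
        $2 == "udp" && $4 == "->" && $6 == "->" {
            n = split($3, lan, ":"); lan_port = lan[n]
            m = split($5, wan, ":"); wan_port = wan[m]
            if (host != "" && lan[1] != host) next
            # static-port in effect: the port is identical on both sides.
            verdict = (lan_port == wan_port) ? "STATIC" : "REWRITTEN"
            printf "%s %s -> %s (remote %s)\n", verdict, $3, $5, $7
        }'
}

# Constructed sample: the two lines from the post above, plus a made-up
# inbound state with no translation and a made-up second LAN host.
SAMPLE_STATES='self udp 172.20.2.195:5060 -> 10.10.1.2:5060 -> x.x.x.x:5060      MULTIPLE:MULTIPLE
self udp 172.20.2.195:5060 -> 10.10.1.2:54653 -> x.x.x.x:5060      MULTIPLE:MULTIPLE
self tcp 10.10.1.2:22 <- 192.0.2.10:40022      ESTABLISHED:ESTABLISHED
self udp 172.20.2.50:10000 -> 10.10.1.2:61234 -> x.x.x.x:18000      MULTIPLE:MULTIPLE'

printf '%s\n' "$SAMPLE_STATES" | check_static_port
```

A `REWRITTEN` verdict for the SIP or RTP ports of the PBX or ATA means the outbound NAT rule with `static-port` is not matching that host, or the state predates the rule and needs to be reset.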
            • K
              kwag
              last edited by Oct 23, 2006, 2:01 AM

              Thanks guys!
              All issues are now resolved :)
              The static port did work correctly, and now we have SIP devices (ATA Grandstreams) registering from the Internet into our Asterisk box, which is behind the primary pfSense firewall :)
              As a matter of fact, the internal LAN ATA boxes, which are behind another pfSense, also work correctly. So SIP is traversing correctly through TWO pfSenses :)
              On the internal pfSense (the one used for internal LAN protection), I set static port option on the WAN interface for the complete segment, so any machine/adapter on the LAN of that machine will work correctly, instead of having to specify an IP address for each device.
              Our final setup was one main pfSense firewall that connects to a T-1 public IP, then internally we used two more pfSense machines. One for the LAN (office machines), and another pfSense for the production servers.
              So basically protecting the production machines by isolating them on a local sub net, which can't be accessed by the LAN (office) machines.
              And as a bonus, our Hamachi clients are also now working, either behind the main pfSense (guess we'll now call it the second DMZ), or on the office LAN behind the second pfSense.
              pfSense is working like a charm on all three machines ;)

              Thanks,
              -Karl

              • A
                aligzaidi
                last edited by Feb 8, 2007, 3:16 PM Feb 8, 2007, 3:10 PM

                Hi,

                I have almost the same issue: the port doesn't stay 5060 on my WAN IP.

                With a static rule for IP 192.168.1.25, I don't see port stays as 5060 on the WAN (w.w.w.w) my ITSP (x.x.x.x)

                self udp 192.168.1.25:5060 -> w.w.w.w:54654 -> x.x.x.x:5060       MULTIPLE:MULTIPLE

                Without the rule, I get this:
                self udp 192.168.1.25:5060 -> w.w.w.w.w:54654 -> x.x.x.x:5060       MULTIPLE:MULTIPLE

                I reset the states many times but I don't see 5060. I'm resetting from a remote site; maybe that's why it is not resetting properly? However, when I reset the states I get disconnected from the firewall; does that mean the states were reset properly?
                I was confused why the port is not staying at 5060, so I rebooted the firewall remotely, but still no success. Does rebooting a firewall mean flushing all states?

                Please help… Any screenshots? Maybe I'm missing something somewhere.

                Ali...

                • H
                  hoba
                  last edited by Feb 18, 2007, 7:58 PM

                  There are some posts with screenshots around in this forum. Please search.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.