At a loss … IAX2 through pfSense



  • Hi,

    I'm hoping somebody can help me as I'm at a loss. Just as a quick note, I have trawled through here and the internet for the past few hours. 99.9% of problems seem to deal with SIP (which is why I use IAX) and are simply not applicable, hence why I'm at a loss!

    I have a PBX In A Flash PBX which has been running fine for about two years sitting in the DMZ (see below for network diag) with no problems at all. I have decided to move this to behind pfSense for security as previously it was simply behind a Netgear router. I now can get no outgoing calls and incoming calls are very slow to connect and the audio breaks up. I have checked the PBX config and it's fine. The test phone works internally to other extensions and voicemail etc.

    The new IP is a .10 network. Old IP was .11 network.

    My network setup is:

    LAN (.10 network) -> pfSense interface -> DMZ (.11 network) -> router -> internet

    I have the following rules set up in Port Forwarding in pfSense:

    UDP 10000 - 20000
    UDP 5000 - 5082
    UDP 4569
    UDP 2727

    All obviously point to the PBX.

    Now I know the top 2 are for SIP only but I was at the stage where I had had enough and put those in there too in case I was missing something. Better to have everything in there just in case.

    I have created a rule in the firewall to ALLOW and to log ALL traffic to and from the PBX that goes through the firewall. The vast majority of traffic is simply NTP and DNS stuff. When I call into the external VoIP number I can see port 4569 being used and the states look like this:

    udp VOIPHOST.201:4569 -> 10.10.10.8:4569 MULTIPLE:MULTIPLE
    udp VOIPHOST.205:4569 -> 10.10.10.8:4569 MULTIPLE:MULTIPLE
    udp 10.10.10.8:4569 <- 10.10.11.2:4569 <- VOIPHOST.201:4569 MULTIPLE:MULTIPLE
    udp 10.10.10.8:4569 <- 10.10.11.2:4569 <- VOIPHOST.205:4569 MULTIPLE:MULTIPLE

    It takes around 10-15 seconds for me to hear the initial voice prompt on the PBX when in the new .10 network. Before in the .11 network it was 1-2 seconds tops (usually instant). Additionally, if I dial the external number, listen to the voice prompt to ensure it's connected, and then hang up, the call STILL continues and gets put through to the extension. Once I actually called, heard the prompt, hung up, called back immediately and ended up in the middle of the prompt just as if I had never disconnected! Another thing I've noticed is that I'm listening to internet radio (it uses TCP port 1935) just now to while away the time. When I call in to the PBX, the internet radio drops and I have to start it again …

    When I dial out from my phone I get all the Asterisk stuff in the logs. After about 30 seconds I get the "All circuits are busy now" and the message "TRUNK Dial failed due to CHANUNAVAIL" in the Asterisk logs. Nothing shows up in the pfSense logs at all.

    At a complete loss now. No idea where to go.

    I chose IAX2 trunks as they are supposed to be firewall friendly so I can only assume this is something to do with me and my setup.

    Any help gratefully appreciated.



  • I am suspicious that you have two external VOIP hosts?  Is that correct?



  • @danswartz:

    I am suspicious that you have two external VOIP hosts?  Is that correct?

    That's exactly what I thought - but then I've never looked at this before so I wasn't sure what was what. I actually have one host - specified by a hostname in the PBX config. I assume it's load balanced with multiple IPs but not sure why it would try and connect from two IPs. I have just made another couple of calls into the PBX and they too have come from two IPs (different from the first ones) but there are still two of them. The config hasn't changed at all between the move.

    I noticed that the IAX connections were unmonitored so I searched for that. I added qualify=yes to the config on the outbound IAX connection. The connection then came up UNREACHABLE and the following was in the state table:

    127.0.0.1:19000 <- 193.111.201.100:4569 <- 192.168.10.8:4569

    This confuses me - where did the loopback come from? I remember reading something in here about the NAT reflection using ports 19000. I turned that off and VOILA I can actually connect outbound. However I had this turned off earlier and it didn't make any difference so I assume it's a combination of this.

    I still have lengthy delays in connecting to the PBX and the delay between the external phone being hung up and that getting to the PBX. Is this likely to be pfSense, noting that before in the old network I didn't have this problem (delay between hanging up and PBX hanging up was around 1 second)?



  • I am surprised at the loopback oddity.  Sounds like something internal accessing the external name (pfSense?)  Hard to say more without seeing config & rules.  One thing: do you have the localnet/externhost stuff in Asterisk?  In the appropriate SIP config file something like this:

    externhost=myexternalname.mydomain.com ; sanitized here
    externrefresh=120
    localnet=10.0.0.0/255.255.255.0 ; change to 192.168.10.0/255.255.255.0

    The above assumes you have a dynamic IP, in which case the externhost name should be something that gets updated with some kind of dyndns client.  If it is a static public IP, you would use the externip (IIRC) directive instead and omit the refresh directive.  I know this can wreak havoc since Asterisk is not passing the correct IP addresses in the INVITE headers.  I know you didn't need to do this before, but pfSense (well, any pf based firewall) can be more finicky about this stuff.



  • Thanks for coming back to me so quickly. I had all that stuff in the SIP config file but remember, this is IAX (although to be fair I do have a SIP line that doesn't work just now but I'm concentrating on the IAX stuff and will tackle that at a later date) :) I checked the IAX configs and there are no similar directives in there.



  • Oh, boy, sorry about wasting your time.  Totally forgot that is all SIP-related :(



  • Hey you didn't waste my time. I appreciate the help!

