Help with VoIP and DMZ?
-
I'll start by saying that I've spent the last 5 hours trying to make this work, so I've done some research before asking this. I've searched the forum already, and either can't find that I need, or don't understand the answer. I'm not a complete newb at this, but I am definitely not an expert.
I'm currently running 1.0-RELEASE built on Fri Oct 13 03:11:47 UTC 2006
So I just got a Cisco IP Phone 7940 through bandwidth.com. I get a dialtone, and can dial out and receive calls, but I'm not receiving the configurations that I need, so I'm stuck with only basic phone functionality.
They had me open the following UDP ports in my firewall: 161-162, 1056-1255, 2427-2432, 2727, 5060, 5075
Also, I have TCP ports 21, 80, and 123 open.Their tech support guy checked the server logs, and for some reason they're not receiving my phones requests for the config. As a test, he also had me try the following from the windows command prompt: tftp -i xxx.xxx.xxx.xxx get somefile.cnf but it just times out. He said the request was getting sent out via UDP 69 but getting blocked or something.
He recommended that I set a DMZ for my phone, but I can't figure out how to do that. So I suppose my question is do I need to and HOW DO I do that? Or is there a better/easier option to make it work?
As a final note, I also tried setting my NAT port forwarding for all of those port ranges to my phone's IP address, but no improvement. If my hair was a little longer, I'd be pulling it out here! Thanks in advance for any help!
-
Just updated to version 1.0.1 built on Sun Oct 29 01:13:05 UTC 2006. No improvement.
-
Try to use static ports for your phone. At firewall>nat, outbound enable advanced outbound nat. Then add a rule on top of the auto created rule for LAN like this:
No NAT unchecked
Interface WAN
source network, <ip of="" phone="">/32
port (blank)
destination any
destinationport (blank)
translation interface adress
static port checkedSave and apply.
After that reset states at diagnostics>states, reset states. Also reboot the phone just to make sure.</ip>
-
trying that right now…
-
got this when I followed those directions:
php: : There where error(s) loading the rules: /tmp/rules.debug:22: the 'static-port' option is only valid with nat rules pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [22]: no nat on $ng0 from 10.0.0.0/24 to any static-port
Edit NM, I reread your post. With the new rule on top, I still get that same error.
-
You have to leave the no nat unchecked, read more closely ;)
Yes the autocreated rule is needed. It's what it does when advanced outbound nat is disabled automagically. Make sure the static port rule is above the autocreated rule.
-
heh. Funny how two little letters "U" and "N" make a difference eh? I no longer get errors, but the phone's still not getting the configuration. Any more ideas? I just don't know what else to try…
-
You did reset the states and reboot the phone? If yes I'm out of ideas for now :-\
-
yes to both. Thanks for the help so far.
On a side note, I also added a static mapping for my computer to see if I could do the tftp thing, but it still times out - dunno if that helps or not.
-
TFTP will not work without a helper. Unfortunately 1.0 does not have a helper for this protocol.
-
is there something I can do? i'd really love to keep pfSense.
If it's not possible, could you recommend another option to me?
-
Sorry, I don't know of any other workarounds.
-
Guess something like that would be needed: http://www.openbsd.org/cgi-bin/man.cgi?query=tftp-proxy&sektion=8&manpath=OpenBSD+4.0