Help with VoIP and DMZ?

austinkp

I'll start by saying that I've spent the last 5 hours trying to make this work, so I've done some research before asking this.  I've searched the forum already, and either can't find that I need, or don't understand the answer.  I'm not a complete newb at this, but I am definitely not an expert.

I'm currently running 1.0-RELEASE built on Fri Oct 13 03:11:47 UTC 2006

So I just got a Cisco IP Phone 7940 through bandwidth.com.  I get a dialtone, and can dial out and receive calls, but I'm not receiving the configurations that I need, so I'm stuck with only basic phone functionality.
They had me open the following UDP ports in my firewall: 161-162, 1056-1255, 2427-2432, 2727, 5060, 5075
Also, I have TCP ports 21, 80, and 123 open.

Their tech support guy checked the server logs, and for some reason they're not receiving my phones requests for the config.  As a test, he also had me try the following from the windows command prompt: tftp -i xxx.xxx.xxx.xxx get somefile.cnf but it just times out.  He said the request was getting sent out via UDP 69 but getting blocked or something.

He recommended that I set a DMZ for my phone, but I can't figure out how to do that.  So I suppose my question is do I need to and HOW DO I do that?  Or is there a better/easier option to make it work?

As a final note, I also tried setting my NAT port forwarding for all of those port ranges to my phone's IP address, but no improvement.  If my hair was a little longer, I'd be pulling it out here!  Thanks in advance for any help!

austinkp

Just updated to version 1.0.1 built on Sun Oct 29 01:13:05 UTC 2006.  No improvement.

hoba

Try to use static ports for your phone. At firewall>nat, outbound enable advanced outbound nat. Then add a rule on top of the auto created rule for LAN like this:

No NAT unchecked
Interface WAN
source network, <ip of="" phone="">/32
port (blank)
destination any
destinationport (blank)
translation interface adress
static port checked

Save and apply.

After that reset states at diagnostics>states, reset states. Also reboot the phone just to make sure.</ip>

austinkp

trying that right now…

austinkp

got this when I followed those directions:

php: : There where error(s) loading the rules: /tmp/rules.debug:22: the 'static-port' option is only valid with nat rules pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [22]: no nat on $ng0 from 10.0.0.0/24 to any static-port

Edit NM, I reread your post.  With the new rule on top, I still get that same error.

hoba

You have to leave the no nat unchecked, read more closely  ;)
Yes the autocreated rule is needed. It's what it does when advanced outbound nat is disabled automagically. Make sure the static port rule is above the autocreated rule.

austinkp

heh.  Funny how two little letters "U" and "N" make a difference eh?  I no longer get errors, but the phone's still not getting the configuration.  Any more ideas?  I just don't know what else to try…

hoba

You did reset the states and reboot the phone? If yes I'm out of ideas for now  :-\

austinkp

yes to both.  Thanks for the help so far.

On a side note, I also added a static mapping for my computer to see if I could do the tftp thing, but it still times out - dunno if that helps or not.

sullrich

TFTP will not work without a helper.  Unfortunately 1.0 does not have a helper for this protocol.

austinkp

is there something I can do?  i'd really love to keep pfSense.

If it's not possible, could you recommend another option to me?

sullrich

Sorry, I don't know of any other workarounds.

hoba

Guess something like that would be needed: http://www.openbsd.org/cgi-bin/man.cgi?query=tftp-proxy&sektion=8&manpath=OpenBSD+4.0