Help with VoIP and DMZ?



  • I'll start by saying that I've spent the last 5 hours trying to make this work, so I've done some research before asking this.  I've searched the forum already, and either can't find what I need, or don't understand the answer.  I'm not a complete newb at this, but I am definitely not an expert.

    I'm currently running 1.0-RELEASE built on Fri Oct 13 03:11:47 UTC 2006

    So I just got a Cisco IP Phone 7940 through bandwidth.com.  I get a dialtone, and can dial out and receive calls, but I'm not receiving the configurations that I need, so I'm stuck with only basic phone functionality.
    They had me open the following UDP ports in my firewall: 161-162, 1056-1255, 2427-2432, 2727, 5060, 5075
    Also, I have TCP ports 21, 80, and 123 open.

    Their tech support guy checked the server logs, and for some reason they're not receiving my phone's requests for the config.  As a test, he also had me try the following from the Windows command prompt: tftp -i xxx.xxx.xxx.xxx get somefile.cnf but it just times out.  He said the request was getting sent out via UDP 69 but getting blocked or something.

    He recommended that I set a DMZ for my phone, but I can't figure out how to do that.  So I suppose my question is do I need to and HOW DO I do that?  Or is there a better/easier option to make it work?

    As a final note, I also tried setting my NAT port forwarding for all of those port ranges to my phone's IP address, but no improvement.  If my hair was a little longer, I'd be pulling it out here!  Thanks in advance for any help!



  • Just updated to version 1.0.1 built on Sun Oct 29 01:13:05 UTC 2006.  No improvement.



  • Try to use static ports for your phone. At firewall>nat, outbound enable advanced outbound nat. Then add a rule on top of the auto created rule for LAN like this:

    No NAT unchecked
    Interface WAN
    source network, <ip of phone>/32
    port (blank)
    destination any
    destination port (blank)
    translation interface address
    static port checked

    Save and apply.

    After that reset states at diagnostics>states, reset states. Also reboot the phone just to make sure.



  • trying that right now…



  • got this when I followed those directions:

    php: : There where error(s) loading the rules: /tmp/rules.debug:22: the 'static-port' option is only valid with nat rules pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [22]: no nat on $ng0 from 10.0.0.0/24 to any static-port

    Edit: NM, I reread your post.  With the new rule on top, I still get that same error.



  • You have to leave the no nat unchecked, read more closely  ;)
    Yes the autocreated rule is needed. It's what it does when advanced outbound nat is disabled automagically. Make sure the static port rule is above the autocreated rule.



  • heh.  Funny how two little letters "U" and "N" make a difference eh?  I no longer get errors, but the phone's still not getting the configuration.  Any more ideas?  I just don't know what else to try…



  • You did reset the states and reboot the phone? If yes I'm out of ideas for now  :-\



  • yes to both.  Thanks for the help so far.

    On a side note, I also added a static mapping for my computer to see if I could do the tftp thing, but it still times out - dunno if that helps or not.



  • TFTP will not work without a helper.  Unfortunately 1.0 does not have a helper for this protocol.
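    To show why the tftp test above times out even with port forwarding or static-port NAT, here is an added example (not from this thread or from pfSense): a toy stateful NAT in Python whose state is keyed on the full address/port 4-tuple, with and without a TFTP helper. All addresses, port numbers and the class/function names are constructed for the illustration.

    ```python
    import struct

    TFTP_PORT = 69

    def build_rrq(filename, mode="octet"):
        """TFTP Read Request (opcode 1): the packet the phone sends to port 69."""
        return struct.pack("!H", 1) + filename.encode() + b"\0" + mode.encode() + b"\0"

    class StatefulNat:
        """Toy outbound NAT whose state is keyed on the full 4-tuple, as pf is without a helper."""
        def __init__(self, wan_ip, tftp_helper=False):
            self.wan_ip = wan_ip
            self.helper = tftp_helper
            self.states = {}   # (wan_ip, wan_port, dst_ip, dst_port) -> (lan_ip, lan_port)
            self.expect = {}   # (wan_ip, wan_port, server_ip) -> (lan_ip, lan_port), helper only
            self.next_port = 40000

        def outbound(self, src_ip, src_port, dst_ip, dst_port, payload, static_port=False):
            wan_port = src_port if static_port else self.next_port
            if not static_port:
                self.next_port += 1
            self.states[(self.wan_ip, wan_port, dst_ip, dst_port)] = (src_ip, src_port)
            if self.helper and dst_port == TFTP_PORT and payload[:2] in (b"\0\1", b"\0\2"):
                # Helper saw a RRQ/WRQ: the server will answer from a NEW port, so expect it.
                self.expect[(self.wan_ip, wan_port, dst_ip)] = (src_ip, src_port)
            return self.wan_ip, wan_port

        def inbound(self, src_ip, src_port, dst_ip, dst_port):
            """Return the LAN host a reply is forwarded to, or None if the firewall drops it."""
            key = (dst_ip, dst_port, src_ip, src_port)
            if key in self.states:
                return self.states[key]
            exp = self.expect.pop((dst_ip, dst_port, src_ip), None)
            if exp is not None:
                self.states[key] = exp  # promote the expectation to a normal state
            return exp

    def tftp_fetch(helper, static_port=False):
        """Simulate the phone's config request; returns where the server's DATA lands."""
        nat = StatefulNat("203.0.113.10", tftp_helper=helper)       # constructed WAN address
        phone, server = ("10.0.0.50", 1056), "198.51.100.20"        # constructed addresses
        wan_ip, wan_port = nat.outbound(*phone, server, TFTP_PORT,
                                        build_rrq("somefile.cnf"), static_port)
        # Per RFC 1350 the server sends DATA block 1 from a fresh ephemeral port, not 69.
        return nat.inbound(server, 55123, wan_ip, wan_port)
    ```

    Without the helper the reply never matches a state and is dropped (static port or not); with the helper the expectation created by the RRQ lets the first DATA packet through, which is exactly the role the missing TFTP helper would play.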



  • is there something I can do?  i'd really love to keep pfSense.

    If it's not possible, could you recommend another option to me?



  • Sorry, I don't know of any other workarounds.



