Trouble with SIP and various other NAT'ing

  • OK, I've been at this for a couple of days now and my head is about to explode.

    First off, I'll say that pfSense is the best and most awesome firewall I have ever put my hands on. I have used iptables on a linux box for years because I could never find a pre-built firewall distribution that would allow me to have the flexibility I needed until I encountered pfSense. I swear, everything I could have ever criticized or complained about not working correctly or simply not present is built into pfSense! Hats off to the development team, you have produced a top notch quality product :)

    So here's the deal. I have a modest home network that is way too complicated for what I am doing, but I play amateur network engineer in my spare time in an attempt to learn. I have pfSense 2.0-RC1 running on a dedicated 1U server with two gigabit onboard Realtek NICs cabled to a Comcast business class gateway with 5 static IPs and a Netgear gigabit "smart" switch on the LAN side. I also set up an 802.1q VLAN trunk for a handful of servers. Here's a diagram:

    I'm able to pass traffic locally without issue. The problem comes when I try to NAT that traffic externally. I'll start with the Asterisk server, as that is the most critical service I need to establish before anything else. I am unable to get my SIP and IAX peers registered. I did the normal port forwarding (5060, 10000:20000 UDP for SIP, and 4569 UDP for IAX), enabled AON and set up a rule like so:

    The blacked out addresses correspond to different external IPs from my provider.
    No matter how I order the rules, I cannot get any of my SIP or IAX peers to register. I also have a rule for the VLAN2 interface to allow all traffic to the internet, but no rules for inbound traffic; I'm assuming the port forwards take care of that?

    It's late for me.. and I've been at this quite a while and I surrender. I am most likely missing something, and I just can't place a finger on what it could be. Any help appreciated…

  • Firewall > NAT

    • Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))

    • Create NAT rule for PBX Static Port = yes

    Asterisk sip.conf

    • externhost= (if dynamic) or externip= (if static)

    • localnet=

    No need to forward any ports if you are just doing outbound registrations. If you don't have different devices in your LAN that register to the same SIP server, this should work without further tweaking.

  • Well, it turned out to be something simple: I had to reboot the cable gateway as there were ARP entries for the old box  :o

    After I power cycled the cable gateway, everything started working… should have done that in the first place... DOH!

    Thanks :)

  • @joako:

    Firewall > NAT

    • Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))

    • Create NAT rule for PBX Static Port = yes

    joako, could you please do me a favor and post a screenshot from pfSense of this static port setup for the Asterisk IP? I have a similar issue to the OP and am having a hard time wrapping my head around the options on that screen. I have it working now by pretty much leaving all the fields blank, e.g.:

    but I am sure that's probably overkill or, worse, more permissive than it need be. I just want SIP and RTP packets coming from the Asterisk PBX to be statically mapped. In my case that's UDP 5060 and UDP 17000-18000 (for RTP). Thanks!!

  • The default NAT rule is * *; all you are doing is telling it to use static port for certain traffic. I do this without any firewall rule for SIP registration, or I forward port 5060 when they call direct (i.e. sip:extension@host:5060); in that case you would want to get the IP(s) of your provider and only allow theirs.
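    The mechanism behind joako's two recommendations (Static Port on the outbound NAT rule, and externip=/localnet= in sip.conf), as an added toy model that is not code from pfSense, Asterisk or anyone in this thread. The addresses, the localnet range, the assumption that the provider sends from UDP 5060 and the assumption that no port forward exists are all constructed for the illustration:

```python
"""Toy model of a SIP REGISTER from a PBX behind pfSense (added example,
not pfSense or Asterisk code).

Two independent settings decide whether the provider can reach the PBX
afterwards:
  * Asterisk's externip=/localnet= choose the address written into the
    Contact header that the provider stores.
  * pfSense's outbound NAT rule with Static Port decides whether UDP source
    port 5060 survives translation, so that the pf state matches what the
    Contact header claims.
"""
import ipaddress
import random

# Constructed sample topology (assumptions, not taken from the thread).
PBX_IP = "192.168.2.10"       # Asterisk on the LAN
WAN_IP = "198.51.100.20"      # one of the static public addresses
PROVIDER_IP = "203.0.113.5"   # the provider's registrar, assumed to use 5060
SIP_PORT = 5060

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def advertised_address(peer_ip, externip, localnet):
    """Address Asterisk places in Via/Contact for a message to peer_ip.

    Simplified model of sip.conf nat handling: a peer inside any localnet=
    range is told the private address; any other peer is told externip=.
    With no externip= the outside world is handed an RFC 1918 address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in ipaddress.ip_network(net) for net in localnet):
        return PBX_IP
    return externip or PBX_IP


def outbound_nat(src_port, static_port, rng):
    """pf-style outbound NAT: the source IP becomes WAN_IP; the source port
    is preserved only when the rule has Static Port set, otherwise pf picks
    a random high port."""
    if static_port:
        return WAN_IP, src_port
    return WAN_IP, rng.randint(49152, 65535)


def register(externip, localnet, static_port, seed=1):
    """Send REGISTER; return (Contact stored by provider, pf UDP state).

    pf keeps one UDP state per (src, sport, dst, dport) 4-tuple; a later
    packet from the provider is allowed back in only if it matches it.
    """
    rng = random.Random(seed)
    contact = (advertised_address(PROVIDER_IP, externip, localnet), SIP_PORT)
    nat_ip, nat_port = outbound_nat(SIP_PORT, static_port, rng)
    state = (nat_ip, nat_port, PROVIDER_IP, SIP_PORT)
    return contact, state


def incoming_invite(contact, state):
    """Provider sends an INVITE from PROVIDER_IP:5060 to the stored Contact.
    It reaches the PBX only if it matches the existing pf state (no port
    forward is assumed, as in joako's setup)."""
    dst_ip, dst_port = contact
    if any(ipaddress.ip_address(dst_ip) in net for net in RFC1918):
        return "dropped: Contact is an RFC 1918 address the provider cannot route"
    wan_ip, wan_port, prov_ip, prov_port = state
    if (dst_ip, dst_port) == (wan_ip, wan_port) and \
            (PROVIDER_IP, SIP_PORT) == (prov_ip, prov_port):
        return "delivered"
    return f"dropped: no pf state for {dst_ip}:{dst_port}"


def registration_outcome(externip, localnet, static_port):
    """Full round trip: REGISTER out, INVITE back in."""
    contact, state = register(externip, localnet, static_port)
    return incoming_invite(contact, state)


if __name__ == "__main__":
    cases = {
        "no externip, no static port": ("", [], False),
        "externip, no static port":    (WAN_IP, [], False),
        "externip + localnet + static port": (WAN_IP, ["192.168.2.0/24"], True),
    }
    for name, args in cases.items():
        print(f"{name:36s} {registration_outcome(*args)}")
```

    The third case is the only one where the Contact the provider stored and the pf state created by the REGISTER agree, which is why joako can skip the port forward; the localnet= line additionally keeps LAN phones from being told the public address. A real port forward of 5060 restricted to the provider's addresses, as joako describes for direct calls, would rescue the second case but not the first.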
