Asterisk behind pfSense 1.01



  • Hi,

    I'm having some difficulty getting registered with my SIP provider since installing pfSense.  I've read several threads about static ports and I've followed those with no luck.

    I also saw some recent posts point to some URL's with possible later builds, but haven't figured out how to get a hold of those.  Can anyone shed some light on the subject?

    I've got port forwarding on the following ranges;

    5004-5082 UDP (sip signal)
    10000-20000 UDP (sip rtp)

    And then the static port in the advanced section of NAT outbound.

    Thanks,
    Ken



  • Do you have Firewall rules setup, on the WAN tab, that allow inbound traffic for the proto/port/IP?  You should have one for each port range.

    @kenknight:

    I also saw some recent posts point to some URL's with possible later builds, but haven't figured out how to get a hold of those.  Can anyone shed some light on the subject?

    Snapshot builds can be found here.



  • Thanks wyckedone,

    I downloaded the latest snapshot and did a new install.  I've got what I believe is all the necessary entries in the NAT and Rules section.

    In NAT I'm forwarding ports for 5004-5082udp and 10000-20000udp to the inside ip address.  I've verified these ranges also exist in the rules table.

    next I enabled advanced NAT and added a new rule based on the autocreate rule for lan.  I modified the network to be the inside ip address of my asterisk server which is 192.168.10.168/31 and then I checked "static" at the bottom and applied.

    Still my broadvoice sip shows "Request Sent" during registration.

    Any other suggestions?

    Thanks,
    Ken



  • Make sure the static port outbound nat rule is above all other outbound nat rules (first match wins). After that reset states. To verify the static ports are working check diagnostics>states. The nat lines with the 3 IPs/line should now show the same port for the public IP and the private IP.



  • I have this working.  I will dig out my settings on Asterisk and pfsense and post them here.



  • This is for Stanaphone (but, its still SIP):

    in sip.conf:

    register=99999999:XXXXXXXXX@sip.stanaphone.com/5555551212

    for my SIP inbound trunk:

    [from-pstn] 
    username=99999999
    type=peer
    secret=XXXXXXXXX
    nat=yes
    insecure=very
    host=sip.stanaphone.com
    dtmfmode=rfc2833
    canreinvite=no

    to register for outbound:

    [stanaphone]
    username=99999999
    type=peer
    secret=XXXXXXXXX
    nat=yes
    insecure=very
    host=sip.stanaphone.com

    the entry "nat=yes" is important

    below are XML entries from /cf/conf/config.xml:

    NAT for WAN:

    <rule><protocol>tcp</protocol>
    <external-port>3478</external-port>
    <target>ASTERISK_LAN_IP_ADDR</target>
    <local-port>3478</local-port>
    <interface>wan</interface></rule>
    <rule><protocol>udp</protocol>
    <external-port>3478</external-port>
    <target>ASTERISK_LAN_IP_ADDR</target>
    <local-port>3478</local-port>
    <interface>wan</interface></rule>
    <rule><protocol>udp</protocol>
    <external-port>4569</external-port>
    <target>ASTERISK_LAN_IP_ADDR</target>
    <local-port>4569</local-port>
    <interface>wan</interface></rule>
    <rule><protocol>tcp/udp</protocol>
    <external-port>5004-5082</external-port>
    <target>ASTERISK_LAN_IP_ADDR</target>
    <local-port>5004</local-port>
    <interface>wan</interface></rule>
    <rule><protocol>udp</protocol>
    <external-port>8000-20000</external-port>
    <target>ASTERISK_LAN_IP_ADDR</target>
    <local-port>8000</local-port>
    <interface>wan</interface></rule>

    Firewall Rules:

    <rule><interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
    <any><destination><address>ASTERISK_LAN_IP_ADDR</address>

    <port>80</port></destination>
    <descr>NAT</descr></any></rule>
    <rule><interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
    <any><destination><address>ASTERISK_LAN_IP_ADDR</address>

    <port>22</port></destination>
    <descr>NAT</descr></any></rule>
    <rule><interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
    <any><destination><address>ASTERISK_LAN_IP_ADDR</address>

    <port>3478</port></destination>
    <descr>NAT</descr></any></rule>
    <rule><interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
    <any><destination><address>ASTERISK_LAN_IP_ADDR</address>

    <port>3478</port></destination>
    <descr>NAT</descr></any></rule>
    <rule><interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
    <any><destination><address>ASTERISK_LAN_IP_ADDR</address>

    <port>4569</port></destination>
    <descr>NAT</descr></any></rule>
    <rule><type>pass</type>
    <interface>wan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp/udp</protocol>
    <source>
    <any><destination><address>ASTERISK_LAN_IP_ADDR</address></destination>
    <descr>NAT</descr></any></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
    <any><destination><address>ASTERISK_LAN_IP_ADDR</address>

    <port>8000-20000</port></destination>
    <descr>NAT</descr></any></rule>

    where ASTERISK_LAN_IP_ADDR is your LAN ip address of the asterisk server behind NAT.  These rules forward IAX, SIP, and one other I can't recall for the media connection.

    I have both Stanaphone as well as remote extensions which are themselves behind NAT where they are located.  I have to have them force register back to the WAN IP address (as the SIP server).

    YMMV, but this works like a champ for me!



  • Also, for my remote SIP extensions that are themselves behind NAT where they are:

    In sip.conf:

    [200]
    type=friend
    secret=XXXXXXXXX
    record_out=Adhoc
    record_in=Adhoc
    qualify=no
    port=5060
    nat=yes
    mailbox=200@device
    host=dynamic
    dtmfmode=rfc2833
    dial=SIP/200
    context=from-internal
    canreinvite=no
    callerid=Line 1 on Linksys PAP2 AT <200>
    allow=g729

    [201]
    username=201
    type=friend
    secret=XXXXXXXXX
    record_out=Adhoc
    record_in=Adhoc
    qualify=no
    port=5060
    nat=yes
    mailbox=201@device
    host=dynamic
    dtmfmode=rfc2833
    context=from-internal
    canreinvite=no
    callerid=Line 2 on Linksys PAP2 ATA <201>
    allow=g729
    allow=ulaw

    [300]
    username=300
    type=friend
    secret=XXXXXXXXX
    record_out=Adhoc
    record_in=Adhoc
    qualify=no
    port=5060
    nat=yes
    mailbox=300@device
    host=dynamic
    dtmfmode=rfc2833
    context=from-internal
    canreinvite=no
    callerid=X-Lite Softphone on Laptop <300>
    allow=g729
    allow=ulaw
    allow=alaw
    allow=gsm

    If you have dynamic WAN IP, you can try dyndns.org and reference that on your asterisk setup or consider STUN.

    Mark



  • There was one more entry in sip.conf:

    externip=aaa.bbb.ccc.ddd

    where 'aaa.bbb.ccc.ddd' is the WAN IP address on pfsense.

    If you have a static IP for the WAN interface, then it is pretty straightforward.  If you get a different IP address each time you connect to your ISP (like with PPPOE + DSL), then one fairly easy workaround is to use a dynamic DNS service like www.dyndns.org to register the current dynamic address and then in sip.conf, use:

    externip=my_current_wan_ip.dyndns.org

    The key either way is have asterisk tell the remotely registering SIP client what the "public" IP address is for the SIP ports and from there NAT will get it to your asterisk box.  Once NAT has delivered the packets to asterisk on the LAN side, asterisk will detect that the incoming connection is not "local" and will substitute the value of $externip (either 'aaa.bbb.ccc.ddd' or 'my_current_wan_ip.dyndns.org' in the registration response to the client.

    Note that your ISP may have language in the service's Acceptable User Policy ("AUP") expressly forbidding the use of services like DYNDNS if you subscription only gets you dynamic IP addresses.  So, you will have to make the call.  I have found cable internet service providers to be more concerned about the use of these services than DSL as what they want to prevent is you host web and email services, etc, at the cheap rates and also clobbering the bandwidth, and so on.



  • Hello,

    A couple of updates to the previous.

    When using something like DynDNS.org, you need to use 'externhost' instead of 'externip':

    externhost=my_current_wan_ip.dyndns.org

    And, I had to do one more thing in the end for RTP establishment:

    http://faq.pfsense.com/index.php?sid=120897&lang=en&action=artikel&cat=1&id=177&artlang=en&highlight=asterisk

    This does require activating "Advanced Outbound NAT", so, be sure you understand any ramifications for your setup.  But, once I did this, everything began to behave very nicely for both SIP and ZAPTEL bridging (in and out).  This is necessary because NAT on pf is symmetric, and, NAT on linux is "full coned".  And, best I can tell from some other digging on the web, the gist is that EXTERNAL UDP packets will not be allowed (even with NAT RDR rules to the contrary) UNLESS a state exists to that external source from the "inside out" first (on that same UDP port???).  Without the static port settings from above, the UDP port that the external SIP client will almost certainly vary, and then get blocked.  What I was getting was the RTP layer being one way, but, oddly enough, only on ZAPTEL bridging!!

    Oh well, it now works.  If someone could elaborate/clarify on the issue with the symmetric versus full cone aspects, it would be beneficial.  Would static ports on outbound NAT impede QoS handling any???

    Thanks,

    Mark



  • Also, FYI, this is where I found some detail on types of NAT (though there are certainly many more with more detail):

    http://help.yahoo.com/l/us/yahoo/messenger/messenger75/phoneout/phoneout-18.html

    Mark



  • Some additional background info.  Here is an excerpt from the Slashdot threads from the pfSense 1.0 announcement posted there back in October that got me looking at this whole symmetric NAT versus full coned NAT (sorry it is not very structured):

    http://bsd.slashdot.org/article.pl?sid=06/10/13/2325255&from=rss

    Excerpt:

    PFsense NAT is symmetric, result: no SIP (VoIP)
    (Score:0)
    by Anonymous Coward on Saturday October 14, @09:44AM (#16436535)
    I have played quite extensively with PFSense because I wanted some of the traffic-shaping features but I had to come to the conclusion that PFSense NAT does not work with SIP (VoIP).

    The symmetric NAT of PF is simply a pain - most SIP VoIP things do not work. Anyone who considers to use SIP should not use symmetric NAT and should go for fully coned NAT.

    IPCop does fully coned NAT. Traffic shaping features are also available as add-ons.

    In short: PFsense is a nice idea but unfortunately useless for SIP users.

    Cheers

    GeeJay

    *
          Re:PFsense NAT is symmetric, result: no SIP (VoIP)
          (Score:3, Interesting)
          by SiliconJesus101 (622291) Alter Relationship on Saturday October 14, @10:33AM (#16436907)
          (http://www.toodrunktodrive.com/)
          Lacking the knowledge of the internal workings of PF, I do have to say that I have never had a problem with SIP. My home phone is through Vonage behind pfsense and I routinely connect while on the road to a friends Asterisk box to make phone calls with a soft phone and bluetooth headset on my laptop. He has a pfsense router and all of his trunks are SIP. Several users are simultaneously connected using SIP from remote locations and properly routed out the SIP trunks. Not to doubt that you have had things that do not work; I am only relating my experiences. I must also state that the SIP traffic shaping appears to work beautifully there as I really don't have any call issues that are not related to the bandwidth available at my remote location(s).
          –

    "The strong will do what they want, the weak will do what they must."
          -Thucydides
          [ Parent ]
        *
          Re:PFsense NAT is symmetric, result: no SIP (VoIP)
          (Score:3, Interesting)
          by TCM (130219) Alter Relationship on Saturday October 14, @11:50PM (#16441717)
          The underlying pf seems to have more flexibility than the interface on top then.

    I suppose you mean something like the following?

    # XXX: hardwire SIP and RTP source ports
          nat on $ext_if inet proto udp from $asterisk port { 5060, 10000:20000 } to any -> ($ext_if) static-port
          nat on $ext_if inet from $int_net to any -> ($ext_if)
          rdr on $ext_if inet proto udp from any to ($ext_if) port { 5060, 10000:20000 } -> $asterisk

    Which means that traffic from an internal Asterisk that has source ports 5060 and 10000-20000 leaves NATed but with the source ports intact. Together with the ability to let Asterisk enter arbitrary IP addresses in SIP messages[1], this makes it look like it was directly connected and not behind NAT at all.

    All other traffic - even HTTP from the Asterisk server for example - gets the source port replaced as usual.

    [1] Who TF thought that entering layer 3 addresses in application layers was a good idea anyway?
          –
          Of course it runs NetBSD [netbsd.org].



  • Hi I have basicly the same problem.

    I did this:

    http://faq.pfsense.com/index.php?sid=120897&lang=en&action=artikel&cat=1&id=177&artlang=en&highlight=asterisk

    I also tried many other things… but I just dont get audio. I also have cisco phones with sccp protocol and they work fine.

    This is the problem

    PC (with SJphone SIP) to SIP Asterisk SIP to Voipuser.org SIP <---- This doesnt work no audio

    Cisco Phone SCCP to SCCP Asterisk SIP  to VOIPuser.org SIP <----- That works.

    I did some sniffing from the pfsense box please see the out.txt file attached and I dont really see anything wrong.

    The phone rings and when it supposed to connect it says trying then it says operational and no sound. I been trying to get this to work for 2-3 days now with no luck. This used to work with WRT54g and IPtables firewall.

    Please, any help is appreciated.

    out.txt



  • Also sniffing on the lan side I see this strange message right before the phone call establishment

    484 Address Incomplete

    That seems strange



  • Here is another update which is complitly got me confised.

    I just tried X-Lite from inside and from outside the lan the X-Lite from ouitside the lan works ok.

    BUt from inside it doesnt. isnt that something ?

    I dont understand why the X-Lite work and SJphone doesnt.



  • OK now both the SJphone and the X-Lite work from outside, still no luck from inside. I did find that using IAX2 for FWD and going back the sjphone works.

    SO its something with going back to the SIP softphone phone on my LAN, which is really strange cuz if it works from outside I dont understand how it doesnt work from inside. If anyone can help I would really appreciate. Oh also the audio works one way, meaning that People can hear me, but I cant hear People.



  • SIP sucks. Repeat: it SUCKS!!! This protocol was never designed to be used through NATs and everything that has been introduced to make it work (like STUN or proxies) are just attempts to fix a crappy design. Additional to this all Serviceproviders use different settings which makes calls to some destinations work whereas it might fail to other locations that run different settings.

    Guess it was done by the same people that invented ftp  ;)



  • Yeah you absolutly right I hate SIP also, I guess I can use SCCP softphones. since it works or maybe even an IAX2 softphones. I Still want to find out why it doesnt work, but I guess I never will.



  • Hello all,

    One week ago a company installed on my site an asterisk server and a pfsense based firewall. We do not have any troubles. The only thing (that I can see) is a Firewall rule WAN) to the asterisk server TCP/UDP  source * port  * <serverip>port 4569 gateway *.  On the lan site we do not have any rules yet. No NAT rules what soever.
    Free pbx is is the asterisk version on my sip server. Maybe you have some help with this comment. Good Luck  :)</serverip>



  • Then your provider either uses a proxy to fix it at their end or uses IAX which is NATfriendly.


Log in to reply