Netgate Discussion Forum

    Asterisk behind pfSense 1.01

    Category: NAT
    19 Posts 6 Posters 29.2k Views
      kenknight:

      Hi,

      I'm having some difficulty getting registered with my SIP provider since installing pfSense.  I've read several threads about static ports and I've followed those with no luck.

      I also saw some recent posts point to some URLs with possible later builds, but haven't figured out how to get hold of those.  Can anyone shed some light on the subject?

      I've got port forwarding on the following ranges:

      5004-5082 UDP (SIP signalling)
      10000-20000 UDP (SIP RTP)

      And then the static port in the advanced section of NAT outbound.

      Thanks,
      Ken

        wyckedone:

        Do you have firewall rules set up, on the WAN tab, that allow inbound traffic for the proto/port/IP?  You should have one for each port range.

        @kenknight:

        I also saw some recent posts point to some URL's with possible later builds, but haven't figured out how to get a hold of those.  Can anyone shed some light on the subject?

        Snapshot builds can be found here.

          kenknight:

          Thanks wyckedone,

          I downloaded the latest snapshot and did a new install.  I've got what I believe is all the necessary entries in the NAT and Rules section.

          In NAT I'm forwarding ports 5004-5082 UDP and 10000-20000 UDP to the inside IP address.  I've verified these ranges also exist in the rules table.

          Next I enabled Advanced Outbound NAT and added a new rule based on the auto-created rule for LAN.  I modified the network to be the inside IP address of my Asterisk server, which is 192.168.10.168/31, and then I checked "static" at the bottom and applied.

          Still my BroadVoice SIP shows "Request Sent" during registration.

          Any other suggestions?

          Thanks,
          Ken

            hoba:

            Make sure the static port outbound NAT rule is above all other outbound NAT rules (first match wins). After that, reset states. To verify the static ports are working, check Diagnostics > States. The NAT lines with three IPs per line should now show the same port for the public IP and the private IP.

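The check hoba describes (the NAT state lines must show the same port on the public and the private side) can be scripted rather than eyeballed. The following is an added example, not code from the thread or from pfSense: it reads `pfctl -ss` output and reports every outbound state from the PBX's SIP and RTP ports whose public port differs from the private one. The PBX address 192.168.10.168, the port ranges, the sample state lines and the two line shapes it parses (the older "src -> translated -> dst" form with three address:port fields that the post refers to, and the newer "translated (src) -> dst" form) are assumptions of the example.

```python
"""Verify that static-port outbound NAT preserves Asterisk's source ports, by
reading the pf state table (added example; not code from the thread or pfSense).

Run on the firewall as:  pfctl -ss | python3 check_static_port.py
"""
import re
import sys

ASTERISK_IP = "192.168.10.168"                         # assumed LAN address of the PBX
SIGNALLING_AND_MEDIA = [(5060, 5060), (10000, 20000)]  # SIP port and the RTP range

# Older pf: "self udp 192.168.10.168:5060 -> 203.0.113.5:5060 -> 198.51.100.10:5060  MULTIPLE:MULTIPLE"
OLD_FORMAT = re.compile(
    r"^\S+\s+(?P<proto>tcp|udp)\s+(?P<orig>[\d.]+:\d+)\s+->\s+(?P<xlat>[\d.]+:\d+)\s+->\s+(?P<dst>[\d.]+:\d+)")
# Newer pf: "all udp 203.0.113.5:5060 (192.168.10.168:5060) -> 198.51.100.10:5060  MULTIPLE:MULTIPLE"
NEW_FORMAT = re.compile(
    r"^\S+\s+(?P<proto>tcp|udp)\s+(?P<xlat>[\d.]+:\d+)\s+\((?P<orig>[\d.]+:\d+)\)\s+->\s+(?P<dst>[\d.]+:\d+)")


def split_hostport(text):
    host, _, port = text.rpartition(":")
    return host, int(port)


def parse_state(line):
    """Return (proto, orig, xlat, dst) with (ip, port) tuples, or None for lines that
    are not outbound-NAT states (untranslated states, rdr states, pfctl chatter)."""
    m = OLD_FORMAT.match(line) or NEW_FORMAT.match(line)
    if not m:
        return None
    return (m.group("proto"), split_hostport(m.group("orig")),
            split_hostport(m.group("xlat")), split_hostport(m.group("dst")))


def in_ranges(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)


def static_port_violations(lines, pbx_ip=ASTERISK_IP, ranges=SIGNALLING_AND_MEDIA):
    """States leaving the PBX's SIP/RTP ports whose public port differs from the
    private one: exactly what a working static-port rule must never produce."""
    bad = []
    for line in lines:
        state = parse_state(line)
        if state is None:
            continue
        proto, orig, xlat, dst = state
        if orig[0] == pbx_ip and in_ranges(orig[1], ranges) and xlat[1] != orig[1]:
            bad.append(state)
    return bad


# Constructed sample output: SIP and one RTP stream preserved, one RTP stream
# rewritten to a random port (static-port rule missing, or sitting below another
# outbound rule that matched first), and an unrelated HTTP state.
SAMPLE_STATES = """\
self udp 192.168.10.168:5060 -> 203.0.113.5:5060 -> 198.51.100.10:5060       MULTIPLE:MULTIPLE
self udp 192.168.10.168:10002 -> 203.0.113.5:61337 -> 198.51.100.10:21004       MULTIPLE:MULTIPLE
all udp 203.0.113.5:10004 (192.168.10.168:10004) -> 198.51.100.10:21006       MULTIPLE:MULTIPLE
self tcp 192.168.10.168:49152 -> 203.0.113.5:51001 -> 198.51.100.20:80       ESTABLISHED:ESTABLISHED
""".splitlines()

if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_STATES
    for proto, orig, xlat, dst in static_port_violations(source):
        print("%s %s:%d left as %s:%d towards %s:%d" % (proto, *orig, *xlat, *dst))
```

Run it right after resetting states and placing a call: an empty report means every SIP/RTP state kept its port; any line it prints names a state created before the static-port rule matched, which is the first thing to look at in the outbound NAT rule order.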
              jobsoft:

              I have this working.  I will dig out my settings on Asterisk and pfsense and post them here.

                jobsoft:

                This is for Stanaphone (but it's still SIP):

                in sip.conf:

                ; outbound registration: user:secret@provider/extension that inbound calls are sent to
                register=99999999:XXXXXXXXX@sip.stanaphone.com/5555551212

                for my SIP inbound trunk:

                [from-pstn]
                username=99999999
                type=peer
                secret=XXXXXXXXX
                nat=yes          ; answer to the address/port the request actually came from, not to the Via/Contact headers
                insecure=very    ; Asterisk 1.2 spelling of insecure=port,invite: ignore the source port and do not challenge the provider's INVITEs
                host=sip.stanaphone.com
                dtmfmode=rfc2833
                canreinvite=no   ; keep RTP anchored on Asterisk instead of re-INVITEing the two endpoints together

                to register for outbound:

                [stanaphone]
                username=99999999
                type=peer
                secret=XXXXXXXXX
                nat=yes
                insecure=very
                host=sip.stanaphone.com

                The entry "nat=yes" is important.

                Below are XML entries from /cf/conf/config.xml:

                NAT for WAN:

                <rule>
                  <protocol>tcp</protocol>
                  <external-port>3478</external-port>
                  <target>ASTERISK_LAN_IP_ADDR</target>
                  <local-port>3478</local-port>
                  <interface>wan</interface>
                </rule>
                <rule>
                  <protocol>udp</protocol>
                  <external-port>3478</external-port>
                  <target>ASTERISK_LAN_IP_ADDR</target>
                  <local-port>3478</local-port>
                  <interface>wan</interface>
                </rule>
                <rule>
                  <protocol>udp</protocol>
                  <external-port>4569</external-port>
                  <target>ASTERISK_LAN_IP_ADDR</target>
                  <local-port>4569</local-port>
                  <interface>wan</interface>
                </rule>
                <rule>
                  <protocol>tcp/udp</protocol>
                  <external-port>5004-5082</external-port>
                  <target>ASTERISK_LAN_IP_ADDR</target>
                  <local-port>5004</local-port>
                  <interface>wan</interface>
                </rule>
                <rule>
                  <protocol>udp</protocol>
                  <external-port>8000-20000</external-port>
                  <target>ASTERISK_LAN_IP_ADDR</target>
                  <local-port>8000</local-port>
                  <interface>wan</interface>
                </rule>

                Firewall Rules:

                <rule>
                  <interface>wan</interface>
                  <protocol>tcp</protocol>
                  <source><any/></source>
                  <destination>
                    <address>ASTERISK_LAN_IP_ADDR</address>
                    <port>80</port>
                  </destination>
                  <descr>NAT</descr>
                </rule>
                <rule>
                  <interface>wan</interface>
                  <protocol>tcp</protocol>
                  <source><any/></source>
                  <destination>
                    <address>ASTERISK_LAN_IP_ADDR</address>
                    <port>22</port>
                  </destination>
                  <descr>NAT</descr>
                </rule>
                <rule>
                  <interface>wan</interface>
                  <protocol>tcp</protocol>
                  <source><any/></source>
                  <destination>
                    <address>ASTERISK_LAN_IP_ADDR</address>
                    <port>3478</port>
                  </destination>
                  <descr>NAT</descr>
                </rule>
                <rule>
                  <interface>wan</interface>
                  <protocol>tcp</protocol>
                  <source><any/></source>
                  <destination>
                    <address>ASTERISK_LAN_IP_ADDR</address>
                    <port>3478</port>
                  </destination>
                  <descr>NAT</descr>
                </rule>
                <rule>
                  <interface>wan</interface>
                  <protocol>tcp</protocol>
                  <source><any/></source>
                  <destination>
                    <address>ASTERISK_LAN_IP_ADDR</address>
                    <port>4569</port>
                  </destination>
                  <descr>NAT</descr>
                </rule>
                <rule>
                  <type>pass</type>
                  <interface>wan</interface>
                  <max-src-nodes/>
                  <max-src-states/>
                  <statetimeout/>
                  <statetype>keep state</statetype>
                  <os/>
                  <protocol>tcp/udp</protocol>
                  <source><any/></source>
                  <destination>
                    <address>ASTERISK_LAN_IP_ADDR</address>
                  </destination>
                  <descr>NAT</descr>
                </rule>
                <rule>
                  <interface>wan</interface>
                  <protocol>tcp</protocol>
                  <source><any/></source>
                  <destination>
                    <address>ASTERISK_LAN_IP_ADDR</address>
                    <port>8000-20000</port>
                  </destination>
                  <descr>NAT</descr>
                </rule>

                where ASTERISK_LAN_IP_ADDR is your LAN ip address of the asterisk server behind NAT.  These rules forward IAX, SIP, and one other I can't recall for the media connection.

                I have both Stanaphone as well as remote extensions which are themselves behind NAT where they are located.  I have to have them force register back to the WAN IP address (as the SIP server).

                YMMV, but this works like a champ for me!

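wyckedone's point earlier in the thread, that each port forward needs a matching WAN firewall rule, is easy to get wrong in a config like the one above (note the UDP 4569 forward next to a TCP-only 4569 firewall rule; the catch-all tcp/udp pass rule happens to cover it). The script below is an added example, not code from the thread or from pfSense: it parses a config.xml fragment and lists every port forward that no WAN pass rule fully admits. It assumes pfSense's config.xml layout (forwards under `<pfsense><nat><rule>`, filter rules under `<pfsense><filter><rule>`, a filter rule without `<type>` being a pass rule, a missing `<protocol>` or destination `<port>` meaning "any"), and the fact that pfSense applies the rdr before the filter, so the firewall rule must name the LAN target, as the posted rules do. The sample configuration embedded in it is constructed from the posted rules with the catch-all removed.

```python
"""Cross-check pfSense port forwards against the WAN firewall rules that must
admit them (added example; not code from the thread or from pfSense).
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the rules posted above, minus the catch-all
# tcp/udp pass rule: the UDP 4569 forward is left with only a TCP firewall rule.
SAMPLE_CONFIG = """<pfsense>
<nat>
 <rule><protocol>tcp</protocol><external-port>3478</external-port>
  <target>192.168.10.168</target><local-port>3478</local-port><interface>wan</interface></rule>
 <rule><protocol>udp</protocol><external-port>4569</external-port>
  <target>192.168.10.168</target><local-port>4569</local-port><interface>wan</interface></rule>
 <rule><protocol>tcp/udp</protocol><external-port>5004-5082</external-port>
  <target>192.168.10.168</target><local-port>5004</local-port><interface>wan</interface></rule>
 <rule><protocol>udp</protocol><external-port>8000-20000</external-port>
  <target>192.168.10.168</target><local-port>8000</local-port><interface>wan</interface></rule>
</nat>
<filter>
 <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
  <destination><address>192.168.10.168</address><port>3478</port></destination></rule>
 <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
  <destination><address>192.168.10.168</address><port>4569</port></destination></rule>
 <rule><type>pass</type><interface>wan</interface><protocol>tcp/udp</protocol><source><any/></source>
  <destination><address>192.168.10.168</address><port>5004-5082</port></destination></rule>
 <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol><source><any/></source>
  <destination><address>192.168.10.168</address><port>8000-20000</port></destination></rule>
</filter>
</pfsense>"""


def parse_port_range(text):
    """'5004-5082' -> (5004, 5082); '3478' -> (3478, 3478); missing -> any port."""
    if not text:
        return (1, 65535)
    lo, _, hi = text.partition("-")
    return (int(lo), int(hi or lo))


def parse_protocols(text):
    """pfSense writes 'tcp', 'udp' or 'tcp/udp'; missing or 'any' matches both."""
    if not text or text == "any":
        return {"tcp", "udp"}
    return set(text.split("/"))


def load_rules(xml_text):
    root = ET.fromstring(xml_text)
    forwards = [{
        "iface": r.findtext("interface"),
        "protos": parse_protocols(r.findtext("protocol")),
        "ports": parse_port_range(r.findtext("external-port")),
        "target": r.findtext("target"),
    } for r in root.findall("./nat/rule")]
    passes = []
    for r in root.findall("./filter/rule"):
        if r.findtext("type", "pass") != "pass":
            continue
        dst = r.find("destination")
        passes.append({
            "iface": r.findtext("interface"),
            "protos": parse_protocols(r.findtext("protocol")),
            "ports": parse_port_range(dst.findtext("port") if dst is not None else None),
            "address": dst.findtext("address") if dst is not None else None,
        })
    return forwards, passes


def covers(rule, fwd):
    """A pass rule admits a forward when it is on the same interface, allows every
    protocol of the forward, spans the whole external port range, and is aimed at
    the forward's LAN target (or at any destination)."""
    lo, hi = fwd["ports"]
    rlo, rhi = rule["ports"]
    return (rule["iface"] == fwd["iface"]
            and fwd["protos"] <= rule["protos"]
            and rlo <= lo and hi <= rhi
            and rule["address"] in (None, fwd["target"]))


def uncovered_forwards(xml_text):
    """Return the port forwards that no pass rule on the same interface fully admits."""
    forwards, passes = load_rules(xml_text)
    return [f for f in forwards if not any(covers(p, f) for p in passes)]


if __name__ == "__main__":
    for f in uncovered_forwards(SAMPLE_CONFIG):
        print("no firewall rule admits forward %s %d-%d -> %s"
              % ("/".join(sorted(f["protos"])), f["ports"][0], f["ports"][1], f["target"]))
```

Feed it the real file (`uncovered_forwards(open("/cf/conf/config.xml").read())`) after every change to the NAT tab; a forward it reports will show up in the firewall log as blocked traffic to the LAN address, which is the symptom kenknight started the thread with.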
                  jobsoft:

                  Also, for my remote SIP extensions that are themselves behind NAT where they are:

                  In sip.conf:

                  [200]
                  type=friend
                  secret=XXXXXXXXX
                  record_out=Adhoc
                  record_in=Adhoc
                  qualify=no
                  port=5060
                  nat=yes
                  mailbox=200@device
                  host=dynamic
                  dtmfmode=rfc2833
                  dial=SIP/200
                  context=from-internal
                  canreinvite=no
                  callerid=Line 1 on Linksys PAP2 ATA <200>
                  allow=g729

                  [201]
                  username=201
                  type=friend
                  secret=XXXXXXXXX
                  record_out=Adhoc
                  record_in=Adhoc
                  qualify=no
                  port=5060
                  nat=yes
                  mailbox=201@device
                  host=dynamic
                  dtmfmode=rfc2833
                  context=from-internal
                  canreinvite=no
                  callerid=Line 2 on Linksys PAP2 ATA <201>
                  allow=g729
                  allow=ulaw

                  [300]
                  username=300
                  type=friend
                  secret=XXXXXXXXX
                  record_out=Adhoc
                  record_in=Adhoc
                  qualify=no
                  port=5060
                  nat=yes
                  mailbox=300@device
                  host=dynamic
                  dtmfmode=rfc2833
                  context=from-internal
                  canreinvite=no
                  callerid=X-Lite Softphone on Laptop <300>
                  allow=g729
                  allow=ulaw
                  allow=alaw
                  allow=gsm

                  If you have dynamic WAN IP, you can try dyndns.org and reference that on your asterisk setup or consider STUN.

                  Mark

                    jobsoft:

                    There was one more entry in sip.conf:

                    externip=aaa.bbb.ccc.ddd

                    where 'aaa.bbb.ccc.ddd' is the WAN IP address on pfsense.

                    If you have a static IP for the WAN interface, then it is pretty straightforward.  If you get a different IP address each time you connect to your ISP (like with PPPoE + DSL), then one fairly easy workaround is to use a dynamic DNS service like www.dyndns.org to register the current dynamic address and then in sip.conf, use:

                    externip=my_current_wan_ip.dyndns.org

                    The key either way is to have Asterisk tell the remotely registering SIP client what the "public" IP address is for the SIP ports, and from there NAT will get it to your Asterisk box.  Once NAT has delivered the packets to Asterisk on the LAN side, Asterisk will detect that the incoming connection is not "local" and will substitute the value of $externip (either 'aaa.bbb.ccc.ddd' or 'my_current_wan_ip.dyndns.org') in the registration response to the client.

                    Note that your ISP may have language in the service's Acceptable Use Policy ("AUP") expressly forbidding the use of services like DynDNS if your subscription only gets you dynamic IP addresses.  So, you will have to make the call.  I have found cable internet service providers to be more concerned about the use of these services than DSL providers, as what they want to prevent is you hosting web and email services, etc., at the cheap rates and also clobbering the bandwidth, and so on.

                      jobsoft:

                      Hello,

                      A couple of updates to the previous.

                      When using something like DynDNS.org, you need to use 'externhost' instead of 'externip':

                      externhost=my_current_wan_ip.dyndns.org

                      And, I had to do one more thing in the end for RTP establishment:

                      http://faq.pfsense.com/index.php?sid=120897&lang=en&action=artikel&cat=1&id=177&artlang=en&highlight=asterisk

                      This does require activating "Advanced Outbound NAT", so be sure you understand any ramifications for your setup.  But once I did this, everything began to behave very nicely for both SIP and ZAPTEL bridging (in and out).  This is necessary because NAT on pf is symmetric, and NAT on Linux is "full coned".  And, best I can tell from some other digging on the web, the gist is that EXTERNAL UDP packets will not be allowed (even with NAT RDR rules to the contrary) UNLESS a state exists to that external source from the "inside out" first (on that same UDP port???).  Without the static port settings from above, the UDP port that the external SIP client sees will almost certainly vary, and then get blocked.  What I was getting was the RTP layer being one way, but, oddly enough, only on ZAPTEL bridging!!

                      Oh well, it now works.  If someone could elaborate/clarify on the issue with the symmetric versus full cone aspects, it would be beneficial.  Would static ports on outbound NAT impede QoS handling any???

                      Thanks,

                      Mark

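The two externip/externhost posts above describe what Asterisk does with those settings: a peer that is not "local" is given the public address in the registration response and SDP, and externhost is re-resolved so a DynDNS name survives a WAN address change. What decides "local" is the localnet setting, which the posts do not mention. The following is an added example, not code from the thread or from Asterisk: it reads a constructed [general] section and reproduces chan_sip's selection rule (peer inside a localnet gets the PBX's own address, otherwise externhost's current A record, otherwise externip). The addresses, the DynDNS name and the injected resolver result are assumptions; using bindaddr as the LAN address is a simplification of Asterisk's own lookup of the interface that routes to the peer.

```python
"""Which address does Asterisk advertise to a given SIP peer?
(added example; not code from the thread or from Asterisk)
"""
import ipaddress
import socket

# Constructed [general] section, in the shape the posts above describe.
SAMPLE_GENERAL = """\
[general]
bindaddr=192.168.10.168
; externhost is re-resolved, so a DynDNS name keeps working across WAN address changes
externhost=my_current_wan_ip.dyndns.org
; localnet tells Asterisk which peers are on the near side of the NAT
localnet=192.168.10.0/255.255.255.0
nat=yes
"""


def parse_general(text):
    """Minimal sip.conf reader: the keys of [general]; localnet may repeat."""
    cfg = {"localnet": []}
    section = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment, as in Asterisk
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "general" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "localnet":
            cfg["localnet"].append(ipaddress.ip_network(value, strict=False))
        else:
            cfg[key] = value
    return cfg


def our_address_for(peer_ip, cfg, resolve=socket.gethostbyname):
    """The address to place in Contact and in the SDP c= line for this peer."""
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in cfg["localnet"]):
        return cfg["bindaddr"]              # same side of the NAT: the LAN address works
    if cfg.get("externhost"):
        return resolve(cfg["externhost"])   # dynamic WAN address, looked up by name
    if cfg.get("externip"):
        return cfg["externip"]              # static WAN address
    return cfg["bindaddr"]                  # no NAT settings: the remote peer is told a private IP


if __name__ == "__main__":
    cfg = parse_general(SAMPLE_GENERAL)
    fake_dns = lambda host: "203.0.113.5"   # stands in for the DynDNS lookup
    for peer in ("198.51.100.10", "192.168.10.50"):
        print(peer, "is told to reach us at", our_address_for(peer, cfg, fake_dns))
```

The third case worth trying is `localnet` left out: a softphone on the LAN is then told to send RTP to the WAN address, and whether that audio ever arrives depends on the firewall doing NAT reflection for it. That is the "works from outside but not from inside" shape of failure, and it is the first thing to check in [general] before touching the firewall.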
                        jobsoft:

                        Also, FYI, this is where I found some detail on types of NAT (though there are certainly many more with more detail):

                        http://help.yahoo.com/l/us/yahoo/messenger/messenger75/phoneout/phoneout-18.html

                        Mark

                          jobsoft:

                          Some additional background info.  Here is an excerpt from the Slashdot threads from the pfSense 1.0 announcement posted there back in October that got me looking at this whole symmetric NAT versus full coned NAT (sorry it is not very structured):

                          http://bsd.slashdot.org/article.pl?sid=06/10/13/2325255&from=rss

                          Excerpt:

                          PFsense NAT is symmetric, result: no SIP (VoIP)
                          by Anonymous Coward on Saturday October 14, @09:44AM (#16436535)

                          I have played quite extensively with PFSense because I wanted some of the traffic-shaping features but I had to come to the conclusion that PFSense NAT does not work with SIP (VoIP).

                          The symmetric NAT of PF is simply a pain - most SIP VoIP things do not work. Anyone considering using SIP should not use symmetric NAT and should go for fully coned NAT.

                          IPCop does fully coned NAT. Traffic shaping features are also available as add-ons.

                          In short: PFsense is a nice idea but unfortunately useless for SIP users.

                          Cheers

                          GeeJay

                          Re:PFsense NAT is symmetric, result: no SIP (VoIP)
                          by SiliconJesus101 (622291) on Saturday October 14, @10:33AM (#16436907)

                          Lacking the knowledge of the internal workings of PF, I do have to say that I have never had a problem with SIP. My home phone is through Vonage behind pfsense and I routinely connect while on the road to a friend's Asterisk box to make phone calls with a soft phone and bluetooth headset on my laptop. He has a pfsense router and all of his trunks are SIP. Several users are simultaneously connected using SIP from remote locations and properly routed out the SIP trunks. Not to doubt that you have had things that do not work; I am only relating my experiences. I must also state that the SIP traffic shaping appears to work beautifully there as I really don't have any call issues that are not related to the bandwidth available at my remote location(s).

                          Re:PFsense NAT is symmetric, result: no SIP (VoIP)
                          by TCM (130219) on Saturday October 14, @11:50PM (#16441717)

                          The underlying pf seems to have more flexibility than the interface on top then.

                          I suppose you mean something like the following?

                          # XXX: hardwire SIP and RTP source ports
                          nat on $ext_if inet proto udp from $asterisk port { 5060, 10000:20000 } to any -> ($ext_if) static-port
                          nat on $ext_if inet from $int_net to any -> ($ext_if)
                          rdr on $ext_if inet proto udp from any to ($ext_if) port { 5060, 10000:20000 } -> $asterisk

                          Which means that traffic from an internal Asterisk that has source ports 5060 and 10000-20000 leaves NATed but with the source ports intact. Together with the ability to let Asterisk enter arbitrary IP addresses in SIP messages[1], this makes it look like it was directly connected and not behind NAT at all.

                          All other traffic - even HTTP from the Asterisk server for example - gets the source port replaced as usual.

                          [1] Who TF thought that entering layer 3 addresses in application layers was a good idea anyway?

                            yozh:

                            Hi, I have basically the same problem.

                            I did this:

                            http://faq.pfsense.com/index.php?sid=120897&lang=en&action=artikel&cat=1&id=177&artlang=en&highlight=asterisk

                            I also tried many other things… but I just don't get audio. I also have Cisco phones with the SCCP protocol and they work fine.

                            This is the problem:

                            PC (with SJphone SIP) to SIP Asterisk SIP to Voipuser.org SIP <---- This doesn't work, no audio

                            Cisco Phone SCCP to SCCP Asterisk SIP to VOIPuser.org SIP <----- That works.

                            I did some sniffing from the pfSense box; please see the out.txt file attached. I don't really see anything wrong.

                            The phone rings, and when it is supposed to connect it says "trying", then it says "operational", and no sound. I've been trying to get this to work for 2-3 days now with no luck. This used to work with a WRT54G and an iptables firewall.

                            Please, any help is appreciated.

                            Attachment: out.txt

                              yozh:

                              Also, sniffing on the LAN side, I see this strange message right before the call is established:

                              484 Address Incomplete

                              That seems strange

                                yozh:

                                Here is another update which has got me completely confused.

                                I just tried X-Lite from inside and from outside the LAN; the X-Lite from outside the LAN works OK.

                                But from inside it doesn't. Isn't that something?

                                I don't understand why X-Lite works and SJphone doesn't.

                                  yozh:

                                  OK, now both SJphone and X-Lite work from outside, still no luck from inside. I did find that using IAX2 for FWD and going back to SJphone works.

                                  So it's something with going back to the SIP softphone on my LAN, which is really strange, because if it works from outside I don't understand how it doesn't work from inside. If anyone can help I would really appreciate it. Oh, also the audio works one way, meaning that people can hear me, but I can't hear people.

                                    hoba:

                                    SIP sucks. Repeat: it SUCKS!!! This protocol was never designed to be used through NATs, and everything that has been introduced to make it work (like STUN or proxies) is just an attempt to fix a crappy design. In addition to this, all service providers use different settings, which makes calls to some destinations work whereas they might fail to other locations that run different settings.

                                    Guess it was done by the same people that invented ftp  ;)

                                      yozh:

                                      Yeah, you're absolutely right, I hate SIP also. I guess I can use SCCP softphones, since that works, or maybe even IAX2 softphones. I still want to find out why it doesn't work, but I guess I never will.

                                        DignionASP:

                                        Hello all,

                                        One week ago a company installed an Asterisk server and a pfSense-based firewall on my site. We do not have any troubles. The only thing (that I can see) is a firewall rule (WAN) to the Asterisk server: TCP/UDP, source * port *, <serverip> port 4569, gateway *.  On the LAN side we do not have any rules yet. No NAT rules whatsoever.
                                        FreePBX is the Asterisk version on my SIP server. Maybe this comment is of some help to you. Good luck  :)

                                          hoba:

                                          Then your provider either uses a proxy to fix it at their end or uses IAX, which is NAT-friendly.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.