• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Disabling all SIP intelligence

Scheduled Pinned Locked Moved 2.0-RC Snapshot Feedback and Problems - RETIRED
15 Posts 4 Posters 16.9k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • Z
    Zuzzy
    last edited by May 7, 2011, 3:44 PM

    Hi, first apologies if this should have been in another group-I am running 2.0RC but this may be something related to older versions too

    We use pfsense as a gateway at events and have no problem with most data but we do have major issues with SIP. While most people have issues and need the ALG we have the opposite, and did in older versions too.

    Basically we use a hosted SIP gateway and it works absolutely perfectly with a cheap boring adsl router doing nat. However as soon as any intelligence is applied to it in any way it stops working in various odd ways.

    So in short can I disable the ALG and get pfsense to just nat it, or change the ports it expects SIP on?

    Thanks

    Chris

    1 Reply Last reply Reply Quote 0
    • I
      inflamer
      last edited by May 7, 2011, 6:27 PM May 7, 2011, 6:24 PM

      As far as I've understood, pfsense itself will not perform any ALG/application layer NAT on SIP traffic unless you've installed the siproxd package.

      I have several SIP devices behind my own pfsense which are registered to a Tandberg/Cisco VCS which is working without any issues (Using TCP or TLS).

      1 Reply Last reply Reply Quote 0
      • D
        danswartz
        last edited by May 7, 2011, 7:25 PM

        One nit: if you do not enable static port NAT, the RTP packets will tend to not get through (no audio inbound.)

        1 Reply Last reply Reply Quote 0
        • C
          cmb
          last edited by May 8, 2011, 1:43 AM

          There is no ALG, nothing to disable (assuming you aren't running siproxd), and the default 2.0 settings work in almost every circumstance with every provider. The only non-default setting that's needed on occasion is #2 here.
          http://doc.pfsense.org/index.php/VoIP_Configuration

          @danswartz:

          One nit: if you do not enable static port NAT, the RTP packets will tend to not get through (no audio inbound.)

          Not true in the vast majority of cases, maybe some very rare, limited ones.

          1 Reply Last reply Reply Quote 0
          • D
            danswartz
            last edited by May 9, 2011, 2:49 AM May 9, 2011, 2:34 AM

            Maybe things have changed, but when I wasn't using static port some months back, what happened was pfsense was rewriting the RTP port numbers, so the remote media server was sending packets to the wrong port.  No inbound audio.  I freely admit to not being an expert on the different permutations of how different ITSP's do things, but this was my experience.  If you are running asterisk on top of a modern TCP stack, there is no reason I can think of to not use static port for at least the RTP range of UDP ports, is there?  I have changed providers recently (now using flowroute), so this might be worth revisiting.  I will post results…

            1 Reply Last reply Reply Quote 0
            • C
              cmb
              last edited by May 9, 2011, 6:16 AM

              Should leave source port rewriting enabled for NAT purposes, greatly reduces the chance of a port collision.

              I use flowroute for my home phone, it definitely works fine rewriting RTP's ports. We use a different provider using Asterisk as our business phones and all of us rewrite RTP with no issue. I've never seen that be an issue with Asterisk, or actually any PBX that uses standard SIP and RTP. Some proprietary VoIP implementations have issues with that.

              1 Reply Last reply Reply Quote 0
              • D
                danswartz
                last edited by May 9, 2011, 12:07 PM

                I think it may have been freepbx.com (who I was with for a couple of years).

                1 Reply Last reply Reply Quote 0
                • D
                  danswartz
                  last edited by May 9, 2011, 1:43 PM

                  Chris, a question: when you use asterisk behind pfsense, are you using localnet/externhost or localnet/externip?  I'm pretty sure I was and needed to.  I can't find the reference now, but way back when, I saw a post where someone was explaining why this breaks sometimes and sometimes not (not the static port part, needing to rewrite the SIP headers).  Had to do with how the remote end decides who to talk to; sometimes it goes by the SIP header and sometimes by who the remote host's WAN IP/port are - in the former case, you get no audio, in the latter it works…)  I found that using externhost/localnet worked, except when the port number was rewritten, since in that case, the remote media server was sending audio to the pre-rewritten port, hence my use of static port.  It gets even more confusing, since with some providers, the call treatment works differently depending on whether the call is made outgoing or incoming.  I remember also trying siproxd and that didn't work - possibly for the same reason(s) I needed static port.

                  1 Reply Last reply Reply Quote 0
                  • Z
                    Zuzzy
                    last edited by May 14, 2011, 1:38 PM

                    Sorry for the delay in coming back, thanks to BT for breaking my broadband… :)

                    To clarify, the scenario is that I have multiple phones inside pfsense and the sip hosting on the internet.  I will test again but when I did a packet capture of the traffic passing out through pfsense I could see that the sip headers were being rewritten with the external wan ip address, replacing the originating LAN ip address

                    For us this matters as the hosted platform works strangely. Hence when I use a cable modem to nat instead it works fine, as the headers remain untouched.

                    Obviously I need the nat/pat to rewrite the ip but the sip headers need to remain untouched

                    Thanks, Chris

                    1 Reply Last reply Reply Quote 0
                    • D
                      danswartz
                      last edited by May 14, 2011, 3:32 PM

                      I don't think pfsense touches the SIP headers.  Have you tried static port?

                      1 Reply Last reply Reply Quote 0
                      • C
                        cmb
                        last edited by May 14, 2011, 6:26 PM

                        @danswartz:

                        Chris, a question: when you use asterisk behind pfsense, are you using localnet/externhost or localnet/externip?

                        If it's NATed, yes you need nat=yes and externip defined.

                        @Zuzzy:

                        To clarify, the scenario is that I have multiple phones inside pfsense and the sip hosting on the internet.  I will test again but when I did a packet capture of the traffic passing out through pfsense I could see that the sip headers were being rewritten with the external wan ip address, replacing the originating LAN ip address

                        Unless you're running siproxd, it won't do that.

                        1 Reply Last reply Reply Quote 0
                        • Z
                          Zuzzy
                          last edited by May 14, 2011, 7:54 PM

                          I was surprised that it did do it - I had been playing with siproxd but it was remove then.  One way or another though these phones don't and never have worked when behind pfsense but work flawlessly behind anything basic and featureless like linksys.
                          I'll do a packet capture on a fresh install and report on the results. It might be posted from one of the guys I work with as he has all the kit at the moment and most importantly the phones themselves.

                          Thanks

                          Chris

                          1 Reply Last reply Reply Quote 0
                          • D
                            danswartz
                            last edited by May 14, 2011, 9:16 PM May 14, 2011, 9:05 PM

                            For the 3rd (and last) time, have you tried static port?  Honestly, if you're not going to listen, it's hard to be motivated to help…

                            1 Reply Last reply Reply Quote 0
                            • Z
                              Zuzzy
                              last edited by May 14, 2011, 9:20 PM

                              Sorry if something upset you, didn't mean it. I did say in the post above I would do some tests and get back to you…to be clear  I will of course be trying that. I don't have the phones here so I can't test it immediately. I believe however I did try that but I have been working on this problem for 10-12 months and I can't remember exactly what I have done now.

                              Chris

                              1 Reply Last reply Reply Quote 0
                              • Z
                                Zuzzy
                                last edited by May 14, 2011, 9:52 PM

                                Incidentally Dan note that my original question was not about hosting asterisk and not about the NAT of IPs, it was about phones and rewriting the SIP header, which causes issues with our hosted platform.  As far as I understand from the docs, Static port is just releated to keeping the ports the same during NAT, which I made clear at the top was not an issue (as far as I can tell) - NAT has never been an issue for us and basic PAT (which is what cable/DSL modems do by default) changing source ports etc works absolutely fine.

                                I believe I understand NAT and PAT quite well on a general basis as I am CCNP and my day job is firewall based (but Cisco, Checkpoint etc and I can't get them to move to pfsense, though I try!) and I don't believe it to be a problem (unlike most SIP problems it seems!)

                                1 Reply Last reply Reply Quote 0
                                15 out of 15
                                • First post
                                  15/15
                                  Last post
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                  This community forum collects and processes your personal information.
                                  consent.not_received