Asterisk behind pfsense
-
Asterisk 1.8.4.2, FreePBX
PFsense 2.0-RC3
Excuse me for my bad english! :)
Nat: 5061, TCP/UDP -> FreePBX ip
Asterisk SIP settings:
NAT = Yes
Static ip = my wan ip
Bind port = 5061Problem:
Everything seems to work fine but a smal problem. When I make a call out to someone and that side hangsup, my PBX dont recive "bye" message and the call keeps on going. Its only when I make the call, incomming call works.Tried som packet capture and seems that I get "BYE" message on the right port 5061 from provider but it geets blocked somwhere and dont get to my PBX.
Any idea?
-
No one???
My sip provider told me to test disabling "stateful packet filtering", is there someway I can do this on SIP protocol or on my nat rule? (5061)
-
Nobody? ???
-
Garf,
try setting System -> Advanced -> Firewall/NAT ->Firewall Optimization Options to 'Conservative', the fact that pfSense doesn't seem to forward the BYE message could indicate that a state has timed out (Although the NAT entry you have added should get the BYE forwarded regardless).
Please note that this setting will increase memory usage.
-
Garf,
try setting System -> Advanced -> Firewall/NAT ->Firewall Optimization Options to 'Conservative', the fact that pfSense doesn't seem to forward the BYE message could indicate that a state has timed out (Although the NAT entry you have added should get the BYE forwarded regardless).
Please note that this setting will increase memory usage.
This affects the complete firewall settings and as far as I know this only makes sense if you have a connection with high latency.
I think the better way is this one:
FIREWALL -> Rules -> Edit rule -> Advanced Features -> State type: There I am not really sure what you should use but try it with "none". -
From my understanding, the 'Conservative' setting will increase the state timeout value for UDP states, ref http://doc.pfsense.org/index.php/VoIP_Configuration.
- Andreas
-
No one???
My sip provider told me to test disabling "stateful packet filtering", is there someway I can do this on SIP protocol or on my nat rule? (5061)
This can only be done like I described in the post above. Further what I describe only affects the special rule and not the whole firewall rules.
Port 5061 is used for encrypted (TLS) VoIP traffic. This means that TCP is used. So changing the timeout of UDP will not help. In some cases VoIP can use DTLS (UDP) encrypted traffic. Than this could help.
Nevermind, Garf now has some possibilities he could try and perhaps he will post back if he solved the problem :)
-
Hi!
Thanks for the reply!
In panic to get the VOIP service to work correctly (Had some problems with long connection time, or no connection when calling in). I shut down my PFsense :o and change it to an old 3com router. Now everything works with a simple port forward. I will be back to you as soon as possible when Im changing back and could test your advices.
I want my PFsense back :(
-
Port 5061 is used for encrypted (TLS) VoIP traffic. This means that TCP is used. So changing the timeout of UDP will not help. In some cases VoIP can use DTLS (UDP) encrypted traffic.
Im using port 5061 for security reasoon, im using the same technic as usual port 5061, udp yes. My firwall is blockling alot of traffic on 5060 that shouldnt be there, mostly ip's from china.