Asterisk behind pfsense (no sound)



  • Well I have been playing for a few days with asterisk and I got it configured where I can make outbound calls but the problem is that I get no sound at all.
    I am using siproxd and pfsense 2.0-Release

    I forward ports 10000-20000 and 5060 to the asterisk server
    I also enabled Manual Outbound NAT and left it default.
    I white listed my own lan and the sip provider "voip.ms" in snort and still I get no sound….

    Any help will be much appreciated.

    TIA!



  • If this server is the only machine that needs sip and RTP through the firewall, you will not need sipproxy.

    Reduce RTP range and set nat options at asterisk and it will work.



  • Thanks for the advice. I never got SIP working so I switched to IAX2 and it's all working ok now.

    Thanks!



  • Ok. Iax is excellent for this.

    If you experience some time in the future iax not working but all configs are ok, then reset firewall states.



  • Awesome. Thanks for the advice!



  • So the advice to get Asterisk working behind pfSense is to disable SIP and switch to IAX?  haha you can't be serious… are there even any carriers offering IAX trunking anymore??  Of the ones who do, they usually list it as an 'unsupported' feature anyway.



  • @luckman212:

    So the advice to get Asterisk working behind pfSense is to disable SIP and switch to IAX?  haha you can't be serious… are there even any carriers offering IAX trunking anymore??  Of the ones who do, they usually list it as an 'unsupported' feature anyway.

    Welcome to the year 2011.
    voip.ms has full support for IAX2. They will even help you for free get your pbx configured.
    And there is no advice in this post. My solution was to switch protocols as IAX2 has better support behind NAT.



  • I received this feedback from voip.ms (I did know about them and actually I've been using them for several years)

    http://i.imgur.com/g506A.png

    fwiw…



  • @luckman212:

    I received this feedback from voip.ms (I did know about them and actually I've been using them for several years)

    http://i.imgur.com/g506A.png

    fwiw…

    Key word "recommend"
    Not "Not Supported"

    Thank you for clarifying it. ;)



  • Both work.

    When using sip behind nat you must configure sip server to support nat.

    Sip + RTP are really hard to setup when you have to pass more than one nat translation.

    Iax can pass as many nats as you need.



  • @marcelloc:

    Both work.

    When using sip behind nat you must configure sip server to support nat.

    Sip + RTP are really hard to setup when you have to pass more than one nat translation.

    Iax can pass as many nats as you need.

    SIP + RTP with dual NAT was my main issue.
    Once I moved to IAX2 my problems were instantly solved.

    :)



  • I have 1 asterisk server behind pfsense nat and also 2 sip phones behind the same nat.  asterisk server is at 192.168.20.248 and listens on UDP 5060 and RTP is 17000-18000.  I am having a hard time getting this setup working – lots of SIP trunk registration timeouts, or no-audio problems when answering incoming calls.  Does anyone have a similar setup that's willing to share their working pfsense configuration?  I know this can work well because all I did was change out my linux router (running Tomato K26) and that's when the problems began.  I was NOT using the SIP ALG if that's what you're thinking -- I had explicitly disabled it and was just using 2 port forwards:
    UDP 5060-->192.168.20.248
    UDP 17000-18000 --> 192.168.20.248

    these simple settings do not seem "enough" for pfsense.



  • @luckman212:

    I have 1 asterisk server behind pfsense nat and also 2 sip phones behind the same nat.   asterisk server is at 192.168.20.248 and listens on UDP 5060 and RTP is 17000-18000.   I am having a hard time getting this setup working – lots of SIP trunk registration timeouts, or no-audio problems when answering incoming calls.  Does anyone have a similar setup that's willing to share their working pfsense configuration?  I know this can work well because all I did was change out my linux router (running Tomato K26) and that's when the problems began.  I was NOT using the SIP ALG if that's what you're thinking -- I had explicitly disabled it and was just using 2 port forwards:
    UDP 5060-->192.168.20.248
    UDP 17000-18000 --> 192.168.20.248

    these simple settings do not seem "enough" for pfsense.

    luckman212,

    SIP in pfsense can be the most tedious task you will ever do in your IT life!
    Start with these few things.

    in your sip.conf the only parts that need to be nat=yes would be your provider context

    all of your sip devices will be nat=no and canreinvite=no
    because they are in the same subnet as your asterisk server so they are not natted.
    Also make sure you have in your general context
    localnet=your.lan.range/subnet
    externip=your.isp.ip

    if your wan ip changes constantly you could also use
    externhost=dynamicip.dyndns.com

    Then move to pfsense

    Make sure you have port forwarded your RTP range and SIP.

    Also change your outbound nat to Manual.

    Only if it applies:

    Make sure you have white listed your provider's ip and your internal range in snort and in any other blocking pkg you have running like ipblock….

    at the end I was unable to get my calls to route properly so I changed to IAX2 with a static outbound port mapping and it all worked like a charm.

    Good Luck.



  • Hmm thanks but that's discouraging that after all that in the end you gave up and used IAX.  I already use externhost= and localnet= and have properly set nat=yes/no on my peers and trunks.  Been playing with this for months.   I know voip.ms supports IAX but most wholesalers don't.  (e.g. other trunks I use like flowroute, gafachi or callcentric do not support it).   So I really need to get it working.  Has anyone ever asked  WHY it's so difficult to make SIP work behind a pfSense NAT, compared to other routers?



  • @luckman212:

    Hmm thanks but that's discouraging that after all that in the end you gave up and used IAX.  I already use externhost= and localnet= and have properly set nat=yes/no on my peers and trunks.  Been playing with this for months.   I know voip.ms supports IAX but most wholesalers don't.  (e.g. other trunks I use like flowroute, gafachi or callcentric do not support it).   So I really need to get it working.  Has anyone ever asked  WHY it's so difficult to make SIP work behind a pfSense NAT, compared to other routers?

    To my observation it looks like pfsense nat mangles the packet on its way out, improperly marking the packet out; for example, look at this state:

    10.30.2.102:5060 -> XX.XX.XXX.XX:33441 -> XX.XX.XXX.XX:5060

    You see how NAT changed the port on its way out and then re port it (If that's even a word lol)? Well I think that SIP application/providers do not accept that thus marking the packet mangled…
    This is just a long shot at something I did not want to spend more time on than what was needed... to be more specific I was up for 32hrs trying to figure this out. At the end I say to hell with it. IAX is my new friend.

    Note: That behavior can be changed by setting out bound NAT to ONT but even then my system failed to register RTP out bound..

    Maybe my ISP blocks SIP as a lot of ISPs do.



  • @luckman212:

    Has anyone ever asked  WHY it's so difficult to make SIP work behind a pfSense NAT, compared to other routers?

    I have no problems with it.

    When using many sip devices behind any firewall, consider using sipproxy.

    RTP issue sample:
    You redirected ports from 17000 to 18000 to your sip server.
    Your second sip device received a call and remote server sent rtp to 17454. In this case you will have no audio and pfSense is not guilty.

    SIP issue sample:
    You redirected port 5060 to your sip server.
    Your second sip device registers at voip.com. When voip.com checks registration who will receive this info? Again pfSense is not guilty.

    Try to set different sip ports/rtp range to each sip server/device behind your firewall.

    :) Just remember that computers do what we tell them to do, not what we want to do. :)
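Added example, not part of any post in this thread: a small audit of the two failure modes discussed above, an SDP body that still advertises the LAN address (what `localnet=`/`externip=` in sip.conf are meant to prevent) and an RTP port that the firewall forwards to a different internal host than the one that sent the offer. The function names, the second phone at 192.168.20.50, the external address 203.0.113.10 and the sample message are constructed for illustration.

```python
import ipaddress

# Constructed values: LAN and port forwards as quoted earlier in the thread.
LOCALNET = ipaddress.ip_network("192.168.20.0/24")   # sip.conf localnet=
# WAN UDP port forwards on the firewall: (first_port, last_port, internal_host)
FORWARDS = [(5060, 5060, "192.168.20.248"), (17000, 18000, "192.168.20.248")]

def forwarded_host(port, forwards=FORWARDS):
    """Internal host that receives a packet arriving on this WAN UDP port."""
    for first, last, host in forwards:
        if first <= port <= last:
            return host
    return None

def audit_sdp(sip_message, sender_ip):
    """Return a list of NAT problems in the SDP body sent by sender_ip."""
    parts = sip_message.replace("\r\n", "\n").split("\n\n", 1)
    if len(parts) < 2:
        return ["no SDP body"]
    problems, media_ip = [], None
    for line in parts[1].splitlines():
        if line.startswith("c=IN IP4 "):
            media_ip = ipaddress.ip_address(line.split()[2])
            if media_ip in LOCALNET:  # far end cannot route RTP to this
                problems.append(f"c= advertises private address {media_ip}")
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
            target = forwarded_host(port)
            if target is None:
                problems.append(f"RTP port {port} is not forwarded")
            elif target != sender_ip:
                problems.append(
                    f"RTP port {port} is forwarded to {target}, not {sender_ip}")
    if media_ip is None:
        problems.append("no c= line")
    return problems

def sample_invite(media_ip, rtp_port):
    """Constructed minimal INVITE carrying an SDP offer."""
    return ("INVITE sip:100@example.invalid SIP/2.0\r\n"
            "Content-Type: application/sdp\r\n\r\n"
            f"v=0\r\nc=IN IP4 {media_ip}\r\nm=audio {rtp_port} RTP/AVP 0\r\n")

if __name__ == "__main__":
    # Asterisk without externip=, Asterisk with it, then a second phone.
    print(audit_sdp(sample_invite("192.168.20.248", 17454), "192.168.20.248"))
    print(audit_sdp(sample_invite("203.0.113.10", 17454), "192.168.20.248"))
    print(audit_sdp(sample_invite("203.0.113.10", 17454), "192.168.20.50"))
```

Run it against the SDP from a packet capture taken on the WAN side; an empty list means the offer is consistent with the port forwards.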



  • @marcelloc:

    @luckman212:

    Has anyone ever asked  WHY it's so difficult to make SIP work behind a pfSense NAT, compared to other routers?

    I have no problems with it.

    When using many sip devices behind any firewall, consider using sipproxy.

    RTP issue sample:
    You redirected ports from 17000 to 18000 to your sip server.
    Your second sip device received a call and remote server sent rtp to 17454. In this case you will have no audio and pfSense is not guilty.

    SIP issue sample:
    You redirected port 5060 to your sip server.
    Your second sip device registers at voip.com. When voip.com checks registration who will receive this info? Again pfSense is not guilty.

    Try to set different sip ports/rtp range to each sip server/device behind your firewall.

    :) Just remember that computers do what we tell them to do, not what we want to do. :)

    I am going to make one more test over sip tonight and see how far I can get again. In my case it was only one device and I was still unable to get outgoing RTP to function properly.
    My sip devices talk to asterisk and then asterisk talks to my provider.

    I will reply back and see what are the results again.



  • @marcelloc:

    @luckman212:

    Has anyone ever asked  WHY it's so difficult to make SIP work behind a pfSense NAT, compared to other routers?

    I have no problems with it.

    When using many sip devices behind any firewall, consider using sipproxy.

    RTP issue sample:
    You redirected ports from 17000 to 18000 to your sip server.
    Your second sip device received a call and remote server sent rtp to 17454. In this case you will have no audio and pfSense is not guilty.

    SIP issue sample:
    You redirected port 5060 to your sip server.
    Your second sip device registers at voip.com. When voip.com checks registration who will receive this info? Again pfSense is not guilty.

    Try to set different sip ports/rtp range to each sip server/device behind your firewall.

    :) Just remember that computers do what we tell them to do, not what we want to do. :)

    I am sorry but in pfsense sip is plain impossible. I just tried everything I can think of and nothing works!
    If you have your sip working behind your pfsense by all means please post your pfsense config and prove me wrong. but for now I stand by this. SIP is not possible behind pfsense.



  • Do you need inbound calls?

    If you don't, you do not need any nat rule, just outbound.



  • @marcelloc:

    Do you need inbound calls?

    If you don't, you do not need any nat rule, just outbound.

    Somebody under general gave me some hints that made the registration possible. the issue has been that outbound is not possible.
    And I do need inbound and outbound.



  • @marcelloc:

    Do you need inbound calls?

    If you don't, you do not need any nat rule, just outbound.

    Look here and see if you can chime in:

    http://forum.pfsense.org/index.php/topic,41286.0.html

    Thanks!



  • can you bridge your router to have real ip at wan?

    my setup is very simple:

    provider–>real ip-->pfsense->--192.168.3.x ip->asterisk server.

    nothing different from nat inbound ports and sip_nat.conf.



  • Well I am back…. Here is what I can say... For an unknown reason I am not able to get SIP working over port 5060. As soon as I switch to 5080 everything started to work as it should. and no I have no other sip device except for my asterisk pbx.
    odd.....



  • Great news!!!  :)

    Some dsl routers have a 'sip Alg' option that breaks sip communication. I have no idea why.
    Maybe you have something like that on your network.



  • @marcelloc:

    Great news!!!  :)

    Some dsl routers have a 'sip Alg' option that breaks sip communication. I have no idea why.
    Maybe you have something like that on your network.

    Nope not here… I have cable... :) but it's all resolved now.

