Asterisk running ON pfSense2.
-
Disclaimer: Yes, a firewall is meant to ..firewall and nothing more. Agreed. Now pfSense is - also - about having fun and the IT security eng. in me is not that much shocked (IF configuration is done properly) about what we'll discuss here. Don't get mad.
The idea is to use Alix 2D13 board, with latest 4GB nanobsd i386.
Interfaces distribution is:vr0: LAN (PCs) [not relevant here] vr1: WAN (modem) [192.168.42.251] vr2: VOIP (3 VoIPhones ST2030) [10.0.0.251]
I am trying (actually succeeded..) installing/running Asterisk on pfSense. :o
(You can leave now if you can't stand the nausea)a.) ~$#pkg_add -vr asterisk
-> did the whole trick (and even the dependencies, sweet full freeBSD)
b.) Make it start @boot by adding 'asterisk_enable="YES"' to the the /etc/rc.conf.local and renaming /usr/local/etc/rc.d/asterisk to /etc/rc.d/asterisk.sh
c.) Editing /usr/local/etc/asterisk/*.conf (actually, it's all about sip.conf and extensions.conf, right?)
-> Asterisk SIP binds to VOIP interface [10.0.0.251:5060]
d.) Start it: /etc/rc.d/asterisk.sh start
e.) Connect to it: asterisk -vvvvrFirewall (web) for WAN:
[not relevant here]
Firewall (web) for WAN:
TCP/UDP * * * 10000 - 20000 * none Port forwad for RTP traffic. TCP/UDP * * * 5060 (SIP) * none Port forwad for SIP traffic.
Firewall (web) for VOIP:
TCP/UDP * * * 10000 - 20000 * none Port forwad for RTP traffic. TCP/UDP * * * 5060 (SIP) * none Port forwad for SIP traffic. TCP/UDP * * 10.0.0.251 123 (NTP) * none Port forwad for NTP traffic.
Firewall (web) NAT (AON):
WAN 10.0.0.0/24 udp/* * udp/* * * YES Port forwad for SIP traffic on WAN VOIP 10.0.0.0/24 udp/* * udp/* * * YES Port forwad for SIP traffic on VOI
And then of course:
- I can dial phones between them. :D
- I can call from outside to inside (and transfer call between Hard/Soft-VoIPhones) :D
But I CAN NOT call outside :-
(yeah, you are allowed to laugh now…) ;D
nasty 'could not INVITE phone...etc...' message: still have to figure out if it is my Asterisk config (altough a very similar config do work on a single interface Linux box), NAT/FW issue(s), do I have to install 'siproxd', etc..I did read about the static/random src. NAT issue, the UDP timout, the scrub, etc.. :'(
But in the meantime, I also noticed I could actually 'pkg_add -vr asterisk18' instead of the default asterisk (1.4, d'oh)...
So reflashing, re-pkg_adding, reconfiguring and so on..
I'BRB... :P
...please leave a note if you already think about something that could help here ! ;) -
I think your static port nat option needs to be checked. Unless you are hosting phones outside the firewall I don't think you need to port forward 10000-20000. You do not want sipxroxd installed or running.
-
grazman> :-* Thanx!!
Your inputs are of HUGE value to me!-
Concerning the static NAT, I think it is already checked (see the 'YES' in the last column of my NAT table here above), or is it something else you are refering to?
-
I am glad to read about siproxd, though I would love to understand why (in my case?) it is not necessary ?
And/or are you being sarcastic about this package ? crappy? ;) -
Well, you are probably right about the 10000-20000, but it is RTPoUDP, so if I don't wide-open it, how the flow can come from my VoIPISP to the Asterisk (behind FW) ?
-
-
I don't know what you are reading when you say crappy, I made no reference to anything on this post regarding any package except to say what I think is not needed. Here's why: sipxroxd is used when you have phones (plural) inside and the host outside, at least that is my understanding.
Please keep your WAG about what that means to yourself since you obviously have a different agenda here. I don't mind being called down on for something I say or do, but I would have an issue when you just make stuff up. Stop it and grow up please. Good luck.
-
No no no, it probably (definitely..) came out wrong: I was precisely double-checking what you meant by 'you do not want siproxd installed or running'.
You know, while reading that I was really wondering if you just meant it was not required here, or if you had a larger feeling about that package (obviously not).
But you right, my poor 'crappy' guess was inappropriately holding you for saying/thinking that.
Sorry about that… :-
Let's forget about it and not go down this way, shall we?
OK, and now back to the game:
Installing asterisk 1.8 did indeed solve the 'INVITE' issue...simply because I was twiddling between 'defaultuser' and its deprecated version 'username'...grrr...anyway.
Now I have latest binaries and it works almost : calling outside does ring now..... but I can't hear anything (in both ways), nor DTMF punching (in both ways). Codecs issue? still firewalling too much?To be continued...
-
Use ezjail and create a jail for this asterisk.
You can use ports and 1.8.
EJail-admin will Tell you more.
-
marcelloc> very interesting, I'll dig into that!
Now everything is ok, calls in all directions…fine tuning on: voicemail,codecs order, redirection,call transfert, pickup call...