Problem with Freeswitch package

kartweel · Dec 31, 2011, 2:48 PM

I've got freeswitch running on pfsense 2.0.1. My network setup is a simple WAN (pppoe with static IP) and LAN (192.168.2.x). Freeswitch binds to the WAN address. I can register SIP devices on it from the LAN using the WAN address and from the WAN. Calls work fine from the WAN, but on the LAN the SIP client receives no sound.

So what I have tried to debug so far:

I've set the firewall to log EVERYTHING on the LAN and WAN Interface. LAN -> WAN interface address doesn't show up?? but I can't figure out why.. LAN -> LAN interface address shows up and LAN -> External Address show up. And anything originating from the WAN interface address doesn't seem to show up.

So that didn't really end up helping me as I couldn't even log the SIP traffic or see if the RTP traffic was being blocked.

The only other thing I've noticed is that from the LAN I can ping the WAN interface IP address, but if from within pfsense I ping a LAN address using the WAN interface (diagnostics -> ping), it times out. So I am thinking because freeswitch is bound to the WAN interface IP (Which is what I want so I can access it externally), the RTP traffic when sending can't get to the clients on the LAN.

I've checked firewalls on clients and I'm pretty sure they aren't the issue.

Any help would be appreciated. It would be great if freeswitch could bind to all interfaces, but I haven't see that yet!

marcelloc · Dec 31, 2011, 3:06 PM

change freeswitch to listen on lan and create a nat to manage it from wan

kartweel · Dec 31, 2011, 3:28 PM

Yes that is an option, but I wanted to be able to access it from the same IP whether inside or outside the network. Also I was having some trouble running it behind a NAT, but I may be able iron out those issues.

I've done some further packet captures on pfsense and a local client.

These are captures from the LAN interface on pfsense.

This is the SIP traffic, which correctly responds on the LAN interface back to the SIP client.

23:14:21.568533 IP 192.168.2.123.5060 > 120.146.228.51.5060: UDP, length 1430
23:14:21.569010 IP 120.146.228.51.5060 > 192.168.2.123.5060: UDP, length 371

This is the RTP traffic from the client to pfsense/freeswitch.

23:14:21.576339 IP 192.168.2.123.5054 > 120.146.228.51.18488: UDP, length 62
23:14:21.615120 IP 192.168.2.123.5054 > 120.146.228.51.18488: UDP, length 62
23:14:21.636939 IP 192.168.2.123.5054 > 120.146.228.51.18488: UDP, length 62

There is no RTP data going from the server to the client. Running a packet capture on the WAN interface picks up the outgoing RTP traffic from freeswitch, but alas it never makes it to the client.

It is odd, the internal profile for freeswitch has this written on it… (I am using fusionpbx frontend)

"By default the Internal profile binds to the WAN IP which is accessible to the internal network. A rule can be set from PFSense -> Firewall -> Rules -> WAN to the the WAN IP for port 5060 which enables phones register from outside the network."

This would make me think that my setup should work!...

marcelloc · Dec 31, 2011, 3:34 PM

Can't you setup freeswitch to listen on all interfaces?

sip does not like nat very much.

On asterisk there are specific options to set nat but I don't know how it works on freeswitch

kartweel · Dec 31, 2011, 3:44 PM

Yes I am trying to avoid NAT :). Freeswitch has some NAT options, but I am a bit of a noob at it.

You can't set a single profile to bind to multiple interfaces, but I can set up multiple profiles, 1 on each interface. So I could have an internal one and an external one. But it would still mean I couldn't use the same IP inside and outside the network, which I don't see why I shouldn't be able to?

marcelloc · Dec 31, 2011, 4:01 PM

Check rules on lan and maybe disabling Block bogon networks could help

kartweel · Dec 31, 2011, 4:11 PM

Tried that, no joy :(. Also tried blocking and unblock private networks etc from WAN.

Any other ideas? I might try putting another interface on, bind it to that and then see if it works. At least then I'll know if it is a problem with the WAN interface specifically, or something else…

kartweel · Jan 1, 2012, 8:19 AM

So I made another interface, LAN2 with IP 192.168.3.1. I bound freeswitch to that IP and it works correctly from the LAN, I can register and get audio etc. So it must just be an issue with using it with WAN. Maybe coz WAN is pppoe ? or maybe coz WAN-LAN is NAT'd ?

In any case, I think it still should work, so any more ideas on what to try?
I guess I should try it on a second WAN interface. and see if it is all WAN interfaces or just the 1 that is causing the issue.

marcelloc · Jan 1, 2012, 3:02 PM

Change your outbound to manual.

kartweel · Jan 2, 2012, 1:22 AM

Ok, I've narrowed it down a little further.

Changing NAT Outbound to manual didn't work. Either did deleting all the NAT rules after chaning to manual (And successfully disabling any internet access, btw changing to auto again didn't fix it, I had to manually create some rules)

I created another WAN interface and set it up, and it exhibits the same behaviour… so I conclude that the issue only happens on WAN interfaces. So on this WAN interface I changed the gateway to "none" (I guess that means it isn't really a WAN interface anymore) and it works perfectly! So this is where the issue is happening.

Likewise from pfsense diagnostics -> ping, I can ping LAN addresses from this "WAN" interface without a gateway...

kartweel · Jan 3, 2012, 1:41 AM

Any ideas anyone?

I'm just wondering if I should persist with this or what I am trying to do is unsupported or not supposed to work…

Thanks!

marcelloc · Jan 3, 2012, 1:50 AM

I will work, just take a look on docs.pfsense.org or this forum for manual outbound nat.

Change to manual and only create outbound nat rules for traffic leaving wan interface.

kartweel · Jan 3, 2012, 2:13 AM

I've got it set to manual and this is the only rule I have in there… Even If I delete all rules it still doesn't work...

Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description

WAN 192.168.2.0/24 * * * * *
NO

The only things I can do to get it to work are:

Remove the gateway on the WAN interface
Disable all packet filtering

Either of which are no good for my setup :(

marcelloc · Jan 3, 2012, 2:20 AM

if LAN is 192.168.2.0/24, outbound nat is fine, check lan rules now.

You must permit traffic fom LAN net to any on LAN interface.

kartweel · Jan 3, 2012, 2:32 AM

I got frustrated and just allowed everything to everywhere on the firewall.

Both LAN and WAN interface are * * * * * * * as the first rule

Still no go…

It still seems to mimic the behaviour of pfSense diagnostics -> ping

I wonder if I should try installing pfSense 1.2.3 and see if it works on that.

cmb · Jan 3, 2012, 2:36 AM

I really doubt that issue has anything to do with your NAT or firewall rules, it's somewhere in your freeswitch or phone config. No idea where, I don't know a whole lot about freeswitch, but that's in general not the kind of symptoms you'd have with any NAT or firewall rule issues in that type of deployment.

1.2.3 and 2.0 will be the same in that regard.

cmb · Jan 3, 2012, 2:37 AM

updated subject and moved into the packages board, not sure if that will help it get better attention, but it's a freeswitch package issue.

kartweel · Jan 4, 2012, 6:02 AM

I've set up pfSense 1.2.3 and installed the freeswitch-dev package and it seems to be working how I want it. Likewise pinging a LAN address from the WAN interface also works. I might try setting up a fresh pfSense 2.0.1 install and seeing if it works. Maybe I just messed up my networking config somehow.

kartweel · Jan 4, 2012, 2:09 PM

Ok. Set up pfSense 2.0.1 again from scratch. Freeswitch package doesn't work on 2.0.1, so I installed fusionPBX again. Same issue as originally.

So to summarise my findings.

pfSense 1.2.3 with freeswitch-dev package worked.
pfSense 2.0.1 with FusionPBX didn't work (meaning cannot hear audio on the internal network, apart from that works fine).

I still think the issue is with pfSense. In 1.2.3 you can ping internal hosts from the WAN interface, in 2.0.1 you cannot. Also in 2.0.1 it works fine if you disable packet filtering, or take the gateway off the WAN interface.

Anyway, I guess I will multi-home freeswitch and then access it internally from the internal IP and externally from the external IP. bah. I like pfSense too much to replace it for something else I can run freeswitch on how I want.

sdudley · Jan 19, 2012, 7:26 PM

Thought I would chime in and mention that on a fresh PFSense (x86) 2.01 install, I was able to follow the steps on Mark's PBXFusion Wiki site and other than the svn issue that marcelloc helped me with to synch PBXFusion updates, the FreeSwitch manual install per the directions works for all intents and purposes on PFSense 2.01…the 32 bit variant. I'm using DynDNS on the PFSense 2.01 and phones on the LAN and WAN work. Not sure if this has any bearing on what you were doing or maybe it's enough of an incentive to keep trying. I'm using Aastra SIP phones, slightly older models and the Linux Twinkle SIP client as a softphone, no VLANs or anything beyond an out of the box setup on the network side of things.
All the best.
Shaun