How do you pass VoIP traffic from behind the firewall?

  • Hello, everyone;

    I've been floating around these forums looking for this answer and all I see is conflicting information.  Some people say one needs to add a firewall rule to allow ports into their internal network while others state it is an AON NAT rule one needs to add that keeps port numbers static if they are communicating with the VoIP equipment.  I think the differences are due to people's assumptions on how the VoIP equipment is connected to the network (e.g. DMZ, second public IP, etc.).  Therefore, I've decided to state my environment as well as how I would like to connect the VoIP equipment in hopes that someone can help me figure out why my VoIP will not work when I move it behind my firewall.

    This is for my home, first of all, so I don't need commercial-level availabiliity.  As such, I'm only using one public IP address.  My VoIP service is provided by Ooma and requires the following ports outbound (from the device) to be opened:

    UDP 53, UDP 123, UDP 514, UDP 1194,UDP 3386, UDP 3480, UDP 10000-20000, TCP 53 and TCP 443.

    There is no talk of inbound ports.  I think this is because Ooma works via an OpenVPN tunnel so once that is established, all communications are running through that one connection.  I know this isn't an issue with connecting to an OpenVPN server from behind my firewall because I can do this successfully from other machines in my network to servers outside of my network.  I also know that if I put the Ooma device in front of my firewall that it connects fine, so the equipment works and is capable of connecting.

    I am not trying to run a DMZ here.  My goal is to have my VoIP system behind my firewall and enjoy the protection that such a configuration provides.  In short, the Ooma device is just another piece of equipment on my network.

    My network is wired, from cable modem to Ooma as follows:

    modem -> pfSense router -> switch -> Ooma

    I have one WAN and one LAN port on my pfSense router.  Also, in my router's firewall, I have WAN and LAN rules that allow all LAN traffic to go anywhere unrestricted, but only SSH to come in via the WAN (for remote administration).  My internal network is and my Ooma's WAN port is at  This IP is assigned via my DHCP server and I've verified that this address is consistently assigned to my Ooma device.

    As I understand my setup, and since my Ooma device is the one that initiates the connection back to Ooma's central PBX, not the other way around, the fact that my LAN is wide open should allow it to sucessfully connect and establish the OpenVPN tunnel.  So, no WAN rules should be needed since there will not be new connections from Ooma's servers back to my device.  So, I've been focusing on my NAT tables and how to setup the AON correctly.  Currently, here is the rule that I think is doing that:

    Interface         Source            Source Port    Destination    Destination Port        NAT Address       NAT Port    Static Port
       WAN            *              *                *           *           YES

    I'm not entirely sure if I setup this AON entry up correctly.  I've also tried going to the generic LAN rule and setting it to Static Port = YES, thus forcing all traffic to static ports, but that didn't help.

    I should also mention that I have gone into the traffic shaper and run the wizard to provide a queue for VoIP traffic.  I am also providing an appropriate amount of bandwidth to my VoIP system (215kbps, the same as the Ooma device likes to reserve for itself)

    Can anyone provide some guidance on what I need to do to get VoIP running in my environment?  Is my AON entry correct or do I still need to do some setup steps that I've missed?

    Thank you for any assitance provided.

  • As your provider establishes connections via vpn, tha automatic nat could do the job.

  • Yeah, but Auto NAT does not, from what I can see.  As I stated, I can get Internet, but the tunnel will not connect from behind my firewall.  That is why I'm wondering exactly what one has to do to get VoIP working behind the firewall.

  • If I understood your provider connection mode, vpn is established before voip works.

    Firewall will not see or nat any voip package, just vpn packages.

    Check what is going on with your providers vpn and it will work.

    Tcpdump is a good choice for package debug.

    Open two consoles(one for lan other for wan) and start monitoring packages from voip device to provider ip.

  • Okay, I see the misunderstanding now.  VPN is not something that my ISP is providing on my connection.  It is something that my Ooma router establishes with the Ooma VoIP servers.  In other words, the VPN tunnel connection is initiated from within my own network.  Also, the only thing going over a VPN connection is my VoIP communications.  That is why I'm confused, given I have my LAN traffic open to go anywhere it pleases, why I should have to do any other configuration to get the VPN tunnel established?  I know that it isn't my ISP restricting connections to VPN tunnels since my Ooma router will connect successfully when it is in front of my pfSense router.  Also, I can connect to other remote VPN networks (as in, beyond my LAN).

    In truth, I shouldn't have to setup any NAT rules or additional firewall rules to make this thing work, so I'm not sure what is wrong.

Log in to reply