Help with SIP

ZenMasta · Apr 30, 2012, 5:15 PM

Hi everyone. Has anyone successfully configured PFSense 2.0 with a pbx that allows external sip connections?

I have configured nat to the best of my ability but so far I have not been successful. I feel like I'm really close but the best I can achieve is the remote extensions registering, but only 1 way audio.

I have attached a screen grab of my nat and rules. Any help is much appreciated.

Thanks!

ZenMasta · May 3, 2012, 6:43 PM

I ran an online tool http://www.t1shopper.com/tools/port-scan/

As you can see in my screen grab, nat is set for all those ports and the rules are enabled.
ports are 5000 5060 5090 9000-9049

However this online scan only indicates 5000 and 5060 are responding

Please help, this is killing me.

k6usy · May 4, 2012, 9:58 PM

I have an allworx PBX and have off site phones working with SIP through a pfSense firewall so it is possible. Some of the ports you need to forward vary by manufacturer so check the documentation.

This is from my PBX:

The Public IP Address is used by Allworx VoIP services to encode the proper IP Addresses when communicating with remote SIP services or devices (such as IP Phones) when a third party NAT Firewall is between the Allworx and the Internet.

Most third party NAT Firewalls require specific access rules to enable this functionality. Refer to your firewall documentation to map the ports listed below from the Public IP Address to the Allworx LAN IP Address.

Ports:
2088 (UDP)
5060 (UDP)
8081 (TCP)
15000-15511 (UDP)

Also if you have multiple IPs on your WAN you might need to setup advanced NAT. This is to make sure out bound packets from the PBX always go out on the same IP that you are using for incoming packets. If your WAN only has 1 IP you can ignore this. Example: my PBX uses XXX.XXX.195.40 (vIP) for incoming and outgoing but the interface IP is XXX.XXX.205.197.

cmb · May 4, 2012, 10:06 PM

VoIP is UDP, port scanners can only definitively determine TCP port status, and the one you're trying only tests TCP. Most PBXes won't answer on any of those ports with TCP, though some do.

One way audio is usually from not having the correct NAT settings and public IP to use defined on the PBX itself, it has to put its public IP in the SIP for external usage.

k6usy · May 4, 2012, 10:58 PM

@cmb:

One way audio is usually from not having the correct NAT settings and public IP to use defined on the PBX itself, it has to put its public IP in the SIP for external usage.

+1

I have the external IP saved on my PBX as well.

ZenMasta · May 10, 2012, 9:39 PM

Hey guys, thanks a lot for replying. I'm getting down to the wire as we're moving on the 1st which means that is also my deadline.
I hate to say this but I dropped in a cisco rv042 and have no problems.

I have been testing 2 scenarios
offsite pbx - all remote extensions
onsite pbx - some remote extension

in both scenarios unfortunately pfsense hates me.

Right now I want to focus on just one scenario to keep troubleshooting to a minimum
offsite pbx - all remote extensions

I feel once I can nail this, then bringing it in house will just work.

So with this said
offsite pbx - static ip

**remote office - pfsense **
cannot receive inbound calls (meaning extensions don't ring)
outbound call seems fine
remote office - cisco rv042
inbound outbound no problem
home office - linksys with DDWRT
inbound outbound no problem

At first I was willing to give myself all the blame, poorly config'd pfsense (which is likely) or phones, but once I confirmed it was working form home, and then again at the office with the cisco router. It's obvious something is up with pfsense but definitely not the phones.

Now I will add that when you have multiple phones onsite, each phones will have to be configured with a different port so I increment 5060-5070

cmb · May 11, 2012, 2:24 AM

The RV042 may rewrite IPs within SIP which eliminates the need to properly configure NAT on your PBX. We don't, as that frequently just breaks things (VoIP providers' troubleshooting usually starts with "disable SIP ALGs" because they break things so frequently). That would more likely be with the scenario with the PBX inside the network though.

With the phones inside the network with the PBX outside, the probable area where we differ is rewriting the source port on all traffic that's NATed. Disabling that may fix things in your scenario, though usually it's preferable to leave that alone.
http://doc.pfsense.org/index.php/Static_Port