Help with SIP please

Firewalling
berrick:

Hi,

I am trying to set up a SIP trunk from BT using Asterisk behind pfSense but I'm struggling.

The router is bridging and the basic setup is this.

Everything from the WAN port is forwarded to the ethernet port on the router; this port is the outside port of the F/W. The addressing is as follows:

WAN ------------- F/W_O/S ------------- F/W_I/S ------------ PBX
public            192.168.16.50         192.168.0.254        192.168.0.240

None of the SIP devices need to leave the local LAN, so I only need to worry about the SIP trunk. What I don't understand is this: I have a NAT rule to forward all UDP traffic hitting the outside interface of the firewall on port 5060 to the inside IP address of 192.168.0.240 port 5060.

When I look at the firewall logs I can see traffic from the SIP trunk provider hitting the outside interface port 5060, but the traffic hitting Asterisk (using Wireshark) is not 192.168.0.240 5060 as I expected but 192.168.16.50 random port.

I don't understand, and was thinking this might be why the SIP trunk isn't working?

podilarius:

It is hard to say exactly what is going on without seeing the firewall and NAT rules (and advanced outbound NAT as well). It should travel like:

Source: public IP | SPORT: some high port >1024 | destination: router WAN public | DPORT: 5060

Transforms at the WAN to:
Source: public IP | SPORT: some high port >1024 | destination: 192.168.16.50 | DPORT: 5060

At pfSense transforms to:
Source: public IP | SPORT: some high port >1024 | destination: 192.168.0.240 | DPORT: 5060

There will be an answer, and the above source/port and destination/port would be switched. If you are having trouble, then make sure that the traffic to the PBX is returned to pfSense as part of the default gateway's duties. Be careful of state timeouts with SIP.

berrick:

Thanks for the reply.

I don't currently have advanced NATing set; I didn't think I needed to?

Is the output shown below enough information for people to help me? If not, what CLI command can I issue to provide it?
I have tried various NAT rules for port 5060; the output shows how it is currently configured.

"make sure that the traffic to the PBX is returned to pfSense as part of the default gateway's duties"

How would I do this?

Thanks for the reminder about pfSense SIP timing. I did read pfSense was a bit harsh with regards to SIP.

no nat proto carp all
nat-anchor "natearly/" all
nat-anchor "natrules/" all
nat on re0 inet from 192.168.0.0/24 port = isakmp to any port = isakmp -> 192.168.1.50 port 500
nat on re0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 192.168.1.50 port 500
nat on re0 inet from 192.168.0.0/24 to any -> 192.168.1.50 port 1024:65535
nat on re0 inet from 127.0.0.0/8 to any -> 192.168.1.50 port 1024:65535
no rdr proto carp all
rdr-anchor "relayd/" all
rdr-anchor "tftp-proxy/" all
rdr on re0 inet proto tcp from any to 192.168.1.50 port = https -> 192.168.0.248
rdr on re0 inet proto tcp from any to 192.168.1.50 port = smtp -> 192.168.0.248
rdr on re0 inet proto tcp from any to 192.168.1.50 port = http -> 192.168.0.251
rdr on re0 inet proto tcp from any to 192.168.1.50 port = garcon -> 192.168.0.251 port 3389
rdr on re0 inet proto tcp from any to 192.168.1.50 port = ftp -> 192.168.0.1
rdr on re0 inet proto tcp from any to any port = 5060 -> 192.168.0.240
rdr on re0 inet proto udp from any to any port = 5060 -> 192.168.0.240
rdr on re1 inet proto tcp from any to ! (re1) port = http -> 127.0.0.1 port 3128

podilarius:

@berrick:

"make sure that the traffic to the PBX is returned to pfSense as part of the default gateway's duties

How would I do this?"

That would be to set the default gateway to the pfSense firewall so that traffic can be returned properly.
It looks like a double NAT. This is also going to work against you in a SIP setup. You might benefit from the SIP proxy package. I have not used it, but it might be worth a shot.

berrick:

Thanks for the reply.

"make sure that the traffic to the PBX is returned to pfSense as part of the default gateway's duties"

The way I read the above made me wonder if there was something I had missed. All local clients have their DG pointing to the F/W 192.168.0.254.

I too was thinking it may be a double NAT issue, such as 5060 being forwarded to another IP address in the router, but I accessed the command line of the router and saw nothing to do with 5060?

Kind regards

podilarius:

With the double NAT, you are going to have to worry about state timeouts at 2 places. Depending on the router, it might be okay or might be the cause of your problem. Most phones have SIP timeout/rekey/or something that keeps the state alive. I would cut that in half each time a test failed until you find a value that does work.

berrick:

Hi podilarius,

As I have the router forwarding ALL ports to the outside interface of the firewall, NATing should only be happening in the firewall itself? I take on board your points in the last reply though.
For now, is it the consensus that the issue I have with pfSense not forwarding UDP/TCP to the PBX on port 5060 but some random port, as in my first post, is probably due to something already forwarding UDP/TCP to 5060?

Kind regards

podilarius:

It does not matter if it is forwarding one port or all; if it is NATting, then unless you have turned it off, the router/modem is going to keep states. If you turned off keep states at the modem, I think a lot of things are going to fail to work.
The issue you might have is the media ports. My phones use 16384-32766. These are used when a call is in progress and are negotiated at the time of the call. My phones are set up to be NAT-aware, so they send packets every so often to keep the states alive.
I would watch traffic dumps at each NIC on the firewall to see how traffic is being transformed and to make sure that it is doing that correctly.

berrick:

*** Update ***

For now I have removed pfSense from the equation to ensure I have SIP working correctly. So far everything VoIP is working as expected, using port 5060 for SIP and ports 16384-32767 for RTP.

cristianonix:

podilarius, help me with the SIP and IAX protocols, I have problems. I use pfSense version 2.0.1; Asterisk does not work with NAT.

podilarius:

You are going to have to provide a few more details. Type of phones, and what you currently have set up for rules/NAT? Are you using SIP proxy?

cristianonix:

Podilarius,

Sorry, my English is still bad :D

My network is below.

company A                                                              company B

(SIP)                          (Bridge)          IAX         (Bridge)                        (SIP)
LAN --> Elastix ---> PFSENSE (FW) ---> Modem ---> Internet ---> Modem ---> PFSENSE (FW) ---> Elastix ---> LAN
                                                                                |
Class C    Class C                                                              |--------- SIP ------------ MODEM (BRIDGE) ---> PFSENSE --> LAN

I have many problems with UDP connections (IAX, SIP, RTP); they always show NO_TRAFFIC.
On Debian Linux (iptables) I never had this problem.

dhatz:

Which version of Elastix are you using?

When both Asterisk servers are behind symmetric NAT (default pf / pfSense behavior) you're going to have troubles, at least with non-NAT-aware protocols like SIP.

You could make it work with special configuration of Asterisk and pfSense, but the easiest solution would be to use IAX.

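Why SIP is "non-NAT-aware" in the sense dhatz describes, as an added example that is not part of this thread: a NAT rewrites only the IP header, but SIP repeats the sender's address inside the message (Via and Contact headers) and inside the SDP body (o= and c= lines, which tell the far side where to send RTP). The script below parses a constructed INVITE from a PBX at 192.168.0.240 (the address used in this thread) and lists every embedded private address that differs from the public source address the provider actually sees. The provider address 203.0.113.10, the message contents and all function names are assumptions made for the example.

```python
"""Find private addresses embedded in a SIP message that a plain NAT will not rewrite.

Added example, not from the thread. The INVITE and its SDP body are constructed;
192.168.0.240 is the PBX address from the thread, 203.0.113.10 a made-up
provider address from the documentation range.
"""
import ipaddress
import re

# Constructed SDP body: Asterisk offers RTP on 16384 at its LAN address.
SDP_BODY = (
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.0.240\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.0.240\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
)

# Constructed INVITE as it leaves the PBX, before any NAT touches it.
SAMPLE_INVITE = (
    "INVITE sip:441234567890@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.0.240:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:pbx@sip.example.net>;tag=1\r\n"
    "To: <sip:441234567890@sip.example.net>\r\n"
    "Call-ID: abc@192.168.0.240\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:pbx@192.168.0.240:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def split_message(raw):
    """Split a SIP message into request line, header dict (lower-cased names) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def embedded_addresses(raw):
    """Return (location, ip) pairs for every IPv4 literal in the NAT-sensitive fields."""
    _, headers, body = split_message(raw)
    found = []
    for name in ("via", "contact"):            # signalling return path
        for value in headers.get(name, []):
            for ip in IPV4_RE.findall(value):
                found.append((name.title(), ip))
    for line in body.split("\r\n"):            # media (RTP) destination
        if line.startswith(("o=", "c=")):
            for ip in IPV4_RE.findall(line):
                found.append(("SDP " + line[:2], ip))
    return found


def nat_problems(raw, observed_src_ip):
    """Embedded private addresses that differ from the source the far side sees.

    Each hit is a place where replies or RTP would be sent to an unroutable
    address unless the PBX (or a SIP-aware proxy) rewrites it.
    """
    return [
        (where, ip)
        for where, ip in embedded_addresses(raw)
        if ipaddress.ip_address(ip).is_private and ip != observed_src_ip
    ]


def rtp_ports(raw):
    """Media ports announced in m= lines; these must reach the PBX for audio to work."""
    _, _, body = split_message(raw)
    return [int(line.split()[1]) for line in body.split("\r\n") if line.startswith("m=")]


if __name__ == "__main__":
    for where, ip in nat_problems(SAMPLE_INVITE, "203.0.113.10"):
        print(f"{where}: {ip} is private and will not be rewritten by NAT")
    print("RTP ports to allow:", rtp_ports(SAMPLE_INVITE))
```

Run with no NAT in the path (observed source equal to 192.168.0.240) the check reports nothing, which is why the thread's LAN-only phones work while the trunk does not; the same message seen from a public address reports four locations that need rewriting, which is the work a SIP proxy or Asterisk's own NAT settings perform.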
cristianonix:

elastix-2.3.0

joako:

Two things:

1. If you use SIP registration you absolutely do not need any port forwarding.
2. Create a NAT rule with static port = yes. If you read the pfSense wiki you will see it explained why this is needed for SIP.
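The following is an added example, not code from the thread or from pfSense, that models three points raised above in one place: podilarius's description of how the packet is transformed at the router and again at pfSense, the warning that states time out at both NAT hops unless something keeps them alive, and joako's advice to set static port on the outbound NAT rule. It simulates two pf-style UDP NAT hops with a state table: the modem/router forwards every port to the pfSense WAN address, and pfSense applies an outbound NAT (which, like the `nat ... port 1024:65535` rule in the posted ruleset, picks a fresh source port unless static port is on) plus the `rdr` for port 5060 to the PBX. The PBX and pfSense WAN addresses are from the thread; the router's public address 198.51.100.7, the provider address 203.0.113.10, the 60-second idle timeout and all class and function names are assumptions.

```python
"""Two-hop UDP NAT model for the thread's setup (added example, not pfSense code).

A REGISTER leaves the PBX at t=0; the provider later sends an INVITE back to the
address:port it observed. Without static port that port is a random one from the
pool, so once the pfSense state has expired nothing matches it (the rdr only
covers 5060) and the call is dropped. With static port the observed port is 5060
and the rdr still delivers it after the state is gone.
"""
import random

UDP_TIMEOUT = 60  # idle seconds before a UDP state is dropped (assumed value)


class Nat:
    def __init__(self, wan_ip, rdr=None, forward_all=None, static_port=False, seed=0):
        self.wan_ip = wan_ip
        self.rdr = rdr or {}            # dport -> inside address (port unchanged)
        self.forward_all = forward_all  # inside address that receives every port
        self.static_port = static_port
        self.rng = random.Random(seed)
        # (inside_ip, inside_port, dst_ip, dst_port) -> [wan_port, last_seen]
        self.states = {}

    def expire(self, now):
        for key, (_, seen) in list(self.states.items()):
            if now - seen > UDP_TIMEOUT:
                del self.states[key]

    def outbound(self, pkt, now):
        """Source NAT: (src, sport, dst, dport) -> the packet as seen on the WAN side."""
        self.expire(now)
        src_ip, sport, dst_ip, dport = pkt
        if pkt in self.states:
            wan_port = self.states[pkt][0]
        elif self.static_port:
            wan_port = sport                              # keep 5060 as 5060
        else:
            wan_port = self.rng.randint(1024, 65535)      # pick from the pool
            while wan_port == sport:                      # keep the rewrite visible
                wan_port = self.rng.randint(1024, 65535)
        self.states[pkt] = [wan_port, now]
        return (self.wan_ip, wan_port, dst_ip, dport)

    def inbound(self, pkt, now):
        """Reverse a live state if one matches, else apply rdr; None means dropped."""
        self.expire(now)
        src_ip, sport, dst_ip, dport = pkt
        if dst_ip != self.wan_ip:
            return None
        for (in_ip, in_port, d_ip, d_port), state in self.states.items():
            if (d_ip, d_port, state[0]) == (src_ip, sport, dport):
                state[1] = now                            # traffic refreshes the state
                return (src_ip, sport, in_ip, in_port)
        if dport in self.rdr:
            return (src_ip, sport, self.rdr[dport], dport)
        if self.forward_all:
            return (src_ip, sport, self.forward_all, dport)
        return None


def send_out(hops, pkt, now):
    for hop in hops:                # LAN side first
        pkt = hop.outbound(pkt, now)
    return pkt


def send_in(hops, pkt, now):
    for hop in reversed(hops):      # WAN side first
        pkt = hop.inbound(pkt, now)
        if pkt is None:
            return None
    return pkt


def demo(static_port, gap):
    """Return (what the provider saw, what the PBX receives when called after `gap` s)."""
    pfsense = Nat("192.168.16.50", rdr={5060: "192.168.0.240"},
                  static_port=static_port, seed=1)
    router = Nat("198.51.100.7", forward_all="192.168.16.50", static_port=True)
    hops = [pfsense, router]
    provider = "203.0.113.10"
    seen = send_out(hops, ("192.168.0.240", 5060, provider, 5060), now=0)
    # The provider records seen[0]:seen[1] from the REGISTER and dials it later.
    invite = (provider, 5060, seen[0], seen[1])
    return seen, send_in(hops, invite, now=gap)


if __name__ == "__main__":
    for static_port in (False, True):
        for gap in (30, 120):
            seen, got = demo(static_port, gap)
            print(f"static_port={static_port} gap={gap}s provider saw port {seen[1]}: "
                  f"{'delivered to ' + got[2] if got else 'dropped'}")
```

The 30-second case delivers in both configurations because the state is still alive, which is the effect podilarius's keepalive advice relies on; the 120-second case is where static port makes the difference. The router is modelled with static port on and a forward-all rule so that the only randomisation comes from pfSense; in a real double NAT the modem can randomise as well, and the same test applied to it would show where the second mismatch occurs.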
cristianonix:

thanks …
