Help with SIP please



  • Hi,

    I am trying to setup a SIP trunk from BT using Asterisk behind pfsense but I'm struggling.

    The router is bridging and the basic setup is this.

    Everything from the WAN port is forwarded to the ethernet port on the router; this port is the outside port of the F/W. The addressing is as follows:

    WAN ---------------- F/W_O/S ------------- F/W_I/S ------------- PBX
    public               192.168.16.50         192.168.0.254         192.168.0.240

    None of the SIP devices need to leave the local LAN, so I only need to worry about the SIP trunk. What I don't understand is this: I have a NAT rule to forward all UDP traffic hitting the outside interface of the firewall on port 5060 to the inside IP address 192.168.0.240, port 5060.

    When I look at the firewall logs I can see traffic from the SIP trunk provider hitting the outside interface on port 5060, but the traffic hitting Asterisk (using Wireshark) is not 192.168.0.240 port 5060 as I expected but 192.168.16.50 and a random port.

    I don't understand, and was thinking this might be why the SIP trunk isn't working?



  • It is hard to say exactly what is going on without seeing the firewall and NAT rules (and advanced out bound NAT as well). It should travel like:

    Source: public IP | SPORT: some high port >1024 | destination: router WAN public | DPORT: 5060

    Transforms at the WAN to:
    Source: public IP | SPORT: some high port >1024 | destination: 192.168.16.50 | DPORT: 5060

    At pfSense transforms to:
    Source: public IP | SPORT: some high port >1024 | destination: 192.168.0.240 | DPORT: 5060

    There will be an answer, and in it the above source/port and destination/port would be switched. If you are having trouble, then make sure that the traffic to the PBX is returned to pfSense as part of the default gateway's duties. Be careful of state timeouts with SIP.



  • Thanks for the reply

    I don't currently have advanced NAT set; I didn't think I needed to?

    Is the output shown below enough information for people to help me? If not, what CLI command can I issue to provide it?
    I have tried various NAT rules for port 5060; the output shows how it is currently configured.

    make sure that the traffic to the PBX is returned to pfSense as part of the default gateway's duties

    How would I do this?

    Thanks for the reminder about pfSense SIP timing; I did read pfSense was a bit harsh with regards to SIP.

    no nat proto carp all
    nat-anchor "natearly/" all
    nat-anchor "natrules/" all
    nat on re0 inet from 192.168.0.0/24 port = isakmp to any port = isakmp -> 192.168.1.50 port 500
    nat on re0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 192.168.1.50 port 500
    nat on re0 inet from 192.168.0.0/24 to any -> 192.168.1.50 port 1024:65535
    nat on re0 inet from 127.0.0.0/8 to any -> 192.168.1.50 port 1024:65535
    no rdr proto carp all
    rdr-anchor "relayd/" all
    rdr-anchor "tftp-proxy/" all
    rdr on re0 inet proto tcp from any to 192.168.1.50 port = https -> 192.168.0.248
    rdr on re0 inet proto tcp from any to 192.168.1.50 port = smtp -> 192.168.0.248
    rdr on re0 inet proto tcp from any to 192.168.1.50 port = http -> 192.168.0.251
    rdr on re0 inet proto tcp from any to 192.168.1.50 port = garcon -> 192.168.0.251 port 3389
    rdr on re0 inet proto tcp from any to 192.168.1.50 port = ftp -> 192.168.0.1
    rdr on re0 inet proto tcp from any to any port = 5060 -> 192.168.0.240
    rdr on re0 inet proto udp from any to any port = 5060 -> 192.168.0.240
    rdr on re1 inet proto tcp from any to ! (re1) port = http -> 127.0.0.1 port 3128



  • @berrick:

    make sure that the traffic to the PBX is returned to pfSense as part of the default gateway's duties

    How would I do this?

    That would be to set the default gateway to the pfSense firewall so that traffic can be returned properly.
    It looks like a double NAT. This is also going to work against you in a SIP setup. You might benefit from the SIP proxy package. I have not used it, but it might be worth a shot.



  • Thanks for the reply.

    make sure that the traffic to the PBX is returned to pfSense as part of the default gateway's duties

    The way I read the above made me wonder if there was something I had missed. All local clients have their DG pointing to the F/W 192.168.0.254.

    I too was thinking it may be a double NAT issue, such as 5060 being forwarded to another IP address in the router, but I accessed the command line of the router and saw nothing to do with 5060?

    kind regards



  • With the double NAT, you are going to have to worry about state timeouts at 2 places. Depending on the router, it might be okay or might be the cause of your problem. Most phones have SIP timeout/rekey/or something that keeps the state alive. I would cut that in half each time a test failed until you find a value that does work.



  • Hi podilarius,

    As I have the router forwarding ALL ports to the outside interface of the firewall, NAT'ing should only be happening in the firewall itself? I take on board your points in the last reply though.
    For now, is it the consensus that the issue I have with pfSense not forwarding UDP/TCP to the PBX on port 5060 but to some random port, as in my first post, is probably due to something already forwarding UDP/TCP to 5060?

    kind regards



    It does not matter if it is forwarding one port or all; if it is NATting, then unless you have turned it off, the router/modem is going to keep states. If you turned off keep states at the modem, I think a lot of things are going to fail to work.
    The issue you might have is the media port. My phones use 16384-32766. These are used when a call is in progress and are negotiated at the time of the call. My phones are set up to be NAT aware, so they send packets every so often to keep the states alive.
    I would watch traffic dumps at each NIC on the firewall to see how traffic is being transformed and to make sure that it is doing that correctly.



  • *** Update ***

    For now I have removed pfSense from the equation to ensure I have SIP working correctly. So far everything VoIP is working as expected, using port 5060 for SIP and ports 16384-32767 for RTP.



    podilarius, help me with the SIP and IAX protocols, I have problems. I use pfSense version 2.0.1; Asterisk does not work with NAT.



    You are going to have to provide a bit more detail. Type of phones, and what you have currently set up for rules/NAT? Are you using SIP proxy?



  • Podilarius,

    Sorry, my English is still bad :D

    My network below.

    company A                                                                  company B

    (SIP)                   (Bridge)          IAX         (Bridge)                   (SIP)
    LAN --> Elastix --> PFSENSE (FW) --> Modem --> Internet --> Modem --> PFSENSE (FW) --> Elastix --> LAN
    Class C   Class C                                |
                                                     |--- SIP --- MODEM (BRIDGE) --> PFSENSE --> LAN

    I have many problems with UDP connections (IAX, SIP, RTP); they always show NO_TRAFFIC.
    On Linux Debian (iptables) I never had this problem.



  • Which version of Elastix are you using?

    When both Asterisk servers are behind symmetric NAT (the default pf / pfSense behavior) you're going to have trouble, at least with a non-NAT-aware protocol like SIP.

    You could make it work with special configuration of Asterisk and pfSense, but the easiest solution would be to use IAX.



  • elastix-2.3.0



  • Two things:

    1. If you use SIP registration you absolutely do not need any port forwarding.
    2. Create a NAT rule with static port = yes. If you read the pfSense wiki you will see explained why this is needed for SIP.
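
An added check, not part of this thread or of pfSense itself, that a reader could run against their own pfctl -sn output. It parses nat/rdr translation rules in the format posted earlier, verifies that the UDP 5060 redirect lands on the PBX address, and flags outbound NAT rules that rewrite source ports (the "port 1024:65535" form) for the subnet the PBX lives in, which is the behaviour the static port setting in the reply above turns off. The embedded rule text is a copy of the dump posted earlier with its broken anchor lines joined, and the PBX address 192.168.0.240 is the one from the first post; both are constructed sample input here, not output from a live system.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: a copy of the pfctl -sn style dump posted in this thread.
SAMPLE_RULES = """\
no nat proto carp all
nat-anchor "natearly/" all
nat-anchor "natrules/" all
nat on re0 inet from 192.168.0.0/24 port = isakmp to any port = isakmp -> 192.168.1.50 port 500
nat on re0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 192.168.1.50 port 500
nat on re0 inet from 192.168.0.0/24 to any -> 192.168.1.50 port 1024:65535
nat on re0 inet from 127.0.0.0/8 to any -> 192.168.1.50 port 1024:65535
no rdr proto carp all
rdr-anchor "relayd/" all
rdr-anchor "tftp-proxy/" all
rdr on re0 inet proto tcp from any to 192.168.1.50 port = https -> 192.168.0.248
rdr on re0 inet proto tcp from any to 192.168.1.50 port = smtp -> 192.168.0.248
rdr on re0 inet proto tcp from any to 192.168.1.50 port = http -> 192.168.0.251
rdr on re0 inet proto tcp from any to 192.168.1.50 port = garcon -> 192.168.0.251 port 3389
rdr on re0 inet proto tcp from any to 192.168.1.50 port = ftp -> 192.168.0.1
rdr on re0 inet proto tcp from any to any port = 5060 -> 192.168.0.240
rdr on re0 inet proto udp from any to any port = 5060 -> 192.168.0.240
rdr on re1 inet proto tcp from any to ! (re1) port = http -> 127.0.0.1 port 3128
"""

# One nat/rdr rule per line; anchors and "no nat" lines do not match and are skipped.
RULE_RE = re.compile(
    r"^(?P<kind>nat|rdr) on (?P<iface>\S+) inet"
    r"(?: proto (?P<proto>\S+))?"
    r" from (?P<src>.+?)(?: port = (?P<sport>\S+))?"
    r" to (?P<dst>.+?)(?: port = (?P<dport>\S+))?"
    r" -> (?P<target>\S+)(?: port (?P<tport>\S+))?$"
)


def parse_rules(text: str) -> List[Dict[str, Optional[str]]]:
    """Turn a pfctl -sn style dump into a list of rule dicts (translation rules only)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def _covers(src: str, host: str) -> bool:
    """True if a rule's source spec ('any', a host, or a CIDR) includes the host."""
    if src == "any":
        return True
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network(src, strict=False)
    except ValueError:  # interface names, negations and other non-address specs
        return False


def audit_sip_nat(rules: List[Dict[str, Optional[str]]], pbx_ip: str, sip_port: str = "5060") -> List[str]:
    """Report NAT problems that would stop SIP signalling reaching or leaving the PBX."""
    findings = []

    # Inbound: there must be a UDP rdr for the SIP port, and it must point at the PBX.
    sip_rdrs = [r for r in rules if r["kind"] == "rdr" and r["proto"] == "udp" and r["dport"] == sip_port]
    if not sip_rdrs:
        findings.append(f"no UDP rdr for port {sip_port}: inbound SIP cannot reach the PBX")
    for r in sip_rdrs:
        if r["target"] != pbx_ip:
            findings.append(f"UDP {sip_port} on {r['iface']} is redirected to {r['target']}, not the PBX {pbx_ip}")
        if r["tport"] not in (None, sip_port):
            findings.append(f"UDP {sip_port} on {r['iface']} is redirected to port {r['tport']} instead of {sip_port}")

    # Outbound: a nat rule ending in 'port LOW:HIGH' rewrites the source port, i.e. it is
    # not a static-port rule, so the PBX's SIP packets leave from a random port.
    for r in rules:
        if r["kind"] == "nat" and r["sport"] is None and _covers(r["src"], pbx_ip):
            if r["tport"] and ":" in r["tport"]:
                findings.append(
                    f"outbound NAT on {r['iface']} for {r['src']} rewrites source ports to {r['tport']} "
                    f"(no static-port): the PBX's SIP traffic leaves from a random port"
                )
    return findings


if __name__ == "__main__":
    for finding in audit_sip_nat(parse_rules(SAMPLE_RULES), "192.168.0.240"):
        print("-", finding)
```

On the posted dump this reports a single finding, the source-port rewrite in the outbound rule for 192.168.0.0/24; the UDP 5060 redirect to the PBX is accepted as-is. Point it at your own dump by replacing SAMPLE_RULES with the saved output of pfctl -sn.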


  • thanks …

