Netgate Discussion Forum

    SIP and pfsense

    NAT
    • Horak

      Hey guys, not sure this is for this forum but here goes:

      I have a pfsense with multiple VLANs, one of them is my voice VLAN and two of them connect to internal WANs to branch offices. So their IP range comes across a MetroE circuit and is routed back down that circuit. Now I have two people in one location and I want to put 2 phones hanging off my main PBX here but the phones won't get connected. I have rules right now that allow ALL traffic from their subnet to my voice subnet and I can see the packets being allowed but the phones aren't registering.

      I can get them to register for a few minutes if I set the NAT on the phone to one of the FW interfaces but the phone stops working after a while.

      Please help!

      • Horak

        Forgot to say I am using PFSense 2.0.1 and Asterix 2.0.

        • dhatz

          @Horak:

          Asterix 2.0.

          This doesn't seem right…

          Anyway, the issues that arise with SIP typically depend upon the capabilities (i.e. firmware) of your phones and Asterisk PBX config. Have you tried with some soft-phone like X-Lite4?

          • Horak

            I am going to try with a softphone today and do a dump from the remote location but doing a log rule on the FW I am not seeing the SIP packets going back to the subnet on the other side of the MetroE. A tcpdump on the FW is showing the packets coming back from the PBX but there is no deny or allow in the pfsense logs at all from PBX to phone.

            Sorry, it is Elastix 2.0.

            • Horak

              Some more info:

              PFsense Voice Vlan IP: 10.0.0.254
              PFsense MetroE Interface: 10.12.1.254
              Remote Subnet: 10.11.122.0/24
              Phone: 10.11.122.50

              The dump we did from a softphone at 10.11.122.x shows that the replies from the pbx are originating from 10.12.1.254 instead of 10.0.0.254. Also the connection will drop after 30s because no RTP traffic ever reaches the softphone from the pbx.

              We are stumped, please help!!

              • Horak

                Some more info:

                Did a tcpdump on the pbx and the SIP sets up the call and the rtp is sent out the correct interface to the correct IP but the FW doesn't pass the traffic and there is no DENY in the logs. I can see the rtp coming in on the FW interface but it never leaves and isn't logged at all. I have a rule to log all denied packets.

                If I set the phone to use the FW interface in the SIP/SDP packet, the phone works correctly.

                • dhatz

                  If the 10.* IP addresses you posted in your previous message are the ones actually used, my first step would be to check if you really need to NAT the RFC1918 traffic between sites of your internal corporate network.

                  If not, you can configure pfsense's NAT manually (enable Manual Outbound NAT) and have it pass all traffic without NAT.

                  • awnz

                    My first post - hi all.

                    I wonder if you're affected by the same issue as this?

                    http://forum.pfsense.org/index.php?topic=45255.0 "Re: NAT Port Forwarding to Internal host UDP port 5060 not working as expected"

                    If this is it, you may notice that SIP and/or RTP data is not being returned on the correct ports. pfSense randomises the source port, which in my case upset my VoIP provider who sent SIP UDP replies to my UDP port 5060, even if the origin port was different. Even with a forwarding rule on port 5060, traffic didn't exit on the LAN side of my firewall despite the firewall rule set to log accepts, and it was logging accepts.
                    Following the advice in the linked thread, I had to switch outbound NAT to manual, and set an outbound NAT rule for my Asterisk host to switch Static Ports on. Remember to also set up your default NAT rule while you're there, and ensure the static port rule for your PABX is ranked above it (a mistake I made). Follow this with a state clear or a reboot and it should all come right.

                    • dhatz

                      Practically all queries about SIP and pfSense in these forums are related to the fact that by default pfSense's NAT rewrites the source port of both SIP and RTP packets.

                      Typically port rewriting doesn't cause problems to relatively recent SIP software & firmware, however there are cases where it does, and one has to use manual outbound NAT and static port.

                      • Ulich05

                        I use pf 2.0.1 release w/ SIP and RTP w/o a problem. I am also not using sipproxy.

                        My NAT config is set to Manual Outbound NAT Generation with only 1 mapping for outbound, which is:

                        Interface | Source          | Source Port | Destination | Destination Port | NAT Address | NAT Port | Static Port | Description
                        WAN       | 192.168.0.20/32 | *           | *           | *                | *           | *        | YES         |

                        .20 above is the PBX.

                        The port forwarding tab is set like this:

                        If  | Proto | Src. addr | Src. ports | Dest. addr  | Dest. ports   | NAT IP       | NAT Ports     | Description
                        WAN | UDP   | *         | *          | WAN address | 10000 - 20000 | 192.168.0.20 | 10000 - 20000 |
                        WAN | UDP   | *         | *          | WAN address | 5004 - 5037   | 192.168.0.20 | 5004 - 5037   |
                        WAN | UDP   | *         | *          | WAN address | 4569          | 192.168.0.20 | 4569          |
                        WAN | UDP   | *         | *          | WAN address | 5039 - 5082   | 192.168.0.20 | 5039 - 5082   |

                        Hopefully this formats properly for you. Ports 10000-20000 are the RTP ports, 5004-5082 will grab all the SIP, and if I remember 4569 was something used by my VoIP provider.

                        It took me a while to initially get the PBX and in/outbound calls to work. The best way to debug the issue is not w/ logs but to use a couple of tcpdumps at the same time from multiple terminals.

                        from pf box:
                        tcpdump -v -i [WAN] src [voip provider] or dst [voip provider]
                        tcpdump -v -i [LAN] src [voip provider] or dst [voip provider]

                        from pbx:
                        tcpdump -v -i [LAN] src [voip provider] or dst [voip provider]

                        Try to register the phone and make some calls/call in and watch the traffic flow; pay attention to port #s.

                        1 Reply Last reply Reply Quote 0
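Added example (not part of any post in this thread): a small Python helper that automates the "pay attention to port #s" step by comparing a LAN-side and a WAN-side `tcpdump -n` capture and reporting where outbound NAT rewrote the PBX's UDP source port, plus replies aimed at a port that was never a translated source. The function names, the documentation-range addresses and the sample capture lines are constructed for illustration; only 192.168.0.20 (the PBX) comes from the thread, and the unmatched-reply check is a heuristic that ignores port forwards.

```python
import re
from collections import defaultdict

# tcpdump -n line shape: "<time> IP <src>.<sport> > <dst>.<dport>: UDP, length N"
PKT = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")

def parse(capture):
    """Yield (src, sport, dst, dport) for each IPv4 packet line in tcpdump text."""
    for line in capture.splitlines():
        m = PKT.search(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))

def nat_port_report(lan_cap, wan_cap, pbx_ip, wan_ip):
    """Compare what the PBX sent (LAN side) with what left the firewall (WAN side)."""
    sent = defaultdict(set)      # remote (ip, port) -> source ports the PBX used
    natted = defaultdict(set)    # remote (ip, port) -> source ports seen after NAT
    for src, sport, dst, dport in parse(lan_cap):
        if src == pbx_ip:
            sent[(dst, dport)].add(sport)
    inbound = []
    for src, sport, dst, dport in parse(wan_cap):
        if src == wan_ip:
            natted[(dst, dport)].add(sport)
        elif dst == wan_ip:
            inbound.append((src, sport, dport))
    findings = []
    for remote, ports in sorted(sent.items()):
        after = natted.get(remote, set())
        if after and after != ports:
            findings.append(("rewritten", remote, sorted(ports), sorted(after)))
    for src, sport, dport in inbound:
        known = natted.get((src, sport), set())
        # A reply to a port that was never a translated source has no outbound flow to pair with.
        if dport not in known:
            findings.append(("unmatched-reply", (src, sport), [dport], sorted(known)))
    return findings

# Constructed sample captures (documentation addresses, not the thread's network).
LAN_CAP = """\
12:00:01.000100 IP 192.168.0.20.5060 > 203.0.113.10.5060: UDP, length 548
12:00:01.050300 IP 192.168.0.20.10002 > 203.0.113.10.18000: UDP, length 172
"""
WAN_CAP = """\
12:00:01.000200 IP 198.51.100.2.41873 > 203.0.113.10.5060: UDP, length 548
12:00:01.020900 IP 203.0.113.10.5060 > 198.51.100.2.5060: UDP, length 512
12:00:01.050400 IP 198.51.100.2.10002 > 203.0.113.10.18000: UDP, length 172
"""
```

Calling `nat_port_report(LAN_CAP, WAN_CAP, "192.168.0.20", "198.51.100.2")` on the sample flags the SIP flow (5060 rewritten to 41873) and the provider's reply to 5060; with a static-port mapping in place the same captures would produce no findings.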