SIP and pfsense

  • Hey guys, not sure this is for this forum but here goes:

    I have a pfsense with multiple VLANs, one of them is my voice VLAN and two of them connect to internal WANs to branch offices. So their IP range comes across a MetroE circuit and is routed back down that circuit. Now I have two people in one location and I want to put 2 phones hanging off my main PBX here but the phones won't get connected. I have rules right now that allow ALL traffic from their subnet to my voice subnet and I can see the packets being allowed but the phones aren't registering.

    I can get them to register for a few minutes if I set the NAT on the phone to one of the FW interfaces but the phone stops working after a while.

    Please help!

  • Forgot to say I am using PFSense 2.0.1 and Asterix 2.0.

  • @Horak:

    Asterix 2.0.

    This doesn't seem right…

    Anyway, the issues that arise with SIP typically depend upon the capabilities (i.e. firmware) of your phones and Asterisk PBX config. Have you tried with some soft-phone like X-Lite4?

  • I am going to try with a softphone today and do a dump from the remote location but doing a log rule on the FW I am not seeing the SIP packets going back to the subnet on the other side of the MetroE. A tcpdump on the FW is showing the packets coming back from the PBX but there is no deny or allow in the pfsense logs at all from PBX to phone.

    Sorry, it is Elastix 2.0.

  • Some more info:

    PFsense Voice Vlan IP:
    PFsense MetroE Interface:
    Remote Subnet:

    The dump we did from a softphone at 10.11.122.x shows that the replies from the pbx are originating from instead of Also the connection will drop after 30s because no RTP traffic ever reaches the softphone from the pbx.

    We are stumped please help!!

  • Some more info:

    Did a tcpdump on the pbx and the SIP sets up the call and the rtp is sent out the correct interface to the correct IP but the FW doesn't pass the traffic and there is no DENY in the logs. I can see the rtp coming in on the FW interface but it never leaves and isn't logged at all. I have a rule to log all denied packets.

    If I set the phone to use the FW interface in the SIP/SDP packet, the phone works correctly.

  • If the 10.* IP addresses you posted in your previous message are the ones actually used, my first step would be to check if you really need to NAT the RFC1918 traffic between sites of your internal corporate network.

    If not, you can configure pfsense's NAT manually (enable Manual Outbound NAT) and have it pass all traffic without NAT.

  • My first post - hi all.

    I wonder if you're affected by the same issue as this? "Re: NAT Port Forwarding to Internal host UDP port 5060 not working as expected"

    If this is it, you may notice that SIP and/or RTP data is not being returned on the correct ports. pfSense randomises the source port, which in my case upset my VoIP provider who sent SIP UDP replies to my UDP port 5060, even if the origin port was different. Even with a forwarding rule on port 5060, traffic didn't exit on the LAN side of my firewall despite the firewall rule set to log accepts, and it was logging accepts.
    Following the advice in the linked thread, I had to switch outbound NAT to manual, and set an outbound NAT rule for my Asterisk host to switch Static Ports on. Remember to also set up your default NAT rule while you're there, and ensure the static port rule for your PABX is ranked above it (a mistake I made). Follow this with a state clear or a reboot and it should all come right.

  • Practically all queries about SIP and pfSense in these forums are related to the fact that by default pfSense's NAT rewrites the source port of both SIP and RTP packets.

    Typically port rewriting doesn't cause problems to relatively recent SIP software & firmware, however there are cases where it does, and one has to use manual outbound NAT and static port.

  • I use pf 2.0.1 release w/ SIP and RTP w/o a problem. I am also not using sipproxy.

    my nat config is set to Manual Outbound Nat Generation with only 1 mapping for outbound which is :
    Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description
    WAN * * * * * YES
    .20 above is the PBX

    port forwarding tab is set like this:
    If Proto Src. addr Src. ports Dest. addr Dest. ports NAT IP NAT Ports Description
    WAN UDP *         * WAN address 10000 - 20000 10000 - 20000  
    WAN UDP *        * WAN address 5004 - 5037 5004 - 5037  
    WAN UDP *        * WAN address 4569       4569  
    WAN UDP *        * WAN address 5039 - 5082 5039 - 5082

    Hopefully this formats properly for you. Ports 10000-20000 are the RTP ports; 5004-5082 will grab all the SIP, and if I remember, 4569 was something used by my VoIP provider.

    It took me a while to initially get the PBX and in/outbound calls to work. The best way to debug the issue is not w/ logs but to use a couple of tcpdumps at the same time from multiple terminals.

    from pf box:
    tcpdump -v -i [WAN] src [voip provider] or dst [voip provider]
    tcpdump -v -i [LAN] src [voip provider] or dst [voip provider]

    from pbx:
    tcpdump -v -i [LAN] src [voip provider] or dst [voip provider]

    Try to register the phone and make some calls/call in and watch the traffic flow, paying attention to port numbers.
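The port comparison this post recommends can be automated. The script below is an added example, not code from the thread: it parses two tcpdump captures (LAN side and WAN side of the firewall, in the same "IP src.port > dst.port:" shape tcpdump -n prints), pairs packets by destination, and reports flows whose source port was rewritten by NAT and flows seen on the LAN side that never appeared on the WAN side (the "RTP never leaves the firewall" symptom). The capture lines and the 10.0.20.20 / 198.51.100.1 / 203.0.113.10 addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the "IP a.b.c.d.port > e.f.g.h.port:" part of a tcpdump -n line.
PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

# Constructed sample captures. The PBX is 10.0.20.20, the firewall WAN is
# 198.51.100.1 and the VoIP provider is 203.0.113.10 (documentation ranges).
LAN_DUMP = """\
12:00:01.000001 IP 10.0.20.20.5060 > 203.0.113.10.5060: SIP: REGISTER sip:provider SIP/2.0
12:00:01.100000 IP 10.0.20.20.10004 > 203.0.113.10.20000: UDP, length 172
12:00:01.120000 IP 10.0.20.20.10006 > 203.0.113.10.20002: UDP, length 172
"""
WAN_DUMP = """\
12:00:01.000005 IP 198.51.100.1.61234 > 203.0.113.10.5060: SIP: REGISTER sip:provider SIP/2.0
12:00:01.100004 IP 198.51.100.1.10004 > 203.0.113.10.20000: UDP, length 172
"""

def parse(dump):
    """Return a list of (src, sport, dst, dport) tuples from tcpdump text."""
    pkts = []
    for line in dump.splitlines():
        m = PKT_RE.search(line)
        if m:
            pkts.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return pkts

def diagnose(lan_dump, wan_dump):
    """Compare LAN-side and WAN-side captures of the same outbound traffic.

    Returns {"rewritten": [(dst, dport, lan_sport, wan_sport), ...],
             "missing":   [(src, sport, dst, dport), ...]}.
    A non-empty "rewritten" list for port 5060 is the symptom the static-port
    outbound NAT rule fixes; "missing" lists packets the firewall never forwarded.
    """
    # WAN packets queued per destination flow, in capture order.
    wan_by_flow = defaultdict(list)
    for _src, sport, dst, dport in parse(wan_dump):
        wan_by_flow[(dst, dport)].append(sport)
    result = {"rewritten": [], "missing": []}
    for src, sport, dst, dport in parse(lan_dump):
        queue = wan_by_flow.get((dst, dport))
        if not queue:
            result["missing"].append((src, sport, dst, dport))
            continue
        wan_sport = queue.pop(0)   # pair with the next WAN packet to the same flow
        if wan_sport != sport:
            result["rewritten"].append((dst, dport, sport, wan_sport))
    return result
```

Run it on real captures by reading the two tcpdump outputs into the two strings; only the `IP ... > ...:` portion of each line is used.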
