Setting up pfSense for VoIP - asked to disable firewall?



  • Hi,

    We're currently setting up a small office network with multiple VoIP phones, behind a firewall device running pfSense 2.1 (Beta).

    We were having call quality issues and dropouts with the phone, and we've been requested by our VoIP provider to:

    • Assign a static IP to each VoIP phone

    • Set a unique port for each VoIP phone (e.g. 5061), and port forward UDP connections to the firewall on that port to the phone.

    • Disable SIP Application Layer Gateway functionality

    • Disable Firewall functionality and any Stateful Packet Inspection features

    • Disable Denial of Service protection (DoS)

    • Allow inbound and outbound UDP traffic between ports 10000 and 20000

    I get the first two, and that should be a fairly easy change.

    With the third item, I don't believe pfSense has an ALG built in, so we should be fine.

    With the fourth item - is this a good idea?

    With the DoS protection - this is part of the Advanced features section for editing firewall rules, right? I'll need to read more about how to achieve this, but there isn't a DoS-specific protection in place by default anyhow, right?

    Finally, with the last - is this also a good idea? I just open up 10000 to 20000 through the firewall? What about NAT-ing here?

    Cheers,
    Victor



  • What device are you running?

    Is the pfSense box also going to act as a firewall for other network devices, i.e. laptops and desktops?



  • heya,

    The device is a Hacom Mars II 1U server.

    Yes, the pfSense box is for the entire LAN - all of the traffic is routed through it.

    It will also be set up as a caching web proxy server.

    Cheers,
    Victor



    OK, in that case I would either set up a DMZ and assign the phones to that, or even a VLAN, so you can still be protected with the other nodes on the network, if that is what the VoIP provider says. But I have VoIP running through my network and it works fine.

    Nothing special has been done except for allowing all LAN traffic to external, and NAT port forwards using the ports given by the phone system to work:

    port 5060 UDP/TCP
    port 5090 UDP/TCP (Tunnel connection)
    port 9000 to 9049 UDP (phones making multiple connections)

    What provider do you use? All the stuff they are asking you to do is really not needed. I would advise not to turn off features because you won't be as protected.
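The alternative both posts circle around (keep the firewall on, give each phone a static IP and a unique external SIP port, and forward only what is needed) can be expressed as a small rule generator. The following is an added example, not code from either poster or from the pfSense project. It assumes pf's old-style `rdr`/`pass` syntax as used by the pf version in pfSense 2.x (the pfSense GUI writes its own rules; this shows the intent), a placeholder provider address range (TEST-NET-3), a hypothetical WAN interface name `em0`, and that each phone can be configured to use only its own slice of the 10000-20000 RTP range. It goes a little beyond the thread by restricting the forwards to the provider's addresses instead of opening the range to everyone.

```python
"""Build per-phone NAT/filter rules for VoIP phones behind a pf-based firewall.

Added example (not from the thread). Assumptions are marked inline.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

EXT_IF = "em0"                                  # assumption: WAN interface name
PROVIDER_NET = IPv4Network("203.0.113.0/24")    # placeholder (TEST-NET-3), not a real provider
RTP_RANGE = (10000, 20000)                      # range the provider asked to be opened
SIP_INTERNAL_PORT = 5060                        # phones listen on 5060 internally


@dataclass(frozen=True)
class Phone:
    name: str
    lan_ip: IPv4Address   # static LAN address (provider request 1)
    sip_port: int         # unique external SIP port (provider request 2)


def validate(phones):
    """Reject duplicate external SIP ports, duplicate LAN IPs, and SIP ports inside the RTP range."""
    ports = [p.sip_port for p in phones]
    if len(set(ports)) != len(ports):
        raise ValueError("external SIP ports must be unique per phone")
    ips = [p.lan_ip for p in phones]
    if len(set(ips)) != len(ips):
        raise ValueError("each phone needs its own static LAN IP")
    lo, hi = RTP_RANGE
    for p in phones:
        if lo <= p.sip_port <= hi:
            raise ValueError(f"{p.name}: SIP port {p.sip_port} falls inside the RTP range")


def rtp_slices(phones, rng=RTP_RANGE):
    """Split the RTP range into contiguous slices, one per phone, so a forward reaches one phone only.
    Assumption: each phone is configured to use exactly its slice."""
    lo, hi = rng
    width = (hi - lo + 1) // len(phones)
    slices = {}
    for i, p in enumerate(phones):
        start = lo + i * width
        end = hi if i == len(phones) - 1 else start + width - 1
        slices[p.name] = (start, end)
    return slices


def build_rules(phones):
    """Return pf-style rdr/pass lines: firewall stays on, only provider traffic reaches the phones."""
    validate(phones)
    slices = rtp_slices(phones)
    src = str(PROVIDER_NET)
    rules = []
    for p in phones:
        lo, hi = slices[p.name]
        # SIP signalling: unique WAN port -> the phone's internal 5060, only from the provider.
        rules.append(f"rdr on {EXT_IF} proto udp from {src} to ({EXT_IF}) port {p.sip_port} "
                     f"-> {p.lan_ip} port {SIP_INTERNAL_PORT}")
        rules.append(f"pass in quick on {EXT_IF} proto udp from {src} to {p.lan_ip} "
                     f"port {SIP_INTERNAL_PORT} keep state")
        # RTP media: the phone's slice of the range, mapped 1:1 (`port N:*` syntax assumed).
        rules.append(f"rdr on {EXT_IF} proto udp from {src} to ({EXT_IF}) port {lo}:{hi} "
                     f"-> {p.lan_ip} port {lo}:*")
        rules.append(f"pass in quick on {EXT_IF} proto udp from {src} to {p.lan_ip} "
                     f"port {lo}:{hi} keep state")
    return rules


def sample_phones():
    """Constructed sample: two desk phones with static IPs and distinct external SIP ports."""
    return [
        Phone("desk1", IPv4Address("192.168.1.11"), 5061),
        Phone("desk2", IPv4Address("192.168.1.12"), 5062),
    ]


if __name__ == "__main__":
    for line in build_rules(sample_phones()):
        print(line)
```

Adding phones to `sample_phones()` and rerunning prints the full rule set; duplicate ports or addresses are rejected before any rule is emitted, which is the mistake the "unique port per phone" request is meant to prevent. Putting the phones on their own VLAN, as the reply suggests, composes with this: the rules then only touch the phone segment.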

