Netgate Discussion Forum

    Setting up pfSense for VoIP - asked to disable firewall?

      victorhooi

      Hi,

      We're currently setting up a small office network with multiple VoIP phones, behind a firewall device running pfSense 2.1 (Beta).

      We were having call quality issues and dropouts with the phone, and we've been requested by our VoIP provider to:

      • Assign a static IP to each VoIP phone

      • Set a unique port for each VoIP phone (e.g. 5061), and port forward UDP connections to the firewall on that port to the phone.

      • Disable SIP Application Layer Gateway functionality

      • Disable Firewall functionality and any Stateful Packet Inspection features

      • Disable Denial of Service protection (DoS)

      • Allow inbound and outbound UDP traffic between ports 10000 and 20000

      I get the first two, and that should be a fairly easy change.

      With the third item, I don't believe pfSense has an ALG built in, so we should be fine.

      With the fourth item - is this a good idea?

      With the DoS protection - this is part of the Advanced features section for editing firewall rules, right? I'll need to read more about how to achieve this, but there isn't a DoS-specific protection in place by default anyhow, right?

      Finally, with the last - is this also a good idea? I just open up 10000 to 20000 through the firewall? What about NAT-ing here?

      Cheers,
      Victor

        craigduff

        What device are you running?

        Is the pfSense box also going to act as a firewall for other network devices, i.e. laptops and desktops?

        Kind Regards,
        Craig

          victorhooi

          Heya,

          The device is a Hacom Mars II 1U server.

          Yes, the pfSense box is for the entire LAN - all of the traffic is routed through it.

          It will also be set up as a caching web proxy server.

          Cheers,
          Victor

            craigduff

            OK, in that case I would either set up a DMZ and assign the phones to that, or even a VLAN, so you can still be protected with other nodes on the network, if that's what the VoIP provider says. But I have VoIP running through my network and it works fine.

            Nothing special has been done except for all LAN traffic external allowed, and NAT port forwards using the ports given by the phone system to work.

            port 5060 UDP/TCP
            port 5090 UDP/TCP (Tunnel connection)
            port 9000 to 9049 UDP (phones making multiple connections)

            What provider do you use? All the stuff they are asking you to do is really not needed. I would advise not turning off features because you won't be as protected.

            Kind Regards,
            Craig
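
An added example, not part of the thread and not rules generated by pfSense: one way the provider's list (static IP per phone, a unique forwarded SIP port per phone, UDP 10000 to 20000) can be expressed as pf rules while the default-deny filter stays on for the rest of the LAN. Interface names, addresses and the second phone's port 5062 are constructed placeholders; it assumes the phones originate their own media flows so that state entries admit the return traffic.

```pf
# Added example; every name and address below is a constructed placeholder.
ext_if  = "em0"                  # WAN interface (assumed)
int_if  = "em1"                  # LAN interface (assumed)
lan_net = "192.168.1.0/24"
phone1  = "192.168.1.101"        # static IP, SIP port 5061
phone2  = "192.168.1.102"        # static IP, SIP port 5062 (constructed)
table <voip_phones> { 192.168.1.101, 192.168.1.102 }

# Translation: outbound NAT for the LAN, one SIP forward per phone.
nat on $ext_if from $lan_net to any -> ($ext_if)
rdr on $ext_if proto udp from any to ($ext_if) port 5061 -> $phone1 port 5061
rdr on $ext_if proto udp from any to ($ext_if) port 5062 -> $phone2 port 5062

# Filtering: default deny on the WAN stays in place, so laptops, desktops
# and the proxy keep their protection. Turning filtering off instead would
# expose every host behind this box, not only the phones.
block in log on $ext_if all

# Forwarded SIP signalling (rdr has already rewritten the destination).
pass in on $ext_if proto udp from any to $phone1 port 5061 keep state
pass in on $ext_if proto udp from any to $phone2 port 5062 keep state

# Media: only the phones may open UDP 10000-20000 flows outbound; the
# resulting state entries admit the replies (assumption stated above).
pass in  on $int_if proto udp from <voip_phones> to any port 10000:20000 keep state
pass out on $ext_if proto udp from ($ext_if) to any port 10000:20000 keep state
```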
