H.323 Video Conference Codec behind PFSense *Guide / Explanation*
-
pfSense 2.01 Release and H.323 Video Conference Setup (Cisco C90)
In order to resolve my issue it took several hours of tinkering and too many Google searches, and still I found no satisfactory explanation. I created this article to help others use this powerful Open Source Product, pfSense, for yet another application/device. I thank the developers for all their hard work and dedication to a great project. Also thanks go out to Mark for helping me test this.
Disclaimer: I am no expert on pfSense, H.323, Cisco Equipment or even networking, but these steps worked for me and will hopefully be helpful to others. This article is written in a rather detailed manner so that you don't need a large pfSense/Networking/H.323 knowledge-base to use the steps in this post, but if you need more familiarity with something, start with a search through the many informative posts on this forum.
Working with a Factory Default Cisco C90 Codec and a pfSense with WAN, LAN, OPT1 setup from default.
1 WAN IP: ...
LAN IP: 192.168.1.0/24 Normal user subnet
OPT1 IP: 192.168.2.0/24 Subnet dedicated to the codec
Codec:
1) Make sure to first setup the codec with the appropriate IP Address (192.168.2.*), the correct subnet mask (255.255.255.0), Gateway (192.168.2.1 - My pfSense OPT1 Interface IP) and DNS Server (192.168.2.1 - pfSense by default uses DNS forwarder). On the C90 this is found under Admin Setting -> IP setting
2) Make sure to enable NATing for H.323 on the Codec. For the C90 it is found under Admin Setting -> Advanced -> H.323 -> NAT. Set: Mode = On
3) Make sure the NAT address = WAN address. You do this so that your codec can send the correct packets to your outbound connection.
4) Next you have to tell the codec that it should not try to connect through a gatekeeper (unless you are using one, then disregard). Under Admin Setting -> Advanced -> H.323 -> Profile 1 -> CallSetup. Set: Mode = Direct
5) Lastly with H.323 you need to tell it to use static ports for its connections. Admin Setting -> Advanced -> H.323 -> Profile 1. Set: Port Allocation = Static
6) Recheck IP settings. Make sure that under Admin Setting -> Advanced -> Network 1 all of the IP settings match your entries from step 1.
7) Next we need to check the RTP ports we will be using. The RTP stream transmits and receives audio and video. Under Admin Setting -> Advanced -> RTP -> Ports -> Range. Take note of the Start and Stop values because you will need to add these to your port forward/firewall rules. The default for me was 2326 through 2486.
8) Restart the codec to make sure the settings take effect.
pfSense:
1) As stated above, I'm assuming a default setup/settings with your interfaces and IPs already properly assigned.
2) First make an Alias for your codec. This makes it easier to keep your firewall rules if the device IP changes at some point. This is found under Firewall -> Aliases. Add the Name of your device (i.e. C90) and the IP that you gave the codec (192.168.2.*)
3) Next go to Firewall -> NAT so we can add the port forward rules. Make sure you are on the port forward tab, and add a new rule. I only needed 3 ranges of ports forwarded, but the number of port ranges and the specific port numbers may be different for you.
a) Q.931 Call setup, Set: Interface = WAN, Protocol = TCP, Destination = WAN Address, Destination port range = 1720, Redirect IP = Codec IP (192.168.2.*), Redirect target port = 1720, NAT reflection = enable, Filter rule association = none (By default pfSense creates associated rules on the firewall for you; I was having issues with that, so I manually created them.)
b) With the next rules, to save time I used the "add new nat based on this one" button and changed the things that were different, basically the ports. H.323 call data, Set: Destination port range = 5555 - 5595, Redirect target port = 5555.
c) RTP call data, Set: Destination port range = 2326 - 2486, Redirect target port = 2326.
4) Now, make sure you are still in Firewall -> NAT and on the outbound tab. Change the Mode to Manual Outbound NAT instead of automatic, then pfSense should generate some rules for you. We need manual mode so we can set the rules to use static ports. Find the rule with the codec's subnet as source (192.168.2.*/24) and Destination port = *. Edit the rule and make one change. Under translation, make sure to check the box that says "Static-port". This ensures that while NATing, pfSense does not randomly change the outbound port of your device.
5) Lastly we have to make the firewall rules. Go to Firewall -> Rules and start on the WAN tab. Here we have to create rules to match the ports we used for forwarding, so the data packets can get through the firewall to our device.
a) I will just go through the first one and you can use the same tactic as we did for the port forward entries. On the WAN tab create a new rule for Q.931 Call setup, Set: Action = Pass, Interface = WAN, Protocol = TCP, Destination = "Single host or alias" and Address = Alias name that we made earlier, Destination port range = 1720. Save, then use "add new rule based on this one" to create the other two.
b) You only need to make one rule on the OPT1 tab, which is to allow any traffic to the WAN. On the OPT1 tab, create a new rule. Set: Protocol = TCP/UDP, Destination (for security) check "not" and set type = "LAN subnet", Destination port range = any. This allows any traffic from OPT1 to the WAN but not to your LAN.
After adding all of these rules I could make and receive H.323 calls from the codec. You may need to reboot pfSense or your codec again for the new settings to take effect. Also, if your calls are not going through, remember to watch your firewall logs and see if particular ports are being asked for but aren't open. You may need to tweak both your port forward settings and your firewall rules until things are configured correctly.
I hope this helps and once again thank you!
-
Nick,
Thanks so much for making this post! I've been battling this for over a year. Had to switch my Polycom to UPnP to get it to have any chance of working. The part that I didn't have set was the Manual Outbound NAT. It makes sense that it needs to have static ports. But I'd never come across that in all my research. (Or it's possible that I just didn't understand it.)
I'm writing to see if this can be included in the pfSense Wiki HowTo page.
Thanks again for a well written and extremely helpful post!
Brad
-
Long story short, to use H.323 behind a pfSense firewall, one needs to enable static-port NAT.
Unfortunately neither H.323 nor SIP were designed with NAT in mind, in which case one needs either an ALG (which btw has been part of Linux's netfilter for many years, but is apparently missing from baseline pf/FreeBSD) or a NAT device that won't rewrite ports (a solution that will work if you only have one such device).
Edit: Note that SIP software has been improved in recent years, and most recent implementations can work through NAT without a need for ALG or static ports, but it's still something one has to keep in mind when troubleshooting SIP issues.
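For readers who want to see what the web UI steps in Nick's guide and the static-port point in the reply above amount to underneath, here is the same rule set written as an added pf.conf-style example. It is not the configuration pfSense generates and not code from either poster. The interface names em0/em1/em2 and the codec address 192.168.2.10 are assumptions; the port numbers are the ones from the guide (1720, 5555-5595, 2326-2486). RTP is carried over UDP, so the media forward is written with proto udp even though the guide only mentions changing the ports when cloning the TCP rule. The weak outbound NAT rule is left commented out next to the corrected one so the single difference (static-port) is visible.

```pf
# Added example: pf.conf-style equivalent of the guide's pfSense rules.
# Assumed: em0 = WAN, em1 = LAN, em2 = OPT1, codec at 192.168.2.10.
ext_if  = "em0"
lan_if  = "em1"
opt_if  = "em2"
lan_net = "192.168.1.0/24"
opt_net = "192.168.2.0/24"
codec   = "192.168.2.10"        # the "C90" alias from the guide

# --- Outbound NAT (pfSense: Firewall -> NAT, Outbound, Manual mode) ---
# Weak: pf picks a fresh source port for each outbound connection. The
# codec advertises the static ports it was told to use (guide step 5)
# inside H.323 signalling, so the far end replies to ports that were
# never mapped and the call setup or media fails.
# nat on $ext_if from $opt_net to any -> ($ext_if)
#
# Corrected: keep the codec's source ports unchanged ("Static-port").
nat on $ext_if from $opt_net to any -> ($ext_if) static-port

# --- Inbound port forwards (pfSense: Firewall -> NAT, Port Forward) ---
# Q.931 call setup
rdr on $ext_if proto tcp from any to ($ext_if) port 1720 -> $codec port 1720
# H.323 call data, the codec's static port range
rdr on $ext_if proto tcp from any to ($ext_if) port 5555:5595 -> $codec port 5555:*
# RTP audio/video, the range from the codec's RTP -> Ports -> Range
rdr on $ext_if proto udp from any to ($ext_if) port 2326:2486 -> $codec port 2326:*

# --- Filter rules (pfSense: Firewall -> Rules) ---
block all
# WAN tab: only the forwarded ports reach the codec
pass in quick on $ext_if proto tcp from any to $codec port 1720
pass in quick on $ext_if proto tcp from any to $codec port 5555:5595
pass in quick on $ext_if proto udp from any to $codec port 2326:2486
# OPT1 tab: codec subnet may go out to the WAN but not into the LAN
pass in quick on $opt_if proto { tcp, udp } from $opt_net to ! $lan_net
pass out quick on $ext_if
```

The `port 5555:*` and `port 2326:*` targets map the whole inbound range onto the same range on the codec one-to-one, which is what the guide's "Redirect target port = 5555" / "= 2326" entries do in the UI. On a live pfSense box, `pfctl -sn` shows the translation rules actually loaded, which is a quick way to confirm that `static-port` appears on the OPT1 subnet's outbound rule after saving the Manual Outbound NAT change.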