VoIP work not stable (firewall state table)

mod3m

Hi all.
There is a gateway to the pfsense 2.0.1-RELEASE with a dedicated static ip address on WAN interface. There is local network on LAN interface.
On the local network set VoIP gateway Dlink dvg 5004, connected to the out SIP server provider.
The problem is this. For about six months, periodically lost connection to voip gateway ("Current Status" is "Proceeding"). Can work a few hours and lose connection. And can work for months without problems. I found, out that the problem in firewall and specifically State Table. Today see,  that in "State Table" connect status:```
udp 195.10.2.33:5060 <- 192.168.1.101:5060 NO_TRAFFIC:SINGLE

Ports is open all for ip address voip gateway. For LAN interface out:

UDP 192.168.1.101 * * * * none   Allow from VoIP

UDP out - all allowed.
Else set Firewall Optimization Options in mode conservative - did not help (was "normal").
The plans try in "System: Advanced: Firewall and NAT" set "Disable Firewall Scrub". In rule firewall, add "Advanced Options" -> "State Timeout in seconds" set 1600\. enough yet?
As an option, "System: Advanced: Miscellaneous" enable Schedule States and States.
Now in operation state "state table":

udp 195.10.2.33:5060 <- 192.168.1.101:5060 MULTIPLE:MULTIPLE
udp 192.168.1.101:5060 -> 92.93.14.74:36355 -> 195.10.2.33:5060 MULTIPLE:MULTIPLE

Who can help?)
sorry for my english))

mod3m

Who are interested problem. Solved so:

kill_voip.sh

#!/bin/sh
local_voip_ip=''
provider_voip_ip=''
# Write phone states to file
/sbin/pfctl -s state | grep $local_voip_ip > /tmp/statetmp.status
# Kill VOIP phone states if in wrong state
awkrepley3=`awk '/'$local_voip_ip'/ && /'$provider_voip_ip'/ && /SINGLE/ {print "down"}' /tmp/statetmp.status`
  if [ "${awkrepley3}" = "down" ] ; then
    /sbin/pfctl -k $local_voip_ip -k $provider_voip_ip
    echo "states frozen kill them" | logger  
  fi

In a cron every 5 minutes.

I hope the new version fix

dhatz

Can work a few hours and lose connection. And can work for months without problems

There seem to be many posts in this forum about issues with stale SIP states …

I haven't had any problems when testing various SIP setups, but it would be interesting to try to understand the dynamics of the issue(s).

pf's UDP timeouts are pretty short 30-60sec

dhatz

Apparently there is a problem and according to Ermal's latest post in ticked 1629 its solution has been postponed to pfsense v2.2 :-(

"invalid state table entries after WAN IP change"
http://redmine.pfsense.org/issues/1629

Updated by Ermal Luçi about 5 hours ago
Target version changed from 2.1 to 2.2

The only real solution to this is to switch to if-bound states for many reasons.
That is a bit more involved changed for 2.1

dhatz

Ermal just pushed some fixes into 2.1-BETA1 snapshot a couple of days ago, see https://github.com/bsdperimeter/pfsense/commit/8f563bb423ab8a1c06a191b5fc772a260b042360

It'd be most helpful if those who have had VoIP issues due to stale states could install it and report back.

Tillebeck

I am working on installing 2.1 and place it as router/firewall with users behind that currently have problems with the VOIP and dropped states. Gateway is remote. It is only the clients that will be behind the box. Currently I cannot upgrade the 2.0.1 to the new 2.1.
http://forum.pfsense.org/index.php/topic,58805.0.html

As soon as that is solved I will set upgrade production router to 2.1 beta1.

BR. Anders

dhatz

The issue isn't yet fixed in the latest 2.1 snaps, according to user feedback (see redmine ticket)

numer

I'm running latest "pfSense-2.1-RC0-1g-i386-nanobsd-20130718" and facing the same problem.

After reset of states VoIP registrations and peers do work well again untill WAN IP gets changed again.

Any chance this issue is going to be fixed?

fizadmin

This issue still persists in the latest 2.1.4-RELEASE (i386) - is there any chance at this being fixed prior to 2.2, i.e. in a reasonable amount of time?

Without this, pfSense is rather useless (from a reliability point of view) in any scenario with a VOIP server behind it.

mikeisfly

I have a VoIP server behind PfSense 2.1.4 and I'm not having any issues. The fix for me was after I got everything setup I changed my outbound nat to static nat that way the VoIP packets ports would not be changed.

uk26

I suspect most of the problems to be due to not having static port forwarding enabled. also if you are trying to use a router with built In voip and have this on the lan then you are going to have double nating issues.

we use a phone system called 3cx (3cx.com) my tests so far are all good.

just put pfsense live this weekend at our office which has around 200 voip calls per day and tomorrow will be a good test. I don't expect to be any issues as static port forwarding is working and the pbx firewall test tool all passes without issue.

VoIP is our core business and once we have fully tested pfsense at our office, we will be putting it at our data centre of which will be pushing around 800 mbps internet traffic via pfsense. some of this will be voip.

gahase

i had similar issues.  the fix is under System > Advanced > Firewall/NAT

CHECK "Disable The PF Scrubbing Option which can sometimes interfere with the NFS and PPTP traffice"

issue was with FREEPBX\asterisk VOIP