Asterisk behind pfSense 2.0.3 works for clients outside but not in a different LAN



  • We have 1 pfSense firewall with 3 ports - WAN, LAN and OPT. Following are some additional details:
    • The WAN is connected to a Comcast business router with 4 physical ports. We have 16 public IPs and one of these is assigned to the WAN port.
    • The LAN port is connected to a switch and we have 4 VLANs. The LAN hosts some servers that have public IPs (via NAT, port forwarding).
    • The OPT is dedicated for Asterisk and is connected directly to it. The Asterisk box has a public IP assigned to it.
    • VOIP clients are on the LAN (x-lite, snom phones) and also some are on the outside (of WAN).
    • We use Manual Outbound Rules.
    We have tried the following two configurations with problems we are facing:

    1. Bridged mode between OPT and WAN. In this mode,
    2. In 1:1 NAT mode using VIPs.
      In both configurations SIP clients (all softphones) outside WAN can connect and use the Asterisk server w/o issues. But the problem occurs for SIP clients who are inside the LAN (connecting using the local IP of the Asterisk box, cannot connect using public IP). These clients are facing these problems:
    3. In 1:1 NAT mode –
      a. Outgoing calls – audio comes in but does not go out. Audio drops at 20 secs and then call disconnects at 30 secs.
      b. Inbound calls – there is no audio transfer either way and the call disconnects in 30 secs.
    4. In bridged mode
      a. Outgoing calls – no audio transfer either way.
      b. Inbound call - audio comes in but does not go out.
      Any help is appreciated.


  • Some ideas / suggestions:

    1 - I would not have the OPT link with a PUBLIC IP address directly to the Asterisk / SIP server; minimize security implications - clean and simple design
    2 - Use 1:1 on WAN to direct SIP traffic to an internally assigned IP on the Asterisk / SIP server; you can even add the SOURCE IP of incoming SIP/RTP traffic from home/other offices/etc.
    3 - Use DNS externally and internally to point clients to the Asterisk / SIP server; pbx.mydomain.com (use split DNS) to apply both internally / externally
    4 - With proper routing between internal subnets and proper use of DNS, any client will find its Asterisk / SIP server



  • 1st.  I think most of your problems might be solved if you use the Asterisk package directly on pfSense rather than a separate server.  This solves a whole bunch of NAT issues.

    Second, I have found, for me on my systems, that NAT reflection is required to get things that are sometimes inside and sometimes outside the LAN to work, for example an IP phone.  However, NAT reflection with UDP on SIP has proven unreliable for me behind pfSense.  No problems with TCP though.

    My solution has been to configure IP phones in the LAN to connect directly to the IP of my SIP server and the ones outside the network to use my public IP.
    Even with this, with two layers of NAT in the way (assuming that whatever network your external phones are on puts them behind NAT) one-way audio issues will persist.

    In all cases, you will need something like this in the MANUAL outbound NAT and static port checked (most likely)

    Interface   Source            Source Port   Destination   Dest Port   NAT Address   NAT Port   Static Port   Description
    WAN         10.15.45.68/32    udp/*         *             udp/*       *             *          YES           Static Port NAT (no rewrites on SIP server)

    Where 10.15.45.68/32 is the address of your SIP server on the LAN.

    P.S.  I also use VPN to get around all these problems and that works flawlessly.
    Other than the above, or having the SIP server directly on a public-facing IP, your problems will persist I think.
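
The "static port" point in the reply above, as an added example that is not code from the original post or from pfSense/Asterisk: a small Python simulation of a stateful source NAT in front of a SIP REGISTER over UDP, run with and without source-port rewriting and with and without the Via `rport` parameter (RFC 3581). The addresses are assumptions for illustration (10.15.45.68 is the PBX on the LAN, taken from the post; 198.51.100.5 stands in for the WAN address; 203.0.113.10 for the trunk provider's registrar) and the messages are constructed.

```python
"""Simulate SIP over UDP through a stateful source NAT, with and without
'static port' and with and without the Via rport parameter.

Added example for this thread, not code from the original posts or from
pfSense/Asterisk. All addresses and messages are constructed: 10.15.45.68 is
the PBX on the LAN (as in the post), 198.51.100.5 the firewall's WAN address,
203.0.113.10 the trunk provider's registrar.
"""
import random

PBX = ("10.15.45.68", 5060)
REGISTRAR = ("203.0.113.10", 5060)
WAN_IP = "198.51.100.5"


class SourceNat:
    """Minimal stateful outbound NAT modelled on pf: a reply is delivered only
    if it matches state that an outbound datagram created."""

    def __init__(self, wan_ip, static_port):
        self.wan_ip = wan_ip
        self.static_port = static_port
        self.state = {}                  # wan_port -> ((lan_ip, lan_port), dst)
        self.rnd = random.Random(1)      # fixed seed so runs are repeatable

    def outbound(self, src, dst):
        """Translate a LAN datagram; returns the (ip, port) the far end sees."""
        for wan_port, entry in self.state.items():
            if entry == (src, dst):
                return self.wan_ip, wan_port
        # static port keeps the LAN source port; otherwise pf picks a random one
        wan_port = src[1] if self.static_port else self.rnd.randint(49152, 65535)
        self.state[wan_port] = (src, dst)
        return self.wan_ip, wan_port

    def inbound(self, src, dst_port):
        """Return the LAN (ip, port) a reply is delivered to, or None when
        there is no matching state (and no port forward): pf drops it."""
        entry = self.state.get(dst_port)
        if entry is None or entry[1] != src:
            return None
        return entry[0]


def build_register(src, rport):
    """Constructed REGISTER; with rport=True the Via asks for RFC 3581 handling."""
    via = f"SIP/2.0/UDP {src[0]}:{src[1]};branch=z9hG4bK77" + (";rport" if rport else "")
    return ("REGISTER sip:203.0.113.10 SIP/2.0\r\n"
            f"Via: {via}\r\n"
            "From: <sip:trunk@203.0.113.10>;tag=r1\r\n"
            "To: <sip:trunk@203.0.113.10>\r\n"
            "Call-ID: reg-1@pbx\r\nCSeq: 1 REGISTER\r\n"
            f"Contact: <sip:trunk@{src[0]}:{src[1]}>\r\nContent-Length: 0\r\n\r\n")


def response_target(request, seen_from):
    """Where a UDP SIP server sends its response (RFC 3261 18.2.2, RFC 3581):
    to the IP the request came from, but to the port in the top Via's sent-by
    unless the Via carries rport, in which case to the observed source port."""
    via = next(l for l in request.split("\r\n") if l.lower().startswith("via:"))
    sent_by, *params = via.split(":", 1)[1].strip().split(";")
    host_port = sent_by.split()[1]
    via_port = int(host_port.partition(":")[2] or 5060)
    has_rport = any(p.strip() == "rport" for p in params)
    return seen_from[0], (seen_from[1] if has_rport else via_port)


def register(static_port, rport):
    """Run one REGISTER/200 exchange and report whether the 200 reached the PBX."""
    nat = SourceNat(WAN_IP, static_port)
    request = build_register(PBX, rport)
    seen_from = nat.outbound(PBX, REGISTRAR)
    reply_to = response_target(request, seen_from)
    delivered_to = nat.inbound(REGISTRAR, reply_to[1])
    return {"seen_from": seen_from, "reply_to": reply_to,
            "registered": delivered_to == PBX}


if __name__ == "__main__":
    for static_port in (True, False):
        for rport in (False, True):
            r = register(static_port, rport)
            print(f"static_port={static_port!s:5} rport={rport!s:5} "
                  f"seen_from={r['seen_from']} reply_to={r['reply_to']} "
                  f"registered={r['registered']}")
```

Without rport the registrar answers to the port named in the Via, so a rewritten source port leaves no matching pf state and the 200 OK is dropped unless a separate port forward for 5060 happens to catch it; static port keeps the observed port and the Via port equal. Asterisk's `nat` setting (`nat=yes` on older chan_sip, `nat=force_rport,comedia` on newer) puts rport in its own Via and sidesteps this for the PBX's registrations, which is why the reply above suggests leaving static port on until everything works and only then testing without it.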



  • One more thing to look at is Asterisk SIP Settings. In FreePBX go to Settings-> Asterisk SIP Settings

    Make sure you have your subnets/networks in Local Networks. As far as having Asterisk in your pfSense box, I kind of liken it to Cisco Call Manager Express in their Cisco router. If you have a small number of phones and your hardware can take it then that is fine. If you have a large phone base a separate server is preferred. On a side note, isn't FreeSWITCH a package for pfSense instead of Asterisk?

    Hope this helps



  • I have been trying since June 9th to get something similar to work with mixed to no success. In my environment, my Trixbox (Asterisk) server is currently sitting outside of the pfSense firewall and I desperately have to move it inside the firewall. Here, all IP phones are inside the firewall - there are no external phones that have to connect to the internal Trixbox server and all IP phones register with the internal Trixbox server. My pfSense box has WAN, LAN, DMZ (wireless) & VoIP interfaces. VoIP is a dedicated interface & gateway configured with the public IP address of my SIP provider and is connected to a separate 6 Mbps data circuit. Using port forwarding rules for SIP & RTP UDP ports, incoming calls work perfectly but no outgoing calls can be made. All I want to do is to route outgoing traffic from the Trixbox through the VoIP interface and thereby to my SIP provider. I have tried just about everything: siproxy, 1:1 NAT, Manual Outbound NAT, etc. with no success. Following posts by kejianshi in another topic area, I suspect that this cannot be done in a multi-WAN setup (which is what I have here). Oh well.



  • Have you tried setting manual outbound NAT on ports 5060 and maybe ports 5061 with the "static" option checked?  Wait.  I'm confused on one thing.

    All phones are inside the LAN?  And you are registered to a trunk line that doesn't have weird NAT?

    That should work.  Mine does.

    For you I would set up 2 WANs with MANUAL outbound NAT.

    WAN1 would be for all the computers on the LAN

    WAN2 would be just for your SIP server.

    I would set up Manual outbound NAT for the subnet the Trixbox is on and select WAN2 for the interface and check "static".
    I would set up the Manual outbound NAT for the subnet your computers are on and select WAN1 for the interface.

    Mine works.  I only have any issue at all with phones connecting from outside the LAN that are behind some other network's NAT.

    One caveat.  I use AsteriskNOW.  But still it's Asterisk.  Should work for you.



  • It's possible I may not be clear on your "Data Line" for SIP.
    The WAN that my SIP Server uses is plain old regular ISP to Fiber > MOCA > Ethernet. Basically FIOS there.



  • What you are trying to do should not be a problem, I have this running right now. The only thing different that I have than you is I configured my Cisco router to be a VoIP gateway and I have a MagicJack line coming into my router for connection to the PSTN. I also use Cisco Call Manager to register my phones but I use Asterisk for voicemail. I also use Asterisk (FreePBX) for remote phone connections through my Android phone using the Bria softphone. I have a SIP trunk from my Cisco Call Manager to FreePBX.

    I have made a network diagram of a setup that should work for you if you have the gear to set it up. http://www.gliffy.com/go/publish/image/4738285/L.png In this setup you should set your LAN's (vlan 10) default gateway to WAN 1 and then set your LAN 2 (vlan 11) default gateway to WAN 2. Like I mentioned before, if your phones are on another vlan make sure you have that LAN included in your local networks. Obviously if the phones are off site make sure you have NAT configurations set up on the Trixbox as well as the correct ports forwarded on pfSense. I have played around with Trixbox; it looked similar to FreePBX. I just liked the FreePBX GUI better and it's been working great for me.

    Hope this helps.



  • Yeah - FreePBX works very well in this config.  But at its core, it's all just Asterisk so same same.  Should work unless there is some NAT between his machine and the trunk provider that we are unaware of.



  • @kejianshi:

    Have you tried setting manual outbound NAT on ports 5060 and maybe ports 5061 with the "static" option checked?

    Yes to both although Fonality says nothing about needing to forward port 5061. I have pored over numerous articles detailing how to setup Asterisk behind NAT router/firewalls. I have made the changes to the sip.conf files. And, of course, I have tried a bunch of things on pfSense.

    All phones are inside the LAN?  And you are registered to a trunk line that doesn't have weird NAT?

    Yes and yes.

    That should work.  Mine does.

    I agree. I read your earlier posts.

    For you I would set up 2 WANs with MANUAL outbound NAT.

    WAN1 would be for all the computers on the LAN

    WAN2 would be just for your SIP server.

    I would set up Manual outbound NAT for the subnet the Trixbox is on and select WAN2 for the interface and check "static".
    I would set up the Manual outbound NAT for the subnet your computers are on and select WAN1 for the interface.

    Mine works.  I only have any issue at all with phones connecting from outside the LAN that are behind some other network's NAT.

    In my environment, both the Trixbox and user computers/softphones/IP phones reside on the same subnet because we are using softphones that take on the IP+MAC addresses of the workstation. If I was able to segregate out VoIP from Data via subnets, then your solution would work. My problem is that I cannot figure out a way to tag all outbound traffic from a single server (Trixbox) and direct it out the the VoIP interface. The SIP phones register with this server and all it's doing is establishing the SIP connections to the VoIP provider. Running asterisk -r on the Trixbox verifies this but when I move the Trixbox inside pfSense, outbound calls cannot call the SIP provider. This is more of a routing issue than anything.

    Up until now, I have never had a need to interfere with Outbound NAT so my system is setup for Automatic Outbound NAT. When I tried moving my Trixbox behind pfSense, I have been selecting Manual Outbound NAT and creating one rule for the VoIP interface:

    Interface   Source            Source Port   Destination   Destination Port   NAT Address   NAT Port   Static Port
    VOIP        192.168.x.0/24    *             *             *                  Trixbox                  NO

    Now this doesn't work because I cannot set the source to a single server. The problem is that everything here was setup for a flat network. I also tried doing this by setting up filtering rules on the LAN interface to send incoming traffic to the VoIP interface based on the UDP ports for SIP & RTP. Up to now, I haven't really found much on how to use pfSense as a router.

    One caveat.  I use AsteriskNOW.  But still it's Asterisk.  Should work for you.

    I feel I'm close but don't know how to proceed. One final point: I turn off the firewall on the Trixbox when I move it inside pfSense since it's no longer needed. I then set the Trixbox to detect brute force attacks from bogus SIP requests.



  • @kejianshi:

    Its possible I may be not clear on your "Data Line" for SIP.
    The WAN that my SIP Server uses is plain old regular ISP to Fiber > MOCA > Ethernet. Basically FIOS there.

    Same thing - straight ethernet through TW Telecom.



  • "The SIP phones register with this server and all it's doing is establishing the SIP connections to the VoIP provider."

    That's where it's broken, especially with 2 WANs.  The packets don't know how to get out that SIP WAN and even if they did, they would probably run smack into NAT.  My Asterisk is always the middle man.  It's a bit more CPU intensive because the Asterisk server is coding the audio for both ends on the fly, so you get a conversation and not just "hello? hello? hello?  you there?"

    P.S.  My network is also SO NOT FLAT.  Headache but less expensive than buying a public IP for every whim I get.

    I'd also keep that "static" block checked on outbound always until you get this working, then after its up and working fine you can test with and without static port.

    When SIP initiates the call, the INVITE message contains the information on where to send the media streams. Asterisk uses itself as the end-points of media streams when setting up the call. Once the call has been accepted, Asterisk sends another (re)INVITE message to the clients with the information necessary to have the two clients send the media streams directly to each other.

    For this reason, I set reinvite to "no" to unbreak what NAT will naturally break.
    This should also enable you to put your phones and computers pretty much anywhere you want inside your network, including VPN clients on whatever subnets you choose.  Make sure your Asterisk box isn't a wimp and you will be fine.  Mine gets a 4-core Pentium Extreme but it's never taxed at all.  I've done the same thing with a single core of a Pentium i7 in a VM with no ill effects.

    I'm sure you are following, but to make it clear: if the Asterisk server ISN'T reinviting and it's keeping itself as the middle man, you are free to put the Asterisk box on a separate subnet with all its outbound traffic sent to a separate WAN (your VoIP data line).
    Just make sure that the subnet the phones are on and the subnet the asterisk server is on can pass traffic to each other (firewall rules).

    And how many simultaneous conversations are we talking about here? 10s? hundreds? Thousands?

    You will get about 10 simultaneous calls per 300 MHz this way, so 1 core at 1 GHz will get you 30.  At 3 GHz 1 core, 90, and if you have 4 cores, nearly 400 simultaneous calls depending on chip architecture, maybe a lot more.  I have no idea of your environment but I'm assuming transcoding is required, just in case. Mine also handles video calls well with Bria clients, but that's bandwidth-hungry.
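
The INVITE / re-INVITE behaviour described in the reply above, as an added example that is not code from the original post or from Asterisk: a Python check that parses the SDP offer carried in a SIP message and reports whether the RTP endpoint it advertises is reachable from the peer the message is going to. The messages are constructed, and the addresses are assumptions (198.51.100.5 for the PBX's public side, 10.15.45.20 for a LAN phone, 203.0.113.10 for a softphone outside the WAN). It goes a little beyond the post by also honouring media-level `c=` lines and the port-0 / 0.0.0.0 cases.

```python
"""Check the media (RTP) endpoints advertised in a SIP message's SDP body.

Added example for this thread; not code from the original posts or from
Asterisk/pfSense. Messages and addresses below are constructed samples:
198.51.100.5 is the PBX's public side, 10.15.45.x the LAN, 203.0.113.10 a
softphone outside the WAN.
"""
import ipaddress

# RFC 1918 is checked explicitly rather than with ipaddress.is_private,
# because Python also classes the documentation ranges used here as private.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_sip(msg):
    """Split a SIP message into (start line, header dict, body)."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def sdp_media(body):
    """Return [(kind, ip, port)] for each m= line; a c= line that follows an
    m= line overrides the session-level c= for that media only."""
    session_ip, media = None, []
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if media:
                kind, _, port = media[-1]
                media[-1] = (kind, ip, port)
            else:
                session_ip = ip
        elif line.startswith("m="):
            kind, port = line[2:].split()[:2]
            media.append((kind, session_ip, int(port)))
    return media


def check_media(msg, peer_ip):
    """Classify each advertised RTP endpoint as reachable or not from peer_ip.

    A private RTP address handed to a public peer is the classic one-way /
    no-audio case: signalling got through NAT, but the far end streams RTP to
    an address it cannot route to.
    """
    _, headers, body = parse_sip(msg)
    if "application/sdp" not in "".join(headers.get("content-type", [])):
        return []
    findings = []
    for kind, ip, port in sdp_media(body):
        if ip is None:
            ok, why = False, "no c= line for this media"
        elif port == 0:
            ok, why = False, "media disabled (port 0)"
        elif ip == "0.0.0.0":
            ok, why = False, "0.0.0.0 media address (hold, or externip unset)"
        elif is_rfc1918(ip) and not is_rfc1918(peer_ip):
            ok, why = False, "RFC 1918 media address advertised to a public peer"
        else:
            ok, why = True, "ok"
        findings.append({"media": kind, "addr": ip, "port": port,
                         "reachable": ok, "reason": why})
    return findings


def build_invite(contact_ip, media_ip, media_port, cseq):
    """Constructed INVITE with a one-stream SDP offer (sample data)."""
    sdp = (f"v=0\r\no=pbx {cseq} {cseq} IN IP4 {contact_ip}\r\ns=call\r\n"
           f"c=IN IP4 {media_ip}\r\nt=0 0\r\nm=audio {media_port} RTP/AVP 0 8 101\r\n")
    return (f"INVITE sip:2001@203.0.113.10 SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {contact_ip}:5060;branch=z9hG4bK{cseq}\r\n"
            f"From: <sip:1001@{contact_ip}>;tag=a1\r\nTo: <sip:2001@203.0.113.10>\r\n"
            f"Call-ID: call-1@{contact_ip}\r\nCSeq: {cseq} INVITE\r\n"
            f"Content-Type: application/sdp\r\nContent-Length: {len(sdp)}\r\n\r\n{sdp}")


# Asterisk relaying media itself (directmedia=no): the offer names its own address.
INVITE_RELAY = build_invite("198.51.100.5", "198.51.100.5", 18000, 1)
# With direct media on, the re-INVITE tells the remote phone to stream
# straight to the LAN phone's private address.
REINVITE_DIRECT = build_invite("198.51.100.5", "10.15.45.20", 11000, 2)

if __name__ == "__main__":
    for label, msg, peer in (("relay -> remote", INVITE_RELAY, "203.0.113.10"),
                             ("direct -> remote", REINVITE_DIRECT, "203.0.113.10"),
                             ("direct -> LAN phone", REINVITE_DIRECT, "10.15.45.30")):
        print(label, check_media(msg, peer))
```

The same check explains the Local Networks setting mentioned in the earlier reply: a re-INVITE that points one LAN phone at another LAN phone's RFC 1918 address is fine, the identical re-INVITE sent to a phone outside the WAN is the one-way-audio case, and `directmedia=no` (`canreinvite=no` on older chan_sip) simply never sends it.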



  • Well, I have tried just about everything and it doesn't work for me. I can conclusively state that I have followed all of the great suggestions offered here with no success. Using tcpdump, I monitored the VoIP interface after moving the Trixbox behind pfSense and setting up Manual NAT to point to Broadvox. On incoming calls, you can see the voip connections but no traffic on outgoing calls pass through the VoIP interface. On the Trixbox, I can see the SIP connection attempt to Broadvox, but no answer from the other side. There's no sound (ringing, etc.) plus, my phones start logging registration errors. Once I reconfigure the Trixbox to sit outside of pfSense, everything works fine. I honestly believe that Asterisk works behind pfSense but only in certain situations. It's time to start looking at Cisco (ugh!).



  • It's not pfSense that's not working for you.

    Its either:

    1.  Your settings.  Some small thing you are overlooking.
    2.  Your VoIP provider has its own issues.

    It is better and easier to have 1 IP > pfSense > all the computers in your setup than trying to 1:1 NAT Asterisk in 1 place using 1 WAN exclusively serving VoIP to a bunch of computers using a totally different WAN exclusively.  Still, it could work.  Some setting isn't quite right.  You will hit the same thing on Cisco.



  • @kejianshi:

    It's not pfSense that's not working for you.

    Its either:

    1.  Your settings.  Some small thing you are overlooking.
    2.  Your VoIP provider has its own issues.

    It is better and easier to have 1 IP > pfSense > all the computers in your setup than trying to 1:1 NAT Asterisk in 1 place using 1 WAN exclusively serving VoIP to a bunch of computers using a totally different WAN exclusively.  Still, it could work.  Some setting isn't quite right.  You will hit the same thing on Cisco.

    I just got off the phone with Fonality Support. I had them look at my Trixbox configurations, firewall, etc. They say that it's setup properly and should work behind the pfSense firewall and it actually does work one way. I've done this sort of thing many times with Cisco equipment which makes it easy to direct specific traffic out multiple serial interfaces but pfSense routing eludes me. I cannot see why I can't use a firewall for the LAN interface specifying that any traffic inbound from the LAN from the Trixbox alias that match my UDP rules for SIP & RTP cannot be sent out the VoIP interface instead of the WAN interface. In fact, this is how I first tried to do this as it worked perfectly for VoIP traffic inbound through the 2nd WAN interface.

    I'd like to have 1 ip > pfsense > internal network but here I am running a call center with 60+ agents (and growing) so having them use a dedicated WAN interface for VoIP makes sense especially with our using a number of cloud based applications. I believe that it's definitely a routing issue because incoming calls work fine - you can see them register in tcpdump on the pfSense box and connect on the Trixbox.



  • I feel your pain. 
    An obstacle I faced that maybe you don't is the destination of the SIP packets.
    For me, there is no way of knowing the IP of the endpoints of the SIP connection unless I tell asterisk to never re-invite and direct all incoming calls from everyone to initially be > to my 5060 port, allow SIP guests and limit 5060 incoming to only the IP of my trunk.  Makes it harder than your setup.
    But for you, is the far end ALWAYS only that 1 trunk, such that you could set up a policy that any traffic whose destination is the IP of your SIP trunk provider must use the WAN you intend for SIP and not the other WAN?



  • @kejianshi:

    I feel your pain. 
    An obstacle I faced that maybe you don't is the destination of the SIP packets.
    For me, there is no way of knowing the IP of the endpoints of the SIP connection unless I tell asterisk to never re-invite and direct all incoming calls from everyone to initially be > to my 5060 port, allow SIP guests and limit 5060 incoming to only the IP of my trunk.  Makes it harder than your setup.
    But for you, is the far end ALWAYS only that 1 trunk, such that you could set up a policy that any traffic whose destination is the IP of your SIP trunk provider must use the WAN you intend for SIP and not the other WAN?

    And that's exactly what I initially thought as well. My VoIP provider will always be the destination for outgoing SIP calls. Initially, I believed that all I needed was two sets of rules - as such, I should only need to add the following rules to the LAN interface:

    ID   Proto   Source    Port            Destination   Port            Gateway   Queue   Schedule   Description
         UDP     Trixbox   5060 (SIP)      Broadvox      5060 (SIP)      *         none               SIP Outbound to Broadvox
         UDP     Trixbox   10000 - 20000   Broadvox      10000 - 20000   *         none               RTP Outbound to Broadvox

    But this doesn't work because the Gateway is wrong - it is using the default WAN Gateway and not the VoIP Gateway and I completely missed how to alter the Gateway parameter in the LAN firewall rules.

    If I am sitting inside the pfSense box, incoming VoIP calls use the VoIP interface and are forwarded with firewall rules directly to the Trixbox. This is working perfectly. Outbound calls from the Trixbox enter the LAN interface and have to be forwarded out the VoIP interface. Since Broadvox & the Trixbox are setup to recognize SIP traffic flowing through the VoIP IP address, that should complete the loop so to speak and provide two-way traffic between the Trixbox & Broadvox. That's why I always considered this to be a routing and not a NAT issue because Trixbox 12.6 is NAT compatible and I wasn't experiencing NAT issues. What I've been trying to do is what pfSense calls policy-based routing only I couldn't get this to work because as I stated earlier, I was over thinking and went off into 1:1 NAT and Manual NAT land. Now, if my reasoning above is sound, then the solution appears to be simple: Under the LAN firewall rules, use the Advanced Features and set Gateway to the VoIPGateway for the LAN firewall rules above. Because I'm in a production environment, I cannot test this out until Friday evening but I will post my results.



  • Just do it…  If it goes down, the millions of dollars per hour the company loses to the outage will be justified if it satisfies your curiosity :D  I'll be looking forward to the results.



  • Well, sad to report, this did not work at all for outbound calls. I was unable to even pull up the Trixbox Control Panel (https://cp3.trixbox.com) while tcpdump showed no outbound traffic on the VoIP interface. It was as if the Trixbox lost all Internet connectivity while retaining LAN connectivity even though its IP settings pointed to the pfSense box as the LAN gateway. I could connect to it via SSH but asterisk -r showed no outbound calls or traffic going through the VoIP interface from the LAN - they were still going out the WAN interface and consequently were being rejected by Broadvox. The two rules on the LAN interface should have done the trick but it's as if pfSense totally ignored them. And yes, I moved them to the very top on the LAN rules page. The last thing I suppose I can try will be to upgrade pfSense to 2.1RC0 to see if this somehow works (I've read about issues with 2.0 & multi-WAN setups like mine) but I am totally out of options here and this has been going on for a month with no resolution.



  • I saw one of the HERO guys here saying that if gateway address isn't stipulated in the WAN interface setups using multiwan that your rules may get ignored or have no effect. (something to that effect anyway).

    Do you have gateway address stipulated in the WAN interface setup?



  • @kejianshi:

    I saw one of the HERO guys here saying that if gateway address isn't stipulated in the WAN interface setups using multiwan that your rules may get ignored or have no effect. (something to that effect anyway).

    Do you have gateway address stipulated in the WAN interface setup?

    Most definitely. See attached.