Firewall HELP, VoIP won't work!



  • I get the following in the log (raw)
    and our Cisco 7940G won't work…. Our provider brought us a cheap D-Link for them to work on, but it seems they won't work with anything else. I even made rules, and it didn't help. We don't have any other problems. I am on the latest build of 1.2, dated today; I have tried traffic shaping and everything, and it won't work. They did work on Skinny, but we just got changed to SIP and now they won't work on pf.

    Sep 21 16:16:43 pf: 582619 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 49, id 32373, offset 0, flags [DF], proto: UDP (17), length: 58) 208.67.249.67.33673 > 67.79.181.215.56408: UDP, length 30
    Sep 21 16:16:43 pf: 000317 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 24665, offset 0, flags [DF], proto: UDP (17), length: 136) 208.67.249.67.33674 > 67.79.181.215.58860: UDP, length 108
    Sep 21 16:16:43 pf: 019943 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 56327, offset 0, flags [DF], proto: UDP (17), length: 136) 208.67.249.67.33682 > 67.79.181.215.58860: UDP, length 108
    Sep 21 16:16:43 pf: 000362 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 40472, offset 0, flags [DF], proto: UDP (17), length: 58) 208.67.249.67.33683 > 67.79.181.215.56408: UDP, length 30
    Sep 21 16:16:43 pf: 391922 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 25617, offset 0, flags [DF], proto: UDP (17), length: 544) 208.67.249.67.33669 > 67.79.181.215.56821: UDP, length 516
    Sep 21 16:16:44 pf: 612534 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 43813, offset 0, flags [DF], proto: UDP (17), length: 58) 208.67.249.67.33675 > 67.79.181.215.56408: UDP, length 30
    Sep 21 16:16:44 pf: 000257 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 49, id 47194, offset 0, flags [DF], proto: UDP (17), length: 136) 208.67.249.67.33681 > 67.79.181.215.58860: UDP, length 108
    Sep 21 16:16:47 pf: 2.989800 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 14102, offset 0, flags [DF], proto: UDP (17), length: 58) 208.67.249.67.33684 > 67.79.181.215.56408: UDP, length 30
    Sep 21 16:16:47 pf: 002443 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 60687, offset 0, flags [DF], proto: UDP (17), length: 136) 208.67.249.67.33685 > 67.79.181.215.58860: UDP, length 108
    Sep 21 16:16:47 pf: 397542 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 65352, offset 0, flags [DF], proto: UDP (17), length: 544) 208.67.249.67.33672 > 67.79.181.215.56821: UDP, length 516

    Thx
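
    The log lines above carry everything needed to see the pattern (which rule, which interface, which local ports the peer keeps hitting). The parser below is an added example written for this thread, not code from pfSense or from the poster; its regex is written against the exact line format quoted above (pflog decoded by tcpdump, as pfSense 1.2 logged it), and the three sample lines are copied from the post for offline testing.

```python
"""Parse pfSense 1.2-era pf log lines and summarize what is being blocked.

Added example for this thread; the regex targets the line format quoted in
the post above (pflog decoded by tcpdump), not a documented pfSense API."""
import re
from collections import Counter

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) pf: (?P<delta>[\d.]+) "
    r"rule (?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<direction>in|out) on (?P<iface>\w+): "
    r"\((?P<hdr>.*?)\) "                       # IP header summary, e.g. (tos 0x0, ttl 49, ...)
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<l4>\w+), length (?P<payload_len>\d+)$"
)
HDR_PROTO_RE = re.compile(r"proto: (?P<name>\w+) \((?P<num>\d+)\)")
HDR_FLAGS_RE = re.compile(r"flags \[(?P<flags>[^\]]*)\]")
HDR_TTL_RE = re.compile(r"ttl (?P<ttl>\d+)")

# Constructed sample input: three lines copied from the first post.
SAMPLE_LINES = [
    "Sep 21 16:16:43 pf: 582619 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 49, id 32373, "
    "offset 0, flags [DF], proto: UDP (17), length: 58) 208.67.249.67.33673 > 67.79.181.215.56408: UDP, length 30",
    "Sep 21 16:16:43 pf: 000317 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 24665, "
    "offset 0, flags [DF], proto: UDP (17), length: 136) 208.67.249.67.33674 > 67.79.181.215.58860: UDP, length 108",
    "Sep 21 16:16:43 pf: 391922 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 25617, "
    "offset 0, flags [DF], proto: UDP (17), length: 544) 208.67.249.67.33669 > 67.79.181.215.56821: UDP, length 516",
]


def parse_pflog_line(line):
    """Return a dict describing one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    hdr = m.group("hdr")
    proto = HDR_PROTO_RE.search(hdr)
    flags = HDR_FLAGS_RE.search(hdr)
    ttl = HDR_TTL_RE.search(hdr)
    return {
        "ts": m.group("ts"),
        "rule": int(m.group("rule")),          # rule number as pfctl -vsr shows it
        "reason": m.group("reason"),
        "action": m.group("action"),
        "direction": m.group("direction"),
        "iface": m.group("iface"),
        "proto": proto.group("name") if proto else m.group("l4"),
        "ttl": int(ttl.group("ttl")) if ttl else None,
        "df": bool(flags and "DF" in flags.group("flags")),  # relevant to the 'Clear DF bit' option
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "payload_len": int(m.group("payload_len")),
    }


def summarize_blocks(lines):
    """Group blocked packets so the pattern is visible at a glance:
    which rule, which interface/direction, which peer, which local ports."""
    recs = [r for r in map(parse_pflog_line, lines) if r and r["action"] == "block"]
    return {
        "count": len(recs),
        "rules": Counter(r["rule"] for r in recs),
        "ifaces": Counter((r["direction"], r["iface"]) for r in recs),
        "peers": Counter(r["src"] for r in recs),
        "local_ports": Counter((r["proto"], r["dst"], r["dport"]) for r in recs),
        "all_df": all(r["df"] for r in recs),
    }


if __name__ == "__main__":
    summary = summarize_blocks(SAMPLE_LINES)
    print(f"{summary['count']} blocked packets, rules {dict(summary['rules'])}, on {dict(summary['ifaces'])}")
    for (proto, ip, port), n in summary["local_ports"].most_common():
        print(f"  {proto} to {ip}:{port}  x{n}")
```

    Run it against `clog /var/log/filter.log` output (or a saved copy) instead of the sample list; the local ports it prints are the ones to compare against the outbound NAT state table and any port forwards, and a rule number that matches the last "block all" entry of `pfctl -vsr` means no pass rule or state matched at all.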



  • How is your network set up? What rules do you have?
    This log output only says that some traffic is being blocked, and nothing else.



  • That is, the traffic being blocked is what I need. I have everything wide open right now, allow all in and allow all out, and I have even tried direct individual to-and-froms.

    What is being logged is below, nothing else, as all else is passing and what's being logged is what makes it stop. From my VoIP provider: it's just these Cisco 7940 phones, and SIP doesn't work well with firewalls, but I would hope that with how flexible pf is we could determine what needs to be done.

    What can I do to make the box not block the below?

    Thx



  • Could it be that your allow rule only allows TCP traffic and no UDP?
    If you say you have a rule that allows anything, then I assume that rule 191 is the default invisible block-everything rule that sits below every other rule.



  • I have it set to ANY, but have also tried TCP/UDP, and also just UDP.

    It seems that these phones do something that makes the box still block it.

    I have even tried, just for kicks, to forward an entire public IP to one phone with everything allowed in and out, and still the same problem.

    The system the phones try to talk to uses only UDP, and I have the server IP and all the ports, and no matter what it won't work. It's a Trixbox VoIP server that our provider is using right now. Any other phones work, and the software-based ones do, which all use the same ports, but these Cisco 7940Gs won't. Yet they work on a cheap D-Link. They told us they can't get the Cisco phones to work with anything but this one D-Link, and they even hope I can find a way around this.

    Anyone else have any idea? There's got to be something that can be changed to make it happy. I did a few Google searches and found a few people with the same issue, and no one answering how to correct it for them either.

    Thx



  • Try changing … "Clear DF bit instead of dropping" in the System > Advanced menu …

    The VoIP packets can be fragmented …

    To see which rule is blocking,

    use the command pfctl -sr in the shell.



  • Still no luck…

    I heard from a friend who said they talked to Scott, and it was said to be a known issue that pfSense is doing something to the packets. It only affects certain phones, and I guess our Cisco phones are one of them.

    Can anyone confirm this, and any idea if it will get fixed? It is said this was not an issue with 1.01, but with all the version changes in the code for 1.2 it was broken by something new…



  • I have a dual-WAN setup with a Trixbox set up behind the LAN. I was able to get a remote extension ported through the firewall to my home. I have ports
    10000-20000 UDP open
    5004-5090 TCP/UDP
    4569 UDP open

    Also make sure you have the NAT pointing correctly.

    I did have this setup working on a Cisco 7940/7960.
    The 7912 was giving me a little attitude, but it worked… sorta.



  • Well, we have multiple phones, but I can't even get it to work with one… I even set all ports UDP/TCP open and forwarded to the one phone, and no go.

    What firmware did your 7940/7960 have? Ours worked with pfSense also until our provider switched over to SIP, then it stopped… It seems that these phones do something on SIP that the firewall doesn't like, or is not doing right itself.

    It all worked fine when the phone was aeg, but SIP just did it in… They are on the latest firmware and the firewall is on 1.2RC3…



  • @cybercare:

    I heard from a friend who said they talked to Scott, and it was said to be a known issue that pfSense is doing something to the packets. It only affects certain phones, and I guess our Cisco phones are one of them.

    Can anyone confirm this, and any idea if it will get fixed? It is said this was not an issue with 1.01, but with all the version changes in the code for 1.2 it was broken by something new…

    This is absolutely not true; don't spread FUD.

    It's actually much less likely that VoIP gets broken in the 1.2 snapshots, because normal SIP port 5060 traffic isn't source-port rewritten by default. Yours doesn't use 5060, though. You probably need static port, which is what everybody needed in 1.0, but now only systems that use atypical ports require it.
    http://doc.pfsense.org/index.php/Static_Port
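
    Why an atypical SIP port needs static port, as a toy model added for this thread (not pfSense's or pf's NAT code, and not from the poster). Assumptions, labelled in the code: the behaviour described above, where 5060 keeps its source port by default and any other source port is rewritten unless the outbound NAT rule carries static port (pf syntax: `nat on $wan from $lan to any -> ($wan) static-port`); a phone that is not NAT-aware and therefore advertises its own LAN port inside SIP/SDP; and a provider that either answers to the port it received the packet from, or sends to the advertised port (new dialogs, RTP) from its SIP listener port. The WAN and provider addresses are the ones in the log above; the phone's LAN address and the provider's listener port are made up.

```python
"""Toy model of outbound NAT source-port handling for SIP over UDP.

Added example for this thread; a simplified model, not pfSense's or pf's
actual NAT implementation.  Assumptions are marked below."""
import random

WAN_IP = "67.79.181.215"          # from the log in the first post
PROVIDER_IP = "208.67.249.67"     # from the log in the first post
PROVIDER_PORT = 5060              # assumed: provider's SIP listener
PHONE_LAN_IP = "192.168.1.50"     # hypothetical LAN address of the 7940
DEFAULT_KEEP = frozenset({5060})  # assumed default: 5060 is not rewritten


def translate_source_port(sport, static_port, rng):
    """Choose the WAN-side source port for an outbound UDP flow.

    static_port=True models an outbound NAT rule with pf's 'static-port'."""
    if static_port or sport in DEFAULT_KEEP:
        return sport
    # Random ephemeral port, forced to differ from the original so the
    # simulation shows the mismatch instead of getting lucky.
    while True:
        p = rng.randint(49152, 65535)
        if p != sport:
            return p


class StateTable:
    """Minimal pf-like UDP state table, keyed on the full WAN-side 4-tuple."""

    def __init__(self):
        self.states = {}

    def add_outbound(self, lan_port, wan_port):
        key = ("udp", WAN_IP, wan_port, PROVIDER_IP, PROVIDER_PORT)
        self.states[key] = (PHONE_LAN_IP, lan_port)

    def inbound(self, dst_port):
        """Return ('pass', lan_ip, lan_port) on a state match, else ('block', None, None)."""
        key = ("udp", WAN_IP, dst_port, PROVIDER_IP, PROVIDER_PORT)
        hit = self.states.get(key)
        if hit is None:
            # No state and no port forward: the packet falls through to the
            # default block rule and is logged as 'block in on <wan>' to dst_port.
            return ("block", None, None)
        return ("pass",) + hit


def simulate(phone_port, static_port, provider_targets, seed=1):
    """One outbound SIP message from the phone and one packet back.

    provider_targets: 'received'   -> provider replies to the source port it saw
                      'advertised' -> provider sends to the port named in SIP/SDP
    Returns 'pass' or 'block'."""
    rng = random.Random(seed)
    table = StateTable()
    wan_port = translate_source_port(phone_port, static_port, rng)
    table.add_outbound(phone_port, wan_port)
    advertised = phone_port  # assumption: the phone is not NAT-aware
    target = wan_port if provider_targets == "received" else advertised
    return table.inbound(target)[0]


def matrix():
    """Run the cases that matter for the thread and return {case: result}."""
    cases = {
        "5060, no static port, provider -> advertised port": (5060, False, "advertised"),
        "56408, no static port, provider -> received port": (56408, False, "received"),
        "56408, no static port, provider -> advertised port": (56408, False, "advertised"),
        "56408, static port, provider -> advertised port": (56408, True, "advertised"),
    }
    return {name: simulate(*args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, result in matrix().items():
        print(f"{result:5s}  {name}")
```

    The second and third cases are the ones to keep in mind when reading the log: direct replies to the rewritten source port still pass, so the phone can get "just enough" to look half-alive, while anything the provider sends to the port the phone advertised has no matching state and is logged against the default block rule. Static port removes that mismatch; it does not help if the provider sends from a different source port or address than the one the state was created against.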



  • Anyone have any update on this?

    I still have no luck… I have a Trixbox server set up at a colo, working; all remote phones can connect to it except the ones that are behind pfSense… They can't download the configuration and do not register… They connect just enough to get the time/date…

    I have opened all ports, the firewall log shows nothing blocked, so I am just lost… Our softphones work fine through pfSense, just these darn Cisco 7940 phones won't…

    The phone, if I go to Status, just says W250 TFTP Error: Timeout.

    If I put it behind a cheap D-Link router, it will work though… (I know the D-Link doesn't filter crap, which is why it works, I am sure.)

    And I still have it set up to do static ports even, as suggested… That does not seem to matter; either way it won't work, lol.



  • SSH into pfSense,
    open /etc/inc/filter.inc for editing.

    Find this in that file:
    #---------------------------------------------------------------------------
    # default rules (just to be sure)
    #---------------------------------------------------------------------------
    Comment out these 2 lines:
    block in $log quick all label "Default block all just to be sure."
    block out $log quick all label "Default block all just to be sure."

    Save and see if it blocks packets!

    Try even to see if your provider has some kind of SIP gateway/proxy that you can configure on the phones.

    Even though what cmb suggests is true, use static port.



  • Well, tried it, and no difference…

    But right now I don't get any blocks that show… I did originally, as seen in the first post a few months ago, but now it does not show blocks anymore (I have had rules in place forever).

    Other than this, any other suggestions?

    It seems it won't register or download its configs via TFTP, but it can get the time and date, lol.

    Thx in advance



  • You need a TFTP proxy. AFAIK this is a feature in HEAD, and it will be available in 1.2 or 1.3 if you push it with a bounty.



  • That just doesn't seem right… pfSense supports TFTP; it even has it listed as rules?

    But okay, that explains the TFTP part, but what about the phones?

    I can get the configuration to the phone, but it still won't talk to the server… Does it need a SIP proxy too?

    I know pfSense has a package for one, just not sure if that's right for my setup, and it does not seem to work…

    The cheap D-Link that works has an ALG for SIP, which is why it works…

    As for doing a bounty, it's pointless for me then, because they won't put any new features in 1.2 from my understanding, and 1.3 is so buggy and not even public to mess with… I just would think this wonderful, flexible firewall could do simple things… I know other people have SIP working through it fine, but whatever these Ciscos are doing that it does not like just sucks… Our softphones work fine through pfSense. Argh…



  • Ask Cisco to fix their crap ;D Actually, SIP is not that trivial, and it has the same design problems as FTP, for example. I sometimes just can't understand why they build such a crappy protocol knowing that things like firewalls or NAT are involved everywhere nowadays. Your softphones are probably using STUN servers and are working therefore. Does the Cisco gear support assigning a STUN server too? If yes, you can give this a try.



  • The softphones are not doing STUN, as the server does not support it…

    I have control of the phone server. 🙂

    I understand that this is most likely because Cisco did something probably non-standard, but I just would think that if the cheap, no-good routers have the options to turn on that fix it, pfSense could have one. I understand security may go down a little, but I'd rather have the pf box with less security because of it than this $40 D-Link… lol



  • Cyber–

    Hey, I have the same problems you are having also. I did try this, and it works great, except you need a 2nd pfSense box running OpenVPN.

    I set up a VPN tunnel between the client and, obviously, the server, and the Cisco 7940/7960 works great! The downside is you need a box to do the VPN shit, and the other is, it is a piggy on the bandwidth, somewhere around 139 kb/s up/down; I think it is 70 kb for the voice and the rest is all encapsulation of the VPN.

    But I did have this working well and thought I could do an ALIX on the remote side and hook a Linksys router in bypass mode just for the extra physical ports and the Wi-Fi ability. But that thing doesn't like to do a live install where you can use packages.



  • I was kind of wondering about the VPN part… We have an IPsec tunnel between us and a data center, and I was thinking of trying the phone server at that location and seeing if it would work through the VPN. But I agree, I don't like extra overhead, and that does not help me with other remote clients; it only would help for the main office.

    Ugh… I just wish things would work, lol. We are going to end up ditching pfSense because of this, and I did not want to do this, but my options are gone. It works with routers that have ALG and SIP as an option; just hope someone can maybe make a package or something.



  • Hey, from what I can tell,
    the pfSense starter m0n0 is running VoIP like there is no tomorrow. What is the difference that pfSense is stuck on?
    I would really like to keep the Asterisk server behind the firewall for obvious reasons. So is there something that should be done in a different part of pfSense?



  • My problem is only with the Cisco phones, and I do NOT have a problem if the Trixbox is behind pfSense. I only have the problem if the phone is behind one… I have the Trixbox on public WAN. The problem is not the server end; it's the client end. The softphones work fine also, but the Cisco phones just won't play nice…

    I am going to try what one of the other members said as far as changing the time from 60 to 30, but I am a little doubtful still…



  • Is this a remote office that will have several phones? Or a couple of mobile users that want to pick up their phone and use it at any location?

    If it is a remote office, set up an Asterisk/Trixbox server and run a TFTP server on it. Set your remote Asterisk server to use SIP as a trunk to the main PBX, and then have your phones talk to the local phone system.

    Honestly, the Cisco phones are not the right choice for mobile use. The configuration coming to the phone over TFTP is a huge security risk. Since these phones get their config from TFTP, I believe they were designed for use on a LAN where the VoIP server also resides. Ring tones have to be downloaded from the TFTP server. You could get around this by setting up a local TFTP server at the remote location so that the configs and ringtones come locally. As far as SIP working over the pfSense WAN, that does work. I've done it with multiple softphones, Linksys PAP2Ts, SPA3102, and the SPA942. However, I have not yet tried it with my Cisco 7940; if I get time soon I will give it a try and report what happens.

    The Linksys devices such as the PAP2T and the SPA942 are a much better choice for picking up the phone and using it at any location: it stores its config, doesn't require TFTP, the web interface is simple, and the SIP support is very good.



  • Alright people–

    I have a Linksys WIP300 Wi-Fi IP phone (kind of a cheap phone, but it works well).
    I have forwarded the ports
    5004-5082
    10000-10050 (I edited the RTP ports on the Trixbox)
    and I think that's all I need (this is all from the top of my head now).

    What am I doing wrong that I can't get the phones to register/hook up to the server via the internet… I must be the only IT10 Error here on this forum.



  • Did you set up static port? This fixes all of my SIP problems. Below is a link to the settings I used for my Asterisk box.

    http://forum.pfsense.org/index.php/topic,7151.msg40557.html#msg40557



  • I have static ports on.

    The best I can get the phones to work is: I CAN get it to TFTP through pfSense, and the phone box thinks it's registered and the phone gets the time, but it just does not register itself, because it can't call out or in and has the X on the extension.



  • Did you try the siproxd package?



  • Last time I tried to use the SIP proxy, it didn't work.

    Also, what about setting "Clear DF bit instead of dropping" in the Advanced tab???



  • I had no luck with any of it… I have tried everything I could find and/or think of… 😞



  • Any other ideas, guys? I know it's been a while, but I've been busy.

    Here is what I have set up right now.

    pfSense 1.2 final

    Trixbox 2.6.0.0.7 with a 1:1 NAT… The phones inside our office work fine, so the TB can talk to our provider fine, but any phones outside our office can't talk to our TB… I even put a phone on a public static IP and set our firewall to allow ALL traffic from that IP, and it still would not work… The phone hangs getting the TFTP file for a while, then just gives up… It's odd, because the phone shows the file it's trying to get but just does not get it. I have tried everything on this board I can find, even tried different TB installs, and our firewall has been upgraded/reinstalled even, to make sure.

    Is it just lost hope with these darn Cisco phones and pfSense? This would not be a problem, but we have 3 phones outside our office that need to connect, and I really don't want to have to put the phone on the direct WAN…



  • I have succeeded in getting the Linksys PAP2T and SPA942 phones working with Trixbox and FreeSWITCH from in and out of the office. I also have a Cisco 7940 and have used it successfully in the office. However, I don't count any phone that requires a TFTP server to pick up its config as a really good choice for an out-of-office phone. It's probably possible, but more complex because of the TFTP server. If I were to attempt this with the 7940, one method would be to set up a TFTP server and install that inside the external network, then copy the TFTP files to that TFTP server. The next choice is to set up a remote firewall that establishes a VPN and use the main TFTP server. Another choice is to use a phone that doesn't require a TFTP server, like the Linksys SPA942. Perhaps the final choice is to put up a bounty for siproxd, OpenSER, or a step-by-step tutorial specifically for an external Cisco TFTP phone.

    Some people have mentioned in this thread that SIP was designed poorly. I thought the same thing for a period of time. However, the design allows for a SIP session to be set up and maintained at one location (useful for billing purposes), while the RTP (audio) can be moved to another provider; in other words, you can initiate the call and skip the man in the middle. That can mean better audio.


© Copyright 2002 - 2018 Rubicon Communications, LLC