Iax behind nat (dynamic ip address)

  • Hi all.

    We try to use an asterisk box with IAX2 behind pfsense NAT.
    Our WAN interface (PPPOE) becomes everyday a new ip address.
    After getting the new addresses asterisk does not work anymore (= can no longer register at the other asterisk box in the net).
    We think this is related to the state not being updated.
    We tried everything, even use static port, but nothing helps.

    Any idea?


  • This is a problem of yor asterisk box. It has to reregister the connection frequently to the other end. If the IP changes it has to do a complete reregistration so the other end drops the old connection for the old IP it had before.

  • hi,
    i have the same issue with our sip and iax connections. if i reset states on pfsense than the connections come up again (does asterisk do a complete re-registration? How does asterisk become to know to do so?). re-registering could be done manually by script, but seems not necessary for asterix greater 1.2xx (sip.conf has entries for extern-ip with dyndns). is it still a firewall-configuration issue?


    additional: i restarted asterisk-box (without resetting states) does not solve this issue. sip and iax providers still unreachable. i reloaded sip on asterisk box. still the same unreachable ports-issue. only resetting states solves this loosing of sip and iax connections after 12 hours (when ip changed, i guess). seems more a firewall-problem. or a problem of the update-interval of the dyndns-client or the dns-server on pfsense? or a problem of pfsene, recognising IP-change on PPPOE Interface (here)?why is is working again simply after resetting states? any hints?

    additional: sip and iax connection on asterisk lost after change of IP (i logged this). the dyndns entry is valid with the new ip, the asterisk box has the new dns-resolved-ip for the dyndns-entry. maybe a problem that the sip and iax provider do not recognise the changed ip? some hints from sip-experts maybe? turned on sip-debug on asterisk-box. shows somehow that asterisk (or sip-provider?) will still connect to old ip. im am not expert enough to read the sip-debug right. and i have no clue how to intervene the sip-registering process. reload of sip an asterisk brings new ip into sip-debug and ongoing sip-registration, but does not resolve problem of lost sip and iax connection, also restart of asterisk does not resolve this problem. asterisk is ver 1.2.13. maybe asterisk-experts have a clue?

    but still seems firewall-problem to me, because resetting states on pfsense alwas solve this problem.
    i looked in the states-table and long after the change of the dynamic-ip i found an entry with the old one. looks like:

    udp -> ->  MULTIPLE:MULTIPLE
                                              still old-IP, why this?

    i removed this entry by hand by pressing the x-tab on the states-table and, whow!, problem solved manually. the connection has re-established again. remember, i reloaded sip on the asterisk command line bevorhand. sip client is now correctly registerd again.

    question arises: must the state-type in the firewall-rule for this sip port-entry be set to a certain value? or should there be a state-timeout set under advanced options for this sip-port udp-rule. no obvious clue for this to me.

    pfsense is 1.2-RC3 (built on Wed Nov 14 10:46:07 EST 2007), the state-type of the firewall-rule for the sip-port 5060 was and is still set to "none" (is this the right value?), and the firewall-optimisation-option under /system/advanced is set to conservative (right?).

    anybody with some hints for troubleshooting? slowly geting desperate for direction to go into pfsense now …

  • this whole thing seems to be 3 problems (one on pfsense and two on asterisk side)

    1. state-table on pfsense stays with old ip - even after change of ip on pppoe-interface
        possible solution: certain state-configuration for natted sip-port ?

    2. bug in sip-implementation of asterisk (hints here, here, only for certain asterisk-versions?)
        possible solution: on asterisk-command-line (cli) reload of sip ("sip reload") after change of ip.

    3. bug in iax-implementaton of asterisk (hint here, here).
        possible solution: on asterisk-command-line (cli) reload of iax2-channel after change of ip.

    still looking for some hints to find working automatic-unattendend-solution for this probably 3-in-1-problem…..

  • ???

    there remains one open question:

    is it a bug, that pfsense forgets to update the states-table after change of IP on a PPPOE-Wan interface?

    How to come over it? Script it to trigger states-table-reset for sip and iax natted ports after pppoe-restart in /etc/rc.newwanip ? (similar problem here) or still a Bug-Report for pfsense.

    i would strongly appreciate help, If someone could confirm this as a bug - or has a hint to a workaround. i love pfsense and would strongly stay with it…


  • :o
    tryed to help myself. poor solution, sure, but hopefully something better comes up…

    updated to 1.2RC4 does not have helped, so edited /etc/rc.newanip and added hardcorded states-reset for sip and iax2 provider. (as i mentioned: poor, but working):

    /* if everything normal is done, reset SIP states (until bug-fix comes up) */
    if($old_ip <> $curwanip) {
            log_error("bug-fix for sip and iax: ip changed $old_ip ->  $curwanip ... killing states to sipgate and dusnet.");
            /* statereset: asterisk internal to sip sipgate external */
            exec("/sbin/pfctl -k -k 2>/dev/null");
            /* statereset: asterisk internal to iax2 dusnet external */
            exec("/sbin/pfctl -k -k 2>/dev/null");

    hopefully something more high-level desinged as pfsense is as a whole comes from a brighter pfsense-lover…

    asterisk is doing fine whithout any intervention. only pfsense-states must be resettet after change of wan-ip (pppoe) which i have every 24 hrs...


  • hi,
    as it seems that some threads in this forum will never show up at the end with a solution, the described problem seemed to be solved after updating firmware to version 1.2 Release (final).

    pfsense was running 2 days without problems. now it appeared again.

    after change of ip on the wan interface (pppoe, german-DSL) a "state" tableentry remained with the old IP (another one correctly changed).
    pfsense is running now the actual firmware 1.2 (final, no RCs).

    why is this - and is this still a bug on this "MULTIPLE:MULTIPLE" states?
    What does state mean, why is another one somehow correct as MULTIPLE:SINGLE
    and what is the difference of MULTIPLE:SINGLE vs MULTIPLE:MULTIPLE ?

    (as i am editing this, the state multiple:single changed to multiple:multiple, so this does not seem to be the bug itself…)


    udp -> ->  MULTIPLE:SINGLE 
                                            new wan-ip
                                            still old-wan-ip

    do i have to dirty-hack the change-wan-ip-script again?

    best regards,

    ps.: after all pfsense seems best firewall ever and highly qualified work is constantly done on it. many, many, thanx to all makers and contributors!

  • http://www.ssfnet.org/Exchange/tcp/tcpTutorialNotes.html has some info about the state-mechanism.

  • hi,
    im testing Current version: 1.2.1-TESTING-SNAPSHOT.
    problem still persists. i will stay tuned ….


Log in to reply