VoIP with Auerswald 5020 and 1&1 + Sipgate behind pfSense

  • I have an issue with setting up VoIP correctly. PfSense replaced an AVM FritzBox 7170.
    Old working config: Port forwarding from FritzBox: SIP UDP 5063 + 5067 –> Auerswald 5020 (TK)

    Now incoming calls do not work properly.
    (With the same Sipgate account calling is possible in both directions with a SIP-phone from the same LAN)

    1&1 = number not reachable
    Sipgate = phone ringing but no voice connection, rings further after hanging up for a few seconds

    Port status COMpact 5020 VoIP:

    Port overview:

    Network structure:
    adsl-modem <–-WAN (PPPoE, dynamic IP)---> pfSense <–-LAN(> internal network

    System Information: v2.1-RELEASE (amd64)
    Installed Packages:  arping 2.09.1 |  Lightsquid 1.8.2 pkg v.2.33 | OpenVPN Client Export Utility 1.2.4 | Sarg 2.3.6_2 pkg v.0.6.3 | squid 2.7.9 pkg v.4.3.3

    On the internal network there is the VoIP server Auerswald 5020 (alias TK).

    DNS-Servers list on Dashboard: (assigned from ISP) (assigned from ISP) (ISP DNS, Use gateway: WAN_PPPOE)

    System: Advanced:
    checked = Allow DNS server list to be overridden by DHCP/PPP on WAN
    unchecked = Do not use the DNS Forwarder as a DNS server for the firewall
    checked = Disable DNS Rebinding Checks
    Firewall Optimization Options = conservative
    checked = Disable Firewall Scrub
    NAT Reflection mode for port forwards = Enable (NAT + Proxy)

    NAT: Port Forward


    Firewall-Rules WAN:

    Firewall-Rules LAN:




    What does that arrow before LAN mean? (Direction = out). Why is that traffic from the proxy server blocked to LAN?










    I hope I have provided enough information so far.


  • Good luck, until yesterday when I upgraded to 2.1 my VoIP immediately stopped registering with the service provider… I created a new thread at the same time as yours!

  • As of now my COMfortel 3500 also has an issue registering the Sipgate account. I hit deactivate/activate several times and it is online at the moment. Problem with dynamic IP???

    Any idea?

  • 2 things come to my mind:

    A package (or many) is blocking or redirecting packets from/to the SIP server. If that's the case, you have to do some testing: deactivate certain firewall rules and packages, and see when things come back to normal.

    Otherwise, do you have Snort installed?  Snort works fairly well, but can also be a major PITA.  Look in Snort's alerts at the moment someone tries to use the VoIP system.

    For me, it was mainly Snort.  The problem was crystal clear:  Someone would call, the phone would ring once or twice, then stop.  At first I thought they hung up on me before I had a chance to pick up the phone, then I realized Snort was blocking the communication packets.  Same was true when I made a call.

    I see you use squid.  I personally got rid of this package.  I am still not sure if I have a hardware limitation on my current pfsense box, or is it squid that has MAJOR issues, but the package kills everything.  It worked back around 2010 but after that, it became a nightmare.

  • OK, no Snort. Try that to untick the LAN interface in Squid config screen.
    Please look at my firewall screenshot nr. 2, port 10000 is blocked but I do not know why? Necessary for STUN?

  • So far I'm not familiar with pfSense. If it doesn't work as expected and there is no solution I have to go back to my old Fritzbox.

    Please help!!

    Best regards

  • Not even ONE answer in 7 days???

    Why? Please help, I have no idea…

    This is open source and I probably know anybody here has the answer. I'm very disappointed.

  • Any idea?

  • Is this still open? I cannot see the pictures in your original post. Can you post these again here in the forum?

  • Yes, problem is still there.

    Sorry, I can't edit my post. Here is a link where you can see the pictures:


  • Ok, got it. I would recommend changing your second Outbound NAT rule: make it valid for ports from 5060 through 5067 and disable STUN.

    Also I second lpallard. Get rid of squid / snort at least until your phones work.

  • Thank you for your message. I will test that when I have enough time and give feedback.

