PfSense is blocking my VoIP calls.



  • Hi, I installed pfSense 2.1 and configured port forwards the same as on my old router.
    VoIP calls won't connect since installing pfSense.

    What settings apart from the port forwards do I need to do?



  • You may need to configure Static Port outbound NAT for your VOIP server/devices.



  • Do you mean I need to configure my new pfSense router,
    or I need to configure my VoIP server?


  • Netgate Administrator

    He means in the pfSense box:
    https://doc.pfsense.org/index.php/Static_Port

    Also look through this if the above change doesn't solve the problem.

    https://doc.pfsense.org/index.php/VoIP_Configuration

    Steve



  • Okay, I set up the Static Port.
    I set up the VoIP Configuration > Disable source port writing (same as Static Port).
    I set Conservative State Table Optimization.
    I didn't use the siproxd package as this seems to be for multiple phones. I am using one VoIP phone.
    I didn't disable scrubbing, as I don't think it's necessary.

    VoIP phone has dial tone, but won't connect to outgoing calls and won't receive incoming calls. Works fine without pfSense.



  • I'm on PF version 2.1 and have a mix of Polycom and Siemens SIP phones and a Linksys PAP2T ATA. My SIP provider is voip.ms. I have not changed any of the default PF settings and I'm not using port forwarding for VOIP. Here are a few things you could try on your phone or ATA:

    Use port 5080 instead of 5060

    Set register expires to 180 seconds

    Set NAT keep alive interval to 15 seconds



  • My bet is that your RTP streams come from a different source IP than your SIP server.

    You need to find out the address(es) that your RTP streams come from and create rules to let them through.

    Otherwise, to the firewall, they are unsolicited connections and therefore blocked.



  • Thanks for the suggestions.
    I think the VoIP phone isn't working because the pfSense port forwards aren't correct.
    Port 5060 is forwarded.
    Maybe the network isn't right.
    Should only port 5060 be forwarded?
    It seems my old router didn't need port 5060 forwarded for the VoIP phone to work.


  • Netgate Administrator

    What was your old router? What settings did you have on it to have VoIP work? Were you using upnp?

    The big difference between pfSense and other routers is that pfSense re-writes the source port of outgoing NAT'd traffic by default. Once you have disabled that, the other thing is that (the evil that is) UPNP is disabled by default. If your VoIP phone relies on that you'll have to either forward the ports manually or turn on UPNP, though if you do I recommend you restrict it as much as possible.

    Steve



  • I always hate to hear when a voip carrier tells its people to forward ports to a device…

    Like I mentioned, your RTP is most likely coming from a different server than your SIP registration. You need to watch your firewall logs and see what gets blocked as you try and make a call. The most likely reason your old device worked is it didn't have a firewall.

    You might want to attempt the siproxd package. You're going to need to know which RTP ports your device is set to use. Linksys devices generally come set with 16384-16482 and Grandstream uses 5004-5059. I'm not familiar with others but it's not too hard to figure out.

    Or you could simply try creating firewall rules for your SIP and RTP servers to let them reach the device.

    WAN  udp  (SIP Server IP)  (SIP server SIP port)  (LAN ip of your device)  (ATA SIP Port)
    WAN  udp  (RTP Server IP)  *                      (LAN ip of your device)  (its RTP port range)

    SIP was not originally designed to be NAT'd and designers have gone through hoops to make it work.
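
The claim in the post above, that RTP arrives from a different host than the SIP server, can be checked from a capture of the call setup: the SDP body of the provider's reply names the media address. This is an added example, not part of the thread; the sample message and all addresses are constructed (documentation ranges), and the function names are hypothetical.

```python
import re

# Constructed sample: a SIP 200 OK as a phone might receive it from its provider.
# Addresses are RFC 5737 documentation ranges, not real servers.
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "Contact: <sip:gw@198.51.100.10:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 3724 3724 IN IP4 198.51.100.10\r\n"
    "s=call\r\n"
    "c=IN IP4 203.0.113.77\r\n"
    "t=0 0\r\n"
    "m=audio 14820 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

def media_endpoints(sip_message):
    """Return [(media_type, ip, port)] from the SDP body of a SIP message."""
    _, _, body = sip_message.partition("\r\n\r\n")
    session_ip, current, out = None, None, []
    for line in body.splitlines():
        c = re.match(r"c=IN IP4 (\S+)", line)
        m = re.match(r"m=(\w+) (\d+)", line)
        if m:
            current = [m.group(1), session_ip, int(m.group(2))]
            out.append(current)
        elif c and current is None:
            session_ip = c.group(1)      # session-level c= applies to all media
        elif c:
            current[1] = c.group(1)      # media-level c= overrides it
    return [tuple(e) for e in out]

def rtp_from_other_host(sip_server, sip_message):
    """True if any audio stream is announced from an IP other than the SIP server."""
    return any(k == "audio" and ip != sip_server
               for k, ip, _ in media_endpoints(sip_message))

def wan_rules(sip_server, sip_port, phone_ip, phone_sip_port, phone_rtp_range, sip_message):
    """Rows in the thread's layout: iface, proto, src, src port, dst, dst port."""
    rules = [("WAN", "udp", sip_server, str(sip_port), phone_ip, str(phone_sip_port))]
    for kind, ip, _port in media_endpoints(sip_message):
        if kind == "audio":
            # Source port stays "*" as in the thread: the m= port is where the
            # provider receives RTP, not a guaranteed source port.
            rules.append(("WAN", "udp", ip, "*", phone_ip, phone_rtp_range))
    return rules
```
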



  • It's working now.
    Port forward and default gateway needed to be resaved to point to the new pfSense gateway.

    Thanks for the suggestions :)