Help! Apparently Fallen Victim to the Dreaded SIP / Reset Tables VOIP Problem…



  • I have a pfsense box with three interfaces - 1 fibre broadband WAN, 1 LAN and 1 LAN to wifi access point with a captive portal.

    I set up an Elastix PBX box with 2 SIP extensions and two SIP trunks - one inbound and one outbound.

    From what I can gather, pfsense doesn't like more than two interfaces when SIP is used and problems can occur with dropout etc.
    What I am seeing is loss of trunks resulting in lost calls and inability to call out, usually fixed by resetting pfsense.

    I set the Firewall Optimization Options to "conservative" which has helped somewhat but it still isn't working as it should.

    I have forwarded the SIP ports (5060-5061) etc to the elastix box and have tried NAT rules also. The standard NAT rules are disabled at the moment, and I have made a Manual Outbound Rule as follows:

    Interface  Source  Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port
    WAN        any     udp/5060     *            udp/*             WAN address  *         YES

    None of this has made a difference.
    I have two other pfsense boxes in operation, one with two interfaces and the other with 3 interfaces, though the lan and wifi are bridged.
    These work perfectly with elastix and other asterisk pbx's.
    This one has identical hardware to one of the others.

    It occurs to me that I haven't checked the configuration of the Linksys managed switch in this setup which appears to have a static address on a different network - I will do that at some point today.

    Here is a sample of the asterisk logs showing the disconnections:

    
    Feb 15 00:00:01 VERBOSE [2708] asterisk.c: -- Remote UNIX connection
    Feb 15 00:00:01 VERBOSE [7114] asterisk.c: -- Remote UNIX connection disconnected
    Feb 15 00:00:21 NOTICE [2894] chan_sip.c: -- Registration for 'user@sip.voipcheap.com' timed out, trying again (Attempt #7)
    Feb 15 00:00:41 NOTICE [2894] chan_sip.c: -- Registration for 'user@sipgate.co.uk' timed out, trying again (Attempt #9)
    Feb 15 00:01:01 NOTICE [2894] chan_sip.c: -- Registration for 'user@sip.voipcheap.com' timed out, trying again (Attempt #8)
    Feb 15 00:01:21 NOTICE [2894] chan_sip.c: -- Registration for 'user@sipgate.co.uk' timed out, trying again (Attempt #10)
    Feb 15 00:01:41 NOTICE [2894] chan_sip.c: -- Registration for 'user@sip.voipcheap.com' timed out, trying again (Attempt #9)
    Feb 15 00:01:41 NOTICE [2894] chan_sip.c: -- Registration for 'user@sipgate.co.uk' timed out, trying again (Attempt #11)
    Feb 15 00:01:41 NOTICE [2894] chan_sip.c: Peer 'voipcheapout' is now Reachable. (37ms / 2000ms)
    Feb 15 00:01:51 NOTICE [2894] chan_sip.c: Peer '101' is now Reachable. (22ms / 2000ms)
    Feb 15 00:01:51 NOTICE [2894] chan_sip.c: Peer '102' is now Reachable. (55ms / 2000ms)
    Feb 15 00:04:16 NOTICE [2894] chan_sip.c: -- Registration for 'user@sipgate.co.uk' timed out, trying again (Attempt #2)
    Feb 15 00:04:36 NOTICE [2894] chan_sip.c: Peer 'voipcheapout' is now UNREACHABLE!  Last qualify: 40
    Feb 15 00:04:56 NOTICE [2894] chan_sip.c: -- Registration for 'user@sip.voipcheap.com' timed out, trying again (Attempt #3)
    Feb 15 00:05:01 VERBOSE [2708] asterisk.c: -- Remote UNIX connection
    Feb 15 00:05:01 VERBOSE [7128] asterisk.c: -- Remote UNIX connection disconnected
    Feb 15 00:05:16 NOTICE [2894] chan_sip.c: -- Registration for 'user@sipgate.co.uk' timed out, trying again (Attempt #3)
    Feb 15 00:05:16 NOTICE [2894] chan_sip.c: Peer '102' is now UNREACHABLE!  Last qualify: 54
    Feb 15 00:05:36 NOTICE [2894] chan_sip.c: -- Registration for 'user@sip.voipcheap.com' timed out, trying again (Attempt #4)
    Feb 15 00:05:36 NOTICE [2894] chan_sip.c: Peer '101' is now UNREACHABLE!  Last qualify: 26
    Feb 15 00:05:56 NOTICE [2894] chan_sip.c: -- Registration for 'user@sipgate.co.uk' timed out, trying again (Attempt #4)
    Feb 15 00:06:16 NOTICE [2894] chan_sip.c: -- Registration for 'user@sip.voipcheap.com' timed out, trying again (Attempt #5)
    Feb 15 00:06:36 NOTICE [2894] chan_sip.c: -- Registration for 'user@sipgate.co.uk' timed out, trying again (Attempt #5)
    Feb 15 00:06:56 NOTICE [2894] chan_sip.c: -- Registration for 'user@sip.voipcheap.com' timed out, trying again (Attempt #6)
    Feb 15 00:07:06 NOTICE [2894] chan_sip.c: -- Registration for 'user@sipgate.co.uk' timed out, trying again (Attempt #6)
    Feb 15 00:07:06 NOTICE [2894] chan_sip.c: Peer '101' is now Reachable. (47ms / 2000ms)
    Feb 15 00:07:06 NOTICE [2894] chan_sip.c: Peer 'voipcheapout' is now Reachable. (49ms / 2000ms)
    Feb 15 00:07:16 NOTICE [2894] chan_sip.c: Peer '102' is now Reachable. (51ms / 2000ms)
    Feb 15 00:09:51 NOTICE [2894] chan_sip.c: -- Registration for 'user@sip.voipcheap.com' timed out, trying again (Attempt #2)
    
    

    Here are two links that seem to be relevant to this problem:

    https://forum.pfsense.org/index.php/topic,45255.0.html

    http://comments.gmane.org/gmane.comp.security.firewalls.pfsense.general/2660

    Assuming that the problem is with pfsense and not the switch, is there some way to fix it that I haven't tried?
    If not, would adding another pfsense box in-line with this one to limit the number of interfaces make sense?
    Would it be a better idea to add something like an Untangle box in-line instead?

    I really like the captive portal in pfsense but notice that Untangle has one too.

    Thanks for reading.
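
Added example, not part of the original post: a small Python parser for chan_sip log lines like the ones above that measures each peer's UNREACHABLE window and groups windows that overlap, so the result can be compared against firewall state resets. The sample is built from entries in the post's log, written one entry per line; the function names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample: entries taken from the log in the post, one entry per line.
SAMPLE_LOG = """\
Feb 15 00:04:16 NOTICE [2894] chan_sip.c: -- Registration for 'user@sipgate.co.uk' timed out, trying again (Attempt #2)
Feb 15 00:04:36 NOTICE [2894] chan_sip.c: Peer 'voipcheapout' is now UNREACHABLE!  Last qualify: 40
Feb 15 00:04:56 NOTICE [2894] chan_sip.c: -- Registration for 'user@sip.voipcheap.com' timed out, trying again (Attempt #3)
Feb 15 00:05:16 NOTICE [2894] chan_sip.c: Peer '102' is now UNREACHABLE!  Last qualify: 54
Feb 15 00:05:36 NOTICE [2894] chan_sip.c: Peer '101' is now UNREACHABLE!  Last qualify: 26
Feb 15 00:06:56 NOTICE [2894] chan_sip.c: -- Registration for 'user@sip.voipcheap.com' timed out, trying again (Attempt #6)
Feb 15 00:07:06 NOTICE [2894] chan_sip.c: Peer '101' is now Reachable. (47ms / 2000ms)
Feb 15 00:07:06 NOTICE [2894] chan_sip.c: Peer 'voipcheapout' is now Reachable. (49ms / 2000ms)
Feb 15 00:07:16 NOTICE [2894] chan_sip.c: Peer '102' is now Reachable. (51ms / 2000ms)
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
PEER = re.compile(TS + r".*Peer '(?P<peer>[^']+)' is now (?P<state>Reachable|UNREACHABLE)")
REG = re.compile(TS + r".*Registration for '(?P<trunk>[^']+)' timed out.*Attempt #(?P<n>\d+)")

def parse_ts(text):
    # Log lines carry no year; a fixed one is enough for computing intervals.
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S")

def analyse(log):
    """Return (outages, highest registration attempt number seen per trunk)."""
    down_since, outages, max_attempt = {}, [], {}
    for line in log.splitlines():
        if m := PEER.search(line):
            peer, when = m["peer"], parse_ts(m["ts"])
            if m["state"] == "UNREACHABLE":
                down_since.setdefault(peer, when)   # keep the first drop time
            elif peer in down_since:
                start = down_since.pop(peer)
                outages.append((peer, start, when, int((when - start).total_seconds())))
        elif m := REG.search(line):
            max_attempt[m["trunk"]] = max(max_attempt.get(m["trunk"], 0), int(m["n"]))
    return outages, max_attempt

def overlapping(outages):
    """Merge outage windows that overlap in time into groups of affected peers."""
    groups = []
    for peer, start, end, _ in sorted(outages, key=lambda o: o[1]):
        if groups and start <= groups[-1]["end"]:
            groups[-1]["peers"].add(peer)
            groups[-1]["end"] = max(groups[-1]["end"], end)
        else:
            groups.append({"peers": {peer}, "start": start, "end": end})
    return groups
```

On this sample the trunk peer and both extensions fall into a single overlapping window (150 s, 120 s and 90 s), which is the pattern to line up against the times the state table was flushed or pfsense was reset.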


  • Netgate Administrator

    Your manual outbound NAT rule doesn't look right.

    The rule would have to be above the auto generated rule on LAN to catch outbound traffic first.
    The source would usually be defined as the LAN subnet, or maybe more specifically just your VoIP server IP here.
    I think you have the source and destination ports mixed up. The destination port should be 5060 while the source port could be anything.

    The rule you have right now probably isn't catching anything.

    Steve



  • Thanks, I've now corrected the rule and moved it up but the problem is still there.



  • Has anyone else suffered from this problem and perhaps found a solution?

    I've lived with it for a few months. Flushing the state tables seems to help but it isn't perfect and calls are missed.

    I'll try setting up another pfsense box, just for the wifi / captive portal, so that I can remove the extra interface on pfsense.



  • Not sure if this will help but here goes. I am not familiar with elastix but I had registration issues on my asterisk box until I made some changes in sip_custom.conf (sip.conf). The file may be named differently on your system (I use piaf).
    Here is what mine looks like:

    externip=put the ip of your wan interface here
    localnet=192.168.150.0/255.255.255.0
    localnet=10.0.5.0/255.255.255.0
    localnet=10.0.8.0/255.255.255.0
    nat=yes
    promiscredir=yes
    

    All the local net entries are for the different internal (local) networks I have that contain phones. Some of them are VPN.

    I only have the default outbound rule in pfsense, and my WAN NAT/FW rules look like the attachment below (192.168.150.201 is my local asterisk box).

    My gut feeling is that this is probably an issue with the config on the asterisk box and not necessarily the fw. Once I got everything on my piaf box configured it has worked smoothly for a very long time. (knock wood)
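
Added example, not part of the original post: a simplified Python model of how the `externip` and `localnet` settings above interact, showing which address the PBX would advertise to a given peer and what happens when a phone subnet is missing from `localnet`. The WAN address 203.0.113.10 and the peer addresses are constructed placeholders, the function names are this example's own, and only literal IP addresses are accepted for `externip`.

```python
import ipaddress

# Constructed [general] fragment modelled on the post; 203.0.113.10 is a
# documentation address standing in for the real WAN IP.
SIP_CONF = """\
externip=203.0.113.10
localnet=192.168.150.0/255.255.255.0
localnet=10.0.5.0/255.255.255.0
localnet=10.0.8.0/255.255.255.0
nat=yes
"""

def parse_nat_settings(text):
    """Extract externip and the localnet list from sip.conf-style text."""
    externip, localnets = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment in sip.conf
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "externip":
            # Raises ValueError if the placeholder text was left in the file.
            externip = ipaddress.ip_address(value)
        elif key == "localnet":
            # address/netmask form, as used in the post
            localnets.append(ipaddress.ip_network(value, strict=False))
    return externip, localnets

def advertised_address(peer_ip, pbx_ip, externip, localnets):
    """Simplified model: peers inside a localnet see the PBX's own address,
    all other peers see externip. Without both settings nothing is rewritten."""
    if externip is None or not localnets:
        return ipaddress.ip_address(pbx_ip)
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in localnets):
        return ipaddress.ip_address(pbx_ip)
    return externip
```

A phone on a VPN subnet that is not listed, for example 10.0.9.4 here, is treated as external and handed the WAN address, which is why every internal network that contains phones needs its own `localnet` line.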