Only inbound RTP being dropped

  • Hi,

    I have searched throughout the pfSense forum and I am unable to find a solution for my problem.
    I have an internal Asterisk PBX with some internal SIP phones and some public (NAT) SIP phones.

    I don't have siproxd installed and I have created all the needed NAT rules for my external SIP phones to be able to register and to send RTP data.

    All inbound and outbound phone calls to/from my internal SIP phones are working perfectly.
    All outbound phone calls from my internal SIP phones to my public SIP phones are working perfectly.

    The only thing that is causing some problems is the internal and external phone calls initiated from the public SIP phones, both to the internal SIP phones and to external phone numbers.
    When I try to initiate these calls, I can see RTP packets coming into the pfSense firewall on the WAN interface, but never leaving the LAN interface.

    I have tried setting the same thing up using siproxd, but this also doesn't seem to be working.

    This link shows the setup I am talking about:

    Has anyone experienced this problem before, and were you able to resolve this (and how)?

    I am using pfSense 2.1, and except for this problem, I am very happy with it.

    Many thanks,

    Kind regards,

    Francis Claessens.

  • Hi Francis,

    Did you ever sort this out?

    I'm experiencing a similar issue. Trying to get pfSense to play nice with Asterisk. I'm not using the SIP proxy, but am seeing lost RTP packets.

    What I found was what seems to be a bug with how pfSense handles port ranges, at least for port forwarding. It seems like you wouldn't experience the port forward range issue, since the proxy should take care of that for you. But maybe siproxd uses something similar with the ranges; I haven't looked at what the proxy does.

    That said, I do actually remember installing the siproxd package. But then I removed it, thinking I could get around it. I wonder if that uninstall left something behind? Hmm.

  • Hi,

    I have indeed been able to resolve this issue.
    After doing some sniffing with Wireshark, both on the inside and on the outside interface of the pfSense firewall and on the end stations, I've seen that pfSense was doing PAT (port address translation) on the outgoing RTP traffic (which is actually normal for a NAT firewall to do). So pfSense was changing source and destination ports on outgoing RTP traffic being sent from the internal PBX to the end point (the receiving call device).

    After some searching I found an option in pfSense that enables you to use static outbound ports for specific devices.

    Go to the NAT configuration of your pfSense (Firewall >> NAT). There you can go to the "Outbound" tab and enable "Manual Outbound NAT rule generation".

    Once you have done that, you can add a specific rule with your "internal PBX IP" as source with source port "udp/", "*** (any)*" as destination with destination port "udp/1024:65535", and your "WAN Address" as NAT address. The trick is to enable "Static Port" on this rule, forcing your pfSense to use the same source port your PBX is using when forwarding to the end point. (See attachment)

    I believe this problem occurs because the end point (receiving the call) receives packets containing a different source port than the one stated in the packet payload (the content of the packets). When the end point returns RTP packets, it uses the source port that it finds in the packet payload and ignores the source port from the packet itself. So when the end point returns RTP packets to pfSense, they are sent to a different destination port than the one the active socket is using, causing the firewall to block/drop the packets.

    I hope this info is correct and can help you troubleshoot your problem.

    Kind regards,

    Francis Claessens.
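The mismatch described in the reply above (the far end sends its RTP to the port advertised in the SDP body, while the firewall only holds state for the PAT-rewritten source port) can be checked without a GUI. The following is an added example, not code from the thread, pfSense or Asterisk: it parses a constructed SDP offer, compares the advertised audio port with the UDP source port observed on the WAN side, and prints the pf `nat ... static-port` rule that corresponds to the "Static Port" outbound NAT option. The PBX address 192.168.1.10, WAN interface em0, external address 203.0.113.5 and the observed ports are assumptions for illustration.

```python
"""Check for SDP vs. UDP source port mismatch caused by PAT on outbound RTP.

Added example, not part of the forum thread. Assumed values: PBX 192.168.1.10
behind WAN interface em0 with external address 203.0.113.5 (TEST-NET-3).
"""
import re
from typing import Dict, Tuple

# Constructed sample SDP body as the PBX would put it in a SIP INVITE.
# The c= line carries the external address Asterisk advertises when its NAT
# settings are configured; the m=audio line carries the RTP port it listens on.
SAMPLE_SDP = """v=0
o=- 1234 1234 IN IP4 192.168.1.10
s=Asterisk
c=IN IP4 203.0.113.5
t=0 0
m=audio 10004 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
"""

M_AUDIO_RE = re.compile(r"^m=audio\s+(\d+)\s+RTP/", re.MULTILINE)
C_LINE_RE = re.compile(r"^c=IN IP4\s+(\S+)\s*$", re.MULTILINE)


def advertised_rtp_endpoint(sdp: str) -> Tuple[str, int]:
    """Return the (ip, port) the SDP tells the far end to send RTP to."""
    m_audio = M_AUDIO_RE.search(sdp)
    c_line = C_LINE_RE.search(sdp)
    if not m_audio or not c_line:
        raise ValueError("SDP is missing an m=audio line or a c= line")
    return c_line.group(1), int(m_audio.group(1))


def check_rtp_source(sdp: str, observed_src_port: int) -> Dict[str, object]:
    """Compare the SDP-advertised RTP port with the UDP source port actually
    seen leaving the WAN interface (e.g. from a tcpdump/Wireshark capture).

    If PAT rewrote the port, the far end still replies to the SDP port, and
    pf has no state entry for that port, so the return RTP is dropped.
    """
    _, sdp_port = advertised_rtp_endpoint(sdp)
    rewritten = observed_src_port != sdp_port
    return {
        "sdp_port": sdp_port,
        "observed_port": observed_src_port,
        # RTP uses an even port and RTCP the next odd one; an odd SDP port
        # usually means a misconfigured PBX rather than a NAT problem.
        "sdp_port_is_even": sdp_port % 2 == 0,
        "pat_rewritten": rewritten,
        "return_rtp_matches_state": not rewritten,
    }


def pf_static_port_rule(wan_if: str, pbx_ip: str, lo: int = 1024, hi: int = 65535) -> str:
    """pf nat rule equivalent to the described outbound NAT entry with
    "Static Port" enabled: source port is preserved instead of being
    rewritten. Syntax follows pf.conf's nat rule grammar; the exact rule
    pfSense generates may differ in interface and address details."""
    return (f"nat on {wan_if} inet proto udp from {pbx_ip} to any "
            f"port {lo}:{hi} -> ({wan_if}) static-port")


if __name__ == "__main__":
    # Constructed observations: 50123 is what PAT would pick, 10004 is what
    # the PBX used and what "Static Port" preserves.
    for port in (50123, 10004):
        print(check_rtp_source(SAMPLE_SDP, port))
    print(pf_static_port_rule("em0", "192.168.1.10"))
```

To use this on a real capture, take the UDP source port of the first outbound RTP packet seen on the WAN interface and feed it to `check_rtp_source` together with the SDP from the matching INVITE/200 OK; `pat_rewritten` being true is the symptom the static-port rule removes. Note that the rule only fixes the port; the c= address in the SDP still has to be the external address, which is Asterisk's own NAT configuration, not the firewall's.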
