Problem with asterisk/elastix server behind pfsense firewall
-
hi all,
i have an internal pbx asterisk on elastix with sip trunk timeout issues.
my topology is as below: pbx------pfsense--------------internet
for some time i find pbx is okay with my sip trunk, but after some time, the trunk goes down and i see that there are timeout log messages on my elastix server like:
[Jul 23 22:52:38] NOTICE[2603] chan_sip.c: – Registration for 'xxxxxx@sipgate.co.uk' timed out, trying again
(Attempt #5018)
================================
i will say what i did on elastix and what i did on pfsense:
1- on elastix i added to sip_nat.conf file
nat=yes
externip=(MY PUBLIC IP ADRESS)
localhost=192.168.1.0/255.255.255.
also i added qualify=no on sip trunk settings.
2- on pfsense
i disabled src port rewrite
i allowed ports 5060 & range 10000-20000 udp ports
i made port forward of those ports to my local pbx
on advanced settings of pfsense i set Conservative state table optimization
on advanced settings of pfsense scrubbing needs disabled
now, i can register okay from outside the pfsense and it's fine
but i have an issue with my trunk, after some time it goes down
now if i reboot pfsense, it works for some time ... but after some time the trunk goes down!
can you help?
is siproxd mandatory in my case here?
please advise me
regards
-
This is a known issue with PFSense and its handling of state tables. Assuming you have a dynamic IP - when your IP changes, PFSense has a habit of retaining the previous state tied to your previous dynamic IP.
You can manually fix this each time this happens by removing the stale state, or run a script to wipe all states/specific states each time your external IP changes.
https://forum.pfsense.org/index.php?topic=18053.0
-
hi,
thank you for the reply, but i have a fixed ip from the ISP!
-
also, i want to tell you something.
if i go to pfsense ==> states ==> then clear the current sessions of the firewall
then asterisk works fine ??!!
does that make sense?
-
Hmm. Since you're behind a NAT, you should probably set qualify=yes for the trunk on your Elastix box. qualify really needs to be yes almost anytime you're behind a NAT to keep the UDP session open. Give that a try and see if that fixes your problem.
BTW, what's your qualifyfreq set to?
-
This could also be generated by the firewall dropping the states due to inactivity. You can try setting the "firewall optimization options" to "conservative" on System, Advanced, Firewall/NAT
-
hi,
thanks a lot for the reply. want to mention:
1- qualify was = yes, but because the problem still existed, i put it = no
so, whether yes or no, the problem exists.
2- i already have the "conservative" option set in the firewall
3- "what's your qualifyfreq set to?" ===> i don't know this and am not sure if i set it in my config, will this help me?
again, if i remove the current connections of the firewall or reboot the pfsense, it works for some time, then it comes back again !!
i have a fixed ip also !!
any luck if
-
You will probably need to run a packet capture to see what is going on. You might be hit by the "SIP packets are randomly not being NAT'ed anymore" issue which has been mentioned several times on the forum, and I am not really sure someone ever found the root cause or solved it…
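
One way to check a WAN-side capture for the "not being NAT'ed" symptom mentioned above, as an added example that is not part of the original post: it scans `tcpdump -n` text output for SIP packets that leave with an RFC 1918 source address. The function names, addresses and capture lines are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges, checked explicitly because ipaddress.is_private also
# matches documentation ranges such as 203.0.113.0/24 used in the sample.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# tcpdump -n line for IPv4 UDP: "<time> IP <src>.<sport> > <dst>.<dport>: ..."
# Only the part up to the colon is parsed, so the trailing decode is ignored.
LINE = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
                  r"(\d+\.\d+\.\d+\.\d+)\.(\d+): ")

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def find_unnatted(capture_text, sip_port=5060):
    """Return (time, src, dst) for outbound SIP packets seen on the WAN
    side that still carry an RFC 1918 source address."""
    hits = []
    for line in capture_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, src, sport, dst, dport = m.groups()
        if int(dport) != sip_port:
            continue  # only packets going to the provider's SIP port
        if is_rfc1918(src) and not is_rfc1918(dst):
            hits.append((ts, src, dst))
    return hits

# Constructed sample of a WAN-interface capture filtered on udp port 5060.
# 203.0.113.5 stands in for the public IP, 198.51.100.20 for the provider.
SAMPLE = """\
22:40:01.100000 IP 203.0.113.5.5060 > 198.51.100.20.5060: UDP, length 512
22:40:01.180000 IP 198.51.100.20.5060 > 203.0.113.5.5060: UDP, length 480
22:52:38.200000 IP 192.168.1.10.5060 > 198.51.100.20.5060: UDP, length 512
22:52:58.200000 IP 192.168.1.10.5060 > 198.51.100.20.5060: UDP, length 512
"""

if __name__ == "__main__":
    for ts, src, dst in find_unnatted(SAMPLE):
        print(f"{ts} not NAT'ed: {src} -> {dst}")
```

If the timestamps of the flagged packets line up with the "Registration ... timed out" entries on the PBX, the registrations are leaving the firewall untranslated and the provider's replies cannot come back.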
-
You will probably need to run a packet capture to see what is going on. You might be hit by the "SIP packets are randomly not being NAT'ed anymore" issue which has been mentioned several times on the forum, and I am not really sure someone ever found the root cause or solved it…
thank you, but can you guide me to similar problems to my problem? :P :P