Asterisk behind Pfsense SIP Dropping calls after 38-40 Seconds.

  • Works OK behind a basic netgear router with 5060 UDP, 10001-20000 for RTP.

    However behind the pfsense whatever I configure, Manual Outbound, 1:1 NAT or just normal port forwarding I get 38-40 seconds of a call and then its dropped. Reading around there seems to be some talk of this UK provider ( handing off calls to another server perhaps after 40 odd seconds?

    Here's my config Firewall:

    Manual Outbound NAT:

    1:1 Nat:

    If i don't configure any port forwarding the call does't disconnect, however it has one way audio as you would expect.

  • Try using manual outbound NAT. It should create all your existing rules for you. Then setup static ports for your VoIP server. Shouldn't your ports be 10000-20000? Did you change the defaults?

  • Tried manual outbound with a any rule for UDP from the VOIP server. Still disconnects after 30-40 seconds. Yeah I changed the default for the RTP ports.

  • Try adding nat=yes to sip.conf, and canreinvite=no (or directmedia=no) to the peer which is accessed through the internet.

  • I have tested with manual outbound nat no change.

    I have also tested with nat/on and off and invite settings and such in asterisk.

    Using IAX2 instead of SIP would probably the best workaround but not ideal!

  • you have to add nat=yes to the extension too. Again you also in PfSense when you setup manual outbound nat make sure that you create a specific rule so that your asterisk server has a static port(s).

    Also on the remote end if your end users are behind a nat router which they probably are, make sure that they are not using SIP ALG which can cause the issue that you are having. I can tell you that it does work because I'm doing it and it works great. What version of  Asterisk are you using? I'm using Freepbx 5.211.65-15 which is based on Asterisk 11.11.0

  • You could you go into a little more detail about how you have the inbound and outbound rules set up in your functioning Asterisk/pfSense configuration?

    I am on version 11.12 of Asterisk, FreePBX 12, pfSense 2.1.4.

    NAT is set up on both Asterisk SIP and the extension I am using for testing.

    I have two port forwarding rules set up in NAT to point UDP 5060 and ports 10000-20000 to my PBX from the trunk IP server.

    I have an outbound rule set up to translate all requests to the trunk IP server and masquerade as the IP I set up as the external IP in FreePBX/Asterisk.

    Inbound calls will terminate with whatever RTP timeout I have set in FreePBX, and the log will read "chan_sip.c: Disconnecting call 'xxxxx0000080' for lack of RTP activity in 11 seconds"

    Thanks for any input you might have. I think I'm close to a great trunk solution for my needs if I can just get pfSense to play nice with it.

  • Philander I could't get it to play nice. I figure it needs to be internet facing due to some strange config at the voice providers side.

    If you want to try with 1:1 Nat you will need an extra IP from your ISP.

  • I finally got this working with my provider and wanted to post up my config in case anyone else finds this thread as a result of a search. I may have come across the solution earlier than I had realized, and did not have some other aspects of the environment set up properly, as I was doing a lot of testing from a remote node.

    I am using FreePBX 12 with Asterisk 11 on Ubuntu 14.04. PhonePower( is the trunk provider. I have pfSense 2.1.4 on a small Atom box with two commodity WAN connections, only one of which I am using with Asterisk.

    I defined all of my local networks in FreePBX in settings/Asterisk SIP settings and set the RTP ports to use 12000-20000, then edited 'chan SIP' to enable NAT as static and plugged in the external IP. I set up my trunks as specified by PhonePower, and directed inbound calls to an existing extension.

    I set up a number of NAT rules in pfSense, some of which may be redundant. There are four port forwarding routes, all from the server defined in the trunk setup to the internal Asterisk server. All apply to the WAN interface I specified as static, and all are UDP. The first is for SIP alone on 5060, the second does RTP 12000-20000, the third 8700-8766, and the fourth 5000-5084. I may only need the first two rules, I'm not really sure.

    I have manual outbound NAT set up on my pfSense installation, and only one outbound NAT rule set up for Asterisk. All traffic from the internal Asterisk host to the PhonePower IP set up in the trunk to use the correct WAN port specified in the static IP setup in Asterisk. I used static port translation in this outbound NAT rule. It is one of the settings I changed when testing from an unreliable spot, and thought it made no difference when calls still dropped after the RTP limit I defined in Asterisk. Upon testing this setting from the same LAN segment as the Asterisk box, however, calls started flowing in both directions immediately.

  • Philander, glad you have it working. I doubt the 8700-8766 & 5000-5084 rules are doing anything.

    I ended up using a different brand firewall which works with my setup, not ideal but my old firewall was failing.

Log in to reply