SIP trouble



  • hello guys,
    unfortunately I'm having a lot of trouble getting my phones (Snom 320 and various softphones) on my LAN behind pfsense working. They register without problem on the SIP server (public IP / WAN side). Incoming calls don't get through at all and outbound calls can be established but have no audio at all. How can I solve this problem?



  • I have never had any issues with SIP phones behind pfsense.  Only sip servers. 
    Do you have strange firewall rules or several layers of NAT?



  • No, not at all. My setup looks like this: cablemodem --> pfSense --> LAN
    The IP phones register on the SIP server (public IP) without problem but then calling is not possible. Maybe I need to set some firewall / NAT rules? But I have no clue which.



  • Well - Is it possible that there is some less than amazing NAT at the server side?

    The only other thing I can advise is to go to firewall > NAT > outbound NAT and put a rule there at the top to make SIP static port on port 5060 and 5061.

    You can use "hybrid outbound NAT" so that it's mostly automatic except the rule you add.

    (BTW - I'm running strictly manual outbound NAT.  I tried hybrid outbound NAT but saw that it was adding a lot of entries for my HEIPV6 interface that I didn't want, need or like)



  • I have set up a rule according to it:
    Interface: WAN
    Source: any / 5060
    Destination: any / 5060
    Translation: Interface address + static-port

    still no luck



  • Their SIP service may be the issue.  Try it with a different free SIP service and see if you have the same issue.  I have tons of phones running behind pfsense.



  • Do you get a routeable IPv4 from your cable modem?



  • Try and make a call and watch your firewall logs.  You may be getting RTP from a different server than your SIP registration and in that case it is usually blocked by the firewall.

    Building firewall rules to allow RTP may be needed.  (I don't believe you want static port with multiple VOIP clients all using 5060-5061.)

    With multiple VOIP instances on your LAN I'd recommend the SIProxd package.  Then you build the firewall rules to point at your WAN address.

    And as ofloo asked, you really do want your WAN to have your public IP address if you use SIProxd.



  • Well, let me give you some late preface about what I am trying to do. My cablemodem is actually this router that hosts many services. It is provisioned by my ISP with a configuration (that I cannot change) to act as a cable modem / eRouter with a software pbx (registrar) and base station for cordless phones (that's how I do my calls atm). My phone numbers are already registered in it. NAT, firewall etc. is disabled on this device so it basically acts as a cable modem with a fixed public IP and requires me to run my own router behind it with a static IP on its WAN side which is a pfsense box. Here is some info about it: http://www.unitymediabusiness.de/produkte-internet-telefon-hardware.html#tab-3
    All phones on my LAN are supposed to use the "cablemodem" as registrar. I managed to extract some info from its configuration file that might help:

    voip_forwardrules = "udp 0.0.0.0:5060 0.0.0.0:5060",
                        "tcp 0.0.0.0:5060 0.0.0.0:5060",
                        "udp 0.0.0.0:7078+32 0.0.0.0:7078";
    tr069_forwardrules = "tcp 0.0.0.0:8089 0.0.0.0:8089";
    voip_ip6_forwardrules = "udp 5060,7078-7110", "tcp 5060";
    tr069_ip6_forwardrules = "tcp 8089";

    This cannot be changed tho.
    I have set up siproxd according to this document and used the ports mentioned above (SIP 5060, RTP 7078-7110). The phones show up in siproxd correctly under "registered devices". They are registered on "my provider's device" also without error. But still trouble with calling: outbound calls get through but with no audio. Inbound calls do not get through at all. Unfortunately I am not that skilled at firewall troubleshooting :(



  • Netgate

    SMH



  • ssh into your pfsense and run

    tcpdump -nN -i <wan>

    See if the traffic arrives, .. then check the firewall logs, .. If that's all ok check if it leaves the lan with tcpdump

    tcpdump -nN -i <lan>

    then check the pbx or sip client, ..
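
Added example, not part of any post in this thread: once the capture suggested above shows the INVITE on the WAN side, this Python check reads its SDP body and reports whether the announced audio endpoint is an RFC 1918 address or uses a port outside the 7078-7110 range quoted from the provider configuration. The sample message, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# RTP range the thread's provider config forwards (udp 7078-7110).
RTP_PORTS = range(7078, 7111)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample (all values made up): INVITE from a LAN phone, SDP not rewritten.
SAMPLE_INVITE = (
    "INVITE sip:100@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bKconstructed\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.1.50\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 8 0\r\n"
)


def media_endpoints(sip_message):
    """Return (ip, port) for every audio stream announced in the SDP body."""
    _, _, sdp = sip_message.partition("\r\n\r\n")
    session_ip, streams = None, []
    for line in sdp.splitlines():
        conn = re.match(r"c=IN IP4 (\S+)", line)
        media = re.match(r"m=(\w+) (\d+)", line)
        if media:
            streams.append([media.group(1), session_ip, int(media.group(2))])
        elif conn and streams:
            streams[-1][1] = conn.group(1)   # media-level c= overrides session
        elif conn:
            session_ip = conn.group(1)
    return [(ip, port) for kind, ip, port in streams if kind == "audio"]


def nat_findings(sip_message, rtp_ports=RTP_PORTS):
    """List reasons the far end could not send audio back through the NAT."""
    findings = []
    for ip, port in media_endpoints(sip_message):
        try:
            if any(ipaddress.ip_address(ip) in net for net in RFC1918):
                findings.append(f"{ip}: RFC 1918 address in SDP")
        except (TypeError, ValueError):
            findings.append(f"{ip}: no usable IPv4 address in SDP")
        if port not in rtp_ports:
            findings.append(f"{port}: outside {rtp_ports.start}-{rtp_ports.stop - 1}")
    return findings
```

An empty list from `nat_findings` for the INVITE as seen on the WAN interface means the SDP already points at a reachable address and a forwarded port, so the next place to look is the firewall log for blocked RTP.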