Asterisk behind Pfsense (No audio)

  • Hi there, I'm using pfsense 1.2release in a configuration that looks pretty much like this:

    Yet another Asterisk box ( behind pfSense ( from outside), almost everything works: Inphonex trunk (, IAX clients from outside the LAN and IAX/SIP clients on the LAN, the only thing that doesn't work is SIP clients outside the LAN ( I'm making tests with a Linksys SPA2012 ATA and a Zoiper VoIP softphone, both seem to register and also ring but I get no audio when making calls.

    These are my firewall settings:

    After searching for quite a while here the most similar situation I found was this one

    So I noobly tried to understand how to use static ports:

    And things looked promising after looking at the states (I think):

    But still no audio, I'm not sure what else I should try now.


  • In 1.2 release we have static ports already behind the scenes even with the automatic outbound NAT for ports like 5060, so you don't need it for that port. However, you should probably add static ports for the RTP range of the Asterisk server too. That's actually where the audio is transmitted. Port 5060 is only for registering, alerting and so on. Another option is to set up or use a STUN server (simple traversal of UDP over NAT). That should fix any private IPs that the clients or the servers possibly are sending in their SIP packets and the port scrambling as well.

  • I have tried setting up static ports (1.2 release) but I'm still getting one way audio. My setup on the Firewall/Nat/Outbound tab looks like this:

    manual Outbound Rule generation

    WAN  *  *  *  *  *  YES Static NAT   
    WAN  *  *  *  *  *  YES Static NAT   
    WAN  *  *  *  *  *  NO Auto created rule for LAN

    Any ideas?

    Also, I would be happy with SIPROXD being a transparent proxy, but I am unsure how to do this (and the other message about transparent proxy said wait till Beta 2).



  • It may help to explain to asterisk some details about your network.

    To do this edit your sip.conf file at:

    There is a general section near the top where you will need to make your edits. These changes will help Asterisk to know your real-world static IP address or dynamic DNS domain name, whether you are using NAT, and also tell it what your local subnet is. Use externip if you have a static ip or externhost and you are using a dynamic dns provider such as

    Note: The semicolon is a comment in this file. You can edit the file with vi, nano or, if on Trixbox, with the web GUI: trixbox menu asterisk->config edit.

    port = 5060          ; Port to bind to (SIP is 5060)

    For me sound worked only one direction until I made these edits. Hope it works for you. If it does you can thank the technician at for providing me this info which I'm now passing on to you.

  • One more thing… unless your equipment is specifically set up with the RTP ports you have defined, you might want to try standard RTP ports.

    16384 - 32767

    On Trixbox I've had it working with 10001 - 20000.

    If you take a look at your phones you should be able to get more specific with the range they use. For example Linksys phones such as the SPA942 use 16384 - 16482.

  • I have the exact same configuration with the sip.conf modification mentioned by mcrane and it's working. I'm even able to receive anonymous SIP calls; this is almost the hardest part to make work, since Asterisk has to open a UDP port in listen mode and in the SIP signalling it sends the audio port to the remote side to connect to.

    If you have problems, follow the first post carefully, but normally the RTP ports for Asterisk are 10000 to 20000 though. Then make the modifications to your sip.conf. Be careful: different distributions will override the sip.conf, especially if there's a GUI like FreePBX, so use the right file to put your configuration in. For my system (Elastix) I had to put it in /etc/asterisk/sip_nat.conf, and here you see an example of two local networks; my WiFi is on a different network and I want to eventually use a WiFi SIP phone and a laptop with the X-Lite or ZoIPer soft phone. The example below is for a dynamic IP address; if you have a static one, use externip= instead of externalhost= and you can forget to set the externrefresh=

    [root@elastix ~]# cat /etc/asterisk/sip_nat.conf

    Don't worry, I have inbound routes that don't allow any CID in :-) I can benefit from the ENUM database; I will put my numbers into the database so every ENUM-enabled system will be able to dial in directly in SIP … This is the future of telephony, direct dial between SIP-enabled systems. Maybe in the future SIP will be replaced, but it's effective since it's pure peer-2-peer, when you don't use an outbound proxy from the client side of course...

    SIP has a hard time getting through NAT routers, but we see more and more routers aware of SIP signaling and doing SIP connection tracking, so it's becoming easier to put a SIP phone behind a NAT router. When IPv6 will be required, I hope soon, we won't need NAT anymore; we'll be good to communicate using SIP like we do now with email... Imagine calling your buddies dialling

    I'm using Elastix as my Asterisk distribution, unlike Trixbox they are not sold and unlike PIAF (PBX in a Flash) everything works out of the box, I had problems transcoding with PIAF.


  • Here is what ports I open for asterisk and mine works flawlessly.

    UDP -> 5060-5082 -> SIP
    UDP -> 10000-20000 -> RTP
    UDP -> 4569 -> IAX2
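
The replies above depend on two things agreeing: Asterisk's NAT settings in sip.conf (externip or externhost, plus localnet) and the RTP range in rtp.conf matching the UDP ports forwarded on pfSense. The Python check below is an added example, not code from any poster in this thread; the function names, the `pbx.example.org` host and the sample file contents are constructed assumptions, and `rtpstart`/`rtpend` are the standard rtp.conf keys.

```python
"""Added example: compare Asterisk NAT settings with the firewall's RTP forwards."""

def parse_general(text):
    """Return {key: [values]} for the [general] section; ';' starts a comment."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "general" and "=" in line:
            key, value = line.split("=", 1)
            opts.setdefault(key.strip().lower(), []).append(value.lstrip(">").strip())
    return opts

def audit(sip_conf, rtp_conf, forwarded_rtp):
    """forwarded_rtp: inclusive (first, last) UDP ranges forwarded to the PBX for RTP."""
    sip, rtp = parse_general(sip_conf), parse_general(rtp_conf)
    findings = []
    if not (sip.get("externip") or sip.get("externhost")):
        findings.append("sip.conf: no externip/externhost, SDP will carry the private address")
    if not sip.get("localnet"):
        findings.append("sip.conf: no localnet, Asterisk cannot tell which peers are outside the NAT")
    if "rtpstart" not in rtp or "rtpend" not in rtp:
        return findings + ["rtp.conf: rtpstart/rtpend not set, cannot compare with firewall"]
    start, end = int(rtp["rtpstart"][-1]), int(rtp["rtpend"][-1])
    wanted = set(range(start, end + 1))
    opened = {p for lo, hi in forwarded_rtp for p in range(lo, hi + 1)}
    missing, excess = wanted - opened, opened - wanted
    if missing:  # Asterisk may pick a port the firewall drops: no or one-way audio
        findings.append(f"firewall: {len(missing)} RTP ports not forwarded, first is {min(missing)}")
    if excess:   # forwarded but never used for RTP: needless exposure
        findings.append(f"firewall: {len(excess)} forwarded ports outside {start}-{end}")
    return findings

# Constructed sample files (not taken from the thread).
SIP_BARE = "[general]\nport = 5060 ; Port to bind to\n"
SIP_NAT = ("[general]\nport = 5060\nexternhost = pbx.example.org\nexternrefresh = 10\n"
           "localnet = 192.168.1.0/255.255.255.0\nlocalnet = 192.168.2.0/255.255.255.0\n")
RTP = "[general]\nrtpstart = 10000\nrtpend = 20000\n"

if __name__ == "__main__":
    # Firewall forwards 16384-32767 while Asterisk uses 10000-20000.
    for finding in audit(SIP_BARE, RTP, [(16384, 32767)]):
        print("-", finding)
    print(audit(SIP_NAT, RTP, [(10000, 20000)]) or "consistent")
```

The first call models the mismatch discussed in the thread (a 16384-32767 forward against a 10000-20000 Asterisk range); the second shows a configuration where the forward covers exactly the RTP range and nothing more.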
