Netgate Discussion Forum

    H323 FreeBSD PFsense 2.2.2 its WORK!

    • flagman

      NAT H323 (video & audio VoIP) in FreeBSD 10.1
      Good afternoon!
      I do not know much English; I translated this article with Google Translate, so I apologize in advance for any incorrect translation. This article is meant to be as understandable as possible for beginners, which I am myself. I am publishing what I did; you may find other solutions for yourself.
      This article concerns FreeBSD 10.1, in particular pfSense 2.2.2 i386 x32 (at the moment of writing).
      Overall objective: to receive incoming calls on an H.323 device, or on several H.323 devices.
      We all know that pfSense has a problem forwarding the H.323 protocol for incoming calls.

      Tale:
      A Polycom HDX6000 appeared on my local area network.
      I plugged it in, set up the network and, as a first attempt, forwarded all ports to it (NAT 1:1). I made an outgoing call to a remote subscriber in another city, and it works! I thought, good, everything works, and said to the other party:

      • "Now you call me!"
      • "Yes, of course, right away!"

      I see the call, press "accept the call" on the Polycom, and it keeps ringing … the connection is not established! The only way out, according to the instructions, is to disable H.323 support on the Polycom ... I checked, and yes indeed, without H.323 there is a session, but it requires NAT (1024-65000), i.e.:

      • Goodbye to all other outward-facing services that use these ports.
      • And besides, any packet (for example from a port scanner) that arrives at port 1720 wakes the Polycom from sleep as if it were a call .... And this greatly annoys management!
      • If you have at least one more H.323 device, it is not possible at all.

      Not our way!

      After a long search for a suitable solution for communication, I settled on GNU Gatekeeper! http://www.gnugk.org/
      Brief description (see the developer's website):

      • Can run on Linux, Windows, MacOS X, Solaris, FreeBSD, OpenBSD and NetBSD
      • Support for NAT traversal (H.460.17, H.460.18, H.460.19, H.460.23 and H.460.24)
      • Full H.323 proxy

      Here is what we need!

      How does this work:

      After starting GNUGK, your device must be configured to work with the gatekeeper: look in the settings of your device and specify the local IP address of the gateway on which GNUGK runs, with port 1719; in the same place, find where the H.323 ext. number (E.164) is set. Under this number your device will register with the gatekeeper; the registration port is 1719.

      • Apart from GNUGK, no NAT needs to be configured in pfSense!
      • It is necessary to open incoming ports on the WAN, which you can define yourself (see the port range functions); this should be done empirically …
      • It is necessary to open incoming ports on the LAN with your H.323 device, preferably all; work it out empirically ...
      • Now, when someone calls your device from an external device, the dialing must be: yourIP##ext. number, such as 8.8.8.8##5693.
      • If the external caller does not know your ext. number, his call will be discarded by GNUGK. Thus the "crazy packets to :1720" will not disturb our device. A kind of protection.
      • If you need to call someone outside your network, simply type the IP address of the user (provided of course he does not use an ext. number; if he does, similarly: IP##ext. number).
      • If there is another device on your network, it will be registered under another extension, so there are no communication problems.
      • And many other GNUGK operating configurations await you. See the original manual.
      The instructions apply to pfSense 2.2.2 i386 x32:

      1) Installation:
      Here we have a problem: there is no Gatekeeper in the FreeBSD 10.1 ports! FreeBSD 10.1 needs a package in .TXZ format.
      After a polite request to the developer, Jan Willamowius, he made a complete package for installation on FreeBSD 10.1 i386 x32: gnugk-3.8-freebsd-10.1-32.txz
      He can also put together a package for x64; these services cost 20 euros for each package …
      So, we have the package on our admin PC. Next, in pfSense, allow SSH connections (System - Advanced - Enable Secure Shell). We need the software «PuTTY» and «WinSCP».

      • Connect with «PuTTY» via SSH to pfSense, using the username "root"; its password is the same as for "admin".
      • The built-in pfSense menu appears; select item 8 to enter the Shell.
      • Install the package manager PKGNG: at the command prompt, type
        pkg
        (pfSense asks whether to install it or not; agree.)
      • Then check
        pkg info
        (see the version of the package manager)
      • Update the repository
        pkg update -f
        (watch it download and update)
      • Connect with «WinSCP» via SSH to pfSense and copy the package gnugk-3.8-freebsd-10.1-32.txz into a convenient directory, for example /root
      • Using «PuTTY», go to the directory /root
        cd /root
      • List the directory, making sure that our package is there:
        ls
      • Install the package:
        pkg install gnugk-3.8-freebsd-10.1-32.txz
        (It asks to install additional packages; agree)
        Additional packages:
        libedit-3.1.20150325_1
        libssh-0.6.4
        lua52-5.2.4
        openldap-client-2.4.40_1
        openssl-1.0.2_1
      • After all the packages are installed, check the gatekeeper; at the command line enter:
        gnugk
        (You should see an informational message that it cannot find the configuration file and is using the default settings)
        You can also check it in Diagnostics: Sockets

      The installation process is complete.

      Design of structured cabling, CCTV, fire and security alarm, automated electricity metering and industrial process control systems http://www.linkpro.pro

      • flagman

        2) Setup:
        The whole setup comes down to the configuration file gatekeeper.ini (or gnugk.ini, depending on how it is set up; more on that later).
        For initial setup it is most convenient to run the gatekeeper from the command line by typing gnugk. In that case gnugk looks for the configuration file in the directory you were in when you typed the gnugk command.
        For example, you logged in over SSH as root, landed in the home directory /root and ran gnugk: it looks for the configuration file gatekeeper.ini in /root. Stop the process with Ctrl+C or killall gnugk.

        • GNUGK listens behind the firewall, i.e. for testing open all ports, and then after tuning tighten the nuts …

        Overview of the configuration file.
        First, a short introduction:

        • Check the original manual yourself!
        • The file is plain text and consists of sections in square brackets.
        • After the section name come the functions and their values for that section.
        • The ";" marks a comment: gnugk treats a line starting with «;» as a comment.
        • After changing the settings, it is advisable to restart the gnugk process (not in all cases; see the original manual).

        For example, my file with explanations:

        [Gatekeeper::Main] - Section of global functions
        Name=gatekeeper - The gatekeeper name that your device will see
        TraceLevel=5 - The level of detail of the informational messages that
                              gnugk displays on the command line.
        CompareAliasType=0 - Ignore differences in alias type E164
        CompareAliasCase=0 - Ignore the letter case of an alias name
        Home=192.168.93.1, external IP - The addresses on which gnugk listens on ports
        ExternalIP=External IP - Your external IP; without the correct value here there will be no incoming calls.

        I think you will learn the rest of the functions without problems with the help of the original manual.

        So my gatekeeper.ini, with which the Polycom works successfully, looks like this (I have not yet dealt with the port ranges):

        [Gatekeeper::Main]
        Name=gatekeeper
        TraceLevel=5
        CompareAliasType=0
        CompareAliasCase=0
        Home=192.168.93.1,192.168.94.1,ExternalIP
        ExternalIP=myIP

        [RoutedMode]
        GKRouted=1
        H245Routed=1
        AcceptNeighborsCalls=1
        AcceptUnregisteredCalls=1
        SupportNATedEndpoints=1
        EnableH450.2=1
        ;EnableH46017=1
        ;EnableH46018=1
        ;EnableH46026=1
        ;DropCallsByReleaseComplete=1
        ;SendReleaseCompleteOnDRQ=1

        [Proxy]
        Enable=1
        ProxyAlways=1

        • flagman

          3) Monitoring
          There are several ways:

          • When you run it from the command line with the gnugk command, the logs of all actions are displayed directly in the console; you will see them for sure.
            The level of detail of the informational messages that gnugk displays on the command line is determined by the value (1 to 5) of the function TraceLevel in the section [Gatekeeper::Main]. For example, TraceLevel=3.
          • If you close the console, gnugk continues to work, but if after a while you want to see through the console how it has been behaving, you must:
            (I do not know what)
          • Use a Telnet connection with «PuTTY» to port 7000; please read about the section [GkStatus::Auth]. See also the control commands available via Telnet.
            For a start, add the section listed below to your configuration:
            [GkStatus::Auth]
            rule=allow
            Shutdown=allow
          • Take a closer look at the GNUGK monitoring add-ons on the developer's site; I think packages for pfSense could be built on the basis of them …
            http://www.gnugk.org/gnugk-addon.html

          4) Auto start GNUGK

          About starting, the developer wrote:
          To let it start automatically on boot, you have to add
          gnugk_enable="YES" to /etc/rc.conf.
          And of course you should edit /etc/gnugk.ini to match your
          requirements.
          Regards,
          Jan
          …
          Now in more detail:
          After installation the file /etc/rc.d/gnugk appears.
          If you try to run it with the command: /etc/rc.d/gnugk
          Gnugk prints a list of commands:
          Usage: /etc/rc.d/gnugk [fast|force|one|quiet](start|stop|restart|rcvar|enabled|reload|status|poll)
          Enter:
          /etc/rc.d/gnugk start
          Gnugk does not start and issues a warning:
          WARNING: $gnugk_enable is not set properly - see rc.conf(5).
          Cannot 'start' gnugk. Set gnugk_enable to YES in /etc/rc.conf or use 'onestart' instead of 'start'.
          Open /etc/defaults/rc.conf. In the «Important initial Boot-time options» section,
          after the line rc_conf_files="/etc/rc.conf /etc/rc.conf.local", add:
          gnugk_enable="YES". Save, close.
          Enter:
          /etc/rc.d/gnugk start
          We get:
          Starting gnugk.
          Look in Diagnostics: Sockets: GNUGK works!

          Also, add to CRON:

                  • root /etc/rc.d/gnugk start

          Reboot pfSense; after it boots, go to Diagnostics: Sockets and see that
          GNUGK works!

          Link to the installation package:
          https://yadi.sk/d/jvU5QdFjgiwVf

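An added example, not part of flagman's posts and not GnuGk's own code: a small Python check that reads a gatekeeper.ini and reports when the [GkStatus::Auth] section from step 3 (rule=allow, Shutdown=allow) is combined with a Home list that contains a non-internal address. It assumes the status port listens on the Home addresses; 203.0.113.10 is a constructed stand-in for the external IP, and rule=explicit with default=forbid are GnuGk status-port options that do not appear in the posts.

```python
import configparser
import ipaddress

# RFC 1918 ranges plus loopback count as internal addresses.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: settings quoted in the posts, with 203.0.113.10
# standing in for the external IP placeholder.
POSTED = """
[Gatekeeper::Main]
Home=192.168.93.1,192.168.94.1,203.0.113.10
ExternalIP=203.0.113.10
[GkStatus::Auth]
rule=allow
Shutdown=allow
"""

# Constructed tightened variant: one admin host allowed, remote shutdown off.
TIGHTENED = """
[Gatekeeper::Main]
Home=192.168.93.1,192.168.94.1,203.0.113.10
[GkStatus::Auth]
rule=explicit
default=forbid
192.168.93.10=allow
Shutdown=forbid
"""


def load(text):
    # '=' is the only delimiter, so IP-address keys are kept whole.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   comment_prefixes=(";", "#"), strict=False)
    cp.read_string(text)
    return cp


def non_internal_home(cp):
    """Home entries that are not internal IPs; unparseable names are kept for review."""
    home = cp.get("Gatekeeper::Main", "Home", fallback="")
    found = []
    for item in (s.strip() for s in home.split(",") if s.strip()):
        try:
            internal = any(ipaddress.ip_address(item) in net for net in INTERNAL)
        except ValueError:
            internal = False  # hostname or placeholder, not an IP literal
        if not internal:
            found.append(item)
    return found


def audit(text):
    """Return findings for explicitly set values; GnuGk defaults are not modelled."""
    cp = load(text)
    rule = cp.get("GkStatus::Auth", "rule", fallback="").strip().lower()
    shutdown = cp.get("GkStatus::Auth", "Shutdown", fallback="").strip().lower()
    findings = []
    if rule == "allow":
        findings.append("STATUS_PORT_OPEN_TO_ALL")
        if shutdown == "allow":
            findings.append("REMOTE_SHUTDOWN_ALLOWED")
        # Assumption: the status port listens on every Home address.
        findings += ["STATUS_ON_NON_INTERNAL:" + a for a in non_internal_home(cp)]
    return findings
```

Pass the text of the real file to `audit()`; an empty list means none of these three conditions was set explicitly.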
          • MikeSport

            Dear flagman

            If I'm not wrong, you installed gnugk on the pfSense firewall, and with these configurations you were able to solve the port forwarding issue without making any port forward, or even without using the NAT traversal which is supported by gnugk. Well, I'm trying to do the same scenario you have done, and I opened all the inbound ports without any port forwarding, but the Polycom machines which are located behind and in front of the pfSense firewall are not working without port forwarding. So I want to know how you solved the port forwarding issue: is the solution for port forwarding only to install gnugk on the pfSense firewall, or is there something that I should do in order to achieve the main goal of solving port forwarding?

            Thank you for your appreciative efforts
            Best Regards

            • MikeSport

              Hello my friend, I'm sorry if I'm bothering you, but I'm new to GnuGk and to pfSense; that's why I'm facing problems in establishing a call between two end devices, one behind the LAN network and the other behind the WAN network.

              Sorry, maybe I didn't understand what your network is and how you configured it. Did you register your device with your GnuGk installed on the pfSense, or did you register it in another place? I believe that to establish a call between 2 end devices they must be registered with the same gatekeeper, so that the gatekeeper will route the call between the 2 users, since it will know the IP and ext. number for both end devices.

              Actually I have some questions about your suggested solution, and I found that your solution does make sense, so I need your help and I need to benefit from your experience, if there is no problem :)

              1- Where did you register your devices? If you have 2 devices, one behind the firewall and the other outside your network, and they want to call each other, do they need to be registered with the GnuGk?

              2- What is the benefit of installing GnuGk on the pfSense?

              3- Can you show me your GnuGk configuration file? I think I'm missing something.

              4- You said in your report that if someone phones from an external device to your device, the dialing must be: your IP##ext number, such as 8.8.8.8##5693. Where should I configure this option so that I can dial using this syntax?

              Thank you for your appreciative efforts :)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.