1:1 NAT issues with asterisk box and phones.



  • Ok here is a brief rundown of my setup.

    Cable connection with 5 available IPs xxx.xxx.xxx.114 - xxx.xxx.xxx.118

    Only going to use two of the 5 at the moment
    xxx.xxx.xxx.114 for the WAN and xxx.xxx.xxx.117 for the Asterisk server.

    I have setup pfSense 1.2-RELEASE built on Sun Feb 24 17:13:15 EST 2008 updated from 1.01 with 2 nics enabled, simple WAN and LAN.  I have an OPT1 on the MB, but am not using it at the moment, it is disabled.

    WAN (xxx.xxx.xxx.114)
    LAN DHCP 192.168.13.0/24 range 192.168.13.120 - 200
    VIP Asterisk (xxx.xxx.xxx.117) internal IP 192.168.13.117

    Cable > pfSense > switch > Asterisk and DHCP

    This sounds doable so far, right?

    I have the NAT reflection working (unchecked) and I can connect to the pfSense admin pages, but the phones still don't work.

    I have opened ports 5060 for setup and the port range 10000 - 10500 for the voice.

    I have read about making the port range for Static, but when I try to do this it changes the IP I assign it dropping it one number in the last octet.

    firewall:nat:outbound, checked the AON and entered:

    WAN * * 192.168.13.117/31 * * * YES

    It goes from 192.168.13.177 (Asterisk VIP) to 192.168.13.116 (unused static IP, no VIP assigned) as the Destination???  Strange behavior.

    Anyone have any ideas, I have read soo many different threads and tried them all, but nothing.

    I think I might scrub it and start fresh following a couple of the SOLVED threads I have read.



  • 1:1 nat always uses static ports so you don't need that additional advanced outbound nat. Are the phones at WAN? You might need to use a stun server or a proxy. Inside the SIP protocols the clients (asterisk and ipphones) send their IP and ports to each other when registering. As the systems only see there local IP and don't know about their public IP this might cause several issues. Using an external STUN server or a proxa that rewrites these IPs on the fly might solve the problem.



  • Thank you for your response hoba.

    I have seen others post that they have resolved these annoying issues without resorting to a STUN server or proxy… at least that is what I made of it when I read all the threads.

    With or without the AON it still does not work.  I am using AON because that is what I have found as solutions when I did a search of the forums.

    The only notable difference prior to trying pfSense is that they were on different subnets.  We put them on the same subnet this time.

    PfSense offers traffic shaping, something the prior FW did not have, it has become a priority and an annoyance all at once.

    I am getting this response from the show states.

    Proto    Source -> Router -> Destination    State   
    udp 192.168.13.200:5060 -> xxx.xxx.xxx.117:5060 SINGLE:NO_TRAFFIC
    udp xxx.xxx.xxx.117:5060 <- 192.168.13.200:5060 NO_TRAFFIC:SINGLE

    That does not look good. :(



  • Have you made the adjustments to your sip.conf file that are detailed in the following link?
    http://forum.pfsense.org/index.php/topic,8682.msg50287.html#msg50287

    These changes help tell asterisk what its local network address is so that it is less likely to give the wrong internal address in the SIP packets.


Locked