PfSense and Allworx PBX



  • Hello all,

    I'm having a devil of a time trying to get phones at a remote site behind pfSense to work with a public IP Allworx box at a different location. To me this has to be a NAT issue but I'm not having luck fixing it. There is a Netgear home router at the remote location now and the remote phones work. I don't have access to the Netgear router so I can't see what ports may be open/forwarded.

    For this thread:

    • 1.2.3.4 public IP of Allworx PBX, it is also connected to the local lan for phones on 192.168.1.0/24
    • 1.2.3.5 public IP of pfSense at remote location, connected to a local lan 10.0.50.0/24, phones live here but do not connect with pfSense but do w/Netgear
    • Allworx is happy to sit on the public Internet
    • Allworx needs ports 2088 UDP, 5060 UDP, 8081 TCP, 15000-15511 UDP
    • I'm testing with a single phone at 10.0.50.130, Allworx 9102
    • pfSense 2.2.4 x64

    I installed Darkstat and can see the packet on the IN side but nothing on the OUT side.
    I tried SIProxd with no luck; mainly I used https://forum.pfsense.org/index.php?topic=58936.0 as reference.
    I tried opening the ports in Firewall> Rules, basically the ports listed above as proto, src=any, dest=10.0.50.130, port, gw=any, queue=none.
    I added Firewall> NAT> Port Forward rules to match > proto src=any, ports=any, dest=WAN address, dest ports=ports above, NAT IP 10.0.50.130, NAT ports=ports above.
    I tried adding Firewall> NAT> Outbound with int=WAN, src=any, src port=udp/*, dest=any, dest port=udp/*, NAT add=WAN address, NAT port 2088, static port=no; added all ports listed above.

    Any ideas would be appreciated. Routing is not my main gig which makes me think I'm making my own headaches!



  • I haven't used Allworx specifically, but I can give you my general technique for diagnosing Voip issues w/pfSense.

    I start with a vanilla setup, in particular NO NAT; stay away from installing packages like siproxd until you're SURE you need them. I would definitely uninstall that as it adds complexity and can introduce unintended consequences that are hard to diagnose.

    I set up both ends of the VoIP conx as required and let the stations try and register.
    In many scenarios, if the Host is on a public IP you can get proper registration and functionality with no further action required. Many of the NAT issues are handled by proper configuration of both the Host and the phones.

    If you still have issues, then I go to the pfSense logs and watch for Blocked UDP and other traffic from and/or to the Host IP address.
    If that corresponds to the range(s) you're expecting then consider enabling NAT as required.

    The KISS principle is your friend when configuring these devices.

    Keep at it and welcome to pfSense!
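
    The log check described in the reply above, as an added example that is not part of the thread: it scans pfSense filter log entries for blocked UDP to or from the PBX and flags whether the PBX-side port is one of the ports listed in the first post. It assumes the documented raw `filterlog` CSV layout for IPv4 UDP; the sample lines, interface names and rule numbers are constructed.

```python
# Added example: find blocked UDP between the firewall and the PBX in
# pfSense filterlog output. Field positions follow the documented raw
# filter log CSV layout (IPv4/UDP); treat them as an assumption and
# verify against your own /var/log/filter.log.
PBX_IP = "1.2.3.4"                                       # from the thread
EXPECTED_UDP = {2088, 5060} | set(range(15000, 15512))   # ports from the thread

# Constructed sample entries (the CSV part of each syslog line).
SAMPLE_LOG = """\
5,16777216,,1000000103,em0,match,block,in,4,0x0,,54,4242,0,none,17,udp,228,1.2.3.4,1.2.3.5,15010,15010,208
5,16777216,,1000000103,em0,match,block,in,4,0x0,,54,4243,0,none,17,udp,460,1.2.3.4,1.2.3.5,5060,5060,440
7,16777216,,1000001570,em1,match,pass,in,4,0x0,,64,100,0,none,17,udp,328,10.0.50.130,1.2.3.4,2088,2088,308
5,16777216,,1000000103,em0,match,block,in,4,0x0,,48,999,0,DF,6,tcp,60,198.51.100.7,1.2.3.5,40000,23,0,S,1,,1024,,
9,16777216,,1000000104,em1,match,block,in,4,0x0,,64,101,0,none,17,udp,200,10.0.50.130,1.2.3.4,40000,40000,180
"""

def parse_udp(line):
    """Return a dict for an IPv4 UDP entry, or None for anything else."""
    f = line.strip().split(",")
    if len(f) < 23 or f[8] != "4" or f[16] != "udp":
        return None
    return {"iface": f[4], "action": f[6], "dir": f[7],
            "src": f[18], "dst": f[19],
            "sport": int(f[20]), "dport": int(f[21])}

def blocked_pbx_udp(log_text):
    """Blocked UDP entries that involve the PBX, tagged expected or not."""
    hits = []
    for line in log_text.splitlines():
        e = parse_udp(line)
        if e is None or e["action"] != "block":
            continue
        if PBX_IP not in (e["src"], e["dst"]):
            continue
        # The port on the PBX side is what the vendor port list describes.
        pbx_port = e["sport"] if e["src"] == PBX_IP else e["dport"]
        e["pbx_port"] = pbx_port
        e["expected"] = pbx_port in EXPECTED_UDP
        hits.append(e)
    return hits

if __name__ == "__main__":
    for h in blocked_pbx_udp(SAMPLE_LOG):
        tag = "expected VoIP port" if h["expected"] else "unexpected port"
        print(f'{h["iface"]} {h["dir"]} {h["src"]}:{h["sport"]} -> '
              f'{h["dst"]}:{h["dport"]} BLOCKED ({tag})')
```

    Blocks on expected ports point at a missing rule or NAT state for that flow; blocks on unexpected ports are better investigated than opened.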



  • Yes, I was hoping to KISS but since it doesn't work straight out of the box I've had to delve in deeper.

    The SIProxd was a test since I wasn't getting anywhere with Firewall NAT'ing. The package notes say it is not needed as much with newer PBXes. My thinking was that the Allworx 24x is a bit on the older side so it may still apply. I've since removed the package.

    A basic NAT question - I need entries in both Rules and NAT, correct?

    Also when trying NAT> Outbound I chose Manual as well as Hybrid with no positive effect.