Siproxd, setup and configuration for voip… works great!!!

gl1176

I have got the siproxd working for my voip setup. My SIP and tftp servers are off site. I have Cisco 7960s with SIP firmware, Linksys SPA942, Aastra i57, Snom 360, and a few other SIP handsets for testing. The siproxd was needed to fix our NAT traslations on pfSense, the tftp-proxy will still be needed for tftp (which is unavalible for 1.2) so for now, I use a static route internally to another router with a public IP, to access the public tftp provisioning server. A basic diagram is below:

71.X.X.45=SIP<–>66.X.X.49=pfSense=192.168.1.1/24
                                                  ^
                                                  |
                                                  |----------------LAN=192.168.1.x/24
                                                  |
                                                  v
71.X.X.54=TFTP<->66.X.X.50=WRT54G=192.168.1.2/24

The configs for pfSense are a follows:
Firewall: Rules: WAN = none for SIP or RTP, the siproxd will fix this for us
Firewall: NAT: Port Forward = none, server is off site, only need this if you have an internal SIP PBX
Firewall: NAT: Outbound = Manual Outbound NAT, using default rule with NO Static Port mapping
Install siproxd package and reboot (IMPORTANT)
Services: siproxd: Settings = Inbound to LAN, Outbound to WAN, Port to 5060, Enable RTP proxy to Enable, Set RTP port ranges

Use the Diagnostics: Show States and apply a filter for 5060. All handsets should display state as MULTIPLE:MULTIPLE.

I also have dhcp option working from this post:
http://forum.pfsense.org/index.php/topic,1192.0.html

Enjoy  :)

chpalmer

Are there logs somewhere that will tell if voip services are truly using siproxd or not?

Guest

Status -> Package Logs

chpalmer

Thanks.

I always get "There are no packages with logging capabilities ….

chpalmer

Firewall: NAT: Outbound = Manual Outbound NAT, using default rule with NO Static Port mapping

Isnt "Automatic outbound NAT rule generation (IPsec passthrough)" the default?

I dont seem to have a problem with my two phones on the same provider, just using the default firewall with no addons so its hard for me to test if this is working or not.

fribert

Still no joy here.
My info is
Server: sip.viptel.dk
username: 12345678
Password: randomchars

Ok, I've installed the siproxd
Inbound Interface: LAN
Outbound Interface: WAN
Enable RTP Proxy: Enable

The rest is left for default

Then I've installed X-Lite.
I've set X-Lite to:
Username: 12345678
password: randomchars
authorzation user name 12345678
domain: sip.viptel.dk

Domain Proxy:
X Register with domain and receive incoming calls
Send outbound via
proxy address: pfsense-IP

Firewall Traversal:
X Use local IP address

STUN server
X Discover server

NO tick in enable ICE

The rest is left as default, but still, registration times out…

NebArch

I installed sipproxd as follows:

Inbound LAN
Outbound WAN
Port 5060
RTP 10000 to 20000

All of the rest are default.

Under Status - Services it show siproxd as running
Under Status - Packagae Logs it says "No packages with logging facilities are currently installed."
Under Diagnostics - States - Filter on 5060, all extensions are Multiple:Multiple

There are no NAT or Rules applied.
My trixbox is set to nat=route in sip_nat.conf

Here is the problem, I am still getting dropped inbound calls at about 30 seconds - maybe 1 in 20, which happened the same with NAT port forwarding (5004:5982, 8000:8500, & 10000:20000) and firewall rules to match.

Have I configured sipproxd correctly?
Do you need to do any setup under the Users Tab?

Thanks

sammy2ooo

There is a little pitfall about configuring siproxd. You need to enter the following information, at least this is working for me…

Inbound interface
Outbound interface
Listening port
Enable RTP proxy
RTP port range (lower)
RTP port range (upper)
RTP stream timeout

If you dont have any special needs, just go with the defaulst and you will be fine...

sammy2ooo

Otherwise you could also log in via SSH and run siproxd in debug mode in conjunction with tcpdump to see whats going on.

pkill siproxd

pgrep siproxd (should show up nothing here)

vi /usr/local/etc/siproxd.conf

-> change daemonize = 1 to daemonize = 0
-> save the changes

siproxd -d 1 -c /usr/local/etc/siproxd.conf

thekod

Just a heads up, siproxd isn't always necessary…I've got multiple endpoints behind nat set up without it.  Look at my post here: http://forum.pfsense.org/index.php/topic,12830.0.html

chrisacbr

I found that if you don't enter the RTP port range values you see messages like this:

rtpproxy_relay.c:617 closed socket 13 [0] for RTP stream because cant get pair sts=0
ERROR:rtpproxy_relay.c:630 rtp_relay_start_fwd: no RTP port available or bind() failed

Even though the form suggests that siproxd will use the default range starting at 7070, it doesn't seem to as made clear by a truss:

socket(PF_INET,SOCK_DGRAM,17)                    = 13 (0xd)
setsockopt(0xd,...) = 0 (0x0)
bind(13,{ AF_INET 192.168.1.5:0 },16)           = 0 (0x0)
fcntl(13,F_GETFL,)                               = 2 (0x2)
fcntl(13,F_SETFL,O_NONBLOCK|0x2)                 = 0 (0x0)
socket(PF_INET,SOCK_DGRAM,17)                    = 14 (0xe)
setsockopt(0xe,...) = 0 (0x0)
bind(14,{ AF_INET 192.168.1.5:1 },16)           ERR#13 'Permission denied'

I also had to patch some files:
http://cvstrac.pfsense.com/tktview?tn=1874

ps. If you are using Ekiga behind pfsense/siproxd, you need to set the NAT traversal type to "None".

jigpe

Good afternoon :) Thanks for the tips! :) I have a question, how to restart the siproxd on ssh? Command not found "siprox -d restart"

jigp
1.2.2

wallabybob

From the WEB GUI Services -> siproxd then click the Save button seems to restart siproxd.

If you have ssh'd in or from the console (slight modification of a recipe from an earlier reply in this topic:

pkill siproxd

pgrep siproxd (should show up nothing here)

siproxd -c /usr/local/etc/siproxd.conf

jigpe

Awesome! Thanks :)

But when i call soho router restarted..weird router…

blackb1rd

siproxyd works great, but does someone know how to get it's packets through the Traffic Shaper? Or should I patiently wait for pfsense 2.0 :)

danswartz

You could try disabling the RTP proxy - dunno how much you like that idea (or whether it will work for you.)  I ended up uninstalling siproxd for that (and other reasons), since I have only one client behind the pfsense - my asterisk server, so siproxd is not really needed.

cjkeeme

To the original poster.  Thank you.  :)

cjkeeme

siproxyd works great, but does someone know how to get it's packets through the Traffic Shaper? Or should I patiently wait for pfsense 2.0

I would also like to know if anyone knows the answer to this question.  I have all my phones registered, but if someone is using too much bandwidth call quality goes down significantly.

bb-mitch

I recently added siproxd to a site that WAS working before adding it… I added it because of a single phone which is not "nat friendly" - special purpose phone (boardroom) - at any rate, on adding siproxd, I could get the Linksys phones to work (SPA942, SPA962) however the latest phone Cisco/Linksys SPA525G with 7.2.5 firmware SEEMS to work however the ringer doesn't ring and if you answer there is no audio (indicating lack of RTP stream).

I couldn't see a way around the problem, so I hacked the package to change the firewall rule so that only phones in a given "Alias" are added to the proxy. I'd like to share that change, but I found one thing a little frustrating - unless I create a dummy rule in the firewall, the Alias does not seem to be parsed into a table (which causes my change to fail).

I also noticed siproxd seems to be behind - and yet the packages list does NOT indicate it is lacking a maintainer...

Basically I've solved my own issue, but think it would benefit others...

Thoughts? Thanks all!

vronp

bb-mitch,

I have two SPA962 that are configured identically.  I recently moved from a Cisco 5505 firewall to pfsense.

With siproxd setup I have one phone working but the other refuses to.

Just wondering if you ran into this problem with your Linksys phones.

thanks,

@bb-mitch:

I recently added siproxd to a site that WAS working before adding it… I added it because of a single phone which is not "nat friendly" - special purpose phone (boardroom) - at any rate, on adding siproxd, I could get the Linksys phones to work (SPA942, SPA962) however the latest phone Cisco/Linksys SPA525G with 7.2.5 firmware SEEMS to work however the ringer doesn't ring and if you answer there is no audio (indicating lack of RTP stream).

I couldn't see a way around the problem, so I hacked the package to change the firewall rule so that only phones in a given "Alias" are added to the proxy. I'd like to share that change, but I found one thing a little frustrating - unless I create a dummy rule in the firewall, the Alias does not seem to be parsed into a table (which causes my change to fail).

I also noticed siproxd seems to be behind - and yet the packages list does NOT indicate it is lacking a maintainer...

Basically I've solved my own issue, but think it would benefit others...

Thoughts? Thanks all!