Siproxd, setup and configuration for voip… works great!!!



  • I have got the siproxd working for my voip setup. My SIP and tftp servers are off site. I have Cisco 7960s with SIP firmware, Linksys SPA942, Aastra i57, Snom 360, and a few other SIP handsets for testing. The siproxd was needed to fix our NAT translations on pfSense, the tftp-proxy will still be needed for tftp (which is unavailable for 1.2) so for now, I use a static route internally to another router with a public IP, to access the public tftp provisioning server. A basic diagram is below:

    71.X.X.45=SIP<–>66.X.X.49=pfSense=192.168.1.1/24
                                                      ^
                                                      |
                                                      |----------------LAN=192.168.1.x/24
                                                      |
                                                      v
    71.X.X.54=TFTP<->66.X.X.50=WRT54G=192.168.1.2/24

    The configs for pfSense are as follows:
    Firewall: Rules: WAN = none for SIP or RTP, the siproxd will fix this for us
    Firewall: NAT: Port Forward = none, server is off site, only need this if you have an internal SIP PBX
    Firewall: NAT: Outbound = Manual Outbound NAT, using default rule with NO Static Port mapping
    Install siproxd package and reboot (IMPORTANT)
    Services: siproxd: Settings = Inbound to LAN, Outbound to WAN, Port to 5060, Enable RTP proxy to Enable, Set RTP port ranges

    Use the Diagnostics: Show States and apply a filter for 5060. All handsets should display state as MULTIPLE:MULTIPLE.

    I also have dhcp option working from this post:
    http://forum.pfsense.org/index.php/topic,1192.0.html

    Enjoy  :)



  • Are there logs somewhere that will tell if voip services are truly using siproxd or not?



  • Status -> Package Logs



  • Thanks.

    I always get "There are no packages with logging capabilities ….



  • Firewall: NAT: Outbound = Manual Outbound NAT, using default rule with NO Static Port mapping

    Isn't "Automatic outbound NAT rule generation (IPsec passthrough)" the default?

    I don't seem to have a problem with my two phones on the same provider, just using the default firewall with no addons so it's hard for me to test if this is working or not.



  • Still no joy here.
    My info is
    Server: sip.viptel.dk
    username: 12345678
    Password: randomchars

    Ok, I've installed the siproxd
    Inbound Interface: LAN
    Outbound Interface: WAN
    Enable RTP Proxy: Enable

    The rest is left for default

    Then I've installed X-Lite.
    I've set X-Lite to:
    Username: 12345678
    password: randomchars
    authorization user name 12345678
    domain: sip.viptel.dk

    Domain Proxy:
    X Register with domain and receive incoming calls
    Send outbound via
    proxy address: pfsense-IP

    Firewall Traversal:
    X Use local IP address

    STUN server
    X Discover server

    NO tick in enable ICE

    The rest is left as default, but still, registration times out…



  • I installed siproxd as follows:

    Inbound LAN
    Outbound WAN
    Port 5060
    RTP 10000 to 20000

    All of the rest are default.

    Under Status - Services it shows siproxd as running
    Under Status - Package Logs it says "No packages with logging facilities are currently installed."
    Under Diagnostics - States - Filter on 5060, all extensions are Multiple:Multiple

    There are no NAT or Rules applied.
    My trixbox is set to nat=route in sip_nat.conf

    Here is the problem, I am still getting dropped inbound calls at about 30 seconds - maybe 1 in 20, which happened the same with NAT port forwarding (5004:5982, 8000:8500, & 10000:20000) and firewall rules to match.

    Have I configured siproxd correctly?
    Do you need to do any setup under the Users Tab?

    Thanks



  • There is a little pitfall about configuring siproxd. You need to enter the following information, at least this is working for me…

    Inbound interface
    Outbound interface
    Listening port
    Enable RTP proxy
    RTP port range (lower)
    RTP port range (upper)
    RTP stream timeout

    If you don't have any special needs, just go with the defaults and you will be fine...



  • Otherwise you could also log in via SSH and run siproxd in debug mode in conjunction with tcpdump to see what's going on.

    pkill siproxd

    pgrep siproxd (should show up nothing here)

    vi /usr/local/etc/siproxd.conf

    -> change daemonize = 1 to daemonize = 0
    -> save the changes

    siproxd -d 1 -c /usr/local/etc/siproxd.conf



  • Just a heads up, siproxd isn't always necessary…I've got multiple endpoints behind nat set up without it.  Look at my post here: http://forum.pfsense.org/index.php/topic,12830.0.html



  • I found that if you don't enter the RTP port range values you see messages like this:

    rtpproxy_relay.c:617 closed socket 13 [0] for RTP stream because cant get pair sts=0
    ERROR:rtpproxy_relay.c:630 rtp_relay_start_fwd: no RTP port available or bind() failed
    

    Even though the form suggests that siproxd will use the default range starting at 7070, it doesn't seem to, as made clear by a truss:

    socket(PF_INET,SOCK_DGRAM,17)                    = 13 (0xd)
    setsockopt(0xd,...) = 0 (0x0)
    bind(13,{ AF_INET 192.168.1.5:0 },16)           = 0 (0x0)
    fcntl(13,F_GETFL,)                               = 2 (0x2)
    fcntl(13,F_SETFL,O_NONBLOCK|0x2)                 = 0 (0x0)
    socket(PF_INET,SOCK_DGRAM,17)                    = 14 (0xe)
    setsockopt(0xe,...) = 0 (0x0)
    bind(14,{ AF_INET 192.168.1.5:1 },16)           ERR#13 'Permission denied'
    

    I also had to patch some files:
    http://cvstrac.pfsense.com/tktview?tn=1874

    ps. If you are using Ekiga behind pfsense/siproxd, you need to set the NAT traversal type to "None".



  • Good afternoon :) Thanks for the tips! :) I have a question, how to restart the siproxd on ssh? Command not found "siprox -d restart"

    jigp
    1.2.2



  • From the WEB GUI Services -> siproxd then click the Save button seems to restart siproxd.

    If you have ssh'd in or from the console (slight modification of a recipe from an earlier reply in this topic):

    pkill siproxd

    pgrep siproxd (should show up nothing here)

    siproxd -c /usr/local/etc/siproxd.conf



  • Awesome! Thanks :)

    But when i call soho router restarted..weird router…



  • siproxyd works great, but does someone know how to get its packets through the Traffic Shaper? Or should I patiently wait for pfsense 2.0 :)



  • You could try disabling the RTP proxy - dunno how much you like that idea (or whether it will work for you.)  I ended up uninstalling siproxd for that (and other reasons), since I have only one client behind the pfsense - my asterisk server, so siproxd is not really needed.



  • To the original poster.  Thank you.  :)



  • siproxyd works great, but does someone know how to get its packets through the Traffic Shaper? Or should I patiently wait for pfsense 2.0

    I would also like to know if anyone knows the answer to this question.  I have all my phones registered, but if someone is using too much bandwidth call quality goes down significantly.



  • I recently added siproxd to a site that WAS working before adding it… I added it because of a single phone which is not "nat friendly" - special purpose phone (boardroom) - at any rate, on adding siproxd, I could get the Linksys phones to work (SPA942, SPA962) however the latest phone Cisco/Linksys SPA525G with 7.2.5 firmware SEEMS to work however the ringer doesn't ring and if you answer there is no audio (indicating lack of RTP stream).

    I couldn't see a way around the problem, so I hacked the package to change the firewall rule so that only phones in a given "Alias" are added to the proxy. I'd like to share that change, but I found one thing a little frustrating - unless I create a dummy rule in the firewall, the Alias does not seem to be parsed into a table (which causes my change to fail).

    I also noticed siproxd seems to be behind - and yet the packages list does NOT indicate it is lacking a maintainer...

    Basically I've solved my own issue, but think it would benefit others...

    Thoughts? Thanks all!



  • bb-mitch,

    I have two SPA962 that are configured identically.  I recently moved from a Cisco 5505 firewall to pfsense.

    With siproxd setup I have one phone working but the other refuses to.

    Just wondering if you ran into this problem with your Linksys phones.

    thanks,

    @bb-mitch:

    I recently added siproxd to a site that WAS working before adding it… I added it because of a single phone which is not "nat friendly" - special purpose phone (boardroom) - at any rate, on adding siproxd, I could get the Linksys phones to work (SPA942, SPA962) however the latest phone Cisco/Linksys SPA525G with 7.2.5 firmware SEEMS to work however the ringer doesn't ring and if you answer there is no audio (indicating lack of RTP stream).

    I couldn't see a way around the problem, so I hacked the package to change the firewall rule so that only phones in a given "Alias" are added to the proxy. I'd like to share that change, but I found one thing a little frustrating - unless I create a dummy rule in the firewall, the Alias does not seem to be parsed into a table (which causes my change to fail).

    I also noticed siproxd seems to be behind - and yet the packages list does NOT indicate it is lacking a maintainer...

    Basically I've solved my own issue, but think it would benefit others...

    Thoughts? Thanks all!



  • depending on what you are connecting to you could try turning off the nat options on the server and the phones and possibly the qualify options on the asterisk server - one of my associates says he had to do that to support some newer cisco phones 79xx something I think?



  • Well, this is interesting.  Both phones were at firmware level 5.2.  I upgraded both to 6.1.5 (latest) and now everything works !

    @bb-mitch:

    depending on what you are connecting to you could try turning off the nat options on the server and the phones and possibly the qualify options on the asterisk server - one of my associates says he had to do that to support some newer cisco phones 79xx something I think?



  • ALWAYS try the various firmwares ;-)
    They normally fix one thing and break something subtle, but 6.1.5(a) included a lot of fixes.
    cheers.



  • I spoke too soon.  One of them works but the other still does not.  This view of states seems to indicate why but I'm not sure what will fix this.  The .47 phone works but .49 does not.



  • Doesn't look like you have flushed states to me.



  • Yes, correct.  After flushing states, the "bad" phone is the only one that rings now and there is no audio.

    There is another piece missing here.



  • If you removed siproxd / disabled it, and the phone that wasn't working now rings, that means the SIP is working with NAT off.
    siproxd also has the ability to proxy the RTP - this has to be enabled too if you need rtp. There needs to be some documentation for this package I think. I believe I understand a bunch of it - and don't mind contributing, but who is the package maintainer?
    There are options / fields in the package gui that do not seem to be implemented or that I don't understand?

    SIP does things like connects the phone, and handles signalling (on hook, off hook, ring, call waiting, etc.).
    RTP carries the audio or video streams AFTER SIP is used to set them up / define them.

    If a phone rings without siproxd but doesn't carry audio I would think you have a mismatch in your settings somewhere. But if you don't control the server you should be seeking some help with the people that do - they can probably tell you exactly what you should set to work with their server.

    m/



  • What version of pfsense are you using?



  • Well, I turned on siproxyd and it all works now.

    BTW, this is 1.2.3.



  • It would be really nice for semi-graceful failover if the pfSense GUI would allow siproxd to specify virtual ips in addition for the incoming and outgoing interfaces as well as offering the native interface addresses.



  • Hi Guys,

    I am using multiple Asterisk servers to connect to multiple providers on the internet. I also have endpoints from outside connecting to these Asterisk servers.

    Endpoints connecting from outside to one of the Asterisk servers I have work just fine as I have NAT forward port 5060 and RTP ports to one Asterisk server.

    However, only one of my Asterisk servers can connect to the provider outside. If I try to connect more than one then the others stop working.

    Should Siproxd be the answer for both inbound and outbound SIP?

    Here is a diagram of what I have:

    -Asterisk A -Asterisk B -Asterisk C -Asterisk D–>pfsense1.2.3INTERNET<--Provider(s) AND <--Endpoints

    Thanks



  • I am having a similar issue. We are Running ver 1.2.3. with 3 Fonality hosted phones, and a full T1. We are also running ntop, siproxd, and a few other packages. The issue is with call quality even at low bandwidth utilization by other network devices.  We are using RTP 10000-20000 ports with firewall rule to allow traffic from IP address.(Fonality)  Fonality gave us a host range and we are still trying to figure out how to get a DNS name from them since we can't enter a range on pfSense? Any ideas?

    We are getting the calls cut off for a few seconds every minute or two and not dropped.  We are losing about 2-3 seconds of call quality every 60-80 seconds.  Have run traffic shaper till I am blue in the face and not sure what else to do!!  Any ideas?  See errors below from system log.

    Jan 24 16:58:37 siproxd[49015]: siproxd.c:287 INFO:siproxd-0.7.0-4577 i386-unknown-freebsd7.0 started
    Jan 24 16:58:37 siproxd[49015]: sock.c:65 INFO:bound to port 5060
    Jan 24 16:58:37 siproxd[49015]: siproxd.c:241 INFO:daemonized, pid=49015
    Jan 24 16:58:37 siproxd[49013]: siproxd.c:193 INFO:siproxd-0.7.0-4577 i386-unknown-freebsd7.0 starting up
    Jan 24 16:58:37 siproxd[49013]: readconf.c:309 ERROR:unknown keyword in config file, line:"load_plugin=plugin_logcall.la"
    Jan 24 16:58:37 siproxd[49013]: readconf.c:309 ERROR:unknown keyword in config file, line:"plugindir=/usr/local/lib/siproxd/"
    Jan 24 16:51:27 siproxd[20210]: dejitter.c:404 WARNING:stopping opposite stream
    Jan 24 16:51:27 siproxd[20210]: dejitter.c:397 ERROR:sendto() [74.115.98.40:13714 size=32] delayed call failed: Bad file descriptor
    Jan 24 16:32:41 check_reload_status: reloading filter

    also set my service curve to: 512=m1  5000=d  300=m2 for VOIP up and down.  Have made priority of 7 in parent queue?  We have tried also just 300=m2 and no real difference for the voip queues.. I am beginning to think the issue is because of my t1 but all seems ok there!

    Thanks for help and insight.  I am willing to look at any and all ways to fix.
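    A small log triage helper, added here as an example (not part of the siproxd package or of any post in this thread), that maps the siproxd messages quoted above to their likely cause: the RTP bind failure seen when no RTP port range is entered, the config keywords rejected by the running siproxd build, the dejitter errors, and the "bound to port" line that confirms the SIP listener is up. The sample log lines are constructed from those posts; the peer address is a documentation address, not a real provider.

```python
import re
from collections import Counter

# Constructed sample in pfSense system-log form, built from the siproxd messages
# quoted in this thread. 198.51.100.40 is a documentation address (constructed).
SAMPLE_LOG = """\
Jan 24 16:58:37 siproxd[49015]: sock.c:65 INFO:bound to port 5060
Jan 24 16:58:37 siproxd[49013]: readconf.c:309 ERROR:unknown keyword in config file, line:"load_plugin=plugin_logcall.la"
Jan 24 16:58:37 siproxd[49013]: readconf.c:309 ERROR:unknown keyword in config file, line:"plugindir=/usr/local/lib/siproxd/"
Jan 24 16:51:27 siproxd[20210]: dejitter.c:404 WARNING:stopping opposite stream
Jan 24 16:51:27 siproxd[20210]: dejitter.c:397 ERROR:sendto() [198.51.100.40:13714 size=32] delayed call failed: Bad file descriptor
Jan 24 16:32:41 check_reload_status: reloading filter
Jan 24 16:59:02 siproxd[49015]: rtpproxy_relay.c:617 closed socket 13 [0] for RTP stream because cant get pair sts=0
Jan 24 16:59:02 siproxd[49015]: ERROR:rtpproxy_relay.c:630 rtp_relay_start_fwd: no RTP port available or bind() failed
"""

# syslog prefix: "Mon DD HH:MM:SS siproxd[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) siproxd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# (pattern on the message, diagnosis key, operator hint). First match wins.
RULES = [
    (re.compile(r"no RTP port available|cant get pair"), "rtp_port_range_unset",
     "RTP relay cannot bind a port: enter an explicit RTP port range (lower/upper) in the siproxd settings"),
    (re.compile(r'unknown keyword in config file, line:"(?P<kw>[^="]+)'), "unsupported_config_keyword",
     "directive rejected by the running siproxd build; check it against this version's siproxd.conf"),
    (re.compile(r"delayed call failed|stopping opposite stream"), "rtp_stream_interrupted",
     "RTP relay stream torn down mid-call; correlate timestamps with the reported audio gaps"),
    (re.compile(r"bound to port (?P<port>\d+)"), "sip_listener_up",
     "siproxd is listening for SIP; confirm with Diagnostics: States filtered on that port"),
]

def triage(log_text):
    """Return one finding per recognised siproxd line: pid, diagnosis key, detail, hint."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:  # not a siproxd line (e.g. check_reload_status), skip it
            continue
        msg = m.group("msg")
        for rx, key, hint in RULES:
            hit = rx.search(msg)
            if hit:
                # detail is the rejected keyword or the bound port, when the rule captures one
                detail = hit.groupdict().get("kw") or hit.groupdict().get("port") or ""
                findings.append({"pid": int(m.group("pid")), "key": key, "detail": detail, "hint": hint})
                break
    return findings

def summarize(findings):
    """Count findings per diagnosis so the dominant problem stands out."""
    return Counter(f["key"] for f in findings)

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for key, n in summarize(found).items():
        print(f"{n}x {key}: {next(f['hint'] for f in found if f['key'] == key)}")
```

    Feed it the siproxd lines from the system log (or from a foreground `siproxd -d 1` run) to see which of the known failure signatures dominate before changing settings.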



  • @torontob:

    Hi Guys,

    I am using multiple Asterisk servers to connect to multiple providers on the internet. I also have endpoints from outside connecting to these Asterisk servers.

    Endpoints connecting from outside to one of the Asterisk servers I have work just fine as I have NAT forward port 5060 and RTP ports to one Asterisk server.

    As you have pointed out, you are using the firewall and NAT. The problem with NAT is that an inbound port can be assigned to an internal address, but not multiple addresses. There are a couple of ways you can work around this issue with multiple Asterisk systems. One, you could assign each box to listen to a specific port such as one being on 5060, another on 5068, and another on 5046. Notice the span between port numbers? That is because in some cases sequential ports are used by one machine and you don't want them overlapping one another.

    Another solution and generally the best solution is to put a pfSense firewall in bridged mode in front of your Asterisk servers and then all ports and functions can remain the same on all boxes. I prefer running the firewall in bridged mode as it gives me the most flexibility and standard network device installations. You will no longer have complications with ports and your rules can be very well defined for access.

    For Asterisk VOIP systems it is extremely important to protect your ports from malicious intent. When you setup your rules make sure they only allow your endpoints access. I can't tell you how many times our clients have been compromised and systems rebuilt because the client insisted on public access. You should also make sure you have a very complicated / complex registration password for each account.

    Bottom line, the pfSense in bridged mode will eliminate the complications NAT presents in a VOIP environment and make it much more flexible to manage access to multiple servers.



  • Hello
    I have a question like all set and outgoing calls go and do not pass inside.
    and sorry for my bad english.



  • And what will happen if I have CARP, so my WAN has a private ip address?
    I will have to use host_outbound = mypublicip in the configuration file, but how to edit the file and avoid the pfsense gui overwriting it?

