    Netgate Discussion Forum

    Inbound SIP Traffic

    NAT
      Visseroth last edited by

      I have a router in place that has a network dedicated to the phones.

      Let's say, 192.168.2.1

      I have noticed lately that the SIP provider's IP has been sending traffic to our network, source port 5060 but the destination port is random.

      All the phones connect to a service provider. There is no SIP server on site.

      My question is how do I handle that incoming SIP traffic. The phones seem to work but I believe some of the traffic is being dropped when it should not be. The firewall shows the traffic being stopped in the logs. Source IP, source port 5060 to destination IP (DSL) destination port is random.

      I have a NAT for SIP traffic as shown in https://doc.pfsense.org/index.php/VoIP_Configuration

      But that's for outgoing traffic, what about the incoming?

        KOM last edited by

        The VoIP phones initiate a state to the server end and keep it alive. That's how the incoming calls can get through the firewall. Are you sure you're not just seeing out-of-state traffic being blocked?

          Visseroth last edited by

          It is possible but the source address is the provider's address.

            Derelict LAYER 8 Netgate last edited by

            Of course it is. That's where the packets are coming from.

              Visseroth last edited by

              Exactly, and if there are packets coming from the provider there's likely a reason for it, question is why are they being dropped?

                chpalmer last edited by

                My provider has been doing this as well lately. Traffic should be showing up as the LAN address 172.16.15.25 but this traffic shows up with the WAN address actually from the same server we register on and one other that we don't use that they own.

                It doesn't affect my use of the phones and if I wasn't seeing it in the logs we would never even know it happens.

                  Visseroth last edited by

                  I'll keep an eye on it, I just thought it weird and made me think that some traffic that should be getting through wasn't.

                    KOM last edited by

                    > question is why are they being dropped?

                    Could be due to an active state timing out and the connection being torn down on the pfSense end? Unless you're actually having problems, I wouldn't worry about it. If you are having an issue, explain and maybe we can track it down. A lot of issues with VoIP phones can be due to a lack of traffic shaping that prioritizes your SIP traffic on a busy network, or latency issues with your VoIP provider.

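The state behaviour described in KOM's two replies above, as an added example that is not part of the thread and is not pfSense code: a toy model of stateful UDP NAT showing why packets from the provider's port 5060 to a "random" WAN port pass while the phone's state is alive and are blocked once it has timed out. All addresses, ports and timeouts are constructed, and the single idle timeout is a simplifying assumption.

```python
# Added illustration: minimal model of stateful UDP filtering behind NAT.
# Every address, port and timeout here is constructed for the example.
from dataclasses import dataclass, field

PROVIDER = ("198.51.100.10", 5060)   # constructed SIP provider endpoint

@dataclass
class StatefulNat:
    udp_timeout: int                              # idle seconds before a state expires
    states: dict = field(default_factory=dict)    # (wan_port, remote) -> [lan_host, last_seen]

    def outbound(self, now, lan_host, wan_port, remote):
        """Phone -> provider: create the state or refresh its timer."""
        self.states[(wan_port, remote)] = [lan_host, now]

    def inbound(self, now, remote, wan_port):
        """Provider -> WAN: pass only if a live state matches, else block."""
        key = (wan_port, remote)
        entry = self.states.get(key)
        if entry is None:
            return "block (no state)"
        lan_host, last_seen = entry
        if now - last_seen > self.udp_timeout:
            del self.states[key]                  # state expired and is torn down
            return "block (state expired)"
        entry[1] = now                            # return traffic refreshes the state
        return f"pass -> {lan_host}"

def simulate(keepalive_every, udp_timeout, inbound_at, wan_port=41873):
    """Phone sends a keepalive every `keepalive_every` seconds from the NAT'd
    port `wan_port`; the provider sends packets at the times in `inbound_at`."""
    fw = StatefulNat(udp_timeout)
    events = [(t, "out") for t in range(0, max(inbound_at) + 1, keepalive_every)]
    events += [(t, "in") for t in inbound_at]
    results = []
    # At equal timestamps, process the outbound packet first.
    for t, kind in sorted(events, key=lambda e: (e[0], e[1] == "in")):
        if kind == "out":
            fw.outbound(t, "192.168.2.10", wan_port, PROVIDER)
        else:
            results.append((t, fw.inbound(t, PROVIDER, wan_port)))
    return results

if __name__ == "__main__":
    print(simulate(30, 60, [45, 100]))         # keepalive shorter than timeout
    print(simulate(120, 60, [45, 115, 130]))   # keepalive longer than timeout
```

With the keepalive interval longer than the state timeout, only the packet that arrives in the gap is blocked, which matches the symptom in the thread: log entries for the provider's address while calls still work.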
                      Visseroth last edited by

                      I think you're right. I've been watching the logs and everything looks good now. I think there was an alert that triggered the blocking of the SIP provider which also caused further traffic to be dropped. I'm not sure which rule caused the block at this time but I am keeping an eye on it. I tried whitelisting an alias which contains a list of IPs that we frequent but Snort throws a fit with the alias whitelisted.

                      Anyhow, it seems to be working atm, but I am watching it. Thanks for replying.
