Inbound SIP Traffic
-
I have a router in place that has a network dedicated to the phones
Let's say, 192.168.2.1
I have noticed lately that the SIP provider's IP has been sending traffic to our network, source port 5060 but the destination port is random.
All the phones connect to a service provider. There is no SIP server on site.
My question is how do I handle that incoming SIP traffic. The phones seem to work but I believe some of the traffic is being dropped when it should not be. The firewall shows the traffic being stopped in the logs. Source IP, source port 5060 to destination IP (DSL) destination port is random.
I have a NAT for SIP traffic as shown in https://doc.pfsense.org/index.php/VoIP_Configuration
But that's for outgoing traffic, what about the incoming?
-
The VoIP phones initiate a state to the server end and keep it alive. That's how the incoming calls can get through the firewall. Are you sure you're not just seeing out of state traffic being blocked?
-
It is possible but the source address is the provider's address.
-
Of course it is. That's where the packets are coming from.
-
Exactly, and if there are packets coming from the provider there's likely a reason for it, question is why are they being dropped?
-
My provider has been doing this as well lately. Traffic should be showing up as the LAN address 172.16.15.25 but this traffic shows up with the WAN address actually from the same server we register on and one other that we don't use that they own.
It doesn't affect my use of the phones and if I wasn't seeing it in the logs we would never even know it happens.
-
I'll keep an eye on it, I just thought it weird and made me think that some traffic that should be getting through wasn't.
-
question is why are they being dropped?
Could be due to an active state timing out and the connection being torn down on the pfSense end? Unless you're actually having problems, I wouldn't worry about it. If you are having an issue, explain and maybe we can track it down. A lot of issues with VoIP phones can be due to a lack of traffic shaping that prioritizes your SIP traffic on a busy network, or latency issues with your VoIP provider.
-
I think you're right. I've been watching the logs and everything looks good now. I think there was an alert that triggered the blocking of the SIP provider which also caused further traffic to be dropped. I'm not sure which rule caused the blocked at this time but I am keeping an eye on it. I tried whitelisting an alias which contains a list of IPs that we frequent but snort throws a fit with the alias whitelisted.
Anyhow, it seems to be working atm, but I am watching it. Thanks for replying.
