Netgate Discussion Forum

Strange problem with VoIP adapter

15 Posts 4 Posters 18.7k Views
    Erik
    last edited by Nov 13, 2005, 4:49 PM

    Hmm, I don't think I should be opening the port 55813 on the firewall. I tried rebooting the adapter, and then I get NATMapped Port: 53050. One more time, and I get 51048. If I understand correctly, outgoing connections are assigned a random port number, e.g. my connection to this site in the state table:

    Type  Proto  Source->Router->Destination        State
    self  tcp    216.135.66.8:80<-192.168.0.7:1407  ESTABLISHED:ESTABLISHED

    The port 1407 changes for every new connection I make to this site. Likewise, it seems the NAT mapped port is randomly assigned. My guess is that pfsense is assigning the port and somehow my adapter is picking it up. These are the relevant entries in my state table:

    Type  Proto  Source->Router->Destination                                 State
    self  udp    192.168.0.1:53<-192.168.0.9:26789                           MULTIPLE:MULTIPLE
    self  udp    212.130.74.56:5060<-192.168.0.9:5060                        NO_TRAFFIC:SINGLE
    self  udp    212.130.74.60:3478<-192.168.0.9:5060                        MULTIPLE:MULTIPLE
    self  udp    212.130.74.61:3479<-192.168.0.9:5060                        MULTIPLE:MULTIPLE
    self  udp    192.168.0.9:5060->85.233.238.xxx:52852->212.130.74.56:5060  SINGLE:NO_TRAFFIC
    self  udp    192.168.0.9:5060->85.233.238.xxx:51028->212.130.74.60:3478  MULTIPLE:MULTIPLE
    self  udp    192.168.0.9:5060->85.233.238.xxx:53530->212.130.74.61:3479  MULTIPLE:MULTIPLE

    I'm really on shaky ground here, but the first one is easy; it's a DNS lookup. Then we have three connections to Telefin servers, plus three connections more, using seemingly random ports on the firewall WAN port. If I open e.g. port 51028, I will get an incoming connection from Telefin (but still no association), but otherwise I have no incoming connections.

    Erik

      Erik
      last edited by Nov 13, 2005, 5:36 PM

      Sorry to reply to myself, but Wikipedia can be your friend sometimes…

      My adapter apparently calls a STUN server to establish a connection between clients behind NAT. Quoting Wikipedia, "It will not work with symmetric NAT" and quoting the adapter status page, "detected NAT type is symmetric NAT".

      I have now tried disabling STUN on the adapter and using NAT to forward the WAN ports 5060, 5061 and 5004 to my adapter:

      If   Proto    Ext. port range  NAT IP       Int. port range
      WAN  UDP      5060 - 5061      192.168.0.9  5060 - 5061
      WAN  TCP/UDP  5004             192.168.0.9  5004

      My state table now reads:
      self  udp  192.168.0.1:53<-192.168.0.9:26789                           MULTIPLE:MULTIPLE
      self  udp  212.130.74.56:5060<-192.168.0.9:5060                        NO_TRAFFIC:SINGLE
      self  udp  192.168.0.9:5060->85.233.238.191:52855->212.130.74.56:5060  SINGLE:NO_TRAFFIC
      self  udp  85.233.238.191:5060<-212.130.74.56:5060                     NO_TRAFFIC:SINGLE

      Still no luck, though. Why is the last state not going through to 192.168.0.9 when I have the above NAT rules?

      Erik
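
The mapping behaviour that the adapter's STUN check reported can be read directly from the state tables in the posts above. The following Python sketch is an added example, not part of the original thread: `parse_nat_states` and `classify` are hypothetical helper names, the first sample is copied from the first post, and the second sample is constructed to show a preserved source port.

```python
import re
from collections import defaultdict

# UDP states copied from the first post (one reverse "<-" entry kept to show it is skipped).
DEFAULT_NAT = """\
self udp 212.130.74.60:3478<-192.168.0.9:5060 MULTIPLE:MULTIPLE
self udp 192.168.0.9:5060->85.233.238.xxx:52852->212.130.74.56:5060 SINGLE:NO_TRAFFIC
self udp 192.168.0.9:5060->85.233.238.xxx:51028->212.130.74.60:3478 MULTIPLE:MULTIPLE
self udp 192.168.0.9:5060->85.233.238.xxx:53530->212.130.74.61:3479 MULTIPLE:MULTIPLE
"""
# Constructed sample (not from the thread): same flows with the source port left unchanged.
STATIC_PORT = """\
self udp 192.168.0.9:5060->85.233.238.xxx:5060->212.130.74.56:5060 SINGLE:NO_TRAFFIC
self udp 192.168.0.9:5060->85.233.238.xxx:5060->212.130.74.60:3478 MULTIPLE:MULTIPLE
"""

# Matches: internal ip:port -> translated ip:port -> destination ip:port
NAT_STATE = re.compile(
    r"^\s*\S+\s+\w+\s+(?P<internal>[\d.]+:\d+)"
    r"->[\w.]+:(?P<ext_port>\d+)->(?P<dst>[\d.]+:\d+)\s+\S+\s*$")

def parse_nat_states(text):
    """Return (internal endpoint, external port, destination) per translated state."""
    found = []
    for line in text.splitlines():
        m = NAT_STATE.match(line)
        if m:  # untranslated or reverse entries do not match and are ignored
            found.append((m["internal"], int(m["ext_port"]), m["dst"]))
    return found

def classify(text):
    """Describe how each internal endpoint's source port is mapped on the WAN side."""
    ext_ports, dsts = defaultdict(set), defaultdict(set)
    for internal, ext_port, dst in parse_nat_states(text):
        ext_ports[internal].add(ext_port)
        dsts[internal].add(dst)
    verdict = {}
    for internal, ports in ext_ports.items():
        int_port = int(internal.rsplit(":", 1)[1])
        if ports == {int_port}:
            verdict[internal] = "port preserved"
        elif len(ports) > 1:
            # A different external port per destination is what STUN calls symmetric.
            verdict[internal] = "per-destination port (symmetric)"
        elif len(dsts[internal]) > 1:
            verdict[internal] = "one port for all destinations (cone-like)"
        else:
            verdict[internal] = "single flow, undetermined"
    return verdict
```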

        hoba
        last edited by Nov 13, 2005, 5:59 PM

        Maybe the sip-proxy (siproxd) package is worth a try.  Give it a shot.

          Erik
          last edited by Nov 13, 2005, 7:00 PM Nov 13, 2005, 6:06 PM

          Damn, there is no package support for embedded platforms. I'm on a WRAP board :-/

          I tried loading my working m0n0wall config file into pfsense, and the VoIP adapter still reports "symmetric NAT" as the NAT type, whereas it was "(port?) restricted cone" in m0n0wall. Is there any way to change the NAT type in pfsense?

          Erik

            keefe007
            last edited by Jan 3, 2006, 2:30 AM

            Did you get this working ever?

              Erik
              last edited by Jan 3, 2006, 3:52 AM Jan 3, 2006, 3:10 AM

              No, unfortunately I had to switch back to m0n0wall since I lacked the time to investigate further. But I've acquired another CF card so testing is easier now, if anyone has suggestions.

              Update: apparently Phil Regnauld from BSD-DK has it working with a Grandstream adapter by adding

              set timeout { udp.first 60, udp.single 60, udp.multiple 60 }
              nat on $ext_if from $int_net to any -> $ext_ip static-port

              to /etc/pf.conf - the important part being the keyword "static-port". I'll try it when I have some spare time in the weekend.

                sullrich
                last edited by Jan 3, 2006, 4:38 AM

                Beta 2 will include a static-port option in advanced outbound-nat.

                  Erik
                  last edited by Jan 3, 2006, 4:57 AM

                  Cool! Thanks for the notice, I'll let you know how it works out when beta2 is out.

                    keefe007
                    last edited by Jan 3, 2006, 8:12 PM

                    I was able to get my asterisk SIP server working behind the pfsense firewall by using 1:1 NAT for that box.

                    It looks like regular NAT is symmetric while 1:1 uses cone NAT, which is what SIP needs.

                      sullrich
                      last edited by Feb 2, 2006, 6:33 AM

                      Newer testing versions are available at: http://www.pfsense.com/~sullrich/?M=D

                      Look for "TESTING" dirs.

                        keefe007
                        last edited by Feb 3, 2006, 12:40 AM

                        @sullrich:

                        Newer testing versions are available at: http://www.pfsense.com/~sullrich/?M=D

                        Look for "TESTING" dirs.

                        What does this version have to make SIP work better?

                        Will it support multiple SIP devices connecting through the router?  Such as multiple ATAs with multiple VoIP lines.

                          hoba
                          last edited by Feb 3, 2006, 12:47 AM

                          It includes the static port option.

                            Erik
                            last edited by Apr 6, 2006, 4:16 PM

                            So, I finally managed to get time to look at the problem. I installed BETA2 (leaps and bounds better than BETA1 in almost every area, thanks everybody!), and I'm glad to say that the static-port did the trick. Quick summary:

                            Enabled advanced outbound NAT, changed the default outbound rule to enable static-port. Reboot adapter. That's it!

                            I'm not sure if I still need the following rules on the NAT: port forward page:

                            WAN  UDP      5060 - 5061  192.168.0.9  5060 - 5061
                            WAN  TCP/UDP  5004         192.168.0.9  5004

                            Will have to test that.

                            Thanks to everybody who replied, and everyone who has worked so hard to make pfsense better!

                            Erik
