Overview on configuring pfSense Firewall/NAT for VOIP SIP phones?


  • Could someone point me to any definitive resources for getting multiple SPA504G SIP phones successfully working behind pfSense? The forums here have answers pointing in many different directions.

    SIP Ports: 5060-5080
    RTP Ports: 10000-20000


  • Hello,

    SIP phones can be realized as a hardware phone on the desk, as an adapter under the desk, or as a piece of
    software inside a PC, an Apple Mac or a Linux computer, and for sure also on BSD-based PCs. All three solutions
    use the same Session Initiation Protocol (SIP).

    There are also three common, well-known and practicable ways to use them together with pfSense, which is
    a software firewall:

    • Placing a STUN server on the Internet (at a hoster) or on your ISP's side or network
    • Placing a PBX appliance in the DMZ of the pfSense firewall, like Askozia, Asterisk, MobyDick, etc.
    • Using a SIP ALG, which is normally built into any kind of router or firewall that comes with VoIP support.

    Because pfSense is a software firewall, in that case you will be able to go with one solution in two
    ways, but that is in my eyes a benefit: we get some solutions on top of what other vendors are offering.
    So be patient to also choose between Asterisk as a small PBX hardware appliance based on a PC Engines
    Alix or APU board and as an installable package for pfSense itself directly. Here are some links about this.
    Asterisk VoIP as an internal PBX package
    Siproxd, an internal SIP proxy package

    PBX VoIP NAT HowTo
    pfSense Docs: can be used to connect to a STUN server on the outside
    VoIP configuration
    This is the internal part, to connect the internal SIP phones correctly
    3CX phones and a STUN server - HowTo
    If you are planning to use 3CX phones and a STUN server.

    If I should suggest something that I would go with, and related to narrowing down the security risks,
    I personally would install a hardware-based VoIP PBX appliance in a DMZ created in pfSense.
    Something that is reachable from the Internet should be placed inside a DMZ, so the entire LAN would be
    safer against opened ports on the WAN interface through NAT and pf with connections to LAN devices.
    AstLinux VOIP appliance or
    Asterisk VOIP PBX
    PC Engines APU
    PC Engines APU2 (not fully ready yet)
    PC Engines Alix w/ pre-installed Asterisk bundle (pretty old but nice PBX appliance)

    So you see it tends more toward which way you would go and not what kind of phones
    you are using. OK, the SIP phones should be compatible with the PBX appliance and work flawlessly with it too.

    Also current and perhaps interesting for you: [SOLVED] VoIP phone not registering with outside PBX

  • Hi!

    The ports you need to open (PS: via firewall rules on the LAN side) depend on your SIP provider; normally the service/help desk will provide you with the port numbers (and maybe even the IPs) to be allowed (protocol: UDP should work) in the respective LAN firewall rule set.

    I have one rule for a port in the 5060-something area and one for the RTP port range used by my provider (both limited to the IP ranges used by the provider). Works fine with a stand-alone SIP phone…


  • I don't port forward at all on any of my lines.  You shouldn't have to.  Simply make firewall rules that allow your carrier to your phones or ATAs.  Both SIP and RTP. Depending on the carrier they might use a different server for RTP than they do for SIP, so you would have to take that into account.

    If set up properly the phone/ata sends its NAT address as part of the SIP registration enabling your provider to find it.


  • Thank you for all the replies so far. For the sake of simplicity, let's make some assumptions about the configuration so that we can get a bit more specificity:

    1. In-house Asterisk server at the data center that has its own public IP. Standard PBX ports bound (5004-5082, 10000-20000)
    2. Three Cisco SPA508G phones in a satellite office with pfSense as the firewall/NAT. Each phone registers multiple extensions, with each extension using a different port in the range 5060-5080.
    3. No STUN Server.
    4. Default settings on pfSense.

    So, I see mention here (https://doc.pfsense.org/index.php/VoIP_Configuration) that pfSense uses the automatic rule configuration that should be compatible with multiple phones because of source port rewriting. Are these the only changes that are needed for the phones to register and audio to work?

    1. Port forward relevant 5060-5080 ports to the internal IPs for each phone.
    2. Can't port forward 10000-20000 because all the phones use the same range.

  • @cnvgrp:

    1. Port forward relevant 5060-5080 ports to the internal IPs for each phone.
    2. Can't port forward 10000-20000 because all the phones use the same range.

    You don't need to.  I generally use a different LAN subnet for my phones, then make a WAN rule allowing my carrier's servers as source and my phones' subnet as the destination.

    Again- No port forwarding needed!
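
The rule shape described in this reply, written out in pf syntax as an added example (not the poster's own config and not generated by pfSense, which builds its rules from Firewall > Rules). The interface name, phone subnet and carrier addresses are constructed placeholders; the port ranges are the ones named in this thread.

```pf
# Added example: WAN rules for SIP phones on their own subnet, with no port forwards.
# Interface name, subnet and carrier addresses are constructed placeholders.
wan_if     = "em0"
phones_net = "192.168.20.0/24"

# Carrier signalling and media hosts kept in separate tables, because a carrier
# may send RTP from different servers than it uses for SIP.
table <carrier_sip> { 203.0.113.10, 203.0.113.11 }
table <carrier_rtp> { 203.0.113.20/30 }

# Outbound NAT stays at pfSense's automatic default; deliberately no rdr lines
# (port forwards) for the phones.

# Default deny on WAN; the explicit passes below use "quick" so they win.
block in on $wan_if all

# SIP signalling: carrier -> phones subnet, UDP 5060-5080
pass in quick on $wan_if inet proto udp from <carrier_sip> to $phones_net port 5060:5080 keep state

# RTP media: carrier -> phones subnet, UDP 10000-20000
pass in quick on $wan_if inet proto udp from <carrier_rtp> to $phones_net port 10000:20000 keep state

# pf matches existing states before evaluating rules, so replies to sessions the
# phones opened (registration, calls) pass regardless; these rules only cover
# packets from the carrier tables that arrive without a matching state.
```

Restricting the source to the carrier's addresses is what keeps this from becoming an open SIP/RTP port range on the WAN.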


  • then make a WAN rule allowing my carriers servers as source and my phones subnet as the destination.

    You shouldn't even need to do that.  When your phones come to life, they reach out to their SIP server and those states are kept alive and used for incoming signaling & audio.  I'm using Polycom SoundPoint IP 335s and I have no special rules on WAN.  In fact, the only rules I have in regard to the phones are floating rules for traffic shaping.  Everything works perfectly.


  • @KOM:

    then make a WAN rule allowing my carriers servers as source and my phones subnet as the destination.

    You shouldn't even need to do that.  When your phones come to life, they reach out to their SIP server and those states are kept alive and used for incoming signaling & audio.  I'm using Polycom SoundPoint IP 335s and I have no special rules on WAN.  In fact, the only rules I have in regard to the phones are floating rules for traffic shaping.  Everything works perfectly.

    Yep- best thing to do is try.  In my case my SIP and RTP come from different servers, and the rules just make the SIP registration more stable. And thus RTP rules are required. YMMV.

    I use SIProxd here, so WAN rules point at the WAN address.  My accountant's office does not use SIProxd; WAN rules point at the phone subnet.  Same VoIP service and same number of phone devices.  I started with SIProxd years ago, so I just stuck with it.


  • +2 on leaving everything at default.

    I run more than one Asterisk box behind pfSense and normally let the SIP protocol deal with the behind-NAT issues.
    Haven't needed siproxd yet.
    Things have definitely progressed from the "bad ol'" days of needing to open ports willy-nilly and still having flaky connections.

    More important to see what your VoIP provider is expecting/can handle.