I have had VoIP traffic w/a commercial VoIP provider going through a PF
box for a short time. For the most part it seems to work, though some of
the SIP provided features (pre-call info, like caller id) don't work 100%
of the time and I haven't spent the time yet to fix them. Partially this
is due to issues I have read about the VoIP gateway which make me think
the problems have nothing at all to do with the packet filtering.

During the course of my troubleshooting the SIP problems, I added the
nat rule you have for a static port. I experienced similar problems to
what you are describing.

So I went back to just allowing the inbound and outbound UDP from/to
the VoIP provider and some basic settings for the SIP server to be able
to communicate.

A word of caution, this allows a bit more traffic through than you might
desire. You should fine tune this as much as possible to the settings
you observe w/tcpdump with a working VoIP call and your VoIP provider. A
word of advice, test both incoming and outgoing calls as well as all
calling features you expect to get before you decide your rule set is
sufficient.

Hopefully this will help you a bit (this is just the voip part,
presuming you already are keeping state on outbound TCP. You might want
to queue the TCP sessions from your IP phone into voip as well for
better performance):


voip_gw = "{ 192.168.45.33 }"
voip_nets = "{ Provider Netblocks here }"

altq on $ext_if cbq bandwidth 10Mb queue { normal, voip }

queue normal bandwidth 9800Kb priority 1 cbq(borrow,default)
queue voip bandwidth 200Kb priority 7 cbq(borrow)

# this is a recommended setting for SIP 
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }

# Allow external SIP control traffic
pass in quick on $ext_if proto udp from $voip_nets to any port 5060 keep state

# Allow udp from VoIP provider
pass out on $ext_if inet proto udp from $voip_gw to any queue voip
pass in on $int_if inet proto udp from $voip_gw to any queue voip



-- 
Aaron <[EMAIL PROTECTED]>
--- Begin Message ---
Hi all.

First, greetings from Venezuela.

I have an ATA VoIP (Analogue Telephone Adaptor) model HandyTone 486. I'll
try to connect it behind my server on OpenBSD 3.7 running PF and NAT.
Well, I think that you know what the problem is.

I use SIP, so the ATA behind NAT doesn't work. I've put in a few rules that I
found on a website; the rules are:

ipphone1="192.168.1.36"
nat on $ext_if proto udp from $ipphone1 to any -> ($ext_if) static-port

# pass VoIP traffic
pass in quick on $ext_if proto {udp,tcp} from any to any port {3478,10000} keep state
pass out quick on $ext_if proto {udp,tcp} from any to any port {3478,10000} keep state
pass in quick on $ext_if proto udp from any to any port 5060 keep state
pass out quick on $ext_if proto udp from $ext_if to any port 16384:32768 \
  keep state
pass in quick on $ext_if proto udp from any to any port 8000:8012 keep state
pass out quick on $ext_if proto udp from any to any port 8000:8012 keep state


So, with these rules, the ATA receives calls, and I speak and my counterpart
hears me, but I can't hear him.

Any idea? Can anybody talk on VoIP behind NAT?

Thanks to all.

Regards.

--
Juan J D'Alessandro M
General Coordinator
Grupo BSD Venezuela
Valencia - Venezuela


--- End Message ---
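
The reply's advice to narrow the rules to what tcpdump shows during a working call can be mechanized. The Python below is an added example, not part of either message: it reads `tcpdump -n` UDP lines captured on the external interface and prints candidate per-host, per-port-range pf rules. The function names, the sample capture and its documentation addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# `tcpdump -n` UDP line, with or without the "IP" token: "<time> [IP] src.port > dst.port: ..."
LINE = re.compile(r"^\S+ (?:IP )?([\d.]+)\.\d+ > ([\d.]+)\.(\d+):")

def dst_ports(lines, local_ip):
    """Return {(direction, remote_ip): set of destination ports} seen in the capture."""
    seen = defaultdict(set)
    for m in filter(None, map(LINE.match, lines)):  # skip lines that do not parse
        src, dst, dport = m.groups()
        if local_ip in (src, dst):
            key = ("out", dst) if src == local_ip else ("in", src)
            seen[key].add(int(dport))
    return seen

def collapse(ports, gap=2):
    """Merge ports into (low, high) ranges; ports at most `gap` apart join (RTP/RTCP pairs)."""
    ranges = []
    for p in sorted(ports):
        if ranges and p - ranges[-1][1] <= gap:
            ranges[-1][1] = p
        else:
            ranges.append([p, p])
    return [tuple(r) for r in ranges]

def candidate_rules(lines, local_ip):
    """One candidate pf rule per (direction, remote host, destination port range)."""
    rules = []
    for (direction, remote), ports in sorted(dst_ports(lines, local_ip).items()):
        src, dst = (remote, local_ip) if direction == "in" else (local_ip, remote)
        for low, high in collapse(ports):
            port = str(low) if low == high else f"{low}:{high}"
            rules.append(f"pass {direction} quick on $ext_if proto udp "
                         f"from {src} to {dst} port {port} keep state")
    return rules

# Constructed capture using documentation addresses; 203.0.113.5 stands in for $ext_if's address.
SAMPLE = """\
12:00:01.000001 IP 198.51.100.10.5060 > 203.0.113.5.5060: UDP, length 812
12:00:01.050000 IP 203.0.113.5.5060 > 198.51.100.10.5060: UDP, length 540
12:00:02.000000 IP 198.51.100.20.16390 > 203.0.113.5.8000: UDP, length 172
12:00:02.020000 IP 203.0.113.5.8000 > 198.51.100.20.16390: UDP, length 172
12:00:02.500000 IP 198.51.100.20.16391 > 203.0.113.5.8001: UDP, length 64
""".splitlines()

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE, "203.0.113.5")))
```

Replies to stateful flows also appear in a capture, so treat the output as an upper bound and drop any rule whose traffic is already admitted by `keep state` on the opposite direction.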
