Patrick,
In my system the Phones and Asterisk are on the LAN. My WAN ip is my
public IP and I use NAT to forward the SIP ports to the internal LAN IP
of my Asterisk server. The NAT forwarding is only necessary if you use
an ITSP or want to have phones access your phone system from outside the
firewall.
WAN  TCP/UDP  5004 - 5080    10.7.0.7  5004 - 5080    SIP Signal
WAN  UDP      10001 - 20000  10.7.0.7  10001 - 20000  RTP
The ports that need to be open may vary depending on how your system is
configured. The ports shown above are fairly broad and should work on
most systems. It is a good idea to find exactly what you need and open
only the specific ports you need.
If your remote users use a softphone and first connect to the VPN
and you are not using an ITSP then you will not need to forward any ports.
10.7.0.7 is the IP of my Asterisk server on the LAN.
My LAN is 10.7.0.0 / 255.255.255.0.
If you are using an ITSP it may help to tell Asterisk what its
Public IP is and what the LAN network is.
You can do that by editing the [general] section of the sip.conf file in
the /etc/asterisk
<http://10.7.0.7/maint/modules/09_configedit/phpconfig.php?dir=/etc/asterisk>
directory.
[general]
externhost=domain.name.goes.here ; Use this if you have a dynamic address.
                                 ; If you have a static ip use externip
                                 ; instead of externhost
externrefresh=10                 ; How often to refresh externhost if used
localnet=10.7.0.0/255.255.255.0
I have modified my PFSense firewall's DHCP server to give out the TFTP
server option. I believe this is a feature that will come out in PFSense
1.3. I use Trixbox CE edition which has a built-in TFTP server.
Best Regards,
Mark
Patrick wrote:
Hi Mark,
Thanks for the response. If I wanted to put our Asterisk server behind
the firewall (it has a public IP which would need to be retained), what
all would it entail?
Thanks again.
Patrick
On Fri, 2008-01-11 at 15:36 -0700, Mark Crane wrote:
Siproxyd is a proxy for SIP and has little to do with TFTP. The issue you
mentioned sounds like it is really an issue of getting TFTP to work.
You could really do one of two things: put a TFTP inside the network with your phone or attempt to use NAT and rules to forward the TFTP traffic. I have not tried TFTP through NAT yet since my Asterisk server, TFTP server and phones are all on the LAN side of the network.
Hope this helps.
Mark Crane
user: mcrane on the forum
Patrick wrote:
I've been able to get the Cisco phone working behind the firewall now.
I'm able to make and receive phone calls.
There is one item which isn't working. Our PBX is outside of the
pfsense firewall. These Cisco phones use TFTP to pull the config files.
For some reason, I can't get the phones to connect to our PBX via TFTP.
They connect fine if I manually configure each phone one by one, but I
would prefer to use TFTP to update the configs.
I googled around and noticed that people were using siproxyd. Should I
install that via pfSense? Or is there something else I can do that will
allow tftp to work?
Thanks again.
Patrick
On Wed, 2008-01-02 at 21:06 -0500, Scott Ullrich wrote:
On 1/2/08, patrickm <[EMAIL PROTECTED]> wrote:
Hi all,
I'm in charge of replacing our Cisco PIX firewall with one that will allow
us to use VPN, and a bunch of my other sysadmin friends have suggested
using pfsense. Everything was super easy to set up initially, and now I
want to get our Cisco 7971 SIP VoIP phones working behind NAT.
I was wondering if anyone had to do something similar, or if anyone has a
link or links to some helpful resources that will push me in the right
direction.
Thanks in advance!
Visit Firewall, Nat, Outbound. Enable Advanced outbound NAT.
Edit auto-created LAN rule, check static-port. Save.
It should work okay now.
Scott
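
Added example, not part of the original thread: a small Python check for the advice in Mark's reply to forward only the ports Asterisk needs and to set externhost/externip and localnet in sip.conf. The config text is constructed; the bindport, rtpstart and rtpend values and the function names are assumptions, while the addresses and forwarded ranges are the ones from the message.

```python
import ipaddress

# Constructed sample files, using the addresses from Mark's message.
# bindport, rtpstart and rtpend are assumed values, not taken from the thread.
SIP_CONF = """[general]
bindport=5060                     ; SIP signalling port
externhost=domain.name.goes.here  ; public name (dynamic address)
externrefresh=10
localnet=10.7.0.0/255.255.255.0
"""
RTP_CONF = """[general]
rtpstart=10001
rtpend=20000
"""
# Forwards as listed in the message: (protocol, first port, last port).
FORWARDS = [("tcp/udp", 5004, 5080), ("udp", 10001, 20000)]


def general(text):
    """Return the key/value pairs of the [general] section of an Asterisk config."""
    section, out = None, {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip ';' comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "general" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def audit(sip_text, rtp_text, forwards, server_ip):
    """Compare forwarded ranges with what the configs use; check the NAT hints."""
    sip, rtp = general(sip_text), general(rtp_text)
    sip_port = int(sip.get("bindport", 5060))
    needed = [("udp", sip_port, sip_port),
              ("udp", int(rtp["rtpstart"]), int(rtp["rtpend"]))]
    used = set()
    for _, lo, hi in needed:
        used.update(range(lo, hi + 1))
    # Ports each forward exposes that Asterisk is not configured to use.
    excess = [len(set(range(lo, hi + 1)) - used) for _, lo, hi in forwards]
    has_public = "externip" in sip or "externhost" in sip
    localnet = sip.get("localnet")
    in_lan = bool(localnet) and ipaddress.ip_address(server_ip) in \
        ipaddress.ip_network(localnet, strict=False)
    return {"needed": needed, "excess": excess, "nat_ok": has_public and in_lan}


if __name__ == "__main__":
    print(audit(SIP_CONF, RTP_CONF, FORWARDS, "10.7.0.7"))
```

With these sample values the 5004 - 5080 forward exposes 76 ports that the configuration does not use, while the RTP forward matches rtp.conf exactly.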