...or you set up a small PBX (Asterisk, Askozia, ...) to have only one SIP 
connection transiting your NAT.
Another possibility is to enable NAT awareness on SIP but that's not always 
possible (either the device cannot or your SIP provider doesn't allow it).

And to also respond to Adam:
you are partially right.
Don't forget that IPsec is using not only destination 500 but also source 500.
In any case, several IPsec transiting NAT will use different source ports...
5 solutions:
- NAT-Traversal (UDP-4500)
- IPsec over TCP (TCP-10000 like Cisco does)
- OpenVPN
- SSL-VPN
- IPv6 (and no NAT at all!)

Daniele


Sam Newnam wrote:
We use multiple phones behind pf and we just increment the SIP port on
each.

Phone1 5060
Phone2 5061
Phone3 5062

Rule to allow all traffic from your provider IP to your LAN subnet

That functionality is provider specific, but it works in most cases.

Sam Newnam
Lead Solutions Engineer
Apparent Source, LLC
www.apparentsource.com
336-790-8780

-----Original Message-----
From: Lee J. Imber [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 13, 2008 3:48 PM
To: discussion@pfsense.com
Subject: [pfSense-discussion] SIP Phones and SIPROXD

Hi All,

I am stuck and hoping someone here can help.

Here is the situation.

I have 10 SIP phones, Polycom IP320's, on an internal 10.0.0.x net. These
phones then get DHCP from the pfSense 1.2-RELEASE box. Then out a
cable modem to the phone provider.

The Problem.

I can only get one phone to work. The first phone that boots works,
then the remaining phones don't. When I say they don't work, they boot
fine, get IP information but I get no dial tone and I cannot make
inbound or outbound calls. The phone that boots first works perfectly.

I have tried all the various NAT tweaks I can think of, like enabling
static port and AON; nothing works, same issue.

I read:

"SIP Limitation - By default, all TCP and UDP traffic other than SIP
and IPsec gets the source port rewritten. More information on this can
be found in the static port documentation. Because this source port
rewriting is how pf tracks which internal IP made the connection to
the given external server, and most all SIP traffic uses the same
source port, only one SIP device can connect simultaneously to a
single server on the Internet. Unless your SIP devices can operate
with source port rewriting (most can't), you cannot use multiple
phones with a single outside server without using a dedicated public
IP per device. The sipproxd package will provide a work around for
this issue, and is currently under development."

OK, forget playing with rules/nat.

I have installed siproxd and been digging through that documentation
and testing with no luck.

This is where I am, anyone have a working siproxd.conf that would be
similar to my topology?

Any pointers?

Thanks,

Lee
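
The source-port collision described in the documentation quoted above, and the per-phone port workaround from Sam's reply, as an added example that is not part of the original thread. It is a simplified model of a NAT state table, not pf's code: the `Nat` class, the addresses, the port pool, and the treatment of 5061/5062 as static ports are all assumptions made for illustration.

```python
# Simplified model of a NAT state table; not pf's real implementation.
PROVIDER = ("198.51.100.5", 5060)  # constructed SIP server address


class Nat:
    def __init__(self, static_ports=(500, 5060), pool_start=20000):
        self.static_ports = set(static_ports)  # source ports left unrewritten
        self.next_port = pool_start            # hypothetical rewrite pool
        self.states = {}  # (ext_port, dst_ip, dst_port) -> (int_ip, int_port)

    def outbound(self, int_ip, int_port, dst=PROVIDER):
        """Return the external source port, or None if no state can be made."""
        if int_port in self.static_ports:
            ext_port = int_port
        else:
            # Pick the next external port not already used toward this server.
            while (self.next_port, *dst) in self.states:
                self.next_port += 1
            ext_port = self.next_port
        key = (ext_port, *dst)
        owner = self.states.setdefault(key, (int_ip, int_port))
        # A key already owned by another host means the tuple is taken.
        return ext_port if owner == (int_ip, int_port) else None

    def inbound(self, ext_port, src=PROVIDER):
        """Map a reply from the provider back to the internal endpoint."""
        return self.states.get((ext_port, *src))


def boot_phones(nat, phones):
    """phones: list of (ip, local SIP port); returns {ip: ext_port or None}."""
    return {ip: nat.outbound(ip, port) for ip, port in phones}


# Constructed sample phones on the 10.0.0.x LAN from the original post.
same_port = [("10.0.0.11", 5060), ("10.0.0.12", 5060), ("10.0.0.13", 5060)]
per_phone = [("10.0.0.11", 5060), ("10.0.0.12", 5061), ("10.0.0.13", 5062)]

if __name__ == "__main__":
    print("static port, all on 5060:", boot_phones(Nat(), same_port))
    print("static port, 5060/5061/5062:",
          boot_phones(Nat(static_ports=(500, 5060, 5061, 5062)), per_phone))
    print("rewritten ports:", boot_phones(Nat(static_ports=()), same_port))
```

With every phone on 5060 and the port kept static, only the first phone gets a state; the rewritten case gives each phone a mapping but changes the source port, which the quoted documentation says most SIP devices cannot operate with.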

