We currently are using a Switchvox 65 SMB connecting to an AT&T IP Flex SIP
connection through pfsense 1.2.3 at two locations. Not sure how much has
changed in 2.0.2, but it does work for us. We have two separate subnets
internally, one for LAN and one for VoIP. Each has its own physical port on
the pfsense box (yes we could do it with one port and VLANs).
Port forwarding looks ok to me from what you describe. One thing that may be
different is we also have two rules in "Outbound NAT". We choose "Manual
Outbound NAT rule generation".
1) WAN | {LAN IP/24} | * | * | * | * | * | NO
2) WAN | {VoIP IP/24} | * | * | * | * | * | YES
Having Static port set to "Yes" for the VoIP subnet helped us initially get two
way voice working.
Do you have any firewall rules for this specifically? Allowing traffic in/out
from the SIP provider?
We did not need to use sipproxy for our setup to allow this to work.
If you want to go through the Switchvox settings too let me know. I am not
familiar with Cbeyond, but I have worked with a few different providers and
even spent some time on the phone with AT&T Labs (Bell labs???) at one point
when we were trying to get SipXecs working before switching to Switchvox. That
is another story.....

We were using Automatic Outbound NAT. I changed to Manual Outbound NAT and
there was a rule related to the LAN subnet for port 500 only. I changed that to
include all ports. Will test after the office has closed for the evening.
Yes, there are firewall rules for the relevant ports as follows (snipped for
brevity):
nat on xl0 inet from 192.168.1.0/24 to any -> <WAN Address> static-port
nat on xl0 inet from 192.168.1.0/24 to any -> <WAN Address> port 1024:65535
nat on xl0 inet from 127.0.0.0/8 to any -> <WAN Address> port 1024:65535
nat on xl0 inet from 192.168.2.0/24 to any port = isakmp -> <WAN Address> static-port
nat on xl0 inet from 192.168.2.0/24 to any -> <WAN Address> port 1024:65535
nat on xl0 inet from 127.0.0.0/8 to any -> <WAN Address> port 1024:65535
rdr on xl0 inet proto tcp from any to <WAN Address> port = http -> <h_PBX> round-robin
rdr on xl0 inet proto tcp from any to <WAN Address> port = https -> <h_PBX> round-robin
rdr on xl0 inet proto udp from <g_Cbeyond_SIP_Connections> to <WAN Address> port = 5060 -> <h_PBX> round-robin
rdr on xl0 inet proto udp from <g_Cbeyond_SIP_Connections> to <WAN Address> port = 5062 -> <h_PBX> round-robin
rdr on xl0 inet proto udp from <g_Cbeyond_SIP_Connections> to <WAN Address> port 10000:20000 -> <h_PBX> round-robin
rdr on xl0 inet proto udp from <g_Cbeyond_SIP_Connections> to <WAN Address> port 4000:4999 -> <h_PBX> round-robin
rdr on xl0 inet proto udp from <g_Cbeyond_SIP_Connections> to <WAN Address> port = 4569 -> <h_PBX> round-robin
rdr on xl0 inet proto tcp from <g_Cbeyond_SIP_Connections> to <WAN Address> port = jabber-client -> <h_PBX> round-robin
rdr on xl0 inet proto tcp from <g_Cbeyond_SIP_Connections> to <WAN Address> port = 843 -> <h_PBX> round-robin
rdr on xl0 inet proto tcp from <g_Cbeyond_SIP_Connections> to <WAN Address> port = jabber-server -> <h_PBX> round-robin
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto tcp from any to <h_PBX> port = http flags S/SA keep state label "USER_RULE: NAT forward incoming http packets to PBX"
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto tcp from any to <h_PBX> port = https flags S/SA keep state label "USER_RULE: NAT forward https packets to PBX"
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto udp from any to <h_PBX> port = 5060 keep state label "USER_RULE: allow SIP packets from Internet to PBX"
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto udp from <g_Cbeyond_SIP_Connections> to <h_PBX> port = 5060 keep state label "USER_RULE: NAT "
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto udp from <g_Cbeyond_SIP_Connections> to <h_PBX> port = 5062 keep state label "USER_RULE: NAT "
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto udp from <g_Cbeyond_SIP_Connections> to <h_PBX> port 9999 >< 20001 keep state label "USER_RULE: NAT "
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto udp from <g_Cbeyond_SIP_Connections> to <h_PBX> port 3999 >< 5000 keep state label "USER_RULE: NAT "
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto udp from <g_Cbeyond_SIP_Connections> to <h_PBX> port = 4569 keep state label "USER_RULE: NAT "
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto tcp from <g_Cbeyond_SIP_Connections> to <h_PBX> port = jabber-client flags S/SA keep state label "USER_RULE: NAT "
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto tcp from <g_Cbeyond_SIP_Connections> to <h_PBX> port = 843 flags S/SA keep state label "USER_RULE: NAT "
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto tcp from <g_Cbeyond_SIP_Connections> to <h_PBX> port = jabber-server flags S/SA keep state label "USER_RULE: NAT "
Our phones are in the 192.168.101.0/24 subnet. 192.168.102.0/24 points to our
DMZ zone.
I noticed in the pass rules the reply-to variables. I had never seen these
before. Apparently the WAN gateway address was used here and not the WAN
address. Is this correct?
Is the setup as described above correct?
I would like to go over the SIP settings for the Switchvox. As it is now it is
functional. Let me test with the changes you suggested tonight and I will
report back. Thanks for the time, Andrew.
~Doug
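
An added example, not part of the thread or of pfSense: a Python check over rule text in the shape quoted above. It reports, per source subnet, whether the first all-ports outbound NAT rule keeps the source port (static-port), and lists inbound pass rules whose source is `any`. The sample ruleset is constructed, with documentation addresses standing in for the WAN placeholders.

```python
import re

# Constructed sample in the shape of the rules quoted in the thread;
# 203.0.113.x are documentation addresses replacing the WAN placeholders.
SAMPLE = """\
nat on xl0 inet from 192.168.1.0/24 to any -> 203.0.113.10 static-port
nat on xl0 inet from 192.168.2.0/24 to any port = isakmp -> 203.0.113.10 static-port
nat on xl0 inet from 192.168.2.0/24 to any -> 203.0.113.10 port 1024:65535
pass in quick on xl0 reply-to (xl0 203.0.113.1) inet proto tcp from any to <h_PBX> port = https flags S/SA keep state label "USER_RULE: NAT forward https packets to PBX"
pass in quick on xl0 reply-to (xl0 203.0.113.1) inet proto udp from any to <h_PBX> port = 5060 keep state label "USER_RULE: allow SIP packets from Internet to PBX"
pass in quick on xl0 reply-to (xl0 203.0.113.1) inet proto udp from <g_Cbeyond_SIP_Connections> to <h_PBX> port = 5060 keep state label "USER_RULE: NAT "
pass in quick on xl0 reply-to (xl0 203.0.113.1) inet proto udp from <g_Cbeyond_SIP_Connections> to <h_PBX> port 9999 >< 20001 keep state label "USER_RULE: NAT "
"""

NAT_RE = re.compile(
    r"^nat on (\S+) inet from (\S+) to any(?: port = (\S+))? -> \S+(.*)$")
PASS_RE = re.compile(
    r"^pass in quick on (\S+) .*?proto (\w+) from (\S+) to (\S+) port (.+?) (?:flags|keep)")


def static_port_subnets(text):
    """Map each source subnet to whether its all-ports NAT rule is static-port.

    pf translation rules are first-match, so only the first rule without a
    destination-port restriction counts for a given source.
    """
    result = {}
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if m and m.group(3) is None:  # skip port-specific rules such as isakmp
            result.setdefault(m.group(2), "static-port" in m.group(4))
    return result


def open_to_any(text):
    """Return (proto, destination, port) for inbound pass rules sourced from any."""
    found = []
    for line in text.splitlines():
        m = PASS_RE.match(line)
        if m and m.group(3) == "any":
            found.append((m.group(2), m.group(4), m.group(5).lstrip("= ")))
    return found


if __name__ == "__main__":
    print(static_port_subnets(SAMPLE))
    print(open_to_any(SAMPLE))
```

On the firewall the same functions can be fed the output of `pfctl -sn` and `pfctl -sr`.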