In our case (similar scenario), manual outbound, WAN to any, static port yes, worked.

For forwarding:
VoIPPorts 5060:5061, 10000:30000, 3478, 7070:7079, 4569 Voipports

Also do a server's allowed IPs for incoming for extra security.

That worked fine for us, but when we changed to ALIX, outbound calls work randomly; apparently something with the states. Sometimes it goes out, other times just dead silent. Incoming always works, though.

Sent from my iPhone

On Feb 26, 2013, at 8:11 PM, "Doug Sampson" <[email protected]> wrote:

> We currently are using a Switchvox 65 SMB connecting to an AT&T IP Flex SIP
> connection through pfsense 1.2.3 at two locations. Not sure how much has
> changed in 2.0.2, but it does work for us. We have two separate subnets
> internally, one for LAN and one for VoIP. Each has its own physical port on
> the pfsense box (yes we could do it with one port and VLANS).
>
> Port forwarding looks ok to me from what you describe. One thing that may be
> different is we also have two rules in "Outbound > NAT". We choose "Manual
> Outbound NAT rule generation".
>
> 1) WAN | {LAN IP/24} | * | * | * | * | * | NO
> 2) WAN | {VoIP IP/24} | * | * | * | * | * | YES
>
> Having Static port set to "Yes" for the VoIP subnet helped us initially get
> two way voice working.
>
> Do you have any firewall rules for this specifically? Allowing traffic
> in/out from the SIP provider?
>
> We did not need to use sipproxy for our setup to allow this to work.
>
> If you want to go through the Switchvox settings too let me know. I am not
> familiar with Cbeyond, but I have worked with a few different providers and
> even spent some time on the phone with AT&T Labs (Bell labs???) at one point
> when we were trying to get SipXecs working before switching to Switchvox.
> That is another story.....
>
> We were using Automatic Outbound NAT. I changed to Manual Outbound NAT and
> there was a rule related to the LAN subnet for port 500 only. I changed that
> to include all ports. Will test after the office has closed for the evening.
>
> Yes, there are firewall rules for the relevant ports as follows (snipped for
> brevity):
>
> nat on xl0 inet from 192.168.1.0/24 to any -> <WAN Address> static-port
> nat on xl0 inet from 192.168.1.0/24 to any -> <WAN Address> port 1024:65535
> nat on xl0 inet from 127.0.0.0/8 to any -> <WAN Address> port 1024:65535
> nat on xl0 inet from 192.168.2.0/24 to any port = isakmp -> <WAN Address> static-port
> nat on xl0 inet from 192.168.2.0/24 to any -> <WAN Address> port 1024:65535
> nat on xl0 inet from 127.0.0.0/8 to any -> <WAN Address> port 1024:65535
>
> rdr on xl0 inet proto tcp from any to <WAN Address> port = http -> <h_PBX> round-robin
> rdr on xl0 inet proto tcp from any to <WAN Address> port = https -> <h_PBX> round-robin
> rdr on xl0 inet proto udp from <g_Cbeyond_SIP_Connections> to <WAN Address> port = 5060 -> <h_PBX> round-robin
> rdr on xl0 inet proto udp from <g_Cbeyond_SIP_Connections> to <WAN Address> port = 5062 -> <h_PBX> round-robin
> rdr on xl0 inet proto udp from <g_Cbeyond_SIP_Connections> to <WAN Address> port 10000:20000 -> <h_PBX> round-robin
> rdr on xl0 inet proto udp from <g_Cbeyond_SIP_Connections> to <WAN Address> port 4000:4999 -> <h_PBX> round-robin
> rdr on xl0 inet proto udp from <g_Cbeyond_SIP_Connections> to <WAN Address> port = 4569 -> <h_PBX> round-robin
> rdr on xl0 inet proto tcp from <g_Cbeyond_SIP_Connections> to <WAN Address> port = jabber-client -> <h_PBX> round-robin
> rdr on xl0 inet proto tcp from <g_Cbeyond_SIP_Connections> to <WAN Address> port = 843 -> <h_PBX> round-robin
> rdr on xl0 inet proto tcp from <g_Cbeyond_SIP_Connections> to <WAN Address> port = jabber-server -> <h_PBX> round-robin
>
> pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto tcp from any to <h_PBX> port = http flags S/SA keep state label "USER_RULE: NAT forward incoming http packets to PBX"
> pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto tcp from any to <h_PBX> port = https flags S/SA keep state label "USER_RULE: NAT forward https packets to PBX"
> pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto udp from any to <h_PBX> port = 5060 keep state label "USER_RULE: allow SIP packets from Internet to PBX"
> pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto udp from <g_Cbeyond_SIP_Connections> to <h_PBX> port = 5060 keep state label "USER_RULE: NAT "
> pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto udp from <g_Cbeyond_SIP_Connections> to <h_PBX> port = 5062 keep state label "USER_RULE: NAT "
> pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto udp from <g_Cbeyond_SIP_Connections> to <h_PBX> port 9999 >< 20001 keep state label "USER_RULE: NAT "
> pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto udp from <g_Cbeyond_SIP_Connections> to <h_PBX> port 3999 >< 5000 keep state label "USER_RULE: NAT "
> pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto udp from <g_Cbeyond_SIP_Connections> to <h_PBX> port = 4569 keep state label "USER_RULE: NAT "
> pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto tcp from <g_Cbeyond_SIP_Connections> to <h_PBX> port = jabber-client flags S/SA keep state label "USER_RULE: NAT "
> pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto tcp from <g_Cbeyond_SIP_Connections> to <h_PBX> port = 843 flags S/SA keep state label "USER_RULE: NAT "
> pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto tcp from <g_Cbeyond_SIP_Connections> to <h_PBX> port = jabber-server flags S/SA keep state label "USER_RULE: NAT "
>
>
> Our phones are in the 192.168.101.0/24 subnet. 192.168.102.0/24 points to our
> DMZ zone.
>
> I noticed in the pass rules the reply-to variables. I had never seen these
> before. Apparently the WAN gateway address was used here and not the WAN
> address. Is this correct?
>
> Is the setup as described above correct?
>
> I would like to go over the SIP settings for the Switchvox. As it is now it
> is functional. Let me test with the changes you suggested tonight and I will
> report back. Thanks for the time, Andrew.
>
> ~Doug
>
>
> _______________________________________________
> List mailing list
> [email protected]
> http://lists.pfsense.org/mailman/listinfo/list
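Added example, not part of the thread and not pfSense's own code: a small check over pf rule text for the two points raised above, namely whether the PBX's subnet has a static-port outbound NAT rule covering all ports (not only isakmp), and whether a pass rule admits SIP from any source instead of the provider's addresses. The rule lines are constructed in the style of the quoted ruleset; the WAN address, the PBX address and the <sip_provider> table name are placeholders.

```python
import ipaddress
import re

# Constructed sample in pf syntax, modelled on the rules quoted in the thread.
# 203.0.113.10 (WAN), 192.168.2.5 (PBX) and <sip_provider> are placeholders.
SAMPLE_RULES = """\
nat on xl0 inet from 192.168.1.0/24 to any -> 203.0.113.10 static-port
nat on xl0 inet from 192.168.2.0/24 to any port = isakmp -> 203.0.113.10 static-port
nat on xl0 inet from 192.168.2.0/24 to any -> 203.0.113.10 port 1024:65535
pass in quick on xl0 inet proto udp from any to 192.168.2.5 port = 5060 keep state
pass in quick on xl0 inet proto udp from <sip_provider> to 192.168.2.5 port = 5060 keep state
"""

NAT_RE = re.compile(r"^nat on \S+ inet from (\S+) to any( port = \S+)? -> \S+(.*)$")
PASS_RE = re.compile(r"^pass in .* proto udp from (\S+) to (\S+) port = (\d+)")


def static_port_sources(rules):
    """Source networks whose outbound NAT keeps the source port for every destination port."""
    nets = []
    for line in rules.splitlines():
        m = NAT_RE.match(line.strip())
        # A rule limited to one destination port (e.g. isakmp) does not help RTP/SIP.
        if not m or m.group(2) is not None or "static-port" not in m.group(3):
            continue
        try:
            nets.append(ipaddress.ip_network(m.group(1)))
        except ValueError:
            continue  # source is a table or alias, not a literal network
    return nets


def audit(rules, pbx_ip, sip_ports=(5060, 5061)):
    """Return a list of findings for the PBX at pbx_ip."""
    findings = []
    pbx = ipaddress.ip_address(pbx_ip)
    if not any(pbx in net for net in static_port_sources(rules)):
        findings.append(f"no all-ports static-port NAT rule covers {pbx_ip}")
    for line in rules.splitlines():
        m = PASS_RE.match(line.strip())
        if m and m.group(1) == "any" and m.group(2) == pbx_ip and int(m.group(3)) in sip_ports:
            findings.append(f"SIP port {m.group(3)} open to any source")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, "192.168.2.5"):
        print(finding)
```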
