From: [email protected] [mailto:[email protected]] On Behalf Of Zvonimir Mileta
Sent: Tuesday, February 26, 2013 4:36 PM
To: pfSense support and discussion
Cc: pfSense support and discussion
Subject: Re: [pfSense] SIP VoIP connection issue
In our case (similar scenario), manual outbound WAN to any with static port, yes, worked. For forwarding VoIPPorts 5060:5061, 10000:30000, 3478, 7070:7079, 4569 Voipports. Also do a server's allowed IPs for incoming for extra security. That worked fine for us, but when we changed to ALIX, outbound calls work randomly; apparently something with the states. Sometimes it goes out, other times just dead silent. Incoming always works though.

Sent from my iPhone

On Feb 26, 2013, at 8:11 PM, "Doug Sampson" <[email protected]> wrote:

We currently are using a Switchvox 65 SMB connecting to an AT&T IP Flex SIP connection through pfsense 1.2.3 at two locations. Not sure how much has changed in 2.0.2, but it does work for us. We have two separate subnets internally, one for LAN and one for VoIP. Each has its own physical port on the pfsense box (yes, we could do it with one port and VLANs). Port forwarding looks OK to me from what you describe.

One thing that may be different is we also have two rules in "Outbound NAT". We choose "Manual Outbound NAT rule generation".

1) WAN | {LAN IP/24} | * | * | * | * | * | NO
2) WAN | {VoIP IP/24} | * | * | * | * | * | YES

Having Static port set to "Yes" for the VoIP subnet helped us initially get two-way voice working. Do you have any firewall rules for this specifically? Allowing traffic in/out from the SIP provider? We did not need to use sipproxy for our setup to allow this to work. If you want to go through the Switchvox settings too, let me know. I am not familiar with Cbeyond, but I have worked with a few different providers and even spent some time on the phone with AT&T Labs (Bell Labs???) at one point when we were trying to get SipXecs working before switching to Switchvox. That is another story.....

We were using Automatic Outbound NAT. I changed to Manual Outbound NAT and there was a rule related to the LAN subnet for port 500 only. I changed that to include all ports. Will test after the office has closed for the evening.
Yes, there are firewall rules for the relevant ports as follows (snipped for brevity):

nat on xl0 inet from 192.168.1.0/24 to any -> <WAN Address> static-port
nat on xl0 inet from 192.168.1.0/24 to any -> <WAN Address> port 1024:65535
nat on xl0 inet from 127.0.0.0/8 to any -> <WAN Address> port 1024:65535
nat on xl0 inet from 192.168.2.0/24 to any port = isakmp -> <WAN Address> static-port
nat on xl0 inet from 192.168.2.0/24 to any -> <WAN Address> port 1024:65535
nat on xl0 inet from 127.0.0.0/8 to any -> <WAN Address> port 1024:65535
rdr on xl0 inet proto tcp from any to <WAN Address> port = http -> <h_PBX> round-robin
rdr on xl0 inet proto tcp from any to <WAN Address> port = https -> <h_PBX> round-robin
rdr on xl0 inet proto udp from <g_Cbeyond_SIP_Connections> to <WAN Address> port = 5060 -> <h_PBX> round-robin
rdr on xl0 inet proto udp from <g_Cbeyond_SIP_Connections> to <WAN Address> port = 5062 -> <h_PBX> round-robin
rdr on xl0 inet proto udp from <g_Cbeyond_SIP_Connections> to <WAN Address> port 10000:20000 -> <h_PBX> round-robin
rdr on xl0 inet proto udp from <g_Cbeyond_SIP_Connections> to <WAN Address> port 4000:4999 -> <h_PBX> round-robin
rdr on xl0 inet proto udp from <g_Cbeyond_SIP_Connections> to <WAN Address> port = 4569 -> <h_PBX> round-robin
rdr on xl0 inet proto tcp from <g_Cbeyond_SIP_Connections> to <WAN Address> port = jabber-client -> <h_PBX> round-robin
rdr on xl0 inet proto tcp from <g_Cbeyond_SIP_Connections> to <WAN Address> port = 843 -> <h_PBX> round-robin
rdr on xl0 inet proto tcp from <g_Cbeyond_SIP_Connections> to <WAN Address> port = jabber-server -> <h_PBX> round-robin
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto tcp from any to <h_PBX> port = http flags S/SA keep state label "USER_RULE: NAT forward incoming http packets to PBX"
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto tcp from any to <h_PBX> port = https flags S/SA keep state label "USER_RULE: NAT forward https packets to PBX"
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto udp from any to <h_PBX> port = 5060 keep state label "USER_RULE: allow SIP packets from Internet to PBX"
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto udp from <g_Cbeyond_SIP_Connections> to <h_PBX> port = 5060 keep state label "USER_RULE: NAT "
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto udp from <g_Cbeyond_SIP_Connections> to <h_PBX> port = 5062 keep state label "USER_RULE: NAT "
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto udp from <g_Cbeyond_SIP_Connections> to <h_PBX> port 9999 >< 20001 keep state label "USER_RULE: NAT "
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto udp from <g_Cbeyond_SIP_Connections> to <h_PBX> port 3999 >< 5000 keep state label "USER_RULE: NAT "
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto udp from <g_Cbeyond_SIP_Connections> to <h_PBX> port = 4569 keep state label "USER_RULE: NAT "
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto tcp from <g_Cbeyond_SIP_Connections> to <h_PBX> port = jabber-client flags S/SA keep state label "USER_RULE: NAT "
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto tcp from <g_Cbeyond_SIP_Connections> to <h_PBX> port = 843 flags S/SA keep state label "USER_RULE: NAT "
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto tcp from <g_Cbeyond_SIP_Connections> to <h_PBX> port = jabber-server flags S/SA keep state label "USER_RULE: NAT "

Our phones are in the 192.168.101.0/24 subnet. 192.168.102.0/24 points to our DMZ zone.

I noticed in the pass rules the reply-to variables. I had never seen these before. Apparently the WAN gateway address was used here and not the WAN address. Is this correct? Is the setup as described above correct? I would like to go over the SIP settings for the Switchvox. As it is now it is functional.
Let me test with the changes you suggested tonight and I will report back. Thanks for the time, Andrew.

~Doug

I tested the configuration just a few minutes ago. The initial configuration didn't appear to work. Inbound calls failed completely: no rings. Outbound calls didn't work, but for a different reason: the internal caller couldn't hear the external caller at all, but the external caller could hear the internal caller. I went into the Switchvox configuration, turned "Allow NAT Port Forwarding" on and pointed it to the external IP address of the pfsense router. Then the networking component of the PBX box restarted, applying the change. Lo and behold, the calls worked both directions! Unfortunately the OpenVPN server failed to process an OpenVPN client's handshake correctly, so I had to take it down for further work. At least we know how to get the SIP calls working! Thanks.

~Doug
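Two points recur through this thread: the catch-all outbound NAT rule for the VoIP subnet has to keep the source port ("static-port", which is what the Static port = Yes column in Andrew's manual outbound NAT table means), and the inbound SIP/RTP forwards are restricted to the provider's alias except for one pass rule that admits UDP 5060 to the PBX from any source. The script below is an added example, not code from the thread or from pfSense: it parses rule lines in the pfctl format quoted above and reports both conditions. The sample rules are constructed to mirror the quoted ones; the aliases <h_PBX>, <g_Cbeyond_SIP_Connections> and <WAN Address> are taken from the thread, and treating 192.168.2.0/24 as the VoIP subnet is an assumption made for the demonstration.

```python
"""Added example (not code from the thread or from pfSense): audit a dump of
pf rules in the pfctl format quoted in the thread for two VoIP-related points.

  1. The catch-all outbound NAT rule for the VoIP subnet must carry
     'static-port', otherwise SIP/RTP source ports get rewritten and
     one-way audio results. pf uses the first matching nat rule.
  2. Any rdr/pass rule that reaches the PBX 'from any' is reported, since
     the thread otherwise restricts SIP/RTP to the provider's alias.

Aliases in <...> are pfSense alias/table names, not real addresses.
"""
import re

PBX_ALIAS = "<h_PBX>"   # host alias used in the thread's rules

# Constructed sample mirroring the rules quoted in the thread.
SAMPLE_RULES = """\
nat on xl0 inet from 192.168.1.0/24 to any -> <WAN Address> static-port
nat on xl0 inet from 192.168.1.0/24 to any -> <WAN Address> port 1024:65535
nat on xl0 inet from 192.168.2.0/24 to any port = isakmp -> <WAN Address> static-port
nat on xl0 inet from 192.168.2.0/24 to any -> <WAN Address> port 1024:65535
rdr on xl0 inet proto udp from <g_Cbeyond_SIP_Connections> to <WAN Address> port = 5060 -> <h_PBX> round-robin
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto udp from any to <h_PBX> port = 5060 keep state label "USER_RULE: allow SIP packets from Internet to PBX"
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto udp from <g_Cbeyond_SIP_Connections> to <h_PBX> port = 5060 keep state label "USER_RULE: NAT "
pass in quick on xl0 reply-to (xl0 <WAN Gateway Address>) inet proto udp from <g_Cbeyond_SIP_Connections> to <h_PBX> port 9999 >< 20001 keep state label "USER_RULE: NAT "
"""


def _tokens(line):
    """Tokenise one rule: drop the trailing label (its text can contain
    'from'/'to') and keep multi-word aliases like <WAN Address> as one token."""
    body = line.split(" label ")[0]
    body = re.sub(r"<([^>]+)>", lambda m: "<" + m.group(1).replace(" ", "_") + ">", body)
    return body.split()


def parse_rule(line):
    """Return the fields this audit needs, or None for non-rule lines."""
    toks = _tokens(line)
    if not toks or toks[0] not in ("nat", "rdr", "pass"):
        return None
    rule = {"action": toks[0], "src": None, "dst": None, "dport": None,
            "target": None, "static_port": "static-port" in toks}
    if "from" in toks:
        rule["src"] = toks[toks.index("from") + 1]
    if "to" in toks:
        i = toks.index("to")
        rule["dst"] = toks[i + 1]
        # A 'port' right after the destination is the destination port;
        # a 'port' after '->' is the translation range and is ignored here.
        if i + 3 < len(toks) and toks[i + 2] == "port":
            spec = toks[i + 3:]
            if spec[0] == "=" and len(spec) > 1:
                rule["dport"] = spec[1]                   # port = 5060
            elif len(spec) > 2 and spec[1] == "><":
                rule["dport"] = f"{spec[0]}><{spec[2]}"  # port 9999 >< 20001
            else:
                rule["dport"] = spec[0]                   # port 10000:20000
    if "->" in toks:
        rule["target"] = toks[toks.index("->") + 1]
    return rule


def audit(rule_text, voip_subnet, pbx=PBX_ALIAS):
    """Return a list of human-readable findings for the rule dump."""
    findings = []
    rules = [r for r in map(parse_rule, rule_text.splitlines()) if r]

    # 1. First-match catch-all outbound NAT for the VoIP subnet.
    catchall = [r for r in rules if r["action"] == "nat" and r["src"] == voip_subnet
                and r["dst"] == "any" and r["dport"] is None]
    if not catchall:
        findings.append(f"no catch-all outbound NAT rule for {voip_subnet}")
    elif not catchall[0]["static_port"]:
        findings.append(f"outbound NAT for {voip_subnet} rewrites source ports "
                        "(first matching rule lacks static-port)")

    # 2. Inbound rules that reach the PBX from any source.
    for r in rules:
        if r["action"] in ("rdr", "pass") and pbx in (r["dst"], r["target"]) and r["src"] == "any":
            findings.append(f"{r['action']} rule admits port {r['dport']} to {pbx} from any source")
    return findings


if __name__ == "__main__":
    for subnet in ("192.168.1.0/24", "192.168.2.0/24"):
        print(f"VoIP subnet {subnet}:")
        for finding in audit(SAMPLE_RULES, subnet) or ["no findings"]:
            print("  -", finding)
```

Run against a real box, feed it the output of `pfctl -sn` followed by `pfctl -sr` with the subnet the phones actually live in; the first-match handling matters because, as in the quoted dump, a subnet can have both a static-port rule and a port-rewriting rule, and only the earlier one takes effect.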
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
