As there were no takers on this, I'll re-phrase and hope someone bites... So my setup is bare metal running pfSense 2.0.3. Each box has 4x interfaces:
- WAN (faces the Internet, public IP network)
- LAN (faces local office network, private IP network)
- CPTVPTL (captive portal interface, private IP network)
- VPN (corporate WAN, private IP network)
All interfaces hook into an Ethernet switch, each separated
by VLANs.
The WAN and VPN interfaces trunk into a Cisco router
(802.1Q). No NAT is running on the router, only IP
routing/forwarding.
pfSense is running automatic outbound NAT. NAT typically
takes place between the LAN + WAN as well as CPTVPTL + WAN
interfaces, for obvious reasons.
For traffic going across the VPN interface, that follows
normal IP routing since pfSense is setup to route traffic
toward the LAN IP subnets of remote offices.
Given that no NAT "needs" to take place for any traffic
moving across the VPN interface (LAN<=>VPN flow), is there
any reason to assume pfSense "could be doing something" to
SIP traffic crossing these interfaces?
To add to the mystery, as mentioned in the original post,
X-Lite is able to register from a laptop (LAN) toward the
remote SIP server (via the VPN interface of the local
pfSense device). But the hard phone simply won't.
Cheers,
Mark.
On Saturday, May 25, 2013 09:27:48 PM Mark Tinka wrote:
> Hi all.
>
> I have what appears to be an interesting one...
>
> I'm provisioning Digium IP phones to a remote Switchvox
> appliance, i.e., the Switchvox appliance and IP phones
> are on separate Layer 2 domains.
>
> The connection between both sites is an l3vpn where
> routing is crossing pfSense firewalls at each site. Each
> pfSense has a dedicated connection between itself and a
> local router connecting into the l3vpn, so there is no
> NAT or firewall filters on that pfSense interface, or
> the router port it's connecting to.
>
> Remote provisioning of the IP phones involves booting the
> phone, looking at it fail to contact a local Switchvox
> appliance, and then manually entering the IP address of
> remote Switchvox appliance. The phone SHOULD then connect
> to the Switchvox appliance over IP and provision itself.
> That is where the problem begins.
>
> It appears udp/5060 packets leaving the phone hit the
> local pfSense (verified in the state tables), but you
> never see corresponding state in the other pfSense
> device.
>
> Using Telnet and Netcat to connect to tcp/5060 and
> udp/5060 from my laptop works fine, and state for that
> appears in each pfSense. However, when I reconnect the
> IP phone and try to get it to provision (it uses
> udp/5060 and udp/5062 for this), again, no state in the
> remote pfSense, but there is state in the local device.
>
> It's unclear whether this is a specific issue due to the IP
> phone, or to Digium and pfSense, since my laptop is able
> to create state in both pfSense boxes, ruling out a
> routing issue.
>
> Anyone else come across this? Thanks.
>
> Cheers,
>
> Mark.
_______________________________________________ List mailing list [email protected] http://lists.pfsense.org/mailman/listinfo/list
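The thread's core question is whether the local pfSense is translating the phone's SIP flows on the way to the VPN interface, and why state appears on the local box but not the remote one. The following is an added example, not code from the thread or from pfSense: a small Python script that parses `pfctl -ss` style state lines from both firewalls, keeps the SIP signalling flows (udp/5060 and udp/5062), flags any flow toward a remote-office subnet whose source address was translated, and lists flows present locally but absent remotely. The state-line layout (`iface proto src [(pre-NAT src)] -> dst state`) is assumed from FreeBSD pf output and may differ across versions; the state lines, interface names and addresses below are constructed for the example.

```python
"""Compare pfSense state-table output from two firewalls for SIP flows.

Added example; the `pfctl -ss` column layout is assumed, not taken from the thread.
"""
import ipaddress
import re

# One line of `pfctl -ss` output (assumed layout):
#   <iface> <proto> <src>[ (<pre-NAT src>)] -> <dst> <state>
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+:\d+)"
    r"(?:\s+\((?P<orig>\d+\.\d+\.\d+\.\d+:\d+)\))?"
    r"\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+:\d+)\s+(?P<state>\S+)"
)

# SIP signalling ports mentioned in the thread (udp/5060, udp/5062).
SIP_PORTS = {5060, 5062}


def parse_state(line):
    """Return a dict for one state line, or None if it does not parse."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    s = m.groupdict()
    host, port = s["dst"].rsplit(":", 1)
    s["dst_ip"], s["dst_port"] = host, int(port)
    # If pf printed a parenthesised address, the source was NATed; keep the pre-NAT one.
    orig = s["orig"] or s["src"]
    host, port = orig.rsplit(":", 1)
    s["orig_ip"], s["orig_port"] = host, int(port)
    s["translated"] = s["orig"] is not None
    return s


def sip_states(lines):
    """Keep only parsed states where either end uses a SIP signalling port."""
    out = []
    for line in lines:
        s = parse_state(line)
        if s and (s["dst_port"] in SIP_PORTS or s["orig_port"] in SIP_PORTS):
            out.append(s)
    return out


def nat_towards_vpn(states, remote_subnets):
    """Flows to a remote-office subnet whose source was translated.

    None are expected when the LAN<=>VPN path is plain routing; any hit means
    an outbound NAT rule is matching traffic it should leave alone."""
    nets = [ipaddress.ip_network(n) for n in remote_subnets]
    return [
        s for s in states
        if s["translated"]
        and any(ipaddress.ip_address(s["dst_ip"]) in n for n in nets)
    ]


def missing_on_remote(local_states, remote_states):
    """Flow keys (pre-NAT src -> dst) seen on the local box but absent remotely."""
    def key(s):
        return (s["orig_ip"], s["orig_port"], s["dst_ip"], s["dst_port"])
    remote_keys = {key(s) for s in remote_states}
    return sorted({key(s) for s in local_states if key(s) not in remote_keys})


# Constructed sample output; not captured from the poster's firewalls.
LOCAL_STATES = """
em1 udp 10.1.1.20:5060 -> 10.9.0.5:5060       MULTIPLE:MULTIPLE
em1 udp 10.1.1.20:5062 -> 10.9.0.5:5062       SINGLE:NO_TRAFFIC
em1 udp 10.1.1.50:5060 -> 10.9.0.5:5060       MULTIPLE:MULTIPLE
em0 udp 203.0.113.7:61000 (10.1.1.20:5060) -> 10.9.0.5:5060   MULTIPLE:MULTIPLE
em0 tcp 203.0.113.7:49321 (10.1.1.50:49321) -> 198.51.100.9:443  ESTABLISHED:ESTABLISHED
""".strip().splitlines()

REMOTE_STATES = """
em1 udp 10.1.1.50:5060 -> 10.9.0.5:5060       MULTIPLE:MULTIPLE
""".strip().splitlines()

REMOTE_OFFICE_SUBNETS = ["10.9.0.0/24"]  # constructed remote LAN reached via the VPN

if __name__ == "__main__":
    local = sip_states(LOCAL_STATES)
    remote = sip_states(REMOTE_STATES)
    for s in nat_towards_vpn(local, REMOTE_OFFICE_SUBNETS):
        print(f"NAT on VPN path: {s['orig']} shown as {s['src']} -> {s['dst']} on {s['iface']}")
    for k in missing_on_remote(local, remote):
        print(f"no remote state for {k[0]}:{k[1]} -> {k[2]}:{k[3]}")
```

Run it with the real output of `pfctl -ss` from each firewall in place of the constructed lists; a non-empty result from `nat_towards_vpn` points at an outbound NAT rule catching VPN-bound traffic, while a flow listed by `missing_on_remote` with no NAT involved points away from the firewall and toward the path between the two boxes.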
