Re: pf+voip

Wed, 28 May 2014 12:44:48 -0700 

> > Does pf have specific rules for voip,

no

> >may be example of working pf_rule with voip?

I use a hardware phone (Linksys SPA 901),
a software SIP client (CSipSimple) on an Android,
and pjsua on OpenBSD, all behind OpenBSD NAT.

In pf.conf I let "udp port sip" and "tcp port sip" in, and anything out.
That's all, and it just works. A call looks like this:

21:13:07.817559 phone.stare.cz.sip > sip.iba.cz.sip: udp 732 [tos 0x68]
21:13:07.844178 sip.iba.cz.sip > phone.stare.cz.sip: udp 504
21:13:07.857442 phone.stare.cz.sip > sip.iba.cz.sip: udp 407 [tos 0x68]
21:13:07.867210 phone.stare.cz.sip > sip.iba.cz.sip: udp 914 [tos 0x68]
21:13:07.899812 sip.iba.cz.sip > phone.stare.cz.sip: udp 424
21:13:08.364641 phone.stare.cz.sip > sip.iba.cz.sip: udp 341 [tos 0x68]
21:13:08.380952 sip.iba.cz.sip > phone.stare.cz.sip: udp 402
21:13:12.161079 sip.iba.cz.sip > phone.stare.cz.sip: udp 715
21:13:12.190490 phone.stare.cz.16438 > sip.iba.cz.10234: udp 172 [tos 0xb8]
21:13:12.210798 phone.stare.cz.16438 > sip.iba.cz.10234: udp 172 [tos 0xb8]
21:13:12.231161 phone.stare.cz.16438 > sip.iba.cz.10234: udp 172 [tos 0xb8]
21:13:12.232061 sip.iba.cz.10234 > phone.stare.cz.16438: udp 172
21:13:12.250886 phone.stare.cz.16438 > sip.iba.cz.10234: udp 172 [tos 0xb8]
21:13:12.252304 sip.iba.cz.10234 > phone.stare.cz.16438: udp 172
[...] # So how's everything? Ellaine left you yet?
21:13:21.110426 phone.stare.cz.16438 > sip.iba.cz.10234: udp 172 [tos 0xb8]
21:13:21.114272 sip.iba.cz.10234 > phone.stare.cz.16438: udp 172
21:13:21.126417 phone.stare.cz.sip > sip.iba.cz.sip: udp 536 [tos 0x68]
21:13:21.130172 sip.iba.cz.10234 > phone.stare.cz.16438: udp 172
21:13:21.131066 phone.stare.cz > sip.iba.cz: icmp: phone.stare.cz udp port 
16438 unreachable
21:13:21.138716 sip.iba.cz.sip > phone.stare.cz.sip: udp 473
21:13:23.393382 phone.stare.cz.sip > sip.iba.cz.sip: udp 341 [tos 0x68]
21:13:23.409789 sip.iba.cz.sip > phone.stare.cz.sip: udp 402

The initial and closing SIP dialog hapens on the sip port,
the actual call happens on high ports agreed upon.

> Assuming your VOIP client is in the em1 network it might run into
> problems with NAT traversal if you don't use the static-port option.
> 
>      static-port
>          With nat rules, the static-port option prevents pf(4) from
>          modifying the source port on TCP and UDP packets.

Never used that, and my SIP calls work fine.
Can someone please elaborate on why exactly
the static-port would be an issue?

> > - badly hear person on the phone (quiet)

Nothing to do with pf; this is about the audio payload
- the actual packet data, which pf doesn't deal with.

        Jan

Reply via email to