Hi Tim,
I have been running asterisk behind an OpenBSD 3.x firewall for two years
now.
It was a pain to get it working due to the fact that I didn't know much
about SIP and RTP at that time.
There is basically one problem to get this working and it's because the
private IP of the asterisk server is put into the packet payload in the
RTP handshaking. Other than that, it's an rdr problem.
This is my basic setup:
pf.conf:
#macros (pf wants these before they are used, so they come first)
ext_if="fxp0"               # external interface; the name was not in the original and is assumed here
external_addr="a.b.c.d"     # public IP, the same address as externip in sip.conf
asterisk_server="10.0.0.1"
rtp_ports = "{ 10000:11000 }" # taken from rtp.conf (rtpstart/rtpend, the range covers 10999)
#altq configuration (pf spells the unit "Kb"; a lowercase "kb" is rejected by pfctl)
altq on $ext_if priq bandwidth 768Kb queue { q_pri, sip, webb, dflt }
queue q_pri priority 6
queue sip priority 5
queue webb priority 4
queue dflt priority 1 priq(default)
#outgoing: keep SIP on source port 5060 and leave the RTP source ports alone (static-port),
# so the ports asterisk announces in the SDP are the ones the peer sees on the wire
nat on $ext_if inet proto udp from $asterisk_server to any port 5060 -> $ext_if port 5060
nat on $ext_if inet proto udp from $asterisk_server to any port $rtp_ports -> $ext_if static-port
#incoming: forward SIP signalling and the whole RTP range to the asterisk server
rdr on $ext_if proto udp from any to $external_addr port 5060 -> $asterisk_server port 5060
rdr on $ext_if proto udp from any to $external_addr port $rtp_ports -> $asterisk_server
# altq rules: outbound RTP goes to dflt, or to the higher-priority sip queue when the TOS is lowdelay
pass out on $ext_if inet proto udp from any to any port $rtp_ports queue (dflt, sip)
#fw rules
pass in on $ext_if proto udp from any port $rtp_ports to any   # was $rtp_udp, a macro that is never defined
pass in on $ext_if proto { tcp, udp } from any port 5060 to $external_addr
/etc/asterisk/rtp.conf:
;
; RTP Configuration
;
[general]
;
; RTP start and RTP end configure start and end addresses
;
rtpstart=10000
rtpend=10999
You also need to tweak the sip.conf file:
[general]
port = 5060
bindaddr = 10.0.0.1 ; local addr
nat=yes             ; treat peers as NATed: reply to the address/port the request came from
canreinvite=no      ; never re-INVITE the endpoints to talk directly, media stays on asterisk
externip=a.b.c.d    ; public address asterisk writes into the SIP/SDP for peers outside localnet
localnet=10.0.0.0/24 ; peers inside this net get the private address instead
What this means is that your asterisk server inserts the public IP
(nat=yes) in the RTP header instead of the private IP.
"canreinvite=no" tells asterisk that it shall transcode your SIP traffic,
which means that all voice channels should pass the asterisk server.
This is good if you don't want your private sip phones to talk directly to
external phones. This also means that you can monitor calls. This is bad
if you have lots of telephone calls. Transcoding can be a very CPU
intensive process.
If you want your phones to only use the asterisk server for call setup
then you need to make sure that your phone is capable of doing the same
trick as the asterisk server for using public IPs instead of the private.
This is a different problem which involves nat, rdr and pass rules in
pf.conf.
I also use altq rules to make sure that the rtp traffic has higher
priority than "normal" traffic. Voice calls are very sensitive to network
delays.
This configuration works very well for me with a small number of IP phones
behind pf.
Hope this gets you going!
/Johan
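A quick way to see whether the "private IP in the packet payload" problem described above is actually fixed is to look at what asterisk puts in an outgoing INVITE: the Contact header and the SDP c= line should carry the externip, and the m=audio port should fall inside the range the pf rdr forwards. The checker below is an added example, not code from the original post or from asterisk. It reads the localnet and rtpstart/rtpend values from the configs above; the two SIP messages are constructed for the demo, and 203.0.113.5 stands in for the placeholder a.b.c.d.

```python
"""Check a SIP INVITE for the NAT leak described in the post: a localnet
address advertised in the Contact header or SDP, or an RTP port outside
the range the pf nat/rdr rules forward.

Added example, not code from the original post. LEAKY_INVITE and
FIXED_INVITE are constructed; 203.0.113.5 stands in for a.b.c.d.
"""
import ipaddress
import re

# Taken from sip.conf (localnet) and rtp.conf (rtpstart/rtpend) above.
LOCALNET = ipaddress.ip_network("10.0.0.0/24")
RTP_RANGE = (10000, 10999)
# Also flag the other RFC 1918 blocks, so a leak from a neighbouring
# private subnet is caught as well.
PRIVATE_NETS = [LOCALNET] + [ipaddress.ip_network(n) for n in
                             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Contact: <sip:user@host:port>  -> captures a dotted-quad host only
CONTACT_RE = re.compile(r"^Contact:\s*<?sip:(?:[^@>\s]+@)?([0-9.]+)", re.I | re.M)


def is_private(addr):
    """True if addr is inside localnet or any RFC 1918 block."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def parse_sdp(body):
    """Return one dict per m= line: media kind, port and effective c= address.
    A media-level c= overrides the session-level one (RFC 4566)."""
    session_addr = None
    media = []
    current = None
    for line in body.splitlines():
        line = line.strip()
        if len(line) < 2 or line[1] != "=":
            continue
        key, value = line[0], line[2:]
        if key == "c":                       # c=<nettype> <addrtype> <address>
            addr = value.split()[2]
            if current is None:
                session_addr = addr
            else:
                current["addr"] = addr
        elif key == "m":                     # m=<media> <port>[/<n>] <proto> <fmt>...
            fields = value.split()
            current = {"kind": fields[0],
                       "port": int(fields[1].split("/")[0]),
                       "addr": None}
            media.append(current)
    for m in media:
        if m["addr"] is None:
            m["addr"] = session_addr
    return media


def check_sip_for_nat(message):
    """Return a list of findings; an empty list means the message advertises
    only the public address and RTP ports the pf rules forward."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    findings = []
    for contact in CONTACT_RE.findall(head):
        if is_private(contact):
            findings.append(f"Contact header advertises private address {contact}")
    lo, hi = RTP_RANGE
    for m in parse_sdp(body):
        if m["addr"] is None:
            findings.append(f"{m['kind']}: no c= line, the peer has nowhere to send RTP")
        elif is_private(m["addr"]):
            findings.append(f"{m['kind']}: SDP advertises private address {m['addr']} "
                            "(externip/localnet not in effect)")
        if not lo <= m["port"] <= hi:
            findings.append(f"{m['kind']}: RTP port {m['port']} outside {lo}:{hi}, "
                            "the pf rdr will not forward it")
    return findings


def _invite(addr):
    # Constructed minimal INVITE with an SDP body; only the address varies.
    return ("INVITE sip:bob@example.net SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {addr}:5060;branch=z9hG4bK776\r\n"
            f"Contact: <sip:asterisk@{addr}:5060>\r\n"
            "Content-Type: application/sdp\r\n"
            "\r\n"
            "v=0\r\n"
            f"o=root 1 1 IN IP4 {addr}\r\n"
            "s=session\r\n"
            f"c=IN IP4 {addr}\r\n"
            "t=0 0\r\n"
            "m=audio 10234 RTP/AVP 0 8 101\r\n")


LEAKY_INVITE = _invite("10.0.0.1")      # what you see without externip/localnet
FIXED_INVITE = _invite("203.0.113.5")   # what you see with them (stand-in for a.b.c.d)

if __name__ == "__main__":
    for name, msg in (("leaky", LEAKY_INVITE), ("fixed", FIXED_INVITE)):
        print(name, check_sip_for_nat(msg) or ["ok"])
```

Feed it a real INVITE captured with tcpdump on the external interface; anything it reports is a message the far end cannot answer, no matter how the nat and rdr rules are written.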
> No ideas?
>
> Even though most are using asterisk behind a nat with simple port
> forwarding, it looks like I am unable to do this with pf. I have grown
> to love pf so much it would be a shame to have to dump it on MY network
> :-(
>
> I am having real trouble with PF and Asterisk behind a NAT.
>
> The long and short of it is that I'd really like to NAT a subset of
> traffic, without putting the connection in the translation table. That
> is, I want to translate the source ip:port on the outbound, but not
> worry about return traffic (since it is handled by a RDR, hence the
> clash).
>
> Is that possible?