[pfSense] Samba4 package and extend services with pfsense
Hi guys!

I have worked on the Samba4 package for pfSense, not only to act as a domain member but also to act as a domain controller, and I see this as an opportunity to extend pfSense to be more than a firewall: to act as a new service on the network, in a new installation on separate hardware, acting as an Active Directory domain controller with the native firewall's powerful tools. I already have some environments in production with it, but without a GUI for the configuration files. Of course this will impact other things in the environment, such as file management (for Samba shares). But I think that with a friendly tool, and with its own environment as an extension of the Samba configuration, the environment does not get as complicated as it may seem. To back up these files, we can take the help and recommendation of using the bacula package.

Here are a few things that are in development:

- Initial samba4 setup: https://www.diigo.com/item/image/3lt7m/bw9t
- Squid with support for NTLM authentication: https://www.diigo.com/item/image/3lt7m/94v8
- SquidGuard with support for reading users from an Active Directory domain and filtering based on an LDAP search: https://www.diigo.com/item/image/3lt7m/ugsa https://www.diigo.com/item/image/3lt7m/o3yn

Any opinion about this will be very welcome! Thanks!

---
Luiz Gustavo Costa (Powered by BSD)
mundoUnix - Consultoria em Software Livre
http://www.mundounix.com.br
ICQ: 2890831 / MSN: cont...@mundounix.com.br
Tel: 55 (21) 4063-7110 / 8194-1905 / (11) 4063-0407
Blog: http://www.luizgustavo.pro.br

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Samba4 package and extend services with pfsense
On Tue, Feb 26, 2013 at 7:49 AM, Luiz Gustavo Costa luizgust...@luizgustavo.pro.br wrote:
> I have worked on the Samba4 package for pfSense, not only to act as a domain member but also to act as a domain controller, and I see this as an opportunity to extend pfSense to be more than a firewall and to act as a new service on the network, in a new installation on separate hardware, acting as an Active Directory domain controller with the native firewall's powerful tools.

This just seems like a really bad idea: adding such non-core functionality to the firewall. If your intent is to use a separate appliance as your SMB file server/controller and disable the firewall features on it, then I would suggest looking at something like FreeNAS.
Re: [pfSense] Samba4 package and extend services with pfsense
Keep up the good work. There's nothing wrong with this as long as you understand the potential security risks involved.

Espen F. Johansen

On 26. februar 2013 13:49:30 Luiz Gustavo Costa luizgust...@luizgustavo.pro.br wrote:
> Hi guys! I have worked on the Samba4 package for pfSense, not only to act as a domain member but also to act as a domain controller, and I see this as an opportunity to extend pfSense to be more than a firewall ...
Re: [pfSense] Samba4 package and extend services with pfsense
I think it would make more sense to run Samba and similar services on a separate VM. I realize that many embedded systems don't support virtualization, but there are reasonable options now like the Intel Atom S1200 family.

On Tue, Feb 26, 2013 at 9:26 AM, Vick Khera vi...@khera.org wrote:
> On Tue, Feb 26, 2013 at 7:49 AM, Luiz Gustavo Costa luizgust...@luizgustavo.pro.br wrote:
>> I have worked on the Samba4 package for pfSense, not only to act as a domain member but also to act as a domain controller, and I see this as an opportunity to extend pfSense to be more than a firewall ...
>
> This just seems like a really bad idea: adding such non-core functionality to the firewall. If your intent is to use a separate appliance as your SMB file server/controller and disable the firewall features on it, then I would suggest looking at something like FreeNAS.
Re: [pfSense] Samba4 package and extend services with pfsense
On 26-2-2013 13:49, Luiz Gustavo Costa wrote:
> Hi guys! I have worked on the Samba4 package for pfSense, not only to act as a domain member but also to act as a domain controller, and I see this as an opportunity to extend pfSense to be more than a firewall ...

Maybe it is a good idea to separate some functionality into a new pfSense type of appliance, like SMBSense: strip the firewall functionality and add ZFS support. I think people may like it if all their appliances have the same look and feel. SquidSense, SnortSense, all come to mind!

gr
Johan
Re: [pfSense] Samba4 package and extend services with pfsense
On 2/26/2013 10:26 AM, Vick Khera wrote:
> On Tue, Feb 26, 2013 at 7:49 AM, Luiz Gustavo Costa luizgust...@luizgustavo.pro.br wrote:
>> I have worked on the Samba4 package for pfSense, not only to act as a domain member but also to act as a domain controller, and I see this as an opportunity to extend pfSense to be more than a firewall ...
>
> This just seems like a really bad idea: adding such non-core functionality to the firewall. If your intent is to use a separate appliance as your SMB file server/controller and disable the firewall features on it, then I would suggest looking at something like FreeNAS.

Really bad idea for a firewall and file serving, yes, but pfSense can also be used in appliance mode where it is not acting as a firewall in its main capacity. So not something on the edge of your network, but perhaps in a VM tucked away in a DMZ with just one interface. I wouldn't be interested in it for file serving, but perhaps for its AD/auth/etc. type roles. FreeNAS is likely a better choice overall for that, but it's not entirely without merit/use, especially for people who like using pfSense as a platform for more than just firewalls.

Jim
Re: [pfSense] Samba4 package and extend services with pfsense
* Jim Pingle (li...@pingle.org) wrote:
> On 2/26/2013 10:26 AM, Vick Khera wrote:
>> This just seems like a really bad idea: adding such non-core functionality to the firewall. If your intent is to use a separate appliance as your SMB file server/controller and disable the firewall features on it, then I would suggest looking at something like FreeNAS.
>
> Really bad idea for a firewall and file serving, yes, but pfSense can also be used in appliance mode where it is not acting as a firewall in its main capacity. So not something on the edge of your network, but perhaps in a VM tucked away in a DMZ with just one interface. I wouldn't be interested in it for file serving, but perhaps for its AD/auth/etc. type roles. FreeNAS is likely a better choice overall for that, but it's not entirely without merit/use, especially for people who like using pfSense as a platform for more than just firewalls.

Samba4 not only offers a small file-sharing service; it is a full Active Directory service, with features similar to Windows 2008 R2. It is really not a good idea to put it as a domain controller in the same role as the firewall at the network edge. That is why I said to use it as an internal server (within the network), with firewall rules for the LAN. I do not remember FreeNAS or NasFree offering such a service (yet). I see this scenario for pfSense (I use it without a GUI). Think also of smaller networks, which typically use a simple router and LAN. We can offer not only the firewall service but also the services that Active Directory has (without the licenses that a small customer will not buy from Microsoft). Due to physical or structural limits (UPS, hardware, etc.), you can have it all in a single environment.

---
Luiz Gustavo Costa (Powered by BSD)
Re: [pfSense] Samba4 package and extend services with pfsense
Sorry, but I can't see any good point for this. pfSense is a well-known distribution due to the stability of its core components and as a Firewall/Router appliance, not an all-in-one distribution. There are dozens of Linux-based file-server distributions around; even at a small office you can have both pfSense and you-name-it sharing the same physical hardware but on separate VMs.

My $0.02

Seko

----- Original Message -----
From: Luiz Gustavo Costa luizgust...@luizgustavo.pro.br
To: list@lists.pfsense.org
Sent: Tuesday, February 26, 2013 9:49:30 AM
Subject: [pfSense] Samba4 package and extend services with pfsense

> Hi guys! I have worked on the Samba4 package for pfSense, not only to act as a domain member but also to act as a domain controller, and I see this as an opportunity to extend pfSense to be more than a firewall and to act as a new service on the network, in a new installation on separate hardware, acting as an Active Directory domain controller with the native firewall's powerful tools. ...
[pfSense] Question about DHCP failover
Hi,

We're running 2.1BETA1 on a two-node failover pfSense cluster. Each node is in a separate physical location and connected to a different switch. We've got around 15 interfaces, 8 of which have an active DHCP server served by pfSense.

We encounter synchronization problems between the two nodes, but only for DHCP and, it seems, only for some of the 8 DHCP-enabled interfaces. Status/DHCP Leases always reports "normal / normal" for dhcp0, but things like "recover / unknown state" or "communication interrupted / recover done", or even "recover / recover", for all the other interfaces. I know for sure it used to work with "normal / normal" for all interfaces, but between pfSense upgrades and configuration changes, something made it break.

Now I'm wondering something, because when looking at the generated dhcpd.conf file it's not very clear to me:

On the master node, for each interface on which we've enabled the DHCP server, we've added in the "Failover peer IP" input box the address the slave node has on the very same interface. Is this really needed for each interface, or is it sufficient to put it only once? If we set it multiple times, I believe the synchronization is done multiple times too, and doing a simple modification and applying changes takes ages.

Also, if it's needed for all interfaces, should we specify each time the IP address matching the other node on the same interface, or should we use, for all interfaces, the IP address the other node has on the pfsync interface?

Could someone please enlighten me with regard to the best way to achieve such a configuration?

Thanks in advance

--
Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
Re: [pfSense] Samba4 package and extend services with pfsense
We are talking about a package, right? Something people can choose to install or... you know... not?

I like the idea of being able to turn on Windows domain services on my router. For sites with smaller installations, or where all-in-one makes more sense than having a VM server, I don't see where this would be a problem, so long as it's optional. This isn't any different from DNS from my perspective.

Will it integrate with the pfSense authentication? How about WINS/DNS/DHCP integration? I agree that a full-on file server with shares is a bit much, but that should be left up to the end user.

-peace

On Tue, Feb 26, 2013 at 1:53 PM, Diego Barrios s...@dmesg.com.br wrote:
> Sorry, but I can't see any good point for this. pfSense is a well-known distribution due to the stability of its core components and as a Firewall/Router appliance, not an all-in-one distribution. There are dozens of Linux-based file-server distributions around; even at a small office you can have both pfSense and you-name-it sharing the same physical hardware but on separate VMs.
>
> My $0.02
>
> Seko
>
> From: Luiz Gustavo Costa luizgust...@luizgustavo.pro.br
> To: list@lists.pfsense.org
> Sent: Tuesday, February 26, 2013 9:49:30 AM
> Subject: [pfSense] Samba4 package and extend services with pfsense
>
>> Hi guys! I have worked on the Samba4 package for pfSense, not only to act as a domain member but also to act as a domain controller, and I see this as an opportunity to extend pfSense to be more than a firewall ...
Re: [pfSense] Question about DHCP failover
On 2/26/2013 3:23 PM, Jerome Alet wrote:
> On the master node, for each interface on which we've enabled the DHCP server, we've added in the "Failover peer IP" input box the address the slave node has on the very same interface. Is this really needed for each interface, or is it sufficient to put it only once? If we set it multiple times, I believe the synchronization is done multiple times too, and doing a simple modification and applying changes takes ages.

It is really needed for each interface.

> Also, if it's needed for all interfaces, should we specify each time the IP address matching the other node on the same interface, or should we use, for all interfaces, the IP address the other node has on the pfsync interface?

You must use the IP for the other node in the subnet being served on that interface. So each interface will have a different IP address.

There was an issue with the way the dhcp server config was being synced, but a commit was made in the last week or so to fix it. Last I heard it was working better.

Jim
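As an added illustration of the answer above (the thread itself contains no dhcpd.conf, and this is not the file pfSense generates, only the ISC dhcpd stanzas that a per-interface "Failover peer IP" amounts to), here is what the primary node's failover configuration looks like for two served interfaces. Every address, the peer names and the ports 519/520 are assumptions for the example:

```conf
# Added example, not a pfSense-generated file and not from the thread.
# Assumed layout:
#   LAN  192.168.1.0/24  this node .2, other node .3, CARP VIP .1
#   OPT1 192.168.2.0/24  this node .2, other node .3, CARP VIP .1
# Ports 519/520 are assumed; what matters is that both nodes agree on them
# and that the pass rules on each served interface let them through.

# One failover peer block per served interface. "peer address" is the other
# node's address inside the subnet served on that interface: not its pfsync
# address, and not its LAN address reused for every interface.
failover peer "dhcp_lan" {
    primary;
    address 192.168.1.2;          # this node, LAN
    port 519;
    peer address 192.168.1.3;     # other node, LAN
    peer port 520;
    max-response-delay 10;
    max-unacked-updates 10;
    mclt 600;                     # mclt and split are accepted on the
    split 128;                    # primary only
    load balance max seconds 3;
}

failover peer "dhcp_opt1" {
    primary;
    address 192.168.2.2;          # this node, OPT1
    port 519;
    peer address 192.168.2.3;     # other node, OPT1 (same subnet)
    peer port 520;
    max-response-delay 10;
    max-unacked-updates 10;
    mclt 600;
    split 128;
    load balance max seconds 3;
}

# Each subnet's pool references its own peer; a pool with no "failover peer"
# line is served by this node alone and is never synchronised.
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    pool {
        failover peer "dhcp_lan";
        range 192.168.1.100 192.168.1.199;
    }
}

subnet 192.168.2.0 netmask 255.255.255.0 {
    option routers 192.168.2.1;
    pool {
        failover peer "dhcp_opt1";
        range 192.168.2.100 192.168.2.199;
    }
}
```

The secondary node carries the same two peer blocks with `secondary;`, `address` and `peer address` swapped, and without `mclt` and `split`. The check worth doing for the symptom reported above (LAN "normal / normal", other interfaces "communication interrupted" or stuck in recover) is reachability per interface: on every DHCP-enabled interface, not just LAN, the two nodes must be able to reach each other on the failover ports, and the peer address must actually lie in that interface's subnet. `dhcpd -t -cf <file>` only validates syntax; whether the peers actually paired shows up in the dhcpd log ("I move from ... to normal") and on the Status > DHCP Leases page.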
Re: [pfSense] Question about DHCP failover
On 2/26/2013 3:56 PM, Jerome Alet wrote:
> What I find very strange is that even when removing the failover IP address for one of the interfaces, the synchronization still takes place; that's why I wondered if defining it on each interface was really needed.

That field doesn't control synchronization; the sync happens based on the XML-RPC settings for DHCP in System > High Avail Sync. That field only sets the dhcp failover peer, which, when you want to sync DHCP, is required.

> BTW our upgrades with full backup take a very, very long time because the full backup script includes Squid's cache. Yesterday I tried to modify it to add --exclude var/squid/cache on tar's command line and launch the full backup manually, but the cache is still included in the full backup. Any idea why? Shouldn't the full backup script, if the squid package is installed, ignore squid's cache directories?

That full backup script has no knowledge of packages. It tries to tar up the whole system so it could be restored in full to the previous state.

Jim
[pfSense] SIP VoIP connection issue
Hello-

We upgraded our phone system from an analog system to a Digium Switchvox D65 PBX. I would like to replace our home-brewed Linux router with pfSense 2.0.2 but am having trouble making a good phone connection. While the home-brewed router has worked well in the past, traffic shaping is not one of its strengths.

Our PBX sits inside the firewall with 15 SIP phones connected to it. The PBX is connected via SIP to our SIP provider. What I did was to create port forwarding for a variety of ports, mainly 5060 UDP and 1-2 UDP, in the NAT section. I saw that the port forwarding rules were automatically created. So far so good. However, when we attempt to connect from the outside, all we hear is "blip blip blip". When we attempt to call from the inside, the connection is made but there is no sound.

I saw a bunch of support documents at the pfSense web site. One document suggested installing sipproxy and configuring it for the internal PBX. I also came across an external document (http://www.voipvoip.com/switchvox/) suggesting turning on NAT port forwarding within the Switchvox configuration (see the Notes section toward the end). I tried this with the Linux router but it didn't like it. I haven't tried that with pfSense. Another consideration would be to assign a public IP address to the PBX box and have all SIP phones connect to it from the inside; would that be the better scenario?

What I would be interested in knowing at this point is your experiences with attempting to set up a SIP connection from an internal PBX box with a SIP provider (in our case, Cbeyond) using a pfSense 2.0.2 box. Are there any recommendations that you could offer to effect a fully functional SIP connection? Most of the SIP phones are internal, but it is planned to have a few outside the LAN as well. Would it be more effective to place the PBX outside the LAN?

Any thoughts that you can offer would be greatly appreciated!

~Doug
Re: [pfSense] SIP VoIP connection issue
On Tue, Feb 26, 2013 at 5:10 PM, Doug Sampson do...@dawnsign.com wrote:
> Hello-
>
> We upgraded our phone system from an analog system to a Digium Switchvox D65 PBX. I would like to replace our home-brewed Linux router with pfSense 2.0.2 but am having trouble making a good phone connection. ...

Doug,

We currently are using a Switchvox 65 SMB connecting to an AT&T IP Flex SIP connection through pfSense 1.2.3 at two locations. Not sure how much has changed in 2.0.2, but it does work for us.

We have two separate subnets internally, one for LAN and one for VoIP. Each has its own physical port on the pfSense box (yes, we could do it with one port and VLANs).

Port forwarding looks OK to me from what you describe. One thing that may be different is we also have two rules in Outbound NAT. We chose Manual Outbound NAT rule generation:

1) WAN | {LAN IP/24}  | * | * | * | * | * | NO
2) WAN | {VoIP IP/24} | * | * | * | * | * | YES

Having Static Port set to Yes for the VoIP subnet helped us initially get two-way voice working.

Do you have any firewall rules for this specifically? Allowing traffic in/out from the SIP provider? We did not need to use sipproxy for our setup to allow this to work.

If you want to go through the Switchvox settings too, let me know. I am not familiar with Cbeyond, but I have worked with a few different providers and even spent some time on the phone with AT&T Labs (Bell Labs???) at one point when we were trying to get sipXecs working before switching to Switchvox. That is another story.

Andrew
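The two outbound NAT rows above, written out as a pf.conf fragment, as an added example that is not a pfSense-generated ruleset and not part of the thread. It also shows the provider-restricted inbound rules the reply asks about. Assumptions: WAN is em0, LAN is 192.168.1.0/24, the VoIP subnet is 192.168.101.0/24, the PBX is 192.168.101.10, the provider's signalling and media hosts are 203.0.113.10 and .11, and the PBX's RTP range is 16384-32767 (take the real one from the PBX):

```conf
# Added example, not pfSense output and not from the thread. pf's old
# nat/rdr syntax, as used by the pf in pfSense 2.0/2.1. All addresses and
# the RTP range are assumptions for the example.
ext_if    = "em0"
lan_net   = "192.168.1.0/24"
voip_net  = "192.168.101.0/24"
pbx       = "192.168.101.10"
rtp_ports = "16384:32767"
table <sip_provider> { 203.0.113.10, 203.0.113.11 }

# Weak setting (what automatic outbound NAT amounts to): the source port of
# every flow from the VoIP subnet is rewritten, so the RTP ports the PBX
# advertises in its SDP no longer match what the provider sees. Symptom:
# calls connect, but one-way or no audio.
# nat on $ext_if inet from $voip_net to any -> ($ext_if) port 1024:65535

# Corrected: static-port for the VoIP subnet only. The LAN keeps source
# port randomisation; static-port is a per-subnet concession, not a default.
nat on $ext_if inet from $lan_net  to any -> ($ext_if) port 1024:65535
nat on $ext_if inet from $voip_net to any -> ($ext_if) static-port

# Inbound: only the provider's addresses may reach signalling and media on
# the PBX; nothing else on the Internet needs to. In pf.conf all nat/rdr
# rules must come before the filter rules.
rdr on $ext_if inet proto udp from <sip_provider> to ($ext_if) port 5060       -> $pbx
rdr on $ext_if inet proto udp from <sip_provider> to ($ext_if) port $rtp_ports -> $pbx

pass in quick on $ext_if inet proto udp from <sip_provider> to $pbx port 5060       keep state
pass in quick on $ext_if inet proto udp from <sip_provider> to $pbx port $rtp_ports keep state
```

In the pfSense GUI this is Firewall > NAT > Outbound in manual mode, with the VoIP subnet's rule having Static Port checked, plus port forwards whose source is an alias holding the provider's addresses rather than "any". `pfctl -nf <file>` syntax-checks a standalone file like this one (don't load it on a pfSense box, whose ruleset is generated); on the running box, `pfctl -sn` should show `static-port` on the line for the VoIP subnet, which is the first thing to look for when audio is one-way.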
Re: [pfSense] SIP VoIP connection issue
> We currently are using a Switchvox 65 SMB connecting to an AT&T IP Flex SIP connection through pfSense 1.2.3 at two locations. ...
>
> Port forwarding looks OK to me from what you describe. One thing that may be different is we also have two rules in Outbound NAT. We chose Manual Outbound NAT rule generation:
>
> 1) WAN | {LAN IP/24}  | * | * | * | * | * | NO
> 2) WAN | {VoIP IP/24} | * | * | * | * | * | YES
>
> Having Static Port set to Yes for the VoIP subnet helped us initially get two-way voice working.
>
> Do you have any firewall rules for this specifically? Allowing traffic in/out from the SIP provider? We did not need to use sipproxy for our setup to allow this to work. ...

We were using Automatic Outbound NAT. I changed to Manual Outbound NAT and there was a rule related to the LAN subnet for port 500 only. I changed that to include all ports. Will test after the office has closed for the evening.

Yes, there are firewall rules for the relevant ports as follows (snipped for brevity):

nat on xl0 inet from 192.168.1.0/24 to any -> WAN Address static-port
nat on xl0 inet from 192.168.1.0/24 to any -> WAN Address port 1024:65535
nat on xl0 inet from 127.0.0.0/8 to any -> WAN Address port 1024:65535
nat on xl0 inet from 192.168.2.0/24 to any port = isakmp -> WAN Address static-port
nat on xl0 inet from 192.168.2.0/24 to any -> WAN Address port 1024:65535
nat on xl0 inet from 127.0.0.0/8 to any -> WAN Address port 1024:65535
rdr on xl0 inet proto tcp from any to WAN Address port = http -> h_PBX round-robin
rdr on xl0 inet proto tcp from any to WAN Address port = https -> h_PBX round-robin
rdr on xl0 inet proto udp from g_Cbeyond_SIP_Connections to WAN Address port = 5060 -> h_PBX round-robin
rdr on xl0 inet proto udp from g_Cbeyond_SIP_Connections to WAN Address port = 5062 -> h_PBX round-robin
rdr on xl0 inet proto udp from g_Cbeyond_SIP_Connections to WAN Address port 1:2 -> h_PBX round-robin
rdr on xl0 inet proto udp from g_Cbeyond_SIP_Connections to WAN Address port 4000:4999 -> h_PBX round-robin
rdr on xl0 inet proto udp from g_Cbeyond_SIP_Connections to WAN Address port = 4569 -> h_PBX round-robin
rdr on xl0 inet proto tcp from g_Cbeyond_SIP_Connections to WAN Address port = jabber-client -> h_PBX round-robin
rdr on xl0 inet proto tcp from g_Cbeyond_SIP_Connections to WAN Address port = 843 -> h_PBX round-robin
rdr on xl0 inet proto tcp from g_Cbeyond_SIP_Connections to WAN Address port = jabber-server -> h_PBX round-robin
pass in quick on xl0 reply-to (xl0 WAN Gateway Address) inet proto tcp from any to h_PBX port = http flags S/SA keep state label "USER_RULE: NAT forward incoming http packets to PBX"
pass in quick on xl0 reply-to (xl0 WAN Gateway Address) inet proto tcp from any to h_PBX port = https flags S/SA keep state label "USER_RULE: NAT forward https packets to PBX"
pass in quick on xl0 reply-to (xl0 WAN Gateway Address) inet proto udp from any to h_PBX port = 5060 keep state label "USER_RULE: allow SIP packets from Internet to PBX"
pass in quick on xl0 reply-to (xl0 WAN Gateway Address) inet proto udp from g_Cbeyond_SIP_Connections to h_PBX port = 5060 keep state label "USER_RULE: NAT"
pass in quick on xl0 reply-to (xl0 WAN Gateway Address) inet proto udp from g_Cbeyond_SIP_Connections to h_PBX port = 5062 keep state label "USER_RULE: NAT"
pass in quick on xl0 reply-to (xl0 WAN Gateway Address) inet proto udp from g_Cbeyond_SIP_Connections to h_PBX port 20001 keep state label "USER_RULE: NAT"
pass in quick on xl0 reply-to (xl0 WAN Gateway Address) inet proto udp from g_Cbeyond_SIP_Connections to h_PBX port 3999 >< 5000 keep state label "USER_RULE: NAT"
pass in quick on xl0 reply-to (xl0 WAN Gateway Address) inet proto udp from g_Cbeyond_SIP_Connections to h_PBX port = 4569 keep state label "USER_RULE: NAT"
pass in quick on xl0 reply-to (xl0 WAN Gateway Address) inet proto tcp from g_Cbeyond_SIP_Connections to h_PBX port = jabber-client flags S/SA keep state label "USER_RULE: NAT"
pass in quick on xl0 reply-to (xl0 WAN Gateway Address) inet proto tcp from g_Cbeyond_SIP_Connections to h_PBX port = 843 flags S/SA keep state label "USER_RULE: NAT"
pass in quick on xl0 reply-to (xl0 WAN Gateway Address) inet proto tcp from g_Cbeyond_SIP_Connections to h_PBX port = jabber-server flags S/SA keep state label "USER_RULE: NAT"

Our phones are in the 192.168.101.0/24 subnet. 192.168.102.0/24 points to our DMZ zone. I noticed
Re: [pfSense] SIP VoIP connection issue
In our case (similar scenario), manual outbound NAT, WAN to any, static port yes, worked. For forwarding, VoIPPorts: 5060:5061, 1:3, 3478, 7070:7079, 4569. Also do a server's allowed IPs for incoming, for extra security.

That worked fine for us, but when we changed to ALIX outbound calls work randomly; apparently something with the states. Sometimes it goes out, other times it's just dead silent. Incoming always works though.

On Feb 26, 2013, at 8:11 PM, Doug Sampson do...@dawnsign.com wrote:
> We were using Automatic Outbound NAT. I changed to Manual Outbound NAT and there was a rule related to the LAN subnet for port 500 only. I changed that to include all ports. Will test after the office has closed for the evening.
>
> Yes, there are firewall rules for the relevant ports as follows (snipped for brevity): ...