Re: [pfSense] SIP problems.

2013-10-16 Thread Hannes Werner
I'm facing Asterisk problems whenever pfsense gets a new IP from my WAN.
And Asterisk reconnects to my operator when I reset the states. This is
really an annoying problem and it only happens with pfsense.


On Tue, Oct 15, 2013 at 2:44 PM, Jon Gerdes gerd...@blueloop.net wrote:

 I use these parameters which seem to work regardless of where the phone is
 (NAT or VPN)

 nat=yes for all devices whether internal (VPN) or external
 Set the RTP ports to the same as the Asterisk server or make the server
 range a superset of the device's ranges
 Enable symmetric RTP
 Enable keep alives on the phones - some may have a NAT keep alive option

 Make sure you have defined your localnet on Asterisk for each internal
 subnet.  I usually put  10.0.0.0/255.0.0.0 172.16.0.0/255.240.0.0 and
 192.168.20.0/255.255.0.0 in on all Asterisks I configure - it covers most
 eventualities.

 Hope this helps

 Cheers
 Jon


 
  i have nat=no set for those devices since it's over a tunnel (i've tried
  yes and strict as well i think).
  my RTP range is 1-2 on the asterisk device. (and they are allowed
  through the firewall)
  at the moment i'm using a snom m9 (RTP range 49152-65534)
  but i've seen the same issues with an aastra 480 (rtp 3000-3003)
  and a digium d50 (not sure on the RTP ports)

  Should any of this matter over an OpenVPN tunnel? or only over NAT?

  I'm not just losing voice btw (which i assume is the RTP), I'm losing all
  connectivity (which I'm assuming means my Sip session is down).


  On Mon, Oct 14, 2013 at 5:12 AM, Jon Gerdes gerd...@blueloop.net wrote:

  Are you using symmetric RTP?  If not, try that along with a keep alive
  option.  As the RFC for it states it should be a default - shame it isn't
  on many systems. It fixes a lot of snags for me.

  I have a phone - Cisco 504G - on my desk that can go weeks without
  making/taking a call and yet just works.  The PBX - Asterisk 11 - for it
  is over 50 miles away, behind pfSense 2.1 (formerly 2.0.{1,2,3}), at one
  stage over IPSEC and now simply NATted.

  Your problem is almost certainly the phone setting up an RTP port at
  registration and then assuming it can carry on using it.  The state goes at
  one end or the other and then calls fail.  By using symmetric RTP you
  effectively fix the RTP port at both ends and the state will properly keep
  alive - at both ends, PBX and phone.

  Also make sure that your RTP port range is the same at both ends.  There
  are many range defaults depending on manufacturer.  Asterisk defaults to
  1-2 (check /etc/asterisk/rtp.conf) but Cisco for example does not.

  So:
  Get the RTP ranges fixed up
  Use symmetric RTP
  Use keep alives

  Cheers
  Jon



   Already tried that, I think they are pinged every 30sec from the asterisk
   side.


   On Thu, Oct 10, 2013 at 10:05 AM, Vick Khera vi...@khera.org wrote:

   Can you configure your phones to do a keepalive ping? It sounds like
   the states are timing out.



   On Wed, Oct 9, 2013 at 5:44 PM, palesius . pales...@gmail.com wrote:

   To take a break from all the NSA talk...

   I'm having some trouble routing traffic over an openvpn tunnel between
   two pfsense firewalls. Asterisk server on one end, a couple of different
   phones on the other side.

   It was working fine when we had monowall on both ends. (W/ipsec tunnel)
   Since changing to pfsense it will register with the server just fine but
   will lose its connection anywhere from a few minutes to hours later.

   I've tried both ipsec and openvpn tunnels and have pretty much the same
   result. I know mono and pfsense use a different firewall engine, is there
   something obvious I should set/change to fix this.

   I had kind of dropped the issue a few months ago but wanted to take
   another stab at it. I'll try to do some packet captures but don't have any
   at the moment. Just hoping there is some easy general fix for getting SIP
   working that someone else has already discovered.

   ___
   List mailing list
   List@lists.pfsense.org
   http://lists.pfsense.org/mailman/listinfo/list



  Registered Address : Blueloop House, Ilchester Road, YEOVIL, BA21 3AA
  Registered England & Wales - 3981322

  CONFIDENTIAL INFORMATION
  This e-mail and any files attached with it are confidential and for the
  sole use of the intended recipient(s).  If you are not the intended
  recipient(s) you are prohibited from using, copying or distributing this or
  any information contained in it and should immediately notify the sender
  and delete the message from your system.

  Internet communications are not secure and Blueloop Limited is not
  responsible for unauthorised use by third parties nor for alteration

Re: [pfSense] SIP problems.

2013-10-16 Thread palesius .
Thanks that (keepalives on phone) seemed to help but we're suffering
unrelated connectivity problems between the sites, so I won't be able to
test until that is resolved, but if I'm having trouble still I'll try some
of your other suggestions.
On Oct 15, 2013 8:44 AM, Jon Gerdes gerd...@blueloop.net wrote:

 I use these parameters which seem to work regardless of where the phone is
 (NAT or VPN)

 nat=yes for all devices whether internal (VPN) or external
 Set the RTP ports to the same as the Asterisk server or make the server
 range a superset of the device's ranges
 Enable symmetric RTP
 Enable keep alives on the phones - some may have a NAT keep alive option

 Make sure you have defined your localnet on Asterisk for each internal
 subnet.  I usually put  10.0.0.0/255.0.0.0 172.16.0.0/255.240.0.0 and
 192.168.20.0/255.255.0.0 in on all Asterisks I configure - it covers most
 eventualities.

 Hope this helps

 Cheers
 Jon


 

Re: [pfSense] SIP problems.

2013-10-16 Thread Hannes Werner
I played around with qualify frequency and settings without success. I
didn't have such problems with Openwrt and dedicated router from my
operator.
This is not reliable and if I cannot find a solution for this I'll have to
give up pfsense.
Any help in this case is appreciated!


On Wed, Oct 16, 2013 at 12:31 PM, palesius . pales...@gmail.com wrote:

 Thanks that (keepalives on phone) seemed to help but we're suffering
 unrelated connectivity problems between the sites, so I won't be able to
 test until that is resolved, but if I'm having trouble still I'll try some
 of your other suggestions.

Re: [pfSense] SIP problems.

2013-10-16 Thread Vick Khera
On Wed, Oct 16, 2013 at 3:21 AM, Hannes Werner jgoe...@gmail.com wrote:

 I'm facing Asterisk problems whenever pfsense gets a new IP from my WAN.
 And Asterisk reconnects to my operator when I reset the states. This is
 really an annoying problem and it only happens with pfsense,


What is "it" in "it only happens"? That your WAN address changes? How do
you expect *any* connections to persist across an IP address change? If
your provider is changing your IP address, that's their issue, not your
router's. Your router cannot influence that.


[pfSense] issue a STARTTLS command

2013-10-16 Thread Andreas Meyer
Hello all!

php: /system_advanced_notifications.php: Could not send the message to
i...@anup.de -- Error: 530 5.7.0 Must issue a STARTTLS command first

Is starttls possible with pfsense?

Greetings

  Andreas


Re: [pfSense] issue a STARTTLS command

2013-10-16 Thread Yehuda Katz
As of about a month ago (
https://github.com/pfsense/pfsense/commit/1cddd59c4ed2341f87cf58d9b67d45c82ffd99d0)
StartTLS is an independent setting and should work no matter what port you
are using.
I do not know whether that code has made it to a release (can log in to
check from where I am now) and I don't know how much that changed the
behavior from before, but it is probably worth a look.

- Y


On Wed, Oct 16, 2013 at 5:53 PM, Andreas Meyer anme...@anup.de wrote:

 Hello!

 Moshe Katz mo...@ymkatz.net wrote:

  On Wed, Oct 16, 2013 at 5:41 PM, Andreas Meyer anme...@anup.de wrote:
 
   Hello all!
  
   php: /system_advanced_notifications.php: Could not send the message to
   i...@anup.de -- Error: 530 5.7.0 Must issue a STARTTLS command first
  
   Is starttls possible with pfsense?

  There is a checkbox on the System - Advanced - Notifications page
  that says Enable SSL/TLS Authentication.  Make sure that box is checked,
  and it should work.

 Isn't that checkbox for port 465 only?
 php: /system_advanced_notifications.php: Could not send the message to
  i...@anup.de -- Error: could not connect to the host mail.anup.de: ??

 
  Moshe

   Andreas

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
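
The 530 reply in this thread and the two TLS modes under discussion, as an added example (not pfSense code and not posted by anyone on the list): a constructed loopback stub reproduces the refusal for a client that skips the upgrade, and `open_session` shows STARTTLS (plaintext greeting, then in-band upgrade, as on ports 25 or 587) next to implicit TLS (as on port 465). The stub, host names and function names are assumptions made for the illustration.

```python
import smtplib
import socketserver
import ssl
import threading


class StubSMTP(socketserver.StreamRequestHandler):
    """Constructed loopback server: advertises STARTTLS, refuses mail without it."""

    def handle(self):
        self.wfile.write(b"220 stub.example ESMTP\r\n")
        for raw in self.rfile:
            verb = raw.strip().upper()[:4]
            if verb == b"EHLO":
                self.wfile.write(b"250-stub.example\r\n250 STARTTLS\r\n")
            elif verb == b"QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:  # MAIL, RCPT, DATA ... sent before any TLS upgrade
                self.wfile.write(b"530 5.7.0 Must issue a STARTTLS command first\r\n")


def probe_plain(host, port, timeout=5):
    """Send MAIL FROM without upgrading; return (offers_starttls, code, text)."""
    with smtplib.SMTP(host, port, local_hostname="probe.example", timeout=timeout) as smtp:
        smtp.ehlo()
        offers = smtp.has_extn("starttls")
        code, text = smtp.mail("alerts@probe.example")
        return offers, code, text.decode()


def open_session(host, port, mode, timeout=5):
    """Open an encrypted session; mode is 'implicit' or 'starttls'."""
    ctx = ssl.create_default_context()  # verifies the server certificate
    if mode == "implicit":  # TLS from the first byte
        return smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        smtp.close()
        raise RuntimeError("server does not offer STARTTLS; refusing to send in clear")
    smtp.starttls(context=ctx)
    smtp.ehlo()  # capabilities must be re-read after the upgrade
    return smtp


def run_demo():
    """Start the stub on an ephemeral loopback port and probe it."""
    with socketserver.ThreadingTCPServer(("127.0.0.1", 0), StubSMTP) as server:
        server.daemon_threads = True
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return probe_plain("127.0.0.1", server.server_address[1])
        finally:
            server.shutdown()


if __name__ == "__main__":
    print(run_demo())
```

`open_session` is not exercised against the stub because the stub has no certificate; point it at a real relay to confirm which mode a given port expects.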


Re: [pfSense] issue a STARTTLS command

2013-10-16 Thread Andreas Meyer
Hello!

I tried with both, port 587 and port 25. I use 

2.1-RELEASE (i386)
built on Wed Sep 11 18:16:22 EDT 2013
FreeBSD 8.3-RELEASE-p11

nanobsd (4g)

  Andreas


Yehuda Katz yeh...@ymkatz.net wrote:

 As of about a month ago (
 https://github.com/pfsense/pfsense/commit/1cddd59c4ed2341f87cf58d9b67d45c82ffd99d0)
 StartTLS is an independent setting and should work no matter what port you
 are using.
 I do not know whether that code has made it to a release (can log in to
 check from where I am now) and I don't know how much that changed the
 behavior from before, but it is probably worth a look.
 
 - Y
 
 


Re: [pfSense] openvpn configuration?

2013-10-16 Thread Peder Rovelstad
-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of Kurt Buff
Sent: Wednesday, October 16, 2013 4:59 PM
To: pfSense support and discussion
Subject: [pfSense] openvpn configuration?

All,

Been quite a while since I've messed with pfsense, and am putting up a new
box with the latest pfsense (2.1-RELEASE AMD64.)

I created a non-admin user as well.

I've configured OpenVPN, and have installed the client on a Win7 x64
machine. When I connect with the non-admin (or admin) user, I get prompted
to access the cert, then to enter credentials, but then am disconnected with
the error message stating that Not an Access Server.

I've run through a couple of tutorials, including:
https://doc.pfsense.org/index.php/VPN_Capability_OpenVPN
and
http://blog.stefcho.eu/?p=492

I'm still getting the above error.

Can anyone give me some pointers on where to look to resolve this?

Kurt
___

Hello, Kurt

I used this YouTube tutorial step by step and worked a treat.
http://www.youtube.com/watch?v=VdAHVSTl1ys

Peder

