Re: [pfSense] SIP problems.
I'm facing Asterisk problems whenever pfsense gets a new IP from my WAN. And Asterisk reconnects to my operator when I reset the states. This is really an annoying problem and it only happens with pfsense,

On Tue, Oct 15, 2013 at 2:44 PM, Jon Gerdes gerd...@blueloop.net wrote:

I use these parameters which seem to work regardless of where the phone is (NAT or VPN)

nat=yes for all devices whether internal (VPN) or external
Set the RTP ports to the same as the Asterisk server or make the server range a superset of the device's ranges
Enable symmetric RTP
Enable keep alives on the phones - some may have a NAT keep alive option
Make sure you have defined your localnet on Asterisk for each internal subnet. I usually put 10.0.0.0/255.0.0.0 172.16.0.0/255.240.0.0 and 192.168.20.0/255.255.0.0 in on all Asterisks I configure - it covers most eventualities.

Hope this helps

Cheers
Jon

I have nat=no set for those devices since it's over a tunnel (I've tried yes and strict as well I think). My RTP range is 1-2 on the asterisk device (and they are allowed through the firewall). At the moment I'm using a snom m9 (RTP range 49152-65534) but I've seen the same issues with an aastra 480 (rtp 3000-3003) and a digium d50 (not sure on the RTP ports).

Should any of this matter over an OpenVPN tunnel? Or only over NAT?

I'm not just losing voice btw (which I assume is the RTP), I'm losing all connectivity (which I'm assuming means my SIP session is down).

On Mon, Oct 14, 2013 at 5:12 AM, Jon Gerdes gerd...@blueloop.net wrote:

Are you using symmetric RTP? If not, try that along with a keep alive option. As the RFC for it states it should be a default - shame it isn't on many systems. It fixes a lot of snags for me.

I have a phone - Cisco 504G - on my desk that can go weeks without making/taking a call and yet just works. The PBX - Asterisk 11 - for it is over 50 miles away, behind pfSense 2.1 (formerly 2.0.{1,2,3}), at one stage over IPSEC and now simply NATted.

Your problem is almost certainly the phone setting up an RTP port at registration and then assuming it can carry on using it. The state goes at one end or the other and then calls fail. By using symmetric RTP you effectively fix the RTP port at both ends and the state will properly keep alive - at both ends, PBX and phone.

Also make sure that your RTP port range is the same at both ends. There are many range defaults depending on manufacturer. Asterisk defaults to 1-2 (check /etc/asterisk/rtp.conf) but Cisco for example does not.

So:

Get the RTP ranges fixed up
Use symmetric RTP
Use keep alives

Cheers
Jon

Already tried that, I think they are pinged every 30sec from the asterisk side.

On Thu, Oct 10, 2013 at 10:05 AM, Vick Khera vi...@khera.org wrote:

Can you configure your phones to do a keepalive ping? It sounds like the states are timing out.

On Wed, Oct 9, 2013 at 5:44 PM, palesius . pales...@gmail.com wrote:

To take a break from all the NSA talk...

I'm having some trouble routing traffic over an openvpn tunnel between two pfsense firewalls. Asterisk server on one end, a couple of different phones on the other side. It was working fine when we had monowall on both ends (w/ ipsec tunnel). Since changing to pfsense it will register with the server just fine but will lose its connection anywhere from a few minutes to hours later. I've tried both ipsec and openvpn tunnels and have pretty much the same result.

I know mono and pfsense use a different firewall engine, is there something obvious I should set/change to fix this.

I had kind of dropped the issue a few months ago but wanted to take another stab at it. I'll try to do some packet captures but don't have any at the moment. Just hoping there is some easy general fix for getting SIP working that someone else has already discovered.
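The "states are timing out" diagnosis in this thread can be checked by replaying packet timestamps against a state timer. This is an added example, not code from any poster or from pfSense; the function names, the traces and the timeout values (modelled on pf's stock defaults) are assumptions.

```python
# Added example: replay one UDP flow against a pf-style state timer.
# TIMEOUTS are assumed values modelled on pf's stock defaults; read the
# real ones on the firewall with `pfctl -s timeouts`.
TIMEOUTS = {"first": 60, "single": 30, "multiple": 60}  # seconds


def replay(packets, timeouts=TIMEOUTS):
    """Return [(time, direction, action)] for a time-sorted packet list.

    direction is "out" (sent by the phone, allowed to open a state) or
    "in" (sent by the far side, passed only while a state exists).
    action is "new-state", "match" or "blocked".
    """
    verdicts = []
    expires = None                      # absolute time the state dies
    seen = {"out": 0, "in": 0}
    for t, direction in packets:
        if expires is not None and t >= expires:
            expires = None              # idle too long: state was purged
            seen = {"out": 0, "in": 0}
        if expires is None and direction == "in":
            verdicts.append((t, direction, "blocked"))
            continue
        action = "new-state" if expires is None else "match"
        seen[direction] += 1
        if seen["out"] and seen["in"]:
            stage = "multiple"          # both ends have sent packets
        elif seen["out"] > 1:
            stage = "single"            # several packets, no reply yet
        else:
            stage = "first"
        expires = t + timeouts[stage]
        verdicts.append((t, direction, action))
    return verdicts


def blocked_times(packets, timeouts=TIMEOUTS):
    return [t for t, _, action in replay(packets, timeouts) if action == "blocked"]


# Constructed traces (seconds since registration), not captures from the thread.
# A: the phone registers once, then only the far side probes every 90 s.
far_side_only = [(0, "out"), (0.1, "in")] + [(90 * i, "in") for i in range(1, 4)]
# B: the same trace plus a keepalive sent by the phone every 20 s.
with_keepalive = sorted(far_side_only + [(20 * i, "out") for i in range(1, 14)])

if __name__ == "__main__":
    print("blocked, far-side probes only:", blocked_times(far_side_only))
    print("blocked, phone keepalives:    ", blocked_times(with_keepalive))
```

Feeding it timestamps exported from a real capture, with the firewall's actual timeouts, shows whether any idle gap outlives the state.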
___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] SIP problems.
Thanks that (keepalives on phone) seemed to help but we're suffering unrelated connectivity problems between the sites, so I won't be able to test until that is resolved, but if I'm having trouble still I'll try some of your other suggestions.
Re: [pfSense] SIP problems.
I played around with qualify frequency and settings without success. I didn't have such problems with Openwrt and dedicated router from my operator. This is not reliable and if I can not find a solution for this I'll have to give up pfsense. Any help in this case is appreciated!
Re: [pfSense] SIP problems.
On Wed, Oct 16, 2013 at 3:21 AM, Hannes Werner jgoe...@gmail.com wrote:

I'm facing Asterisk problems whenever pfsense gets a new IP from my WAN. And Asterisk reconnects to my operator when I reset the states. This is really an annoying problem and it only happens with pfsense,

What is "it" in "it only happens"? That your WAN address changes? How do you expect *any* connections to persist across an IP address change? If your provider is changing your IP address, that's their issue, not your router's. Your router cannot influence that.
[pfSense] issue a STARTTLS command
Hello all!

php: /system_advanced_notifications.php: Could not send the message to i...@anup.de -- Error: 530 5.7.0 Must issue a STARTTLS command first

Is starttls possible with pfsense?

Greetings
Andreas
Re: [pfSense] issue a STARTTLS command
As of about a month ago (https://github.com/pfsense/pfsense/commit/1cddd59c4ed2341f87cf58d9b67d45c82ffd99d0) StartTLS is an independent setting and should work no matter what port you are using. I do not know whether that code has made it to a release (can log in to check from where I am now) and I don't know how much that changed the behavior from before, but it is probably worth a look.

- Y

On Wed, Oct 16, 2013 at 5:53 PM, Andreas Meyer anme...@anup.de wrote:

Hello!

Moshe Katz mo...@ymkatz.net wrote:

On Wed, Oct 16, 2013 at 5:41 PM, Andreas Meyer anme...@anup.de wrote:

Hello all!

php: /system_advanced_notifications.php: Could not send the message to i...@anup.de -- Error: 530 5.7.0 Must issue a STARTTLS command first

Is starttls possible with pfsense?

There is a checkbox on the System - Advanced - Notifications page that says Enable SSL/TLS Authentication. Make sure that box is checked, and it should work.

Isn't that checkbox for port 465 only?

php: /system_advanced_notifications.php: Could not send the message to i...@anup.de -- Error: could not connect to the host mail.anup.de: ??

Moshe

Andreas
Re: [pfSense] issue a STARTTLS command
Hell!

I tried with both, port 587 and port 25.

I use 2.1-RELEASE (i386) built on Wed Sep 11 18:16:22 EDT 2013 FreeBSD 8.3-RELEASE-p11 nanobsd (4g)

Andreas
Re: [pfSense] openvpn configuration?
-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Kurt Buff
Sent: Wednesday, October 16, 2013 4:59 PM
To: pfSense support and discussion
Subject: [pfSense] openvpn configuration?

All,

Been quite a while since I've messed with pfsense, and am putting up a new box with the latest pfsense (2.1-RELEASE AMD64.) I created a non-admin user as well.

I've configured OpenVPN, and have installed the client on a Win7 x64 machine.

When I connect with the non-admin (or admin) user, I get prompted to access the cert, then to enter credentials, but then am disconnected with the error message stating that Not an Access Server.

I've run through a couple of tutorials, including:
https://doc.pfsense.org/index.php/VPN_Capability_OpenVPN
and
http://blog.stefcho.eu/?p=492

I'm still getting the above error.

Can anyone give me some pointers on where to look to resolve this?

Kurt

___

Hello, Kurt

I used this YouTube tutorial step by step and worked a treat.
http://www.youtube.com/watch?v=VdAHVSTl1ys

Peder