pf+voip
Does pf have specific rules for VoIP, maybe an example of a working pf rule set with VoIP? Because with the «standard rules» I have problems with VoIP.

set skip on lo
match out on pppoe0 from { em1:network } nat-to (pppoe0)
block
pass out
pass in on { em1 }

- after hanging up, the line stays busy for about 3 minutes (maybe keep state should be set to no state in the rules)
- the person on the phone is hard to hear (quiet)
Re: pf+voip
On Tue, May 27, 2014 at 01:59:07PM +0400, wrote:
> Does pf have specific rules for VoIP, maybe an example of a working pf rule set with VoIP? Because with the «standard rules» I have problems with VoIP.
>
> set skip on lo
> match out on pppoe0 from { em1:network } nat-to (pppoe0)
> block
> pass out
> pass in on { em1 }
>
> - after hanging up, the line stays busy for about 3 minutes (maybe keep state should be set to no state in the rules)
> - the person on the phone is hard to hear (quiet)

Hey, I don't use this anymore, but I still have the blurbs from my pf.conf that had a pretty much perfectly working VoIP connection:

Queuing: this was originally around 900kbit up when I used it (different ISP). I had also given the voip queue around 12%, I think; I left it there as I was unsure whether I'd still be using the VoIP phone after I left that company, and just knocked it down to 2% ;) Also pre-newqueue, warning! ;) ext01 and ext02 are the Aastra phone and the Obihai VoIP device, respectively.

--snip--
# hfsc queueing
altq on $ext_if bandwidth 460Kb hfsc queue \
	{ voip, ack, dns, game, ssh, www_ftp, std_out }
queue voip bandwidth 2% priority 8 hfsc(realtime 2%)
queue ack bandwidth 15% priority 7 hfsc(realtime 15%)
queue game bandwidth 37% priority 6 hfsc(realtime 40%)
queue dns bandwidth 5% priority 5 hfsc(realtime 5%)
queue ssh bandwidth 15% priority 4 hfsc(realtime 17%) { ssh_im, ssh_bulk }
queue ssh_im bandwidth 90% priority 4 hfsc
queue ssh_bulk bandwidth 10% priority 3 hfsc
queue www_ftp bandwidth 3% priority 2 hfsc(linkshare 3%)
queue std_out bandwidth 15% hfsc(linkshare 5% default)
--snip--

# NAT voip, static-port required to maintain UDP port mappings for SIP proxy
match out on $ext_if from $ext01 to any nat-to ($ext_if) static-port
match out on $ext_if from $ext02 to any nat-to ($ext_if) static-port

# queue voip, to AND from
match inet proto udp to port $rtp_ports scrub(set-tos ef) queue voip
match inet proto udp from port $rtp_ports scrub(set-tos ef) queue voip
--snip--

The above took care of the rest.
This was using both an Obihai VoIP device for hookup of a POTS phone, and an Aastra phone as my primary VoIP phone hooked into the company directory etc. (all quite easy with Asterisk!). The above worked well enough that I could take business calls, including calls that may have resulted in sales of VoIP service, without it sounding like I was on a shitty link with various vocal artifacts etc. In the end I could pretty much hammer my inet connection as hard as I wanted while a call was in progress and never really lost anything. YMMV :)

I found my values via hours of tweaking, hammering with various bandwidth-intensive applications, and hammering more.

I believe we did have a form of STUN or SIP proxy; the phones we used could be preconfigured to fetch a config from the company server, which would include things like a STUN or SIP proxy IP. In my setup, my normal nat line in pf does not use static-port, hence the added line before that point to catch the VoIP devices and make sure they are natted with static-port.

Cheers,
-ryan
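Ryan's static-port remark is the key point of the thread, so here is an added toy model (example code, not from the thread or from pf itself) of why a source NAT that rewrites UDP ports breaks the RTP port a phone advertises in its SDP, while a port-preserving NAT keeps the mapping the far end expects. The addresses, the SDP body, the port values, and the peer behaviour described in the comments are all constructed assumptions.

```python
import re

# Constructed sample values (not from the thread): the phone behind the
# firewall and the address pf would pick for nat-to ($ext_if).
PHONE_IP = "192.168.1.10"
EXT_IP = "203.0.113.5"

# Constructed SDP body as a phone would send it inside a SIP INVITE:
# c= carries the phone's own IP, m= the RTP port it is listening on.
SDP = ("v=0\r\n"
       "o=phone 1 1 IN IP4 192.168.1.10\r\n"
       "c=IN IP4 192.168.1.10\r\n"
       "m=audio 16384 RTP/AVP 0\r\n")


def advertised_rtp_port(sdp):
    """Port the far end will send RTP to, taken from the first m=audio line."""
    return int(re.search(r"^m=audio (\d+) ", sdp, re.M).group(1))


class SourceNat:
    """Toy source NAT: the first outbound packet creates a mapping that
    inbound packets must hit. static_port=True mirrors pf's static-port,
    False mirrors the default (source port rewritten to a high port)."""

    def __init__(self, static_port):
        self.static_port = static_port
        self.next_free = 50001          # constructed stand-in for a random port
        self.mappings = {}              # external port -> (internal ip, port)

    def outbound(self, src_ip, src_port):
        ext_port = src_port if self.static_port else self.next_free
        self.next_free += 1
        self.mappings[ext_port] = (src_ip, src_port)
        return EXT_IP, ext_port

    def inbound(self, dst_port):
        """Internal destination for a packet to EXT_IP:dst_port, or None if
        no state exists for it (the default 'block' then drops the packet)."""
        return self.mappings.get(dst_port)


def rtp_reaches_phone(static_port):
    """Simulate one call. Assumed peer behaviour: the SIP proxy replaces the
    private c= address with the INVITE's source address (EXT_IP) but trusts
    the advertised port, as a proxy facing a NAT without a SIP ALG would."""
    nat = SourceNat(static_port)
    port = advertised_rtp_port(SDP)
    nat.outbound(PHONE_IP, port)        # phone's first RTP packet creates state
    return nat.inbound(port) == (PHONE_IP, port)
```

With static-port the inbound RTP hits the existing state and audio flows both ways; without it the peer's RTP arrives on a port pf has no state for, which is the one-way or quiet audio the original poster describes.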
Re: PF, VoIP and SIP
On Saturday, 8 January 2005 04:16, SB wrote:
> I'm trying to get an IP phone to talk to our local office over my DSL line. It's a SIP based phone (Cisco 7940) and I believe I have all the right options opened in PF, but it's not quite working. Would someone care to take a look at it and see if I missed something?

Is your IP phone working with pf disabled? pfctl -d (-e)
Do you reach the SIP gateway? No (error) messages in the Cisco log?

regards
PF, VoIP and SIP
I'm trying to get an IP phone to talk to our local office over my DSL line. It's a SIP based phone (Cisco 7940) and I believe I have all the right options opened in PF, but it's not quite working. Would someone care to take a look at it and see if I missed something?

TIA,
Steve

## PF Ruleset
##
## Macros
ext_if = fxp0
int_if = fxp1
wi_if = fxp2
external_addr = x.x.x.x
int_network = 192.168.1.0/24
int_gw = 192.168.1.1/32
wi_network = 10.0.26.0/24
wi_gw = 10.0.26.1/32
icmp_types = echoreq
voip_tcp = 5060
voip_udp = "{ 5060, 4569, 5036, 20001, 2727 }"

## Tables
# IANA reserved IP blocks as of 8/2004
# http://www.completewhois.com/iana-ipv4-addresses.txt
table <reserved> const { 0/8, 1/8, 2/8, 5/8, 7/8, 10/8, 14/8, 23/8, 27/8, 31/8, 36/8, 37/8, 39/8, 41/8, \
	49/8, 50/8, 42/8, 73/8, 74/8, 75/8, 76/8, 77/8, 78/8, 79/8, 89/8, 90/8, 91/8, 92/8, 93/8, 94/8, 95/8, 96/8, \
	97/8, 98/8, 99/8, 100/8, 101/8, 102/8, 103/8, 104/8, 105/8, 106/8, 107/8, 108/8, 109/8, 110/8, 111/8, 112/8, \
	113/8, 114/8, 115/8, 116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8, 127/8, 173/8, \
	174/8, 175/8, 176/8, 177/8, 178/8, 179/8, 180/8, 181/8, 182/8, 183/8, 184/8, 185/8, 186/8, 187/8, 189/8, 190/8, \
	197/8, 223/8, 240/8, 241/8, 242/8, 243/8, 244/8, 245/8, 246/8, 247/8, 248/8, 249/8, 250/8, 251/8, 252/8, 253/8, \
	254/8, 255/8 }

## Options
set block-policy return
set loginterface $ext_if
set optimization normal

## Scrub
scrub in on $ext_if all random-id fragment reassemble

## Translation - NAT/RDR
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $wi_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

## Filter rules
block in all
antispoof log quick for $ext_if inet

# drop dsl noise/broadcast packets
block in quick on $ext_if inet from any to { 255.255.255.255 }

# Block all reserved IP addresses.
block in quick on $ext_if inet from <reserved> to any
block out quick on $ext_if inet from <reserved> to any

# block extra DNS replies
block return in on $ext_if inet proto udp from port = domain to port = domain

# Block NetBIOS traffic to the local LAN
block in quick on $ext_if inet proto tcp from any to any port { 135, 137, 139, 445 }
block out quick on $ext_if inet proto tcp from any to any port { 135, 137, 139, 445 }

# block nmap attempts
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA

# pass loopback traffic
pass in quick on lo0 all
pass out quick on lo0 all

# pass SSH traffic
pass in on $ext_if inet proto tcp from any to any port ssh flags S/SA keep state

# pass VoIP traffic
pass in on $ext_if inet proto tcp from any to any port $voip_tcp flags S/SA keep state
pass out on $ext_if inet proto tcp all flags S/SA keep state
pass in on $ext_if inet proto udp from any to any port $voip_udp keep state
pass out on $ext_if proto udp all keep state

# allow internally generated traffic to pass
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any
pass out on $int_if from any to $int_if:network
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state