Re: [pfSense] Multi-WAN port forwarding

2015-02-13 Thread Steve Spencer
What VOIP platform is it? We have successfully implemented firewall 
allow rules for our Digium Switchvox PBX using PfSense. We might have 
similar rule set requirements if that helps at all.


On 02/13/2015 01:01 PM, Tiernan OToole wrote:

Right... So after a bit of digging, I found the following from my VoIP Server 
provider:

http://www.3cx.com/blog/voip-howto/pfsense-firewall/

They walked me through setting up the firewall rules, and port preservation, 
which worked to an extent... originally, no traffic was hitting the required 
ports (5060, 5090 and 9000-9099) but now it is... It's still getting blocked 
somewhere, but at least it’s a start!

Now more digging!

--Tiernan

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jon Gerdes
Sent: Friday 13 February 2015 13:57
To: list@lists.pfsense.org
Subject: Re: [pfSense] Multi-WAN port forwarding


On Thu, 2015-02-12 at 21:13 +, Tiernan OToole wrote:

Thanks for the tip Chris (Doh!) but tried setting it to UDP and still no luck...

--Tiernan

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris L
Sent: Thursday 12 February 2015 20:36
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Multi-WAN port forwarding

SIP is UDP, not TCP.


On Feb 12, 2015, at 12:33 PM, Tiernan OToole  wrote:

Morning all.

I have a question I hope someone can help me with.

I have my PFSense server with 3 WAN connections, load balanced and I
need to start forwarding ports, specifically SIP ports. I have done
port forwarding on port 80, and it works grand, but doing the same
steps with 5060, not so much…

The steps I took were:

Firewall/NAT, Add, interface = WAN1, proto TCP, src addr and port
are both *, dest = WAN1 address, dst port 5060, nat IP (internal ip
of the voip box), nat ports 5060

Did this for each WAN connection and again for other ports… but the VoIP 
firewall checker is still telling me the ports ain't open… What am I doing wrong?

It works on port 80! Why not SIP?!

Thanks.

--Tiernan


Start by making sure that traffic is actually hitting the rule.  Enable logging 
on the rule and/or run a packet capture on the pfSense box with the interface 
set to the WAN link, proto UDP port 5060.

You could also do a pcap on the LAN interface with the IP of the PBX to see 
both directions.  Install Wireshark on your PC to look deeply into the pcap 
(download button)

Once you get SIP to work which is usually pretty easy, then you get to diagnose 
why you get one way audio (RTP).  Hopefully that won't happen.
Symmetric RTP is your friend here ...

Another thing to watch out for is SIP ALGs upstream of the pfSense and making 
sure that your VoIP system knows its external IP address.

Cheers
Jon

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold




--
--
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 1131
Mobile 402-765-8010

Re: [pfSense] Dandy pfSense appliance

2013-04-25 Thread Steve Spencer

On 04/25/2013 03:31 AM, Ulrik Lunddahl wrote:

Hi Odhiambo!

I have done quite a few pfSense 2.x installations on those two machines.

http://www.intel.com/content/www/us/en/motherboards/desktop-motherboards/desktop-kit-dccp847dye.html
http://www.intel.com/content/www/us/en/motherboards/desktop-motherboards/desktop-kit-dc3217by.html

All you have to add is RAM and a small mSATA SSD, change the BIOS to IDE, 
pfSense does not work with AHCI apparently.

Now, those devices do only have 1 Gigabit Port, so I combine them with a VLAN 
switch, they are very cheap.

I usually use the D-Link DGS-1100 Series and configure one port as an uplink to 
the NUC, and the rest in a combination of WAN, LAN and OPT ports.

This obviously does not work very well if you have servers on one VLAN and 
Clients on another, AND do heavy bulk transfers of large files between the two 
VLANS, but for everything else, it works like a charm.

The Celeron 847 is normally fast enough for most setups, and the Core i3 
version gives you a lot of power for the price and wattage.

Better yet, you can pick all hardware up almost everywhere.



Med venlig hilsen, Best regards
Ulrik Lunddahl

Sales Manager - Salgschef
PROconsult Data A/S - Landbrugsvej 2 - 5260  Odense S
Tel: +45 6311 - Tel dir: +45 63113341 - Mobil: +45 26363341
E-mail: u...@proconsult.dk - Web site: www.proconsult.dk






-Original message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
behalf of Odhiambo Washington
Sent: 24 April 2013 19:40
To: pfSense support and discussion
Subject: [pfSense] Dandy pfSense appliance

I'd like to acquire a nicely designed device running pfSense. Is there a nicely 
designed device the size of a typical Netgear WiFi router device, with high 
specs?

I'd like to respond in-line, but the top post kind of makes it 
difficult. At any rate, the units described by Ulrik could easily be 
multiple Ethernet units. You would just need to carry a few USB Ethernet 
adapters along with the unit in your backpack.


Thanks,

--
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 231
Mobile 308-380-7957
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] PfSense 1.2.2 to 2.0 Release and Digium Switchvox remote phone issue

2012-12-10 Thread Steve Spencer

On 12/10/2012 09:32 AM, Vick Khera wrote:

>The remote phones in question are not using NAT, but are publicly
>addressed. Local phones on our LAN continue to work just fine. The firewall
>is at the local end and sits between the cloud and the switchvox server.
>When you say, "going back to a static port on 5060" what do you mean?
>Currently, there is an alias set up for VOIP UDP ports and for VOIP TCP
>port. All traffic inbound is allowed to those ports if the destination is
>the Switchvox server. 5060 is included in the UDP ports alias.
>

Did you configure the "NAT" option for those lines in switchvox?  I don't
have any public IP phones, just some that are at remote locations using
IPsec VPN.  I also had to tell switchvox that the other LANs were "local".

With 1.x pfSense, I used the SIP proxy package.  With 2.0 I do not, and it
does still seem to work just fine.

I /may/ have just found my problem, though still not sure. On the old 
firewall (1.2.2) I had enabled manual outbound NAT and had specified 
only the LAN network in the mappings. On the new (2.2) firewall, I had 
left automatic outbound NAT enabled, which generates rules for all the 
interfaces except, of course, for the WAN. I may be able to fix my 
problem by simply turning on manual outbound NAT and then deleting all 
the auto-generated rules except the LAN interface. The Switchvox server 
has its only network (publicly addressable) so it is not necessary to 
NAT, I wouldn't think.


Sound reasonable?

Thanks,

--
--
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 231
Mobile 308-380-7957


Re: [pfSense] PfSense 1.2.2 to 2.0 Release and Digium Switchvox remote phone issue

2012-12-10 Thread Steve Spencer

On 12/09/2012 03:07 AM, Chris Buechler wrote:

>All,
>
>I've been attempting to our old 1.2.2 firewall to new hardware and version
>2.0 Release. Everything works with one big exception of the remote phones on
>our Digium Switchvox server. I've attempted this move 3 times, and each time
>I pull the new firewall back to our office after the failure and comb
>through the firewall rules for the Switchvox segment with a fine tooth comb.
>They are identical rule sets on both 1.2.2 and 2.0.
>

The difference between 1.x and 2.x, assuming you're using automatic
outbound NAT, is the former won't rewrite the source port on UDP 5060
and the latter will. 2.x's behavior works significantly more of the
time than 1.x's, but there isn't one setting that works for
everything. Going back to static port on 5060 likely will fix.
http://doc.pfsense.org/index.php/VoIP_Configuration


Chris,

Thanks for the reply, but having read the document you linked and your 
email, I'm still not positive that this relates to my situation. Forgive 
me for asking for a little more clarification and providing the same.


The remote phones in question are not using NAT, but are publicly 
addressed. Local phones on our LAN continue to work just fine. The 
firewall is at the local end and sits between the cloud and the 
switchvox server. When you say, "going back to a static port on 5060" 
what do you mean? Currently, there is an alias set up for VOIP UDP ports 
and for VOIP TCP port. All traffic inbound is allowed to those ports if 
the destination is the Switchvox server. 5060 is included in the UDP 
ports alias.


Any further ideas are greatly appreciated!

Thanks,
--
--
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 231
Mobile 308-380-7957
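
Added example, not part of any poster's message and not pfSense or Switchvox code: a small Python check for two NAT problems raised in these threads, the VoIP system not knowing its external IP address (Jon Gerdes) and outbound NAT rewriting the source port on UDP 5060 (Chris Buechler). The INVITE, its addresses and the function name `audit_sip` are constructed for illustration; `wan_src_port` is assumed to be the UDP source port read from a WAN-side packet capture.

```python
import ipaddress
import re

# RFC 1918 ranges listed explicitly: ipaddress.is_private also covers
# documentation ranges, which this constructed sample uses as "public" IPs.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOSTPORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?")

# Constructed SIP INVITE, as it might look in a capture on the WAN side.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:200@198.51.100.20 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.10.5:5060;branch=z9hG4bK776asdhds",
    "From: <sip:100@198.51.100.20>;tag=1928301774",
    "To: <sip:200@198.51.100.20>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 1 INVITE",
    "Contact: <sip:100@192.168.10.5:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0", "o=- 0 0 IN IP4 192.168.10.5", "s=-",
    "c=IN IP4 192.168.10.5", "t=0 0", "m=audio 9000 RTP/AVP 0", "",
])

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def audit_sip(payload, wan_src_port):
    """Return (field, problem) pairs for a SIP message seen on the WAN."""
    findings = []
    head, _, sdp = payload.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() not in ("via", "contact"):
            continue
        m = HOSTPORT.search(value)
        if not m:
            continue
        if is_rfc1918(m.group(1)):                 # PBX advertises a LAN address
            findings.append((name.lower(), "private-address"))
        if int(m.group(2) or 5060) != wan_src_port:  # NAT changed the source port
            findings.append((name.lower(), "source-port-rewritten"))
    for line in sdp.split("\r\n"):                 # SDP connection address for RTP
        if line.startswith("c=IN IP4 ") and is_rfc1918(line.split()[-1]):
            findings.append(("sdp c=", "private-address"))
    return findings
```

A `private-address` finding on the SDP `c=` line means the far end is being told to send RTP to an unroutable address; `source-port-rewritten` is the situation the static port setting on outbound NAT addresses.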


[pfSense] PfSense 1.2.2 to 2.0 Release and Digium Switchvox remote phone issue

2012-12-07 Thread Steve Spencer

All,

I've been attempting to our old 1.2.2 firewall to new hardware and 
version 2.0 Release. Everything works with one big exception of the 
remote phones on our Digium Switchvox server. I've attempted this move 3 
times, and each time I pull the new firewall back to our office after 
the failure and comb through the firewall rules for the Switchvox 
segment with a fine tooth comb. They are identical rule sets on both 
1.2.2 and 2.0.


When we deploy the 2.0 server, we are able to see all of the phones from 
the Switchvox server without issue and we can call those remote phones 
from this location and talk to the user at the other end, BUT, when they 
call back, the phone rings and we answer but nothing can be heard on 
either end. We've cleared arp on all affected routers and rebooted the 
Switchvox server and phones to no avail. I've even gone so far in my 
testing to literally allow all traffic to the VOIP segment, and still 
this does not work. Switching back to the old firewall works just fine 
without any hoop jumping.


There are many features on the new 2.0 server that I want to use here, 
but I have to be able to jump through the VOIP hurdle first. Has anyone 
run into this? If so, what did you do to fix the issue?


Thanks in advance,
--
--
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 231
Mobile 308-380-7957