Re: [pfSense] Multi-WAN port forwarding
What VOIP platform is it? We have successfully implemented firewall allow rules for our Digium Switchvox PBX using pfSense. We might have similar rule set requirements if that helps at all.

On 02/13/2015 01:01 PM, Tiernan OToole wrote:
> Right... So after a bit of digging, I found the following from my VoIP server provider:
> http://www.3cx.com/blog/voip-howto/pfsense-firewall/
>
> They walked me through setting up the firewall rules and port preservation, which worked to an extent... Originally, no traffic was hitting the required ports (5060, 5090 and 9000-9099), but now it is... It's still getting blocked somewhere, but at least it's a start! Now more digging!
>
> --Tiernan
>
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jon Gerdes
> Sent: Friday 13 February 2015 13:57
> To: list@lists.pfsense.org
> Subject: Re: [pfSense] Multi-WAN port forwarding
>
> On Thu, 2015-02-12 at 21:13 +, Tiernan OToole wrote:
>> Thanks for the tip Chris (Doh!) but tried setting it to UDP and still no luck...
>>
>> --Tiernan
>>
>> -----Original Message-----
>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris L
>> Sent: Thursday 12 February 2015 20:36
>> To: pfSense Support and Discussion Mailing List
>> Subject: Re: [pfSense] Multi-WAN port forwarding
>>
>> SIP is UDP, not TCP.
>>
>> On Feb 12, 2015, at 12:33 PM, Tiernan OToole wrote:
>>> Morning all. I have a question I hope someone can help me with.
>>>
>>> I have my pfSense server with 3 WAN connections, load balanced, and I need to start forwarding ports, specifically SIP ports. I have done port forwarding on port 80, and it works grand, but doing the same steps with 5060, not so much…
>>>
>>> The steps I took were: Firewall/NAT, Add, interface = WAN1, proto TCP, src addr and port are both *, dest = WAN1 address, dst port 5060, NAT IP (internal IP of the VoIP box), NAT ports 5060.
>>>
>>> Did this for each WAN connection and again for other ports… but the VoIP firewall checker is still telling me the ports ain't open… What am I doing wrong? It works on port 80! Why not SIP?!
>>>
>>> Thanks.
>>> --Tiernan
>
> Start by making sure that traffic is actually hitting the rule. Enable logging on the rule and/or run a packet capture on the pfSense box with the interface set to the WAN link, proto UDP, port 5060. You could also do a pcap on the LAN interface with the IP of the PBX to see both directions. Install Wireshark on your PC to look deeply into the pcap (download button).
>
> Once you get SIP to work, which is usually pretty easy, then you get to diagnose why you get one-way audio (RTP). Hopefully that won't happen. Symmetric RTP is your friend here...
>
> Another thing to watch out for is SIP ALGs upstream of the pfSense and making sure that your VoIP system knows its external IP address.
>
> Cheers
> Jon
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold

--
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 1131
Mobile 402-765-8010
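As an added illustration of Jon's advice above (not part of the thread), this Python sifts tcpdump-style capture lines for SIP on UDP 5060 and for the 9000-9099 RTP range Tiernan mentions, and flags flows that carry packets in only one direction, the signature of one-way audio. The capture text, the PBX address and the function names are constructed for the example.

```python
# Added example (not from the thread): summarise a tcpdump-style capture
# taken on pfSense and flag one-way RTP, the symptom Jon warns about.
import re
from collections import defaultdict

PBX = "10.0.0.5"  # constructed: LAN address of the VoIP box
RTP_PORTS = range(9000, 9100)  # the 9000-9099 range from the thread

# Constructed sample output in tcpdump -n style; not a real capture.
SAMPLE = """\
12:00:01.000 IP 203.0.113.7.5060 > 10.0.0.5.5060: SIP: INVITE sip:100@pbx
12:00:01.010 IP 10.0.0.5.5060 > 203.0.113.7.5060: SIP: SIP/2.0 200 OK
12:00:01.100 IP 203.0.113.7.20000 > 10.0.0.5.9002: UDP, length 172
12:00:01.120 IP 203.0.113.7.20000 > 10.0.0.5.9002: UDP, length 172
12:00:01.140 IP 203.0.113.7.20000 > 10.0.0.5.9002: UDP, length 172
"""
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): ")


def summarize(capture, pbx=PBX):
    """Count packets per (peer, pbx_port) flow, split by direction."""
    flows = defaultdict(lambda: {"in": 0, "out": 0})
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # skip lines that are not IP packets
        src, sport, dst, dport = m[1], int(m[2]), m[3], int(m[4])
        if dst == pbx:
            flows[(src, dport)]["in"] += 1
        elif src == pbx:
            flows[(dst, sport)]["out"] += 1
    return dict(flows)


def one_way_flows(summary, rtp_ports=RTP_PORTS):
    """RTP flows seen in only one direction: media reaches the PBX but
    nothing comes back (or vice versa), i.e. one-way audio."""
    return sorted(peer for peer, c in summary.items()
                  if peer[1] in rtp_ports and (c["in"] == 0) != (c["out"] == 0))


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s)
    print("one-way RTP:", one_way_flows(s))
```

Feed it the text of a pfSense packet capture (Diagnostics > Packet Capture, or tcpdump -n on the box) taken on the LAN side, where both directions of PBX traffic are visible.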
Re: [pfSense] Dandy pfSense appliance
On 04/25/2013 03:31 AM, Ulrik Lunddahl wrote:
> Hi Odhiambo!
>
> I have done quite a few pfSense 2.x installations on those two machines.
> http://www.intel.com/content/www/us/en/motherboards/desktop-motherboards/desktop-kit-dccp847dye.html
> http://www.intel.com/content/www/us/en/motherboards/desktop-motherboards/desktop-kit-dc3217by.html
>
> All you have to add is RAM and a small mSATA SSD, and change the BIOS to IDE; pfSense does not work with AHCI, apparently.
>
> Now, those devices only have 1 Gigabit port, so I combine them with a VLAN switch; they are very cheap. I usually use the D-Link DGS-1100 series and configure one port as an uplink to the NUC, and the rest in a combination of WAN, LAN and OPT ports. This obviously does not work very well if you have servers on one VLAN and clients on another, AND do heavy bulk transfers of large files between the two VLANs, but for everything else, it works like a charm.
>
> The Celeron 847 is normally fast enough for most setups, and the Core i3 version gives you a lot of power for the price and wattage. Better yet, you can pick all the hardware up almost everywhere.
>
> Best regards
> Ulrik Lunddahl
> Sales Manager
> PROconsult Data A/S - Landbrugsvej 2 - 5260 Odense S
> Tel: +45 6311 - Direct tel: +45 63113341 - Mobile: +45 26363341
> E-mail: u...@proconsult.dk - Web site: www.proconsult.dk
>
> -----Original Message-----
> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Odhiambo Washington
> Sent: 24 April 2013 19:40
> To: pfSense support and discussion
> Subject: [pfSense] Dandy pfSense appliance
>
> I'd like to acquire a nicely designed device running pfSense. Is there a nicely designed device the size of a typical Netgear WiFi router device, with high specs?

I'd like to respond in-line, but the top post kind of makes it difficult. At any rate, the units described by Ulrik could easily be multiple Ethernet units. You would just need to carry a few USB Ethernet adapters along with the unit in your backpack.

Thanks,
--
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 231
Mobile 308-380-7957

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] PfSense 1.2.2 to 2.0 Release and Digium Switchvox remote phone issue
On 12/10/2012 09:32 AM, Vick Khera wrote:
>> The remote phones in question are not using NAT, but are publicly addressed. Local phones on our LAN continue to work just fine. The firewall is at the local end and sits between the cloud and the Switchvox server.
>>
>> When you say "going back to a static port on 5060", what do you mean? Currently, there is an alias set up for VOIP UDP ports and for VOIP TCP port. All traffic inbound is allowed to those ports if the destination is the Switchvox server. 5060 is included in the UDP ports alias.
>
> Did you configure the "NAT" option for those lines in Switchvox? I don't have any public IP phones, just some that are at remote locations using IPsec VPN. I also had to tell Switchvox that the other LANs were "local".
>
> With 1.x pfSense, I used the SIP proxy package. With 2.0 I do not, and it does still seem to work just fine.

I /may/ have just found my problem, though still not sure. On the old firewall (1.2.2) I had enabled manual outbound NAT and had specified only the LAN network in the mappings. On the new (2.2) firewall, I had left automatic outbound NAT enabled, which generates rules for all the interfaces except, of course, for the WAN.

I may be able to fix my problem by simply turning on manual outbound NAT and then deleting all the auto-generated rules except the LAN interface. The Switchvox server has its own network (publicly addressable), so it is not necessary to NAT, I wouldn't think. Sound reasonable?

Thanks,
--
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 231
Mobile 308-380-7957
Re: [pfSense] PfSense 1.2.2 to 2.0 Release and Digium Switchvox remote phone issue
On 12/09/2012 03:07 AM, Chris Buechler wrote:
>> All,
>>
>> I've been attempting to our old 1.2.2 firewall to new hardware and version 2.0 Release. Everything works with one big exception of the remote phones on our Digium Switchvox server. I've attempted this move 3 times, and each time I pull the new firewall back to our office after the failure and comb through the firewall rules for the Switchvox segment with a fine tooth comb. They are identical rule sets on both 1.2.2 and 2.0.
>
> The difference between 1.x and 2.x, assuming you're using automatic outbound NAT, is the former won't rewrite the source port on UDP 5060 and the latter will. 2.x's behavior works significantly more of the time than 1.x's, but there isn't one setting that works for everything. Going back to static port on 5060 likely will fix.
> http://doc.pfsense.org/index.php/VoIP_Configuration

Chris,

Thanks for the reply, but having read the document you linked and your email, I'm still not positive that this relates to my situation. Forgive me for asking for a little more clarification and providing the same.

The remote phones in question are not using NAT, but are publicly addressed. Local phones on our LAN continue to work just fine. The firewall is at the local end and sits between the cloud and the Switchvox server.

When you say "going back to a static port on 5060", what do you mean? Currently, there is an alias set up for VOIP UDP ports and for VOIP TCP port. All traffic inbound is allowed to those ports if the destination is the Switchvox server. 5060 is included in the UDP ports alias.

Any further ideas are greatly appreciated!

Thanks,
--
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 231
Mobile 308-380-7957
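Chris's point about 2.x automatic outbound NAT rewriting the source port on UDP 5060 can be illustrated with a small model, added here and not taken from the thread or from pfSense: a SIP endpoint behind the firewall sends a REGISTER from port 5060, and the far end replies either to the port named in the Via header or, if it honours rport (symmetric signalling), to the port the packet actually arrived from. Addresses, ports and function names are constructed; `static_port=True` stands for pfSense's "static port" outbound NAT option, which leaves the source port untouched.

```python
# Added model (not from the thread or from pfSense) of why rewriting the
# source port of UDP 5060 in outbound NAT can break SIP registration.
import random

WAN_IP = "198.51.100.1"              # constructed: pfSense WAN address
PHONE_LAN = ("192.168.1.20", 5060)   # constructed: SIP endpoint behind pfSense
PBX_PUBLIC = ("203.0.113.10", 5060)  # constructed: publicly addressed PBX


def outbound_nat(src, static_port, table):
    """Translate a LAN (ip, port) to the WAN side and record the state.
    static_port=True keeps the source port (pfSense "static port");
    otherwise pick an ephemeral port, as 2.x automatic outbound NAT does."""
    wan_port = src[1] if static_port else random.randint(49152, 65535)
    table[(WAN_IP, wan_port)] = src
    return (WAN_IP, wan_port)


def pbx_reply(pkt_src, via_port, honours_rport):
    """Where the PBX sends its response: to the Via sent-by port (RFC 3261)
    unless it honours rport (RFC 3581), i.e. answers to the observed source."""
    host, src_port = pkt_src
    return (host, src_port if honours_rport else via_port)


def inbound_nat(dst, table):
    """Reverse translation; None means no matching state, so pf drops it."""
    return table.get(dst)


def register_ok(static_port, honours_rport):
    """True if the phone's REGISTER gets a response that reaches it."""
    table = {}
    via_port = PHONE_LAN[1]  # the phone advertises the port it sent from
    wan_src = outbound_nat(PHONE_LAN, static_port, table)
    reply_dst = pbx_reply(wan_src, via_port, honours_rport)
    return inbound_nat(reply_dst, table) == PHONE_LAN


if __name__ == "__main__":
    for sp in (True, False):
        for rp in (True, False):
            print(f"static_port={sp!s:5} rport={rp!s:5} -> {register_ok(sp, rp)}")
```

Only the combination "source port rewritten, far end ignores rport" fails, which is why static port fixes some deployments and makes no difference to others.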
[pfSense] PfSense 1.2.2 to 2.0 Release and Digium Switchvox remote phone issue
All,

I've been attempting to our old 1.2.2 firewall to new hardware and version 2.0 Release. Everything works with one big exception of the remote phones on our Digium Switchvox server. I've attempted this move 3 times, and each time I pull the new firewall back to our office after the failure and comb through the firewall rules for the Switchvox segment with a fine tooth comb. They are identical rule sets on both 1.2.2 and 2.0.

When we deploy the 2.0 server, we are able to see all of the phones from the Switchvox server without issue, and we can call those remote phones from this location and talk to the user at the other end, BUT, when they call back, the phone rings and we answer, but nothing can be heard on either end. We've cleared ARP on all affected routers and rebooted the Switchvox server and phones to no avail. I've even gone so far in my testing to literally allow all traffic to the VOIP segment, and still this does not work. Switching back to the old firewall works just fine without any hoop jumping.

There are many features on the new 2.0 server that I want to use here, but I have to be able to jump through the VOIP hurdle first. Has anyone run into this? If so, what did you do to fix the issue?

Thanks in advance,
--
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 231
Mobile 308-380-7957