
Author Topic: Strange problem with VoIP adapter  (Read 10723 times)

Offline Erik

Strange problem with VoIP adapter
« on: November 12, 2005, 05:51:22 pm »
Hi

Sorry, I'm quite a firewall newbie... My Grandstream 286 VoIP adapter is having problems connecting to my VoIP provider. I have just switched from m0n0wall to pfsense, and I had no problems with the device in m0n0wall. Here is some diagnosis, I can provide more (e.g. a working config file from m0n0wall):

Setup:
internet <--> firewall <--> switch <--> adapter

According to my provider (Telefin.dk) I have to open UDP port 5060 and 5061, plus port 5004 on the firewall. My WAN ruleset is now:

Proto    Source   Port  Destination  Port       Gateway
TCP      *        *     192.168.0.2  80 (HTTP)  *
TCP      *        *     192.168.0.2  22 (SSH)   *
TCP      *        *     192.168.0.2  25 (SMTP)  *
UDP      *        *     192.168.0.9  5060       *
UDP      *        *     192.168.0.9  5061       *
TCP/UDP  *        *     192.168.0.9  5004       *

and LAN:
*        LAN net  *     *            *          *

where 192.168.0.2 is my www/ssh/mail server and 192.168.0.9 is the adapter. Both have a static IP address, given to them by DHCP.
My NAT config is:

If   Proto  Ext. port range  NAT IP       Int. port range
WAN  TCP    80 (HTTP)        192.168.0.2  80 (HTTP)
WAN  TCP    22 (SSH)         192.168.0.2  22 (SSH)
WAN  TCP    25 (SMTP)        192.168.0.2  25 (SMTP)

From the status page of the adapter I get:

MAC Address:      00.0B.82.02.F3.D7
WAN IP Address:   192.168.0.9
Registered:       No
PPPoE Link Up:    disabled
NAT:              detected NAT type is symmetric NAT
NAT Mapped IP:    85.233.238.xxx     # (xxx added for extra Security(TM))
NAT Mapped Port:  55813

This worries me; shouldn't WAN and NAT be switched around?

In the firewall log I see (apart from 2 million Windows-vira) the following packets blocked:

WAN      212.130.74.61.3479      85.233.238.191.55813      UDP

212.130.74.61 is a Telefin server. Notice that the port 55813 is the "NAT Mapped Port" announced by the adapter.

I have tried opening port 55813 without any luck. I have tried mapping port 5060-5061 and 5004 on WAN to the same ports on the adapter in the NAT setup without any luck. I have not fiddled with any "advanced" settings... Any suggestions?

Kind regards,
Erik Andersen

Offline hoba

Re: Strange problem with VoIP adapter
« Reply #1 on: November 12, 2005, 06:32:40 pm »
I guess the VoIP adapter calls its interface "wan" (it looks as if it even supports PPPoE, so this might be the case). So the WAN/NAT IP might be something you shouldn't worry about. Have you tried forwarding the port the adapter wants to use (55813)? Not only opening up the port but forwarding it? As you see blocks on WAN for this port you should revisit this setting and check it again. Also note that the protocol that is blocked is UDP not TCP.

Offline Erik

Re: Strange problem with VoIP adapter
« Reply #2 on: November 13, 2005, 10:49:54 am »
Hmm, I don't think I should be opening the port 55813 on the firewall. I tried rebooting the adapter, and then I get NAT Mapped Port: 53050. One more time, and I get 51048. If I understand correctly, outgoing connections are assigned a random port number, e.g. my connection to this site in the state table:

Type  Proto  Source->Router->Destination        State
self  tcp    216.135.66.8:80<-192.168.0.7:1407  ESTABLISHED:ESTABLISHED

The port 1407 changes for every new connection I make to this site. Likewise, it seems the NAT mapped port is randomly assigned. My guess is that pfsense is assigning the port and somehow my adapter is picking it up. These are the relevant entries in my state table:

Type  Proto  Source->Router->Destination                                 State
self  udp    192.168.0.1:53<-192.168.0.9:26789                           MULTIPLE:MULTIPLE
self  udp    212.130.74.56:5060<-192.168.0.9:5060                        NO_TRAFFIC:SINGLE
self  udp    212.130.74.60:3478<-192.168.0.9:5060                        MULTIPLE:MULTIPLE
self  udp    212.130.74.61:3479<-192.168.0.9:5060                        MULTIPLE:MULTIPLE
self  udp    192.168.0.9:5060->85.233.238.xxx:52852->212.130.74.56:5060  SINGLE:NO_TRAFFIC
self  udp    192.168.0.9:5060->85.233.238.xxx:51028->212.130.74.60:3478  MULTIPLE:MULTIPLE
self  udp    192.168.0.9:5060->85.233.238.xxx:53530->212.130.74.61:3479  MULTIPLE:MULTIPLE

I'm really on shaky ground here, but the first one is easy; it's a DNS lookup. Then we have three connections to Telefin servers, plus three connections more, using seemingly random ports on the firewall WAN port. If I open e.g. port 51028, I will get an incoming connection from Telefin (but still no association), but otherwise I have no incoming connections.

Erik
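
Added example, not part of the original posts: a short Python check that reads the translated states Erik lists above and shows that the firewall gives 192.168.0.9:5060 a different external port for each destination, so the port the STUN server at 212.130.74.61:3479 sees (53530) is not the one the SIP server at 212.130.74.56:5060 sees (52852). The function names and the second, constructed sample (source port preserved) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Translated pf state as printed in the thread: INT:PORT->EXT:PORT->DST:PORT
NAT_STATE = re.compile(
    r"(?P<int>[\d.]+):(?P<iport>\d+)->"
    r"(?P<ext>[\w.]+):(?P<eport>\d+)->"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# State lines copied from the post above (external address masked as posted).
THREAD_STATES = """\
self udp 212.130.74.56:5060<-192.168.0.9:5060 NO_TRAFFIC:SINGLE
self udp 192.168.0.9:5060->85.233.238.xxx:52852->212.130.74.56:5060 SINGLE:NO_TRAFFIC
self udp 192.168.0.9:5060->85.233.238.xxx:51028->212.130.74.60:3478 MULTIPLE:MULTIPLE
self udp 192.168.0.9:5060->85.233.238.xxx:53530->212.130.74.61:3479 MULTIPLE:MULTIPLE
"""

# Constructed sample: the same flows if the source port were left untouched.
PRESERVED_STATES = """\
self udp 192.168.0.9:5060->85.233.238.xxx:5060->212.130.74.56:5060 SINGLE:NO_TRAFFIC
self udp 192.168.0.9:5060->85.233.238.xxx:5060->212.130.74.61:3479 MULTIPLE:MULTIPLE
"""

def parse_nat_states(text):
    """Yield ((int_ip, int_port), ext_port, (dst_ip, dst_port)) per translated line."""
    for line in text.splitlines():
        m = NAT_STATE.search(line)
        if m:  # lines without a router hop (the "<-" form) are skipped
            yield ((m["int"], int(m["iport"])), int(m["eport"]),
                   (m["dst"], int(m["dport"])))

def classify(text):
    """Map each internal endpoint to the port-mapping behaviour its states show."""
    seen = defaultdict(dict)  # internal endpoint -> {destination: external port}
    for internal, eport, dst in parse_nat_states(text):
        seen[internal][dst] = eport
    verdict = {}
    for internal, by_dst in seen.items():
        ext_ports = set(by_dst.values())
        if ext_ports == {internal[1]}:
            verdict[internal] = "port-preserving"
        elif len(ext_ports) > 1:
            verdict[internal] = "per-destination"  # what the adapter reports as symmetric
        elif len(by_dst) > 1:
            verdict[internal] = "endpoint-independent"
        else:
            verdict[internal] = "inconclusive"  # one destination only
    return verdict
```

Calling `classify(THREAD_STATES)` reports the adapter's endpoint as "per-destination", while the constructed sample comes back "port-preserving".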

Offline Erik

Re: Strange problem with VoIP adapter
« Reply #3 on: November 13, 2005, 11:36:04 am »
Sorry to reply to myself, but Wikipedia can be your friend sometimes...

My adapter apparently calls a STUN server to establish a connection between clients behind NAT. Quoting Wikipedia, "It will not work with symmetric NAT" and quoting the adapter status page, "detected NAT type is symmetric NAT".

I have now tried disabling STUN on the adapter and using NAT to forward the WAN ports 5060, 5061 and 5004 to my adapter:

If   Proto    Ext. port range  NAT IP       Int. port range
WAN  UDP      5060 - 5061      192.168.0.9  5060 - 5061
WAN  TCP/UDP  5004             192.168.0.9  5004

My state table now reads:
self  udp    192.168.0.1:53<-192.168.0.9:26789                           MULTIPLE:MULTIPLE
self  udp    212.130.74.56:5060<-192.168.0.9:5060                        NO_TRAFFIC:SINGLE
self  udp    192.168.0.9:5060->85.233.238.191:52855->212.130.74.56:5060  SINGLE:NO_TRAFFIC
self  udp    85.233.238.191:5060<-212.130.74.56:5060                     NO_TRAFFIC:SINGLE

Still no luck, though. Why is the last state not going through to 192.168.0.9 when I have the above NAT rules?

Erik

Offline hoba

Re: Strange problem with VoIP adapter
« Reply #4 on: November 13, 2005, 11:59:38 am »
Maybe the sip-proxy (siproxd) package is worth a try.  Give it a shot.

Offline Erik

Re: Strange problem with VoIP adapter
« Reply #5 on: November 13, 2005, 12:06:53 pm »
Damn, there is no package support for embedded platforms. I'm on a WRAP board :-/

I tried loading my working m0n0wall config file into pfsense, and the VoIP adapter still reports "symmetric NAT" as the NAT type, whereas it was "(port?) restricted cone" in m0n0wall. Is there any way to change the NAT type in pfsense?

Erik
« Last Edit: November 13, 2005, 01:00:31 pm by Erik »

Offline keefe007

Re: Strange problem with VoIP adapter
« Reply #6 on: January 02, 2006, 08:30:52 pm »
Did you get this working ever?

Offline Erik

Re: Strange problem with VoIP adapter
« Reply #7 on: January 02, 2006, 09:10:33 pm »
No, unfortunately I had to switch back to m0n0wall since I lacked the time to investigate further. But I've acquired another CF card so testing is easier now, if anyone has suggestions.

Update: apparently Phil Regnauld from BSD-DK has it working with a Grandstream adapter by adding

set timeout { udp.first 60, udp.single 60, udp.multiple 60 }
nat on $ext_if from $int_net to any -> $ext_ip static-port

to /etc/pf.conf - the important part being the keyword "static-port". I'll try it when I have some spare time in the weekend.
« Last Edit: January 02, 2006, 09:52:42 pm by Erik »

Offline sullrich

Re: Strange problem with VoIP adapter
« Reply #8 on: January 02, 2006, 10:38:58 pm »
Beta 2 will include a static-port option in advanced outbound-nat.

Offline Erik

Re: Strange problem with VoIP adapter
« Reply #9 on: January 02, 2006, 10:57:13 pm »
Cool! Thanks for the notice, I'll let you know how it works out when beta2 is out.

Offline keefe007

Re: Strange problem with VoIP adapter
« Reply #10 on: January 03, 2006, 02:12:49 pm »
I was able to get my asterisk SIP server working behind the pfsense firewall by using 1:1 NAT for that box.

It looks like regular NAT is symmetric while 1:1 uses cone NAT, which is what SIP needs.

Offline sullrich

Re: Strange problem with VoIP adapter
« Reply #11 on: February 02, 2006, 12:33:26 am »
Newer testing versions are available at: http://www.pfsense.com/~sullrich/?M=D

Look for "TESTING" dirs.

Offline keefe007

Re: Strange problem with VoIP adapter
« Reply #12 on: February 02, 2006, 06:40:01 pm »
> Newer testing versions are available at: http://www.pfsense.com/~sullrich/?M=D
>
> Look for "TESTING" dirs.

What does this version have to make SIP work better?

Will it support multiple SIP devices connecting through the router?  Such as multiple ATAs with multiple VoIP lines.

Offline hoba

Re: Strange problem with VoIP adapter
« Reply #13 on: February 02, 2006, 06:47:01 pm »
It includes the static port option.

Offline Erik

Re: Strange problem with VoIP adapter
« Reply #14 on: April 06, 2006, 11:16:45 am »
So, I finally managed to get time to look at the problem. I installed BETA2 (leaps and bounds better than BETA1 in almost every area, thanks everybody!), and I'm glad to say that the static-port did the trick. Quick summary:

Enabled advanced outbound NAT, changed the default outbound rule to enable static-port. Reboot adapter. That's it!

I'm not sure if I still need the following rules on the NAT: port forward page:

WAN  UDP      5060 - 5061  192.168.0.9  5060 - 5061
WAN  TCP/UDP  5004         192.168.0.9  5004

Will have to test that.

Thanks to everybody who replied, and everyone who has worked so hard to make pfsense better!

Erik