Author Topic: Incoming RTP traffic being dropped at pfsense (Cisco VCS-E)  (Read 177 times)

Offline yyaghi

Incoming RTP traffic being dropped at pfsense (Cisco VCS-E)
« on: November 02, 2017, 08:44:38 pm »
Hi All,

I have a Video/Voice (Cisco VCS-E) server sitting in my environment. I can make outgoing calls and UDP connections are fine (Voice/Video from my units is reaching the remote destination), but the traffic from the remote destinations is being dropped.

I set up my pfSense to have a virtual IP that was provided from my ISP, created a 1:1 NAT rule and opened the following ports:
  • 5060
  • 5061
  • and the Media Port range the server is using

First 2 are TCP and the last is UDP.

Initially, looking at the logs in the firewall rules, outgoing UDP ports were being blocked, but I enabled that. But I can't seem to figure out why incoming UDP ports from my WAN interface are being dropped.
I even did a packet capture on the interfaces. I see the UDP traffic hitting my WAN interface, but when I run the PCAP on my internal interface, I don't see them.

Oh, I forgot to mention, I also created an outbound rule for traffic to from that server to only go through my public IP. So not sure what is going on. I've seen a bunch of forums but none are really helping.

Any ideas are welcome :D

Regards!
« Last Edit: November 02, 2017, 09:11:28 pm by yyaghi »

Offline chpalmer

Re: Incoming RTP traffic being dropped at pfsense (Cisco VCS-E)
« Reply #1 on: November 02, 2017, 11:54:22 pm »
Quote
I set up my pfSense to have a virtual IP that was provided from my ISP, created a 1:1 NAT rule and opened the following ports:
  • 5060
  • 5061
  • and the Media Port range the server is using

If you create a 1:1 NAT then you do not need to port forward. Only create firewall rules to the LAN address.

P.S. statements made by me are not necessarily condoned by the management of this fine organization.  http://badmodems.com

Offline yyaghi

Re: Incoming RTP traffic being dropped at pfsense (Cisco VCS-E)
« Reply #2 on: November 03, 2017, 12:16:57 am »
Hi chpalmer,

I don't believe I did any port forwarding. I created FW rules on the WAN interface to allow the ports provided above.
The image labeled 7 should reflect that unless I did that incorrectly.

Thanks

Offline chpalmer

Re: Incoming RTP traffic being dropped at pfsense (Cisco VCS-E)
« Reply #3 on: November 03, 2017, 12:46:31 am »
Quote
Hi chpalmer,

I don't believe I did any port forwarding. I created FW rules on the WAN interface to allow the ports provided above.
The image labeled 7 should reflect that unless I did that incorrectly.

Thanks

Ah - I misunderstood your comment.

VOIP was never designed to be behind NAT originally. It was a later addition to the VOIP standards. I'm not sure this is affecting you in any way right now. But something to keep in the back of your head.

I'm curious what would happen if you were to move your RTP rule on WAN above the SIP rule. Just a simple test.


« Last Edit: November 03, 2017, 12:56:23 am by chpalmer »

Offline yyaghi

Re: Incoming RTP traffic being dropped at pfsense (Cisco VCS-E)
« Reply #4 on: November 03, 2017, 09:06:06 am »
While that is true, the Cisco VCS-E actually has a "NAT" IP and everything to allow for NAT'ing to work more efficiently.

Let me try that and I'll get right back to you. Sorry - I fell asleep :)

Offline yyaghi

Re: Incoming RTP traffic being dropped at pfsense (Cisco VCS-E)
« Reply #5 on: November 03, 2017, 09:11:35 am »
That didn't work :(

Offline andphil2

Re: Incoming RTP traffic being dropped at pfsense (Cisco VCS-E)
« Reply #6 on: November 03, 2017, 09:39:58 am »
Hi @yyaghi -

Do you have a network diagram?

Did you permit the ports in both directions?

Offline yyaghi

Re: Incoming RTP traffic being dropped at pfsense (Cisco VCS-E)
« Reply #7 on: November 03, 2017, 10:42:59 am »
Hi @andphil2,

Attached is a Visio of my network. My VCS-E is on the LAB Network. Hope that helps!

The ports 5060/5061 and the media ports have WAN rules to come in. Outgoing, I'm allowing everything.