Topic: Firewall HELP, VOIP won't work!

cybercare
« on: September 21, 2007, 03:22:35 pm »
I get the following in the log (raw) and our Cisco 7940G won't work... Our provider brought us a cheap D-Link for them to work, but it seems they won't work with anything else. I even made rules and it didn't help. We don't have any other problems. I am on the latest build of 1.2 dated today, have tried traffic shaping and all, and it won't work. They did work on Skinny, but we just got changed to SIP and now they won't work on pf.

Sep 21 16:16:43 pf: 582619 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 49, id 32373, offset 0, flags [DF], proto: UDP (17), length: 58) 208.67.249.67.33673 > 67.79.181.215.56408: UDP, length 30
Sep 21 16:16:43 pf: 000317 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 24665, offset 0, flags [DF], proto: UDP (17), length: 136) 208.67.249.67.33674 > 67.79.181.215.58860: UDP, length 108
Sep 21 16:16:43 pf: 019943 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 56327, offset 0, flags [DF], proto: UDP (17), length: 136) 208.67.249.67.33682 > 67.79.181.215.58860: UDP, length 108
Sep 21 16:16:43 pf: 000362 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 40472, offset 0, flags [DF], proto: UDP (17), length: 58) 208.67.249.67.33683 > 67.79.181.215.56408: UDP, length 30
Sep 21 16:16:43 pf: 391922 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 25617, offset 0, flags [DF], proto: UDP (17), length: 544) 208.67.249.67.33669 > 67.79.181.215.56821: UDP, length 516
Sep 21 16:16:44 pf: 612534 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 43813, offset 0, flags [DF], proto: UDP (17), length: 58) 208.67.249.67.33675 > 67.79.181.215.56408: UDP, length 30
Sep 21 16:16:44 pf: 000257 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 49, id 47194, offset 0, flags [DF], proto: UDP (17), length: 136) 208.67.249.67.33681 > 67.79.181.215.58860: UDP, length 108
Sep 21 16:16:47 pf: 2. 989800 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 14102, offset 0, flags [DF], proto: UDP (17), length: 58) 208.67.249.67.33684 > 67.79.181.215.56408: UDP, length 30
Sep 21 16:16:47 pf: 002443 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 60687, offset 0, flags [DF], proto: UDP (17), length: 136) 208.67.249.67.33685 > 67.79.181.215.58860: UDP, length 108
Sep 21 16:16:47 pf: 397542 rule 191/0(match): block in on fxp1: (tos 0x0, ttl 50, id 65352, offset 0, flags [DF], proto: UDP (17), length: 544) 208.67.249.67.33672 > 67.79.181.215.56821: UDP, length 516


Thx
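
Added example (not part of the original post and not pfSense code): a small Python parser for raw pf log lines in the layout shown above, grouping blocked packets by rule, interface, protocol, peer and local port so that a long dump reduces to a few flows. The sample lines are constructed with documentation-range addresses, and the names `summarize` and `report` are illustrative.

```python
import re
from collections import defaultdict

# Raw pf log layout as in the post; search() skips the variable delta field.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"\(.*?flags \[(?P<flags>[^\]]*)\], proto:? (?P<proto>\w+) \(\d+\), length:? \d+\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): \w+, length (?P<plen>\d+)"
)

# Constructed sample input (documentation-range addresses, not the poster's).
_FMT = ("Sep 21 16:16:43 pf: {delta} rule 191/0(match): block in on fxp1: "
        "(tos 0x0, ttl 50, id 1, offset 0, flags [DF], proto: UDP (17), "
        "length: {ip_len}) 198.51.100.7.{sport} > 203.0.113.9.{dport}: "
        "UDP, length {plen}")
SAMPLE = [
    _FMT.format(delta="582619", ip_len=58, sport=33673, dport=56408, plen=30),
    _FMT.format(delta="000317", ip_len=136, sport=33674, dport=58860, plen=108),
    _FMT.format(delta="2. 989800", ip_len=58, sport=33684, dport=56408, plen=30),
    "Sep 21 16:16:47 pf: line cut off by the log viewer",
]

def summarize(lines):
    """Return ({flow_key: stats}, number_of_unparsed_lines)."""
    flows = defaultdict(lambda: {"packets": 0, "payload": 0, "df": 0, "sports": set()})
    skipped = 0
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            skipped += 1  # count unparsed lines instead of dropping them silently
            continue
        key = (int(m["rule"]), m["action"], m["dir"], m["iface"], m["proto"],
               m["src"], m["dst"], int(m["dport"]))
        stats = flows[key]
        stats["packets"] += 1
        stats["payload"] += int(m["plen"])          # UDP payload bytes
        stats["df"] += "DF" in m["flags"].split(",")  # packets with DF set
        stats["sports"].add(int(m["sport"]))
    return dict(flows), skipped

def report(lines):  # one line per blocked flow, then the unparsed-line count
    flows, skipped = summarize(lines)
    out = [f"rule {r} {act} {d} on {ifc} {proto} {src} -> {dst}:{dport} "
           f"packets={s['packets']} payload={s['payload']}B "
           f"df={s['df']} source_ports={len(s['sports'])}"
           for (r, act, d, ifc, proto, src, dst, dport), s in sorted(flows.items())]
    return out + [f"unparsed lines: {skipped}"]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

The rule number in each summary line can then be matched against the loaded ruleset to see which rule produced the block.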

GruensFroeschli (Global Moderator)
« Reply #1 on: September 21, 2007, 05:03:10 pm »
How is your network set up? What rules do you have?
This log output says only that some traffic is being blocked and nothing else.
We do what we must, because we can.
(Except when you PM me to help you directly - DON'T: keep your issues in the forum)

cybercare
« Reply #2 on: September 21, 2007, 05:33:54 pm »
The traffic that is being blocked is what I need. I have everything wide open right now, allow all in and allow all out, and I have even tried direct individual to and from's.

What is being logged is below, nothing else, as all else is passing and what's being logged is what makes it stop. From my VoIP provider, it's just these Cisco 7940 phones, and SIP doesn't work well with firewalls, but I would hope that with how flexible pf is we could determine what needs to be done.

What can I do to make the box not block the below?

Thx

GruensFroeschli (Global Moderator)
« Reply #3 on: September 21, 2007, 05:54:02 pm »
Could it be that your allow rule only allows TCP traffic and no UDP?
If you say you have a rule that allows anything, then I assume that rule 191 is the default invisible block-everything rule that is below every other rule.

cybercare
« Reply #4 on: September 21, 2007, 07:55:20 pm »
I have it set to ANY, but have also tried TCP/UDP, and also just UDP.

It seems that these phones do something that makes the box still block it.

I have even tried, just for kicks, to forward an entire public IP to one phone with everything allowed in and out, and still the same problem.

The system the phones try to talk to uses only UDP, and I have the server IP and all the ports, and no matter what it won't work. It's a Trixbox VoIP server that our provider is using right now. Any other phones work, and the software-based ones do, which all use the same ports, but these Cisco 7940Gs won't. Yet they work on a cheap D-Link. They told us they can't get the Cisco phones to work with anything but this one D-Link, and they even hope I can find a way around this.

Anyone else have any idea? Got to be something that can be changed to make it happy. I did a few Google searches and found a few people with the same issue and no one answering how to correct it for them either.

Thx

dhipo
« Reply #5 on: September 25, 2007, 05:54:16 pm »
Try changing ... Clear DF bit instead of dropping, on the System Advanced menu.

The VoIP packets can be fragmented.

To see what the rule is blocking, use the command pfctl -sr in the shell.
Dhix Networks
Everything Secure

http://www.dhix.com.br

cybercare
« Reply #6 on: October 19, 2007, 09:12:34 am »
Still no luck...

I heard from a friend who said they talked to Scott, and it was said to be a known issue that pfSense is doing something to the packets. It only affects certain phones and I guess our Cisco phones are one of them.

Can anyone confirm this, and any idea if it will get fixed? It is said this was not an issue with 1.01, but with all the version changes in the code for 1.2 it was broken by something new.

chazers18
« Reply #7 on: October 19, 2007, 01:57:33 pm »
I have a dual WAN setup with a Trixbox set up behind the LAN. I was able to get a remote extension ported through the firewall to my home. I have ports:
10000-20000 udp open
5004-5090 tcp/udp
4569 udp open

Also make sure you have the NAT pointing correctly.

I did have this setup working on a Cisco 7940\60.
The 7912 was giving me a little attitude but it worked... sorta

cybercare
« Reply #8 on: October 20, 2007, 09:22:11 am »
Well, we have multiple phones but I can't even get it to work with one... I even set all ports UDP/TCP open and to forward to the one phone, and no go.

What firmware did your 7940/7960 have? Ours worked with pfSense also until our provider switched over to SIP, then it stopped... It seems that these phones do something on SIP that the firewall doesn't like or is not doing right itself.

It all worked fine when the phone was aeg but the SIP just did it in... They are on the latest firmware and the firewall is on 1.2RC3...

cmb (Chris Buechler, Administrator)
« Reply #9 on: October 20, 2007, 10:56:59 pm »
> I heard from a friend who said they talked to Scott, and it was said to be a known issue that pfSense is doing something to the packets. It only affects certain phones and I guess our Cisco phones are one of them.
>
> Can anyone confirm this, and any idea if it will get fixed? It is said this was not an issue with 1.01, but with all the version changes in the code for 1.2 it was broken by something new.

This is absolutely not true, don't spread FUD.

It's actually much less likely that VoIP gets broken in the 1.2 snapshots because normal SIP port 5060 traffic isn't source port rewritten by default. Yours doesn't use 5060 though. You probably need static port, which is what everybody needed in 1.0 but now only systems that use atypical ports require it.
http://doc.pfsense.org/index.php/Static_Port


cybercare
« Reply #10 on: February 21, 2008, 12:21:53 pm »
Anyone have any update on this?

I still have no luck... I have a Trixbox server set up at a colo, working; all remote phones can connect to it except ones that are behind pfSense... They can't download the configuration and do not register. They connect just enough to get the time/date...

I have opened all ports, and the firewall log shows nothing blocked, so I am just lost... Our softphones work fine through pfSense, just these darn Cisco 7940 phones won't...

The phone, if I go to status, just says W250 TFTP Error: Timeout

If I put it behind a cheap D-Link router it will work though... (I know the D-Link doesn't filter crap, which is why it works, I am sure)

And I still have it set up to do static ports, even, as suggested... That does not seem to matter; either way it won't work, lol
« Last Edit: February 21, 2008, 12:30:45 pm by cybercare »

ermal (Administrator)
« Reply #11 on: February 21, 2008, 01:54:46 pm »
SSH into pfSense and open /etc/inc/filter.inc for editing.

Find this in that file:
#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
Comment out these 2 lines:
block in $log quick all label "Default block all just to be sure."
block out $log quick all label "Default block all just to be sure."

Save and see if it blocks packets!

Also try to see if your provider has some kind of SIP gateway/proxy that you can configure on the phones.

Even so, what cmb suggests is true: use static port.
« Last Edit: February 21, 2008, 01:57:16 pm by eri-- »

cybercare
« Reply #12 on: February 21, 2008, 03:29:51 pm »
Well, tried it and no difference...

But right now I don't get any blocks that show... I did originally, as seen in the first post a few months ago, but now it does not show blocks anymore (I have had rules in place forever.)

Other than this, any other suggestions?

It seems it won't register or download its configs via TFTP, but it can get the time and date, lol

Thx in advance
« Last Edit: February 21, 2008, 04:25:23 pm by cybercare »

ermal (Administrator)
« Reply #13 on: February 22, 2008, 12:42:10 pm »
You need a TFTP-PROXY. AFAIK this is a feature in HEAD and it will be available on 1.2 or 1.3 if you push it with a bounty.

cybercare
« Reply #14 on: February 22, 2008, 01:26:09 pm »
That just doesn't seem right... pfSense supports TFTP, it even has it listed as rules?

But okay, that explains the TFTP part, but what about the phones?

I can get the configuration to the phone but it still won't talk to the server... Does it need a SIP proxy too?

I know pfSense has a package for one, just not sure if that's right for my setup, and it does not seem to work...

The cheap D-Link that works has ALG with SIP, which is why it works.

As for doing a bounty, it's pointless for me then, because they won't put any new features in 1.2 from my understanding, and 1.3 is so buggy and not even public to mess with... I just would think this wonderful flexible firewall could do simple things... I know other people have SIP working through it fine, but whatever these Ciscos are doing that it does not like just sucks... Our softphones work fine through pfSense. ARg..