AsteriskNow/FreePBX and pfsense

Hello,

I’m writing this because it took me a lot of work to find this solution.

I had my reasons but for a special reason I had to remove my DD-WRT based router which was handling my NAT/Firewall/Gateway at my place and it was amazing for handling the VoIP.

After removing it I found that Linksys “Business Class” routers dropped my RDP over any kind of VPN (a valid bug they refuse to fix) and that the SMC Barricade line of routers blocked SIP and RTP traffic by default.

So eventually I put up a mini-tower running pfsense and of course ran into a number of problems with getting FreePBX to work with it. So here is what you need to do to reproduce my success with pfsense and FreePBX.

First off here were the key trunk settings:
qualify=yes
insecure=invite,port
nat=no
canreinvite=no

Then make sure you have the module ‘Asterisk SIP Settings’ installed and configure these ones this way:
NAT=yes
IP Configuration= (not public IP, pick one of the other 2 depending on if your FreePBX has a DHCP or static IP)
External IP= I used the WAN IP my ISP assigned me.
Local Network= (Click the ‘auto configure’ button.)

Reinvite Behavior= No

Make sure to configure your RTP ports if you have any special needs. You can do this by editing the following file:
/etc/asterisk/rtp.conf

Now the rest is an issue with pfsense.
First off make sure to NOT create any NAT or Rules entries for your SIP or RTP traffic. That is a mistake.
Second do not install the package ‘siproxd’ as this won’t help pfsense blocking you.

Go to ‘Firewall:NAT:Outbound’ and change to “Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))” and click ‘Save’.
You will now have a rule you have to edit. So click to edit that rule and check off the ‘static port’ check box and save the rule.

Now under ‘System:Advanced’ find ‘Disables the PF scrubbing option which can sometimes interfere with NFS and PPTP traffic.’ and check that one also and save.

Now one last step. Click ‘Status:System’ and then click ‘Show States’.
Now click ‘Reset States’ at the top and click the ‘Reset’ button.

Your browser should now look like it’s hung on processing the page. Just click on the ‘States’ tab at the top again and you should see the list is very short.

Now WAIT… wait again… wait some more… wait about 5 minutes for every connection in your network to renew. Anything you had open will be cut off for a few seconds.

Now if you check and your FreePBX trunk is registered again/still then try calling it.

For the record my symptoms were that I could call out just fine but if anyone tried to call me I could not hear them at all and after exactly 30 seconds the call would be cut. The Asterisk Log just showed that it found no RTP traffic and the people in the IRC chat had no clue why it was cutting off.
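An added check, not part of the original post: the 'static port' option described above keeps the PBX's source port unchanged through outbound NAT, and this sketch confirms that from the firewall state table after the reset. The `rtp.conf` text, the addresses and the state lines are constructed samples, and the `pfctl -ss` line layout and the UDP SIP port 5060 are assumptions; adjust the pattern to what your pfsense version prints.

```python
import re
from configparser import ConfigParser

# Constructed sample of /etc/asterisk/rtp.conf.
RTP_CONF = """\
[general]
rtpstart=10000
rtpend=20000
"""

# Constructed sample of `pfctl -ss` output. Assumed NAT state layout:
#   <if> <proto> <translated ip:port> (<internal ip:port>) -> <remote ip:port> <state>
STATES = """\
all udp 203.0.113.7:5060 (192.168.1.10:5060) -> 198.51.100.20:5060 MULTIPLE:MULTIPLE
all udp 203.0.113.7:61022 (192.168.1.10:14562) -> 198.51.100.20:30110 MULTIPLE:MULTIPLE
all udp 203.0.113.7:14570 (192.168.1.10:14570) -> 198.51.100.20:30114 MULTIPLE:MULTIPLE
all tcp 203.0.113.7:40311 (192.168.1.25:52100) -> 198.51.100.80:443 ESTABLISHED:ESTABLISHED
"""

NAT_STATE = re.compile(
    r"^\S+\s+udp\s+(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\s+"
    r"\((?P<src_ip>[\d.]+):(?P<src_port>\d+)\)\s+->\s+(?P<dst>\S+)"
)

def rtp_range(conf_text):
    """Return (rtpstart, rtpend) from rtp.conf text."""
    cp = ConfigParser(inline_comment_prefixes=(";",))
    cp.read_string(conf_text)
    return cp.getint("general", "rtpstart"), cp.getint("general", "rtpend")

def rewritten_voip_states(states_text, pbx_ip, rtp, sip_port=5060):
    """List PBX SIP/RTP states whose source port was changed by outbound NAT."""
    lo, hi = rtp
    findings = []
    for line in states_text.splitlines():
        m = NAT_STATE.match(line)
        if not m or m["src_ip"] != pbx_ip:
            continue  # not a UDP NAT state, or not from the PBX
        src, nat = int(m["src_port"]), int(m["nat_port"])
        is_voip = src == sip_port or lo <= src <= hi
        if is_voip and src != nat:
            findings.append((src, nat, m["dst"]))
    return findings

if __name__ == "__main__":
    rtp = rtp_range(RTP_CONF)
    for src, nat, dst in rewritten_voip_states(STATES, "192.168.1.10", rtp):
        print(f"source port {src} rewritten to {nat} towards {dst}: static port not applied")
```

An empty result for the PBX address means every SIP and RTP state kept its original source port.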

Hey, this is great but could you do a bit more clarification? I think the big diff is I am using pfSense v2. Similar problems: cannot dial-in, can dial out and hear audio at remote phone but no audio from remote phone to local/Asterisk phone.

–Start 1
First off here were the key trunk settings:
qualify=yes
insecure=invite,port
nat=no
canreinvite=no

Does this go in the Trunks> ‘your_fpbx_trunk’> PEER Details? When I make the change there my SIPSTATION shows yellow at Gateways> Primary (I did not change secondary). I can add this to ‘USER Details’ but what should the Context be?
–End 1

–Start 2
Go to ‘Firewall:NAT:Outbound’ and change to “Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))” and click ‘Save’.
You will now have a rule you have to edit. So click to edit that rule and check off the ‘static port’ check box and save the rule.

In pfSense v2 once you change NAT to manual you do not get a rule to edit. So I created a new rule, under Source I added my network (i.e. 192.168.1.0/24) and under Translation I enabled/checked the ‘Static Port’ option. Any other changes needed for this rule?
–End 2

–Start 3
Now one last step. Click ‘Status:System’ and then click ‘Show States’.
Now click ‘Reset States’ at the top and click the ‘Reset’ button.

In pfSense v2 this is under Diagnostics>States
–End 3

I am working on this AsteriskNow for the first time. I installed the distro and got FreePBX 2.7.0.0 with a default IP. I need to link the server to my current network, so I use the following command:
cd /etc/sysconfig/network-scripts
sudo nano ifcfg-eth0
hit return
change “dhcp” to none,
Then assign IPADDR, NETMASK , and GATEWAY
save and exit.
While I type the command "service network restart"
It was giving me error command not found, then i could not even access the server from the default IP on GUI again. Please someone help.

Were you logged in with root privs?

Yes I log on from the root, the error response while I type ifconfig to check the IP is IPADDR command not found …

Are you typing it in lower case?

Did not log in as root or su up to root privs? If you used su don’t forget to do ‘su -’ to inherit your path variable.

I believe I am having the same issue with my freepbx setup and will try your solution in the near future. Thank you for your post.

Best Regards

NAT -> Outbound -> Manual Outbound NAT rule generation (AON)
Interface  Source          Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port
WAN        192.168.0.0/24  *            *            500               WAN address  *         YES
WAN        192.168.0.0/24  *            *            *                 WAN address  *         YES
WAN        127.0.0.0/8     *            *            *                 WAN address  *         YES

Check the box that turns off PF scrubbing.
Reset the states.

And now inbound is no longer receiving a busy signal.

Whew.

So eventually I put up a mini-tower running pfsense
and of course ran into a number of problems with getting
FreePBX to work with it.
Give MikroTik a try, it’s what we use. Small and use very little electricity.

Same problem, tried all the previous, no luck.
With an ADSL connection, I lost registration to provider (Sipgate) every time that the public IP was renewed, could restore by resetting firewall states.

Found the answer from Bart on the pfsense forum:
http://forum.pfsense.org/index.php/topic,66126.msg363262.html#msg363262

I was then able to remove all port forwarding, just left an “allow all” firewall rule from Sipgate.net to pbx

Hi, I just wanted to post this advice. I had been trying all different kinds of firewall distros. I tried pfsense, monowall, smoothwall, dd-wrt, and then I came on ipcop. Ipcop works well with sip right out of the box. Just forward your sip port (usually 5060) and your rtp ports (default is 10000-20000) and that’s it. I saw this tutorial and was about to do it and thought that there must be a better way. Here is my summary.

Pfsense-felt like it was fitting a square peg into a round hole and maybe disabling all of the built in pfsense features would make it harder for regular router tasks later on.

monowall-pfsense is based on this so it should have the same issues

smoothwall-looks good but I needed custom routes due to my isp and this is a commercial only feature and I like free not only for the source but also the cost

ipcop-looks a little basic and rough around the edges but sometimes simple is best and in this case it was.