Extensions thru PfSense VPN

I have two locations connected via PfSense (firewall) IPsec VPN tunnel. Location “A” has my FreePBX box behind it and location “B” has two IP telephone extensions behind it.

Everything was working fine until I discovered that my FreePBX box (and firewall) were being attacked by rogue (known blacklisted VoIP) IP addresses. When I determined how to set PfS to accept ONLY connections from my SIP provider, the location “B” extensions had no RTP in or out. I could dial in and out but calls had no voice connection and would time out after 31 seconds.

This is the part that baffles me. PfS is connected via IPsec VPN so no settings on WAN should affect the VPN traffic, but location “B” RTP is being blocked. When I added the location “B” to allow FreePBX to have connection RTP traffic returned.

The PfSense forum is concerned that I might be exposing my FreePBX box or my location “B” extensions to the internet due to the current settings being used.

I am in a difficult position in that this could be a firewall issue, which is not a FreePBX forum issue, but without the ability to understand testing and logfile entries of FreePBX I will not be able to figure out what is wrong, if anything.

My question is what log files do I need to look at to determine the changes in RTP connection? Is there something to “turn on” to help me debug this issue?

Wouldn’t the only firewall rule needed be to permit traffic between the VPN subnet and the FreePBX IP for RTP traffic? How would that open either up to the internet?

"When I added the location “B” to allow FreePBX to have connection RTP traffic returned. "
How did you implement this?

Created an alias for my SIP provider and used that alias as the source for Firewall >> NAT >> “port forwarding” to allow ONLY connections from my SIP provider and block any further attempts by blacklisted VoIP IP addresses. Then added the dynamic DNS hostname as an allowed additional host to the SIP provider alias; this allowed RTP to reconnect between location “A” and location “B”. (Location “A” has a static WAN address and location “B” has a dynamic WAN address.)
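Added diagnostic example, not code from anyone in this thread: the quickest way to see which path the audio will take is to read the SDP carried in the SIP INVITE and its 200 OK, because the `c=` line and the `m=audio` port are where each side tells the other to send RTP. If either FreePBX or a phone advertises its public WAN address there instead of an address inside the tunnelled LAN subnets, the RTP is sent via the WAN and NAT rather than through the IPsec tunnel, and a source-restricted port forward will then drop it. The script below parses constructed SDP bodies (not captured from the poster's systems) and reports whether the advertised media endpoint lies inside the subnets the tunnel is assumed to carry; the subnets 192.168.1.0/24 and 192.168.2.0/24 are placeholders to be replaced with the real LAN ranges at locations “A” and “B”.

```python
import ipaddress

# Placeholder LAN subnets assumed to be the IPsec phase-2 selectors for
# location "A" and location "B". Replace with the real ranges.
TUNNEL_SUBNETS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("192.168.2.0/24"),
]


def parse_sdp_media(sdp):
    """Return (address, port) that the sender advertises for audio RTP.

    Per RFC 4566 a session-level c= line (before the first m= line) applies
    to every media section unless that section carries its own c= line,
    which overrides it for that media stream only.
    """
    session_addr = None
    media_addr = None
    audio_port = None
    section = "session"
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            fields = line.split()
            section = fields[0][2:]          # "audio", "video", ...
            if section == "audio" and audio_port is None:
                audio_port = int(fields[1])  # m=audio <port> RTP/AVP ...
        elif line.startswith("c="):
            addr = line.split()[2]           # c=IN IP4 <addr>
            if section == "session":
                session_addr = addr
            elif section == "audio" and media_addr is None:
                media_addr = addr
    addr = media_addr or session_addr
    if addr is None or audio_port is None:
        raise ValueError("no audio media description found in SDP")
    return addr, audio_port


def classify_rtp_path(sdp, tunnel_subnets=TUNNEL_SUBNETS):
    """Say whether the advertised RTP endpoint would be reached through the
    tunnel ("tunnel") or has to go out via WAN/NAT ("outside-tunnel")."""
    addr, port = parse_sdp_media(sdp)
    ip = ipaddress.ip_address(addr)
    path = "tunnel" if any(ip in net for net in tunnel_subnets) else "outside-tunnel"
    return path, addr, port


# Constructed sample SDP bodies. 203.0.113.5 is a documentation address
# standing in for a public WAN IP.
SDP_VIA_TUNNEL = """v=0
o=- 12345 12345 IN IP4 192.168.1.10
s=Asterisk
c=IN IP4 192.168.1.10
t=0 0
m=audio 14230 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
"""

SDP_VIA_WAN = """v=0
o=- 12345 12345 IN IP4 192.168.1.10
s=Asterisk
c=IN IP4 203.0.113.5
t=0 0
m=audio 14230 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
"""

if __name__ == "__main__":
    for label, body in (("tunnel-side SDP", SDP_VIA_TUNNEL), ("WAN-side SDP", SDP_VIA_WAN)):
        path, addr, port = classify_rtp_path(body)
        print(f"{label}: media to {addr}:{port} -> {path}")
```

To feed it real data, dump the signalling with `pjsip set logger on` (chan_pjsip) or `sip set debug on` (chan_sip) on the Asterisk CLI, or take a packet capture on pfSense under Diagnostics > Packet Capture, and paste the SDP body of the INVITE and the 200 OK from each side. If the address reported is the WAN address of the other site, the media is bypassing the tunnel, which is consistent with RTP only working once location “B”'s dynamic DNS name was added to the WAN alias.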

How do your extensions connect to FreePBX? UDP, TCP or TLS(TCP)?

UDP port 5060

One of my clients has a similar network setup. Main branch static IP with pfSense and remote branch with a dynamic IP and pfSense.

I find it easier and more efficient to NOT use a VPN and use SIP over TLS with SRTP instead.

The remote site updates its IP via DDNS and the main site allows connections through the firewall based on the FQDN of the remote site.

I see too many people here struggling with NAT issues and then trying to add VPN tunneling too.