I am running a trial of the provider but am having a few issues. I have the distro (4.211.64-5) up and running and it seems to be ok. I have a Watchguard XTM330 firewall at the office and I have all outgoing ports allowed from the phones to the WAN. I am using Cisco SPA525G2 handsets upgraded with the latest firmware (7.5.5 I believe). I am able to get the phone to register to the VPBX and I am able to receive calls from the outside in but I cannot make calls. As soon as I dial an outside number, I immediately get a denied message that comes up on the screen of the phone. I have played around with the NAT settings and such and if I change it from the way it is now, I lose the ability to receive calls. I am using Sipstation for my trunk and used the autoconfigure option in the Sipstation module. The trunks are showing as up and green. I can also see that the phone is registered from the FreePBX status landing page. I am not sure what to do to get this to work. Any thoughts? If I can’t get this working in a timely manner, I will have to go back to an onsite solution, which I am trying to avoid because I have multiple offices that I want to move to the VPBX so for instance the office manager has a common VM box no matter which location she is currently at.

Thanks in advance,

It currently isn’t enabled. I will just have to do some research on NAT 1-to-many with the Watchguard and see what I come up with.

I appreciate the help so far.

It’s not the ports that aren’t allowed, it’s the NAT settings in the Watchguard.

I am not familiar with Watchguard so I can’t give you any pointers.

Why don’t you call Cyberlink (FreePBX hosting folks) and see if they will set you up an ipsec VPN to your site. Their site says they offer VPN connections.

I will check with them on that but I believe they charge extra for that. What do the rules need to look like to allow the NAT traffic? If you can give me a large picture view I might be able to get the Watchguard set up correctly. I figured it was something with the firewall.

Thanks for the quick reply,

Just turn the SIP ALG/Proxy off.

It’s not really a proxy unless you register your phones to the proxy then let it register to Asterisk.

There is a SIP/ALG proxy in the Watchguard so I will play around with that. I assume that it needs to allow outgoing traffic from my LAN to the WAN? I will also open up a ticket with Watchguard unless anyone else has some ideas or maybe some experience with a Watchguard and a VPBX.


It’s not rules. Every firewall calls it something different. Essentially you need to do pure 1 to many NAT (Symmetric) without any type of packet manipulation.

Some firewalls call it a SIP helper, others an ALG. Cisco calls it protocol Fixup. Whatever you call it is bad for SIP/RTP.
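An added example, not part of the original thread: one way to confirm whether a firewall's SIP helper/ALG is manipulating packets is to compare the same SIP request as captured on the LAN side and as it arrives at the PBX. Plain NAT only changes the IP/UDP headers, so the SIP payload should be identical; an ALG typically rewrites `Via`, `Contact` and the SDP address lines. The messages, addresses and function names below are constructed for illustration.

```python
# Added example: flag SIP ALG rewriting by diffing the SIP payload of one
# request captured before and after the firewall. Sample data is constructed.

WATCHED_HEADERS = ("via", "contact")   # headers an ALG commonly rewrites
WATCHED_SDP = ("c=", "m=", "o=")       # SDP lines carrying media address/port

def split_message(raw):
    """Return (header lines without the request line, non-empty SDP lines)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return head.split("\n")[1:], [line for line in body.split("\n") if line]

def alg_rewrites(sent, received):
    """List (field, sent_value, received_value) for each rewritten field.

    Assumes both captures hold the same request with lines in the same order.
    """
    changes = []
    s_head, s_sdp = split_message(sent)
    r_head, r_sdp = split_message(received)
    for s, r in zip(s_head, r_head):
        name = s.split(":", 1)[0].strip().lower()
        if name in WATCHED_HEADERS and s != r:
            changes.append((name, s.split(":", 1)[1].strip(),
                            r.split(":", 1)[1].strip()))
    for s, r in zip(s_sdp, r_sdp):
        if s[:2] in WATCHED_SDP and s != r:
            changes.append(("sdp " + s[0], s[2:], r[2:]))
    return changes

# Constructed INVITE as the phone sends it (LAN-side capture).
SENT = (
    "INVITE sip:15551230000@pbx.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK-constructed;rport\r\n"
    "From: <sip:101@pbx.example.invalid>;tag=a1\r\n"
    "To: <sip:15551230000@pbx.example.invalid>\r\n"
    "Call-ID: constructed-1@192.168.1.50\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:101@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=- 1 1 IN IP4 192.168.1.50\r\ns=-\r\n"
    "c=IN IP4 192.168.1.50\r\nt=0 0\r\nm=audio 16384 RTP/AVP 0\r\n"
)
# Constructed PBX-side captures: one with ALG rewriting, one with plain NAT.
RECEIVED_ALG = (SENT.replace("192.168.1.50:5060", "203.0.113.10:41002")
                    .replace("c=IN IP4 192.168.1.50", "c=IN IP4 203.0.113.10"))
RECEIVED_PLAIN_NAT = SENT  # payload untouched; only IP/UDP headers differ

if __name__ == "__main__":
    for field, before, after in alg_rewrites(SENT, RECEIVED_ALG):
        print(f"{field}: {before!r} -> {after!r}")
```

An empty result after turning the helper off indicates the firewall is no longer touching the SIP payload.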

If you are having trouble configuring FreePBX or your phones, you can always purchase support credit to have one of our techs assist, or point you in the right direction.