Perplexed, need help

Here is my situation. pfsense firewall and freepbx phone server can both be accessed from 117.x.x.114. Internal phones have no problem making and receiving calls because they can access the internal 192.x.x.42 address of the phone server. External phones have to register using 117.x.x.114 because they can’t reach 192.x.x.42. Those external phones might be able to register but no voice is transferred, and no ringing, on external test phone. We do have one remote phone that hears incoming audio but has no outgoing audio. We can’t use openvpn because its a GS2100 and doesn’t support it.
I have looked at all forums in regards to NAT and forwarding ports and nothing seems to work. Any ideas at all would be greatly appreciated. I am tearing my hair out and I don’t have much anyways, lol.

Hi Red,

Intermediate pfSense user here. Would be glad to help once I know the hardware setup.

let me know what you need. pfsense is version 2.3.4. freepbx is version

Is your pfSnese box from Netgate or a DIY build?

How many ports on your pfSense box and PBX?

Well its installed on a dell computer but has netgate device ID. What ports in question?

So it’s a DIY box. That’s ok. Netgate has a slightly tweaked software for their own hardware.

How many ethernet ports on both boxes and how are things wired up?

pfsense has one wan port one lan port. it looks like from the GUI of the pbx there is only one ethernet port being used, statically assigned, 192.x.x.42, with gateway 192.x.x.1. Take into consideration this was a box from a different company, and everything went to **** when comcast modem got hit 6 times in one day, by power bumps.

Ok. Now that I have a better understanding of your hardware setup can you post screenshots of your NAT settings?

Also, who is your current ISP? Do you have a static or dynamic WAN IP?

NAT is yes for asterisk sip settings. ip on pbx is static. current isp is comcast. it is static WAN on pfsense.

Is NAT set to yes for each individual remote extension? Also, is canreinvite set to “No” for each individual remote extension?

Can you post pfSense NAT settings?

Either yes or automatic in the case of my test extension. my test extension is set to yes, just changed to no.

Interface Protocol Source Address Source Ports Dest. Address Dest. Ports NAT IP NAT Ports Description Actions
WAN TCP * * WAN address 8080 192.x.x.1 8080 Remote Access
WAN TCP * * WAN address 80 (HTTP) 192.x.x.42 80 (HTTP) FreePBX Web
WAN UDP * * WAN address 1194 (OpenVPN) 192.x.x.42 1194 (OpenVPN) Openvpn
WAN UDP * * WAN address 5060 - 5161 192.x.x.42 5060 - 5161 SIP IN
WAN UDP * * WAN address 10000 - 20000 192.x.x.42 10000 - 20000 SIP RTP IN
WAN TCP/UDP 162.x.x.25 * WAN address 22 (SSH) 192.x.x.42 22 (SSH) SSH
WAN TCP/UDP 162.x.x.25 * WAN address 5222 - 5223 192.x.x.42 5222 - 5223 Chat In

NAT settings look good.

Any luck with audio now that the remote extensions have been adjusted?

If you still having issues switch audio is there an rPort setting somewhere in the remote endpoint?

rport as in random port setting?

rPort is a setting in the endpoint that tells it to ignore the IP addresses in the SIP signalling.

Since your box is behind NAT, it will send it’s internal IP address to the endpoint. If you endpoint, replies to this internal 192.x.x.x address it won’t route. It needs to reply to the public WAN address of your router.

By setting NAT to yes for each remote extension in FreePBX this will be accomplished. Setting rPort in the endpoint is just an extra step in case NAT settings on FreePBX get messed up down the road. This may also be referred to as “symmetric NAT.”

So, did you have any luck with the remote extensions yet?

Also, make sure SIP ALG is turned off on the routers where the remote endpoints are located.

No. I lost the GUI to the phone server so can’t do much more. I will have to reboot the phone server when I can ssh into the backdoor.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.