I am running 3CX with PFSense in several installations. Are you using Advanved Outbound NAT with static mappings to your PBX? I usually need to do this for SIP (UDP:5060) stun (UDP:5090) and RTP (UDP:9000-9050) in order to make the 3CX firewall checker happy. On Feb 13, 2015 4:02 PM, "Tiernan OToole" <tier...@tiernanotoole.ie> wrote:
> Im using 3CX, and it seems their firewall rule checker is a bit weird... I > have managed to get some outgoing calls working by skipping the firewall > checker... Still trying to configure incoming calls... but any help would > be appreciated! > > Thanks. > > --Tiernan > > -----Original Message----- > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve > Spencer > Sent: Friday 13 February 2015 20:44 > To: list@lists.pfsense.org > Subject: Re: [pfSense] Multi-WAN port forwarding > > What VOIP platform is it? We have successfully implemented firewall allow > rules for our Digium Switchvox PBX using PfSense. We might have similar > rule set requirements if that helps at all. > > On 02/13/2015 01:01 PM, Tiernan OToole wrote: > > Right... So after a bit of digging, I found the following from my VoIP > Server provider: > > > > http://www.3cx.com/blog/voip-howto/pfsense-firewall/ > > > > They walked me though setting up the firewall rules, and port > preservation, which worked to an extent... originally, no traffic was > hitting the required ports (5060, 5090 and 9000-9099) but now it is... Its > still getting blocked somewhere, but at least it’s a start! > > > > Now more digging! > > > > --Tiernan > > > > -----Original Message----- > > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jon > > Gerdes > > Sent: Friday 13 February 2015 13:57 > > To: list@lists.pfsense.org > > Subject: Re: [pfSense] Multi-WAN port forwarding > > > > > > On Thu, 2015-02-12 at 21:13 +0000, Tiernan OToole wrote: > >> Thanks for the tip Chris (Doh!) but tried setting it to UDP and still > no luck... > >> > >> --Tiernan > >> > >> -----Original Message----- > >> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris > >> L > >> Sent: Thursday 12 February 2015 20:36 > >> To: pfSense Support and Discussion Mailing List > >> Subject: Re: [pfSense] Multi-WAN port forwarding > >> > >> SIP is UDP, not TCP. > >> > >>> On Feb 12, 2015, at 12:33 PM, Tiernan OToole <tier...@tiernanotoole.ie> > wrote: > >>> > >>> Morning all. > >>> > >>> I have a question I hope someone can help me with. > >>> > >>> I have my PFSense server with 3 WAN connections, load balanced and I > >>> need to start forwarding ports, specifically SIP ports. I have done > >>> port forwarding on port 80, and it works grand, but doing the same > >>> steps with 5060, not so much… > >>> > >>> The steps I took was: > >>> > >>> Firewall/NAT, Add, interface = WAN1, proto TCP, src addr and port > >>> are both *, dest = WAN1 address, dst port 5060, nat IP (internal ip > >>> of the voip box), nat ports 5060 > >>> > >>> Did this for each WAN connection and again for other ports… but the > VoIP firewall checker is still telling me the ports aint open… What am I > doing wrong? > >>> > >>> It works on port 80! Why not SIP?! > >>> > >>> Thanks. > >>> > >>> --Tiernan > > > > Start by making sure that traffic is actually hitting the rule. Enable > logging on the rule and/or run a packet capture on the pfSense box with the > interface set to the WAN link, proto UDP port 5060. > > > > You could also do a pcap on the LAN interface with the IP of the PBX > > to see both directions. Install Wireshark obn your PC to look deeply > > into the pcap (download button) > > > > Once you get SIP to work which is usually pretty easy, then you get to > diagnose why you get one way audio (RTP). Hopefully that wont happen. > > Symmetric RTP is your friend here ... > > > > Another thing to watch out for is SIP ALGs upstream of the pfSense and > making sure that your VoIP system knows its external IP address. > > > > Cheers > > Jon > > > > _______________________________________________ > > pfSense mailing list > > https://lists.pfsense.org/mailman/listinfo/list > > Support the project with Gold! https://pfsense.org/gold > > _______________________________________________ > > pfSense mailing list > > https://lists.pfsense.org/mailman/listinfo/list > > Support the project with Gold! https://pfsense.org/gold > > > > > -- > -- > Steven G. Spencer, Network Administrator KSC Corporate - The Kelly Supply > Family of Companies Office 308-382-8764 Ext. 1131 Mobile 402-765-8010 > _______________________________________________ > pfSense mailing list > https://lists.pfsense.org/mailman/listinfo/list > Support the project with Gold! https://pfsense.org/gold > _______________________________________________ > pfSense mailing list > https://lists.pfsense.org/mailman/listinfo/list > Support the project with Gold! https://pfsense.org/gold
_______________________________________________ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
