[pfSense Support] Re: Asterisk and PfSense

2007-10-10 Thread Ugo Bellavance

Tortise wrote:

Ugo
Which ports are you NATting?


1-to-1 NAT.

Allowing via rules:

UDP 1 - 2
UDP 5060 - 5069


Which ports are setup for RTP in asterisk?


rtpstart=1
rtpend=2

Kind regards 
David


- Original Message - 
From: Ugo Bellavance [EMAIL PROTECTED]

To: support@pfsense.com
Sent: Wednesday, October 10, 2007 6:28 PM
Subject: [pfSense Support] Asterisk and PfSense


Hi,

I have an asterisk server that is working mostly with SIP clients 
behind NAT.  I'd like to put this asterisk server behind the PfSense to 
benefit from QoS and added security, packages, etc.  However, I just 
tested and I can't make it work with more than 2 clients at a time 
(using 1-to-1 NAT).  I've tried disabling static port.  I've also tried 
to also disable scrubbing.  I've tried setting the firewall setting to 
'conservative'.  The problem I'm getting is that once a second SIP 
client registers, it kind of kicks out the first one and so on.


I've tried it without NAT, but I didn't really know how to do it, so I 
just gave the linux (asterisk) server the public IP address I wanted and 
made appropriate firewall rules.  I couldn't connect using ssh, so I 
stopped fiddling around and wrote this message.


What is recommended in my situation?

Regards,

Ugo Bellavance


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]






[pfSense Support] Re: Asterisk and PfSense

2007-10-10 Thread Ugo Bellavance

Chris Bagnall wrote:

I have an asterisk server that is working mostly with SIP clients
behind NAT.  I'd like to put this asterisk server behind the PfSense to
benefit from QoS and added security, packages, etc.  However, I just
tested and I can't make it work with more than 2 clients at a time
(using 1-to-1 NAT).


Interesting. We have quite a few pfsense + asterisk deployments out there in 
precisely this configuration and everything works fine.


Weird.  Maybe I'll write a howto when I succeed, as almost everything 
on pfsense + asterisk on google doesn't seem to be working.



You've set up 1:1 NAT, that's fine. In pfSense, check that port 5060 is allowed 
(UDP) for SIP, and 1-2 are allowed (UDP) for RTP - assuming you haven't 
changed the port range in asterisk's rtp.conf


Yes, I'm allowing

UDP 5060 - 5069 (SIP)
UDP 1-2 (RTP)


On the asterisk box, check your sip.conf file. You need the following:

localnet = 10.0.0.0/8
localnet = 172.16.0.0/12
localnet = 192.168.0.0/16
localnet = 169.254.0.0/16


I missed that.


externip = asterisk_true_external_ip


I had this.



Substitute your real external 1:1 NAT IP into externip. The localnet entries 
tell asterisk that SIP packets from any of those address ranges should have 
their claimed IP ignored and their apparent IP/port used instead.


Oh, I thought externip was enough.


In each sip.conf device section, make sure nat=yes is included.


Yes, all there.


Hopefully that should solve your problems.


I'll try that tonight or tomorrow night.

Thanks a lot!

Ugo





[pfSense Support] Re: Asterisk and PfSense

2007-10-10 Thread Ugo Bellavance

Chris Bagnall wrote:

I have an asterisk server that is working mostly with SIP clients
behind NAT.  I'd like to put this asterisk server behind the PfSense to
benefit from QoS and added security, packages, etc.  However, I just
tested and I can't make it work with more than 2 clients at a time
(using 1-to-1 NAT).


Interesting. We have quite a few pfsense + asterisk deployments out there in 
precisely this configuration and everything works fine.

You've set up 1:1 NAT, that's fine. In pfSense, check that port 5060 is allowed 
(UDP) for SIP, and 1-2 are allowed (UDP) for RTP - assuming you haven't 
changed the port range in asterisk's rtp.conf

On the asterisk box, check your sip.conf file. You need the following:

localnet = 10.0.0.0/8
localnet = 172.16.0.0/12
localnet = 192.168.0.0/16
localnet = 169.254.0.0/16
externip = asterisk_true_external_ip

Substitute your real external 1:1 NAT IP into externip. The localnet entries 
tell asterisk that SIP packets from any of those address ranges should have 
their claimed IP ignored and their apparent IP/port used instead.

In each sip.conf device section, make sure nat=yes is included.

Hopefully that should solve your problems.

Regards,

Chris


It looks like it is going to work.  Will perform more tests tomorrow, but 
it definitely looks good.


Ugo
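
Added example, not part of the original thread or of the pfSense or Asterisk projects: a small audit of a sip.conf for the three settings discussed above (localnet entries, externip, and nat=yes in every device section), plus a check of whether a given client address falls inside the configured localnet ranges. The sample file, the section names phone1/phone2 and the address 203.0.113.10 are constructed for illustration.

```python
import ipaddress

# Constructed sample sip.conf; 203.0.113.10 is a documentation address, not from the thread.
SAMPLE = """\
[general]
localnet = 10.0.0.0/8
localnet = 172.16.0.0/12
localnet = 192.168.0.0/16
localnet = 169.254.0.0/16
externip = 203.0.113.10

[phone1]          ; hypothetical device section
nat = yes

[phone2]          ; hypothetical device section, nat=yes forgotten
host = dynamic
"""

def parse(text):
    """Return {section: [(key, value), ...]}; keys such as localnet may repeat."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if line.startswith("[") and "]" in line:
            current = conf.setdefault(line[1:line.index("]")], [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip()))
    return conf

def localnets(conf):
    """Networks declared with localnet in [general]; CIDR or netmask form."""
    return [ipaddress.ip_network(v, strict=False)
            for k, v in conf.get("general", []) if k == "localnet"]

def audit(text):
    """List what is missing from the three settings named in the thread."""
    conf, findings = parse(text), []
    if not localnets(conf):
        findings.append("general: no localnet entries")
    if not any(k == "externip" and v for k, v in conf.get("general", [])):
        findings.append("general: externip not set")
    for name, items in conf.items():
        if name != "general" and dict(items).get("nat", "").lower() != "yes":
            findings.append(f"{name}: nat=yes missing")
    return findings

def is_local(text, addr):
    """True if addr falls inside one of the configured localnet ranges."""
    return any(ipaddress.ip_address(addr) in n for n in localnets(parse(text)))

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(is_local(SAMPLE, "192.168.1.20"), is_local(SAMPLE, "198.51.100.7"))
```
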

