Re: [pfSense Support] rule not working correctly
Yep, I see that. My bad. Thanks!

-Phil G

On Sep 8, 2008, at 9:56 AM, Angelo Turetta <[EMAIL PROTECTED]> wrote:

> BSD Wiz wrote:
>> yep, that is how i created the rule, on the WAN interface and so far so good. i've made about 20 calls and none of them failed so we're looking good...
>>
>> thanks!
>
> Oh, yes. That was the advice I gave you in my message 4 days ago, but you instead chose 1:1 NAT. :)
>
> Angelo.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: [pfSense Support] rule not working correctly
Lol, all that matters is that he's got it working!! ;)

Chris Uthe
Owner

-Original Message-
From: Angelo Turetta [mailto:[EMAIL PROTECTED]
Sent: Monday, September 08, 2008 9:57 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] rule not working correctly

BSD Wiz wrote:
> yep, that is how i created the rule, on the WAN interface and so far so good. i've made about 20 calls and none of them failed so we're looking good...
>
> thanks!

Oh, yes. That was the advice I gave you in my message 4 days ago, but you instead chose 1:1 NAT. :)

Angelo.

Re: [pfSense Support] rule not working correctly
BSD Wiz wrote:
> yep, that is how i created the rule, on the WAN interface and so far so good. i've made about 20 calls and none of them failed so we're looking good...
>
> thanks!

Oh, yes. That was the advice I gave you in my message 4 days ago, but you instead chose 1:1 NAT. :)

Angelo.

Re: [pfSense Support] rule not working correctly
yep, that is how i created the rule, on the WAN interface and so far so good. i've made about 20 calls and none of them failed so we're looking good...

thanks!

-phil

On Sep 6, 2008, at 7:20 PM, Bill Marquette wrote:

> On Sat, Sep 6, 2008 at 3:52 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>> i should enable static nat on the interface that my voip router is on, which is my dmz correct?
>
> Nope, on your WAN interface. You'll put in a rule that is specific to your VOIP provider and check the 'static nat' box. That will force a static translation for anything destined to your provider.
>
> --Bill

Re: [pfSense Support] rule not working correctly
On Sat, Sep 6, 2008 at 3:52 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
> i should enable static nat on the interface that my voip router is on, which is my dmz correct?

Nope, on your WAN interface. You'll put in a rule that is specific to your VOIP provider and check the 'static nat' box. That will force a static translation for anything destined to your provider.

--Bill

Re: [pfSense Support] rule not working correctly
On Sat, Sep 6, 2008 at 4:52 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
> i should enable static nat on the interface that my voip router is on, which is my dmz correct?

That is correct. Enable advanced outbound NAT, edit the entry and click the static port box. Save and clear the states related to the phone and reboot the phone.

Scott

Re: [pfSense Support] rule not working correctly
i should enable static nat on the interface that my voip router is on, which is my dmz correct?

thanks,

On Sep 6, 2008, at 3:35 PM, Scott Ullrich wrote:

> On Sat, Sep 6, 2008 at 4:23 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>> after doing considerable research with tcpdump on my WAN interface and DMZ interface i see that the traffic is indeed passing but my phone is not ringing sometimes. i have no idea why this is happening but it appears that pfsense is doing its job correctly.
>>
>> so, lingo sucks and i'm looking for recommendations on a new VoIP provider for my home.
>
> Try enabling static port on advanced outbound NAT or your LAN interface.
>
> The forum has a lot of information regarding this.
>
> Scott

Re: [pfSense Support] rule not working correctly
On Sat, Sep 6, 2008 at 3:35 PM, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> On Sat, Sep 6, 2008 at 4:23 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>> after doing considerable research with tcpdump on my WAN interface and DMZ interface i see that the traffic is indeed passing but my phone is not ringing sometimes. i have no idea why this is happening but it appears that pfsense is doing its job correctly.
>>
>> so, lingo sucks and i'm looking for recommendations on a new VoIP provider for my home.
>
> Try enabling static port on advanced outbound NAT or your LAN interface.
>
> The forum has a lot of information regarding this.

Good point, give this a shot first. What's probably happening here is that pfSense will randomize the outbound port on new connections. Lingo might be coming back (after state has expired on the outbound connection) and trying to connect to a port your phone (PC?) isn't listening on any more. Using static nat will remove the randomization pfSense is adding to the mix and let Lingo see the real source port for the connection.

--Bill

Re: [pfSense Support] rule not working correctly
On Sat, Sep 6, 2008 at 3:23 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
> after doing considerable research with tcpdump on my WAN interface and DMZ interface i see that the traffic is indeed passing but my phone is not ringing sometimes. i have no idea why this is happening but it appears that pfsense is doing its job correctly.
>
> so, lingo sucks and i'm looking for recommendations on a new VoIP provider for my home.

I'm happy with Broadvoice. I believe they also operate a STUN server which should make life even easier (I personally direct all my traffic through my Asterisk box and have enough static IPs that I just 1:1 NAT and pass all UDP to the PBX).

--Bill

Re: [pfSense Support] rule not working correctly
On Sat, Sep 6, 2008 at 4:23 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
> after doing considerable research with tcpdump on my WAN interface and DMZ interface i see that the traffic is indeed passing but my phone is not ringing sometimes. i have no idea why this is happening but it appears that pfsense is doing its job correctly.
>
> so, lingo sucks and i'm looking for recommendations on a new VoIP provider for my home.

Try enabling static port on advanced outbound NAT or your LAN interface.

The forum has a lot of information regarding this.

Scott

Re: [pfSense Support] rule not working correctly
after doing considerable research with tcpdump on my WAN interface and DMZ interface i see that the traffic is indeed passing but my phone is not ringing sometimes. i have no idea why this is happening but it appears that pfsense is doing its job correctly.

so, lingo sucks and i'm looking for recommendations on a new VoIP provider for my home.

Thanks!

-phil

On Sep 5, 2008, at 10:43 PM, Bill Marquette wrote:

> I think you're dancing all around the solution :) You need an inbound NAT or port forward for UDP ports 1-65535 pointing to 10.0.0.1. Alternately, a 1:1 NAT using YOUR external IP, not the IP of the service (ie. 216.181.136.7 in your example below should be whatever your external IP is, not that of Lingo). The internal is still 10.0.0.1 (assuming that's your internal machine doing Lingo VOIP).
>
> --Bill
>
> On Fri, Sep 5, 2008 at 9:17 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>> man O man still getting blocked,
>>
>> tried calling my VoIP phone from my cell phone and the traffic was blocked again by the default drop all rule. below is the log entry of the blocked traffic.
>>
>> WAN 216.181.136.7:5065 xx.xx.xx.xx:63792
>>
>> this after allowing source 216.181.136.7 through my WAN interface destined for any port and also creating a 1:1 entry as follows:
>>
>> Interface  External IP       Internal IP  Description
>> WAN        216.181.136.7/32  10.0.0.1/32  Allow Incoming VoIP
>>
>> WTF, shouldn't that be allowed through?
>>
>> thanks gents.
>>
>> -phil
>>
>> On Sep 5, 2008, at 8:12 AM, Paul Mansfield wrote:
>>> BSD Wiz wrote:
>>>> ah, i don't have any 1:1 nat entries, or static routes for this firewall issue. so when the traffic hits the WAN interface perhaps it's not always finding its way to the voip box in the dmz?
>>>>
>>>> i have added a 1:1 mapping as follows:
>>>>
>>>> Interface  External IP       Internal IP  Description
>>>> WAN        216.181.136.7/32  10.0.0.1/32  VoIP Box
>>>>
>>>> where 10.0.0.1/32 is the ip of the DMZ interface.
>>>>
>>>> should that be sufficient?
>>>>
>>>> i can see why some of the traffic was not making it through since i only had a rule to allow traffic from 216.181.136.7 but no port forwarding, static routes or 1:1 nat entries.
>>>
>>> seems reasonable to me, you should know if it's working by testing. use tcpdump on firewall, on each interface in turn to see traffic flow... use "tcpdump -ln port XXX" to limit the amount of traffic you sniff.

Re: [pfSense Support] rule not working correctly
even when i port forward ports 1024-65535 to my lingo device it still occasionally blocks the traffic. i have the rule setup on my WAN interface and also on the nat/portforward. i wonder if it is something specific to the voip traffic and the way pfsense is handling it??

-phil

On Sep 5, 2008, at 10:43 PM, Bill Marquette wrote:

> I think you're dancing all around the solution :) You need an inbound NAT or port forward for UDP ports 1-65535 pointing to 10.0.0.1. Alternately, a 1:1 NAT using YOUR external IP, not the IP of the service (ie. 216.181.136.7 in your example below should be whatever your external IP is, not that of Lingo). The internal is still 10.0.0.1 (assuming that's your internal machine doing Lingo VOIP).
>
> --Bill
>
> On Fri, Sep 5, 2008 at 9:17 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>> man O man still getting blocked,
>>
>> tried calling my VoIP phone from my cell phone and the traffic was blocked again by the default drop all rule. below is the log entry of the blocked traffic.
>>
>> WAN 216.181.136.7:5065 xx.xx.xx.xx:63792
>>
>> this after allowing source 216.181.136.7 through my WAN interface destined for any port and also creating a 1:1 entry as follows:
>>
>> Interface  External IP       Internal IP  Description
>> WAN        216.181.136.7/32  10.0.0.1/32  Allow Incoming VoIP
>>
>> WTF, shouldn't that be allowed through?
>>
>> thanks gents.
>>
>> -phil
>>
>> On Sep 5, 2008, at 8:12 AM, Paul Mansfield wrote:
>>> BSD Wiz wrote:
>>>> ah, i don't have any 1:1 nat entries, or static routes for this firewall issue. so when the traffic hits the WAN interface perhaps it's not always finding its way to the voip box in the dmz?
>>>>
>>>> i have added a 1:1 mapping as follows:
>>>>
>>>> Interface  External IP       Internal IP  Description
>>>> WAN        216.181.136.7/32  10.0.0.1/32  VoIP Box
>>>>
>>>> where 10.0.0.1/32 is the ip of the DMZ interface.
>>>>
>>>> should that be sufficient?
>>>>
>>>> i can see why some of the traffic was not making it through since i only had a rule to allow traffic from 216.181.136.7 but no port forwarding, static routes or 1:1 nat entries.
>>>
>>> seems reasonable to me, you should know if it's working by testing. use tcpdump on firewall, on each interface in turn to see traffic flow... use "tcpdump -ln port XXX" to limit the amount of traffic you sniff.

Re: [pfSense Support] rule not working correctly
yeah, seems like the port forward option is working as it should. i don't know why i didn't set it up this way to begin with. + as you already pointed out i had the 1:1 rule messed up..

thanks,

-phil

On Sep 5, 2008, at 10:43 PM, Bill Marquette wrote:

> I think you're dancing all around the solution :) You need an inbound NAT or port forward for UDP ports 1-65535 pointing to 10.0.0.1. Alternately, a 1:1 NAT using YOUR external IP, not the IP of the service (ie. 216.181.136.7 in your example below should be whatever your external IP is, not that of Lingo). The internal is still 10.0.0.1 (assuming that's your internal machine doing Lingo VOIP).
>
> --Bill
>
> On Fri, Sep 5, 2008 at 9:17 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>> man O man still getting blocked,
>>
>> tried calling my VoIP phone from my cell phone and the traffic was blocked again by the default drop all rule. below is the log entry of the blocked traffic.
>>
>> WAN 216.181.136.7:5065 xx.xx.xx.xx:63792
>>
>> this after allowing source 216.181.136.7 through my WAN interface destined for any port and also creating a 1:1 entry as follows:
>>
>> Interface  External IP       Internal IP  Description
>> WAN        216.181.136.7/32  10.0.0.1/32  Allow Incoming VoIP
>>
>> WTF, shouldn't that be allowed through?
>>
>> thanks gents.
>>
>> -phil
>>
>> On Sep 5, 2008, at 8:12 AM, Paul Mansfield wrote:
>>> BSD Wiz wrote:
>>>> ah, i don't have any 1:1 nat entries, or static routes for this firewall issue. so when the traffic hits the WAN interface perhaps it's not always finding its way to the voip box in the dmz?
>>>>
>>>> i have added a 1:1 mapping as follows:
>>>>
>>>> Interface  External IP       Internal IP  Description
>>>> WAN        216.181.136.7/32  10.0.0.1/32  VoIP Box
>>>>
>>>> where 10.0.0.1/32 is the ip of the DMZ interface.
>>>>
>>>> should that be sufficient?
>>>>
>>>> i can see why some of the traffic was not making it through since i only had a rule to allow traffic from 216.181.136.7 but no port forwarding, static routes or 1:1 nat entries.
>>>
>>> seems reasonable to me, you should know if it's working by testing. use tcpdump on firewall, on each interface in turn to see traffic flow... use "tcpdump -ln port XXX" to limit the amount of traffic you sniff.

Re: [pfSense Support] rule not working correctly
sounds good. i'm going to give the port forward option a shot.

thanks,

-phil

On Sep 5, 2008, at 10:43 PM, Bill Marquette wrote:

> I think you're dancing all around the solution :) You need an inbound NAT or port forward for UDP ports 1-65535 pointing to 10.0.0.1. Alternately, a 1:1 NAT using YOUR external IP, not the IP of the service (ie. 216.181.136.7 in your example below should be whatever your external IP is, not that of Lingo). The internal is still 10.0.0.1 (assuming that's your internal machine doing Lingo VOIP).
>
> --Bill
>
> On Fri, Sep 5, 2008 at 9:17 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>> man O man still getting blocked,
>>
>> tried calling my VoIP phone from my cell phone and the traffic was blocked again by the default drop all rule. below is the log entry of the blocked traffic.
>>
>> WAN 216.181.136.7:5065 xx.xx.xx.xx:63792
>>
>> this after allowing source 216.181.136.7 through my WAN interface destined for any port and also creating a 1:1 entry as follows:
>>
>> Interface  External IP       Internal IP  Description
>> WAN        216.181.136.7/32  10.0.0.1/32  Allow Incoming VoIP
>>
>> WTF, shouldn't that be allowed through?
>>
>> thanks gents.
>>
>> -phil
>>
>> On Sep 5, 2008, at 8:12 AM, Paul Mansfield wrote:
>>> BSD Wiz wrote:
>>>> ah, i don't have any 1:1 nat entries, or static routes for this firewall issue. so when the traffic hits the WAN interface perhaps it's not always finding its way to the voip box in the dmz?
>>>>
>>>> i have added a 1:1 mapping as follows:
>>>>
>>>> Interface  External IP       Internal IP  Description
>>>> WAN        216.181.136.7/32  10.0.0.1/32  VoIP Box
>>>>
>>>> where 10.0.0.1/32 is the ip of the DMZ interface.
>>>>
>>>> should that be sufficient?
>>>>
>>>> i can see why some of the traffic was not making it through since i only had a rule to allow traffic from 216.181.136.7 but no port forwarding, static routes or 1:1 nat entries.
>>>
>>> seems reasonable to me, you should know if it's working by testing. use tcpdump on firewall, on each interface in turn to see traffic flow... use "tcpdump -ln port XXX" to limit the amount of traffic you sniff.

Re: [pfSense Support] rule not working correctly
I think you're dancing all around the solution :) You need an inbound NAT or port forward for UDP ports 1-65535 pointing to 10.0.0.1. Alternately, a 1:1 NAT using YOUR external IP, not the IP of the service (ie. 216.181.136.7 in your example below should be whatever your external IP is, not that of Lingo). The internal is still 10.0.0.1 (assuming that's your internal machine doing Lingo VOIP).

--Bill

On Fri, Sep 5, 2008 at 9:17 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
> man O man still getting blocked,
>
> tried calling my VoIP phone from my cell phone and the traffic was blocked again by the default drop all rule. below is the log entry of the blocked traffic.
>
> WAN 216.181.136.7:5065 xx.xx.xx.xx:63792
>
> this after allowing source 216.181.136.7 through my WAN interface destined for any port and also creating a 1:1 entry as follows:
>
> Interface  External IP       Internal IP  Description
> WAN        216.181.136.7/32  10.0.0.1/32  Allow Incoming VoIP
>
> WTF, shouldn't that be allowed through?
>
> thanks gents.
>
> -phil
>
> On Sep 5, 2008, at 8:12 AM, Paul Mansfield wrote:
>> BSD Wiz wrote:
>>> ah, i don't have any 1:1 nat entries, or static routes for this firewall issue. so when the traffic hits the WAN interface perhaps it's not always finding its way to the voip box in the dmz?
>>>
>>> i have added a 1:1 mapping as follows:
>>>
>>> Interface  External IP       Internal IP  Description
>>> WAN        216.181.136.7/32  10.0.0.1/32  VoIP Box
>>>
>>> where 10.0.0.1/32 is the ip of the DMZ interface.
>>>
>>> should that be sufficient?
>>>
>>> i can see why some of the traffic was not making it through since i only had a rule to allow traffic from 216.181.136.7 but no port forwarding, static routes or 1:1 nat entries.
>>
>> seems reasonable to me, you should know if it's working by testing. use tcpdump on firewall, on each interface in turn to see traffic flow... use "tcpdump -ln port XXX" to limit the amount of traffic you sniff.

Re: [pfSense Support] rule not working correctly
Here is the raw logs of a call getting blocked.

Sep 5 21:52:07 fw-bsd-1.gnet pf: 20. 251565 rule 122/0(match): block in on rl1: (tos 0x0, ttl 110, id 51208, offset 0, flags [DF], proto: UDP (17), length: 854) 216.181.136.7.5065 > 75.129.xx.xx.58562: UDP, length 826
Sep 5 21:52:08 fw-bsd-1.gnet pf: 498742 rule 122/0(match): block in on rl1: (tos 0x0, ttl 110, id 8503, offset 0, flags [DF], proto: UDP (17), length: 854) 216.181.136.7.5065 > 75.129.xx.xx.58562: UDP, length 826
Sep 5 21:52:09 fw-bsd-1.gnet pf: 999812 rule 122/0(match): block in on rl1: (tos 0x0, ttl 110, id 50193, offset 0, flags [DF], proto: UDP (17), length: 854) 216.181.136.7.5065 > 75.129.xx.xx.58562: UDP, length 826
Sep 5 21:52:11 fw-bsd-1.gnet pf: 2. 10 rule 122/0(match): block in on rl1: (tos 0x0, ttl 110, id 38161, offset 0, flags [DF], proto: UDP (17), length: 854) 216.181.136.7.5065 > 75.129.xx.xx.58562: UDP, length 826
Sep 5 21:52:15 fw-bsd-1.gnet pf: 4. 36 rule 122/0(match): block in on rl1: (tos 0x0, ttl 110, id 20736, offset 0, flags [DF], proto: UDP (17), length: 854) 216.181.136.7.5065 > 75.129.xx.xx.58562: UDP, length 826
Sep 5 21:52:23 fw-bsd-1.gnet pf: 8. 000728 rule 122/0(match): block in on rl1: (tos 0x0, ttl 110, id 16435, offset 0, flags [DF], proto: UDP (17), length: 854) 216.181.136.7.5065 > 75.129.xx.xx.58562: UDP, length 826
Sep 5 21:52:39 fw-bsd-1.gnet pf: 16. 004281 rule 122/0(match): block in on rl1: (tos 0x0, ttl 110, id 44642, offset 0, flags [DF], proto: UDP (17), length: 854) 216.181.136.7.5065 > 75.129.xx.xx.58562: UDP, length 826

Here is the rest of the info you requested:

tcp 22 172.16.0.99 22 wan Allow Backups from PPGNetServ using SSH
tcp 5001 172.16.0.99 5001 wan Allow iperf connections from GoDaddy Server
216.181.136.7 10.0.0.1 32 Allow Incoming VoIP wan

And the rules

wan tcp 172.16.0.99 22 NAT Allow Backups from PPGNetServ using SSH
pass wan keep state udp 216.181.136.7 10.0.0.0/24 Allow VoIP Inbound
pass wan keep state tcp 72.167.141.110 172.16.0.99 5001 Allow iperf connections from GoDaddy Server
pass wan keep state tcp 172.16.0.1 443 WAN -> Allow Remote Admin of FW
pass wan keep state tcp/udp 1194 Allow Incoming Remote VPN Road Warriors
pass opt1 keep state udp 10.0.0.2 216.181.136.7 Allow VoIP Outbound
pass opt1 keep state udp 216.181.136.7 opt1 Allow VoIP from Lingo
pass opt1 keep state udp opt1 216.181.136.7 Allow VoIP to Lingo
pass opt1 keep state udp 10001 DMZ -> Allow IPSEC Clients
pass opt1 keep state udp

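Added example, not part of the original thread or of pfSense: a small Python parser for pf block-log lines in the format posted above. It groups blocked inbound packets by flow and marks flows whose destination port falls in pf's default NAT source-port range, the pattern the replies in this thread attribute to an outbound NAT state that has expired. The sample lines are constructed with documentation addresses; the function names, hint labels and default year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the pflog line format posted above. Addresses come
# from documentation ranges, not from the thread; the "1. 000123" field
# mimics the oddly spaced delta column seen in the posted lines.
SAMPLE_LOG = """\
Sep 5 21:52:07 fw pf: rule 122/0(match): block in on rl1: (tos 0x0, ttl 110, id 51208, offset 0, flags [DF], proto: UDP (17), length: 854) 198.51.100.7.5065 > 203.0.113.10.58562: UDP, length 826
Sep 5 21:52:08 fw pf: 1. 000123 rule 122/0(match): block in on rl1: (tos 0x0, ttl 110, id 8503, offset 0, flags [DF], proto: UDP (17), length: 854) 198.51.100.7.5065 > 203.0.113.10.58562: UDP, length 826
Sep 5 21:52:09 fw pf: 1. 000456 rule 122/0(match): block in on rl1: (tos 0x0, ttl 110, id 50193, offset 0, flags [DF], proto: UDP (17), length: 854) 198.51.100.7.5065 > 203.0.113.10.58562: UDP, length 826
Sep 5 21:52:11 fw pf: 2. 000010 rule 122/0(match): block in on rl1: (tos 0x0, ttl 110, id 38161, offset 0, flags [DF], proto: UDP (17), length: 854) 198.51.100.7.5065 > 203.0.113.10.58562: UDP, length 826
Sep 5 21:53:00 fw pf: rule 122/0(match): block in on rl1: (tos 0x0, ttl 52, id 4242, offset 0, flags [none], proto: UDP (17), length: 448) 192.0.2.44.5060 > 203.0.113.10.5060: UDP, length 420
Sep 5 21:53:05 fw pf: rule 61/0(match): pass in on rl1: (tos 0x0, ttl 110, id 777, offset 0, flags [DF], proto: UDP (17), length: 60) 198.51.100.7.5065 > 203.0.113.10.1194: UDP, length 32
"""

# pf's built-in source-port range for nat rules without static-port
# (PF_NAT_PROXY_PORT_LOW/HIGH). Assumption: the firewall uses this default.
PF_NAT_PORTS = range(50001, 65536)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+pf:.*?"
    r"rule\s+(?P<rule>\d+)/\d+\(match\):\s+(?P<action>block|pass)\s+"
    r"(?P<dir>in|out)\s+on\s+(?P<iface>\w+):"
    r".*?proto:?\s+(?P<proto>\w+)\s+\(\d+\).*?\)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):"
)


def parse_line(line, year=2008):
    """Return a dict for one pflog line, or None if it does not match.

    syslog timestamps carry no year, so one is supplied (assumption)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(f"{year} {rec.pop('ts')}",
                                    "%Y %b %d %H:%M:%S")
    for field in ("rule", "sport", "dport"):
        rec[field] = int(rec[field])
    return rec


def classify(proto, dport):
    """Label a blocked inbound flow by its destination port."""
    if proto == "UDP" and dport in PF_NAT_PORTS:
        # Looks like a packet aimed at a translated source port that no
        # longer has a state entry: check static port / state timeouts.
        return "nat-port"
    # Anything else: check for a missing port forward or pass rule.
    return "other"


def blocked_flows(text, year=2008):
    """Group 'block in' entries by flow, most frequent first."""
    flows = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line, year)
        if rec and rec["action"] == "block" and rec["dir"] == "in":
            key = (rec["iface"], rec["proto"], rec["src"], rec["sport"],
                   rec["dst"], rec["dport"], rec["rule"])
            flows[key].append(rec["when"])
    report = []
    for (iface, proto, src, sport, dst, dport, rule), times in flows.items():
        times.sort()
        gaps = [int((b - a).total_seconds())
                for a, b in zip(times, times[1:])]
        report.append({
            "iface": iface, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "rule": rule, "count": len(times),
            "gaps": gaps,
            # Same flow repeated at non-shrinking intervals: the sender
            # keeps retrying because nothing is answering it.
            "retrying": len(gaps) >= 2 and gaps == sorted(gaps),
            "hint": classify(proto, dport),
        })
    return sorted(report, key=lambda r: -r["count"])


if __name__ == "__main__":
    for flow in blocked_flows(SAMPLE_LOG):
        print(flow)
```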
Re: [pfSense Support] rule not working correctly
On Fri, Sep 5, 2008 at 10:17 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
> man O man still getting blocked,
>
> tried calling my VoIP phone from my cell phone and the traffic was blocked again by the default drop all rule. below is the log entry of the blocked traffic.
>
> WAN 216.181.136.7:5065 xx.xx.xx.xx:63792
>
> this after allowing source 216.181.136.7 through my WAN interface destined for any port and also creating a 1:1 entry as follows:
>
> Interface  External IP       Internal IP  Description
> WAN        216.181.136.7/32  10.0.0.1/32  Allow Incoming VoIP
>
> WTF, shouldn't that be allowed through?

What does the raw log look like that's blocking it?

Also can you paste from status.php config.xml section everything from to and to ?

Re: [pfSense Support] rule not working correctly
man O man still getting blocked,

tried calling my VoIP phone from my cell phone and the traffic was blocked again by the default drop all rule. below is the log entry of the blocked traffic.

WAN 216.181.136.7:5065 xx.xx.xx.xx:63792

this after allowing source 216.181.136.7 through my WAN interface destined for any port and also creating a 1:1 entry as follows:

Interface  External IP       Internal IP  Description
WAN        216.181.136.7/32  10.0.0.1/32  Allow Incoming VoIP

WTF, shouldn't that be allowed through?

thanks gents.

-phil

On Sep 5, 2008, at 8:12 AM, Paul Mansfield wrote:

> BSD Wiz wrote:
>> ah, i don't have any 1:1 nat entries, or static routes for this firewall issue. so when the traffic hits the WAN interface perhaps it's not always finding its way to the voip box in the dmz?
>>
>> i have added a 1:1 mapping as follows:
>>
>> Interface  External IP       Internal IP  Description
>> WAN        216.181.136.7/32  10.0.0.1/32  VoIP Box
>>
>> where 10.0.0.1/32 is the ip of the DMZ interface.
>>
>> should that be sufficient?
>>
>> i can see why some of the traffic was not making it through since i only had a rule to allow traffic from 216.181.136.7 but no port forwarding, static routes or 1:1 nat entries.
>
> seems reasonable to me, you should know if it's working by testing. use tcpdump on firewall, on each interface in turn to see traffic flow... use "tcpdump -ln port XXX" to limit the amount of traffic you sniff.

Re: [pfSense Support] rule not working correctly
BSD Wiz wrote:
> ah, i don't have any 1:1 nat entries, or static routes for this firewall issue. so when the traffic hits the WAN interface perhaps it's not always finding its way to the voip box in the dmz?
>
> i have added a 1:1 mapping as follows:
>
> Interface  External IP       Internal IP  Description
> WAN        216.181.136.7/32  10.0.0.1/32  VoIP Box
>
> where 10.0.0.1/32 is the ip of the DMZ interface.
>
> should that be sufficient?
>
> i can see why some of the traffic was not making it through since i only had a rule to allow traffic from 216.181.136.7 but no port forwarding, static routes or 1:1 nat entries.

seems reasonable to me, you should know if it's working by testing. use tcpdump on firewall, on each interface in turn to see traffic flow... use "tcpdump -ln port XXX" to limit the amount of traffic you sniff.

Re: [pfSense Support] rule not working correctly
ah, i don't have any 1:1 nat entries, or static routes for this firewall issue. so when the traffic hits the WAN interface perhaps it's not always finding its way to the voip box in the dmz?

i have added a 1:1 mapping as follows:

Interface  External IP       Internal IP  Description
WAN        216.181.136.7/32  10.0.0.1/32  VoIP Box

where 10.0.0.1/32 is the ip of the DMZ interface.

should that be sufficient?

i can see why some of the traffic was not making it through since i only had a rule to allow traffic from 216.181.136.7 but no port forwarding, static routes or 1:1 nat entries.

thanks,

-phil

On Sep 4, 2008, at 7:21 AM, Paul Mansfield wrote:

> BSD Wiz wrote:
>> please allow me to pose this question again. i am trying to allow all traffic from a specific source ip into my DMZ(10.0.0.0/24) for my VoIP
>
> maybe I'm missing something, but the filter rule looks OK. does that external IP have a route to your DMZ, or have you put in a NAT rule to map the external port on firewall to server(s) in the DMZ?

Re: [pfSense Support] rule not working correctly
Thanks guys. I'm going to try a few of these suggestions and I'll report back later today.

-Phil G

On Sep 4, 2008, at 11:00 AM, "Reza Ambler" <[EMAIL PROTECTED]> wrote:

> Phil,
>
> I had a significant amount of VoIP issues earlier this year and found a few ways to combat some of the issue you're describing here. First, you can try switching the phones into TCP mode or using a STUN server with them. Have you given siproxd a shot? Install it in your router and point your phones to siproxd on the router, it should help mitigate a lot of these issues you're having.
>
> Hope this helps,
> -Reza
>
> -Original Message-
> From: BSD Wiz [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 03, 2008 5:36 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] rule not working correctly
>
> yes, it's causing problems. my phone won't ring when it gets blocked. that's exactly how i figured out it was getting blocked, people were telling me they were calling me but my phone never rang. i then went back and looked in the log files and noticed that the call was getting blocked.
>
> thanks,
> -phil
>
> On Sep 3, 2008, at 7:10 PM, Chris Buechler wrote:
>
>> On Wed, Sep 3, 2008 at 7:54 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>>> please allow me to pose this question again. i am trying to allow all traffic from a specific source ip into my DMZ(10.0.0.0/24) for my VoIP phone. the problem is that it's not always passing the traffic and some times it's getting blocked.
>>>
>>> i have created a rule on my WAN interface as follows:
>>>
>>> UDP 216.181.136.7 * 10.0.0.0/24 * *
>>>
>>> even with the above rule in place i'm seeing the following entry in my logs. it's important to note that it doesn't always get blocked, perhaps it has something to do with the high ports as mentioned on this list before?
>>>
>>> Sep 3 18:43:43 WAN 216.181.136.7:5065 xx.xx.xx.xx:52042 UDP
>>>
>>> when i click on the blocked log it says: The rule that triggered this action is:
>>>
>>> @118 block drop in log quick all label "Default deny rule"
>>>
>>> any suggestions?
>>
>> Is it causing problems, or are you seeing it and thinking it's a problem? If there are no noticeable issues it's likely just normal out of state traffic which will happen periodically.

RE: [pfSense Support] rule not working correctly
Phil,

I had a significant amount of VoIP issues earlier this year and found a few ways to combat some of the issue you're describing here. First, you can try switching the phones into TCP mode or using a STUN server with them. Have you given siproxd a shot? Install it in your router and point your phones to siproxd on the router, it should help mitigate a lot of these issues you're having.

Hope this helps,
-Reza

-Original Message-
From: BSD Wiz [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 03, 2008 5:36 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] rule not working correctly

yes, it's causing problems. my phone won't ring when it gets blocked. that's exactly how i figured out it was getting blocked, people were telling me they were calling me but my phone never rang. i then went back and looked in the log files and noticed that the call was getting blocked.

thanks,
-phil

On Sep 3, 2008, at 7:10 PM, Chris Buechler wrote:

> On Wed, Sep 3, 2008 at 7:54 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>> please allow me to pose this question again. i am trying to allow all traffic from a specific source ip into my DMZ(10.0.0.0/24) for my VoIP phone. the problem is that it's not always passing the traffic and some times it's getting blocked.
>>
>> i have created a rule on my WAN interface as follows:
>>
>> UDP 216.181.136.7 * 10.0.0.0/24 * *
>>
>> even with the above rule in place i'm seeing the following entry in my logs. it's important to note that it doesn't always get blocked, perhaps it has something to do with the high ports as mentioned on this list before?
>>
>> Sep 3 18:43:43 WAN 216.181.136.7:5065 xx.xx.xx.xx:52042 UDP
>>
>> when i click on the blocked log it says: The rule that triggered this action is:
>>
>> @118 block drop in log quick all label "Default deny rule"
>>
>> any suggestions?
>
> Is it causing problems, or are you seeing it and thinking it's a problem? If there are no noticeable issues it's likely just normal out of state traffic which will happen periodically.

Re: [pfSense Support] rule not working correctly
BSD Wiz wrote:
> please allow me to pose this question again. i am trying to allow all traffic from a specific source ip into my DMZ(10.0.0.0/24) for my VoIP

maybe I'm missing something, but the filter rule looks OK.

does that external IP have a route to your DMZ, or have you put in a NAT rule to map the external port on firewall to server(s) in the DMZ?
Re: [pfSense Support] rule not working correctly
BSD Wiz wrote:
> yes, it's causing problems. my phone won't ring when it gets blocked. that's exactly how i figured out it was getting blocked, people were telling me they were calling me but my phone never rang. i then went back and looked in the log files and noticed that the call was getting blocked.

I think your problem is not depending on firewall rules, but instead on outbound NAT.

If you are not using 1:1, edit the Outbound NAT settings for your DMZ. You should use 'Manual outbound NAT rule generation', and check 'Static port' in the 'Translation' settings.

My advice is that you create a custom outbound NAT for your VOIP UDP connections only, so that 'Static port' is used for as few connections as possible. This custom rule MUST come higher in the list than the default DMZ outbound NAT rule.

Ciao,
Angelo.
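The effect of the 'Static port' setting described in the message above, as an added example that is not part of the original thread: a toy model (not pf's or pfSense's code) of outbound NAT plus stateful inbound matching on WAN. The WAN address 203.0.113.10, the phone's address and port, and the assumption that the provider sends calls to the port the phone advertised in SIP are constructed for illustration.

```python
import ipaddress
import random

WAN_IP = "203.0.113.10"      # constructed stand-in for the redacted xx.xx.xx.xx
PROVIDER = "216.181.136.7"   # provider address quoted in the thread
DMZ_NET = ipaddress.ip_network("10.0.0.0/24")
PHONE = ("10.0.0.20", 5060)  # constructed DMZ phone address and SIP port


class Firewall:
    """Toy model: outbound NAT on WAN and state-first inbound filtering."""

    def __init__(self, static_port):
        self.static_port = static_port
        self.rng = random.Random(0)  # fixed seed so the run is repeatable
        self.states = {}  # (remote_ip, remote_port, wan_port) -> inside (ip, port)

    def outbound(self, src, dst):
        """Translate a DMZ -> provider packet and record the state it creates."""
        if self.static_port:
            wan_port = src[1]  # 'Static port': source port is preserved
        else:
            wan_port = self.rng.randint(49152, 65535)  # default: port rewritten
        self.states[(dst[0], dst[1], wan_port)] = src
        return (WAN_IP, wan_port)

    def inbound(self, src, dst_port):
        """Verdict for a UDP packet arriving on WAN addressed to WAN_IP:dst_port."""
        if (src[0], src[1], dst_port) in self.states:
            return "pass (state)"
        # No state, so no translation: the destination is still the WAN address
        # and the rule 'UDP 216.181.136.7 * 10.0.0.0/24 * *' is tested against it.
        if src[0] == PROVIDER and ipaddress.ip_address(WAN_IP) in DMZ_NET:
            return "pass (rule)"
        return 'block ("Default deny rule")'


def call_setup(static_port):
    """Phone registers from port 5060; the provider then sends a call to it."""
    fw = Firewall(static_port)
    _, wan_port = fw.outbound(PHONE, (PROVIDER, 5065))
    # Assumption: the provider addresses the call to the port the phone
    # advertised in SIP (5060), not to the port NAT happened to pick.
    return wan_port, fw.inbound((PROVIDER, 5065), PHONE[1])


if __name__ == "__main__":
    print("port rewritten:", call_setup(static_port=False))
    print("static port   :", call_setup(static_port=True))
    # The packet from the log, arriving with no matching state:
    print("logged packet :", Firewall(False).inbound((PROVIDER, 5065), 52042))
```

In the model the WAN pass rule never matches a stateless packet because its destination is still the WAN address rather than 10.0.0.0/24, which is the situation shown in the quoted log entry.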
Re: [pfSense Support] rule not working correctly
that article must be ancient. those are not even close to the ports needed to accept incoming calls/voice. perfect example, my previous email showed that the following traffic was blocked:

Sep 3 18:43:43 WAN 216.181.136.7:5065 xx.xx.xx.xx:52042 UDP

216.181.136.7 is primus/lingo, and the port is not even listed on that page. regardless, if i tell the firewall to permit all UDP traffic from 216.181.136.7 it should pass the traffic.

thanks,
-phil

On Sep 3, 2008, at 11:03 PM, Christopher B. Uthe wrote:
> Not to sound like a jerk, but have you checked it out very much? A quick search of lingo port forward hit this:
>
> http://portforward.com/english/routers/port_forwarding/Lingo/Primus-iAN-02ex/Echolink.htm
>
> perhaps that's not your model number or something, but you might find that useful. If you have multiple IPs a DMZ entry isn't horrid, but kinda overkill. I've always loved how Vonage doesn't need any special firewall rules to work.
>
> -----Original Message-----
> From: BSD Wiz [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 03, 2008 10:41 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] rule not working correctly
>
> lingo... yeah, i wish i could only forward the specific ports needed but lingo support is terrible and they don't know jack... i tried to figure out what ports are being used but the range is HUGE! so i'm pretty much stuck putting it into my dmz and allowing all traffic from a single IP.
>
> -phil
>
> On Sep 3, 2008, at 10:24 PM, Christopher B. Uthe wrote:
>> What kind of VOIP are you working with, can specific ports be used/configured? Better Idea to forward specific ports vs all traffic if you can do it.
>>
>> Chris
>>
>> -----Original Message-----
>> From: BSD Wiz [mailto:[EMAIL PROTECTED]
>> Sent: Wednesday, September 03, 2008 7:36 PM
>> To: support@pfsense.com
>> Subject: Re: [pfSense Support] rule not working correctly
>>
>> yes, it's causing problems. my phone won't ring when it gets blocked. that's exactly how i figured out it was getting blocked, people were telling me they were calling me but my phone never rang. i then went back and looked in the log files and noticed that the call was getting blocked.
>>
>> thanks,
>> -phil
>>
>> On Sep 3, 2008, at 7:10 PM, Chris Buechler wrote:
>>> On Wed, Sep 3, 2008 at 7:54 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>>>> please allow me to pose this question again. i am trying to allow all traffic from a specific source ip into my DMZ(10.0.0.0/24) for my VoIP phone. the problem is that it's not always passing the traffic and some times it's getting blocked.
>>>>
>>>> i have created a rule on my WAN interface as follows:
>>>>
>>>> UDP 216.181.136.7 * 10.0.0.0/24 * *
>>>>
>>>> even with the above rule in place i'm seeing the following entry in my logs. it's important to note that it doesn't always get blocked, perhaps it has something to do with the high ports as mentioned on this list before?
>>>>
>>>> Sep 3 18:43:43 WAN 216.181.136.7:5065 xx.xx.xx.xx:52042 UDP
>>>>
>>>> when i click on the blocked log it says: The rule that triggered this action is:
>>>>
>>>> @118 block drop in log quick all label "Default deny rule"
>>>>
>>>> any suggestions?
>>>
>>> Is it causing problems, or are you seeing it and thinking it's a problem? If there are no noticeable issues it's likely just normal out of state traffic which will happen periodically.
RE: [pfSense Support] rule not working correctly
Not to sound like a jerk, but have you checked it out very much? A quick search of lingo port forward hit this:

http://portforward.com/english/routers/port_forwarding/Lingo/Primus-iAN-02ex/Echolink.htm

perhaps that's not your model number or something, but you might find that useful. If you have multiple IPs a DMZ entry isn't horrid, but kinda overkill. I've always loved how Vonage doesn't need any special firewall rules to work.

-----Original Message-----
From: BSD Wiz [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 03, 2008 10:41 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] rule not working correctly

lingo... yeah, i wish i could only forward the specific ports needed but lingo support is terrible and they don't know jack... i tried to figure out what ports are being used but the range is HUGE! so i'm pretty much stuck putting it into my dmz and allowing all traffic from a single IP.

-phil

On Sep 3, 2008, at 10:24 PM, Christopher B. Uthe wrote:
> What kind of VOIP are you working with, can specific ports be used/configured? Better Idea to forward specific ports vs all traffic if you can do it.
>
> Chris
>
> -----Original Message-----
> From: BSD Wiz [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 03, 2008 7:36 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] rule not working correctly
>
> yes, it's causing problems. my phone won't ring when it gets blocked. that's exactly how i figured out it was getting blocked, people were telling me they were calling me but my phone never rang. i then went back and looked in the log files and noticed that the call was getting blocked.
>
> thanks,
> -phil
>
> On Sep 3, 2008, at 7:10 PM, Chris Buechler wrote:
>> On Wed, Sep 3, 2008 at 7:54 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>>> please allow me to pose this question again. i am trying to allow all traffic from a specific source ip into my DMZ(10.0.0.0/24) for my VoIP phone. the problem is that it's not always passing the traffic and some times it's getting blocked.
>>>
>>> i have created a rule on my WAN interface as follows:
>>>
>>> UDP 216.181.136.7 * 10.0.0.0/24 * *
>>>
>>> even with the above rule in place i'm seeing the following entry in my logs. it's important to note that it doesn't always get blocked, perhaps it has something to do with the high ports as mentioned on this list before?
>>>
>>> Sep 3 18:43:43 WAN 216.181.136.7:5065 xx.xx.xx.xx:52042 UDP
>>>
>>> when i click on the blocked log it says: The rule that triggered this action is:
>>>
>>> @118 block drop in log quick all label "Default deny rule"
>>>
>>> any suggestions?
>>
>> Is it causing problems, or are you seeing it and thinking it's a problem? If there are no noticeable issues it's likely just normal out of state traffic which will happen periodically.
Re: [pfSense Support] rule not working correctly
lingo... yeah, i wish i could only forward the specific ports needed but lingo support is terrible and they don't know jack... i tried to figure out what ports are being used but the range is HUGE! so i'm pretty much stuck putting it into my dmz and allowing all traffic from a single IP.

-phil

On Sep 3, 2008, at 10:24 PM, Christopher B. Uthe wrote:
> What kind of VOIP are you working with, can specific ports be used/configured? Better Idea to forward specific ports vs all traffic if you can do it.
>
> Chris
>
> -----Original Message-----
> From: BSD Wiz [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 03, 2008 7:36 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] rule not working correctly
>
> yes, it's causing problems. my phone won't ring when it gets blocked. that's exactly how i figured out it was getting blocked, people were telling me they were calling me but my phone never rang. i then went back and looked in the log files and noticed that the call was getting blocked.
>
> thanks,
> -phil
>
> On Sep 3, 2008, at 7:10 PM, Chris Buechler wrote:
>> On Wed, Sep 3, 2008 at 7:54 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>>> please allow me to pose this question again. i am trying to allow all traffic from a specific source ip into my DMZ(10.0.0.0/24) for my VoIP phone. the problem is that it's not always passing the traffic and some times it's getting blocked.
>>>
>>> i have created a rule on my WAN interface as follows:
>>>
>>> UDP 216.181.136.7 * 10.0.0.0/24 * *
>>>
>>> even with the above rule in place i'm seeing the following entry in my logs. it's important to note that it doesn't always get blocked, perhaps it has something to do with the high ports as mentioned on this list before?
>>>
>>> Sep 3 18:43:43 WAN 216.181.136.7:5065 xx.xx.xx.xx:52042 UDP
>>>
>>> when i click on the blocked log it says: The rule that triggered this action is:
>>>
>>> @118 block drop in log quick all label "Default deny rule"
>>>
>>> any suggestions?
>>
>> Is it causing problems, or are you seeing it and thinking it's a problem? If there are no noticeable issues it's likely just normal out of state traffic which will happen periodically.
RE: [pfSense Support] rule not working correctly
What kind of VOIP are you working with, can specific ports be used/configured? Better Idea to forward specific ports vs all traffic if you can do it.

Chris

-----Original Message-----
From: BSD Wiz [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 03, 2008 7:36 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] rule not working correctly

yes, it's causing problems. my phone won't ring when it gets blocked. that's exactly how i figured out it was getting blocked, people were telling me they were calling me but my phone never rang. i then went back and looked in the log files and noticed that the call was getting blocked.

thanks,
-phil

On Sep 3, 2008, at 7:10 PM, Chris Buechler wrote:
> On Wed, Sep 3, 2008 at 7:54 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>> please allow me to pose this question again. i am trying to allow all traffic from a specific source ip into my DMZ(10.0.0.0/24) for my VoIP phone. the problem is that it's not always passing the traffic and some times it's getting blocked.
>>
>> i have created a rule on my WAN interface as follows:
>>
>> UDP 216.181.136.7 * 10.0.0.0/24 * *
>>
>> even with the above rule in place i'm seeing the following entry in my logs. it's important to note that it doesn't always get blocked, perhaps it has something to do with the high ports as mentioned on this list before?
>>
>> Sep 3 18:43:43 WAN 216.181.136.7:5065 xx.xx.xx.xx:52042 UDP
>>
>> when i click on the blocked log it says: The rule that triggered this action is:
>>
>> @118 block drop in log quick all label "Default deny rule"
>>
>> any suggestions?
>
> Is it causing problems, or are you seeing it and thinking it's a problem? If there are no noticeable issues it's likely just normal out of state traffic which will happen periodically.
Re: [pfSense Support] rule not working correctly
yes, it's causing problems. my phone won't ring when it gets blocked. that's exactly how i figured out it was getting blocked, people were telling me they were calling me but my phone never rang. i then went back and looked in the log files and noticed that the call was getting blocked.

thanks,
-phil

On Sep 3, 2008, at 7:10 PM, Chris Buechler wrote:
> On Wed, Sep 3, 2008 at 7:54 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>> please allow me to pose this question again. i am trying to allow all traffic from a specific source ip into my DMZ(10.0.0.0/24) for my VoIP phone. the problem is that it's not always passing the traffic and some times it's getting blocked.
>>
>> i have created a rule on my WAN interface as follows:
>>
>> UDP 216.181.136.7 * 10.0.0.0/24 * *
>>
>> even with the above rule in place i'm seeing the following entry in my logs. it's important to note that it doesn't always get blocked, perhaps it has something to do with the high ports as mentioned on this list before?
>>
>> Sep 3 18:43:43 WAN 216.181.136.7:5065 xx.xx.xx.xx:52042 UDP
>>
>> when i click on the blocked log it says: The rule that triggered this action is:
>>
>> @118 block drop in log quick all label "Default deny rule"
>>
>> any suggestions?
>
> Is it causing problems, or are you seeing it and thinking it's a problem? If there are no noticeable issues it's likely just normal out of state traffic which will happen periodically.
Re: [pfSense Support] rule not working correctly
On Wed, Sep 3, 2008 at 7:54 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
> please allow me to pose this question again. i am trying to allow all traffic from a specific source ip into my DMZ(10.0.0.0/24) for my VoIP phone. the problem is that it's not always passing the traffic and some times it's getting blocked.
>
> i have created a rule on my WAN interface as follows:
>
> UDP 216.181.136.7 * 10.0.0.0/24 * *
>
> even with the above rule in place i'm seeing the following entry in my logs. it's important to note that it doesn't always get blocked, perhaps it has something to do with the high ports as mentioned on this list before?
>
> Sep 3 18:43:43 WAN 216.181.136.7:5065 xx.xx.xx.xx:52042 UDP
>
> when i click on the blocked log it says: The rule that triggered this action is:
>
> @118 block drop in log quick all label "Default deny rule"
>
> any suggestions?

Is it causing problems, or are you seeing it and thinking it's a problem? If there are no noticeable issues it's likely just normal out of state traffic which will happen periodically.