VoIP under pfSense

Tuesday, July 13th, 2010

I used to have a Linksys WRT54GL at the edge of the network, running the Tomato firmware, and things were nice. Then I decided to switch to pfSense on a PC Engines ALIX 2C10 (see my earlier post), and …

Well, VoIP behaves very differently in this new regime, by which I mean SIP and RTP of course. I’ve spent far too long reading pages of badly-stated problems and non-helpful answers, and trying to get my head around just how badly NAT screws things up. And far too long changing settings trying to get improved behaviour …

Ultimately of course pfSense should behave the same way that Linux/Tomato does — things should just work without having to do any specific setup. But the firewall's state timeout seems to be far more aggressive, and I think that was the real issue that started me down a long road …

I’ve been using a SIP proxy (siproxd), I’ve been NATting RTP & SIP down to a single device, I’ve been using STUN servers … The siproxd seemed to be working perfectly but at the same time there was an upstream problem that prevented me receiving calls on one of my accounts, so that solution got ripped out. The NATting worked fine but was only appropriate for one device at a time, so I started trying to move SIP to a different source port. At one stage I was seeing non-NATted traffic on my firewall’s external interface, which was rumoured to be a specific SIP (UDP port 5060) exclusion in the codebase … but I can’t replicate that any more!

Thanks to a fair bit of handholding from Chris MacGreggor at VentureVoIP, I’ve finished up with a very clean setup — no STUN, no mention of NAT on the phones, anything like that. I have decreased the SIP registration expiry on the phones to 500 seconds (that’s just over 8 minutes), and put in a couple of pfSense firewall rules matching the VoIP providers’ destination networks, with the per-rule state timeout raised to 1800 seconds (30 minutes). The point of the two numbers is that the phones re-register well inside the lifetime of the firewall state, so their own REGISTER traffic keeps the NAT mapping alive and the provider can still reach them with an inbound INVITE. This seems to be working well …
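For the record, this is what those two rules look like written out as plain pf.conf rather than clicked together in the pfSense GUI. This is an added example, not the post's own configuration: the interface names, the provider address ranges in the table, and the RTP port range are placeholders and will differ per provider.

```pf
# Hand-written pf.conf equivalent of the two per-rule state-timeout rules
# described above. Interface names, the <voip_nets> addresses and the RTP
# port range are assumptions for illustration, not values from the post.
#
# Why the rules exist: pf's default UDP state lifetimes (pf.conf(5)) are
# udp.first 60s, udp.single 30s, udp.multiple 60s. A registered but idle
# phone sends nothing for minutes at a time, so its state (and with it the
# NAT mapping the provider sends INVITEs to) silently expires.

ext_if = "vr0"
lan_if = "vr1"

# Provider signalling/media networks. These are documentation prefixes
# (RFC 5737), standing in for the real VoIP provider ranges.
table <voip_nets> { 192.0.2.0/24, 198.51.100.0/24 }

# Ordinary outbound NAT for the LAN.
nat on $ext_if from $lan_if:network to any -> ($ext_if)

# SIP signalling to the providers: 1800 s on every UDP state stage, so the
# 500 s re-registration always lands well before the state would expire.
pass in quick on $lan_if proto udp from $lan_if:network to <voip_nets> port 5060 \
    keep state (udp.first 1800, udp.single 1800, udp.multiple 1800)

# RTP media to the providers (port range assumed; use the one your provider
# documents). Same extended lifetime so a long call does not lose its state.
pass in quick on $lan_if proto udp from $lan_if:network to <voip_nets> port 10000:20000 \
    keep state (udp.first 1800, udp.single 1800, udp.multiple 1800)

# Everything else to the LAN keeps the global defaults.
pass in on $lan_if from $lan_if:network to any keep state
```

To confirm the defaults on a given box run `pfctl -s timeouts`, and to watch the effect run `pfctl -vss` (verbose state listing, which shows each state's age and expiry) and look for the entries on port 5060: with the rules in place their expiry should start from 1800 and get reset every time the phone re-registers, rather than counting down from 60. Note that pfSense also rewrites UDP source ports in outbound NAT unless "Static Port" is set on the outbound NAT rule; the post's setup did not need that, but it is the other usual suspect when a SIP registration succeeds and calls still fail.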

For the record, I’ve got a number of SIP devices here:

  • Snom 300
    • Inode Ltd account at VentureVoIP
    • Home account at VentureVoIP
    • Test account on 2talk
  • Linksys SPA3102 (used as an ATA)
    • Home account at VentureVoIP
  • Grandstream HT486, currently not configured
  • Nokia n900 mobile, currently not working
    • Inode Ltd account at VentureVoIP

So I still have a couple of steps left to take; the n900 thinks everyone is offline when it tries to call them, but then again I’ve never had this working yet so perhaps it’s not my changes that have caused this! And the old HT486 is just plugged backwards into the house phone wiring, but I no longer have any phones connected around the place (just a triplet of DECT phones connected to the Linksys SPA3102) so it’s not much of a priority.

But the basic lesson in migrating from a working Linux-based firewall to a BSD-based one seems to be “check the state table timeouts”!