pfSense would be one of the most Asterisk friendly firewall out there. Why?

1. It supports sipproxy which is good if you have a problem placing Asterisk on a live IP and need to secure it inside a private non internet routable IP (RFC 1918)
2. It support outright configuration for Traffic Shaping with Asterisk
3. Built-in SIP support

One problem or configuration hack you may encounter with a design similar like below where the SIP phones are connected behind pfSense which routes through an internal IP to the router which translates (NAT) to the internet.

Problem was, pfSense tried to NAT the external IP of the pfSense for all outbound connections to the Asterisk and this would eventually be NAT-ted to live IP on the router (RTR) i.e. double NAT.

SIP Phone –> NAT 192.168.3.1 –> NAT 161.142.2.17 –> Astervox/Asterisk

This caused the SIP desk phones to fail SIP registration 

Here’s how to fix: Go to your NAT settings, and turn on manual NAT. In this design, do not perform NAT, routing will do. Unless your pfSense has a live IP, NAT is fine. WARNING: Disabling autoNAT may break other NAT operations that you may have but should work fine if its like the above design, even for browsing etc.

Now, that will cause routing to happen instead of NAT to the router above which will then fix my SIP registration to Asterisk.

This entry was posted by Sanjay Willie on Saturday, August 22nd, 2009 at 7:11 pm and is filed under General. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.