Known Issues:

  1. VoIP configuration changes need to be made to prevent other VoIP-related issues.
  2. Response to WAN pings from our Call Quality Monitoring and Troubleshooting Servers needs to be allowed.

Resolution:

  1. Log in to the firewall
  2. Click on Diagnostics > Edit File
    • Navigate to /etc/rc.php_ini_setup
    • Add the following entry: max_input_vars = 5000
      • If this entry is already present, then edit the value to that above.
  3. Click on Firewall > Alias > IP tab
    • Address Alias set 1.
    • Name: RTP_Blocks
    • Description: (optional)
    • Type: Networks
      • Please contact Intermedia to obtain the IPs that need to be whitelisted.
    • Address Alias set 2.
    • Name: Config_and_DNS_Servers
    • Description: (optional)
    • Type: Hosts
      • Please contact Intermedia to obtain the IPs that need to be whitelisted.
  4. Click on Firewall > Alias > Port tab
    • Port Alias Set 1.
    • Name: Communication_Ports
    • Description: (optional)
    • Type: Ports
      • Please contact Intermedia to obtain the ports that need to be whitelisted.
  5. Click on Firewall > Alias > All tab
    • Now we need to create an alias group for the IP aliases. This does not apply to the ports alias, as those were already contained in a single alias group.
    • With pfSense 2.0, we are allowed to use alias names within an alias to create a “Super Alias”, for lack of a better term.
    • Name: VoIP Addresses
    • Type: Leave this defaulted to hosts.
      • RTP Blocks
      • Configuration and DNS Servers
  6. Click on Firewall > WAN tab > click on the + icon to create 4 new WAN rules
    • Rule 1.
      • Action: Pass
      • Disabled: Leave this box unchecked
      • Interface: WAN
      • TCP/IP Version: IPv4
      • Protocol: ICMP
      • ICMP Type: any
      • Source > select the Type drop-down box > Single host or alias >
        1. Enter: – <Add Network Information Provided by Intermedia>
      • Destination > select the Type drop-down box > select WAN address
      • Log: Leave this box unchecked
      • Description: Allow WAN pings from VoIP monitoring server
      • Click Save
      • On the next page, click Apply changes to allow the new rule to take effect.
    • Rule 2.
      • Action: Pass
      • Disabled: Leave this box unchecked
      • Interface: WAN
      • TCP/IP Version: IPv4
      • Protocol: ICMP
      • ICMP Type: any
      • Source > select the Type drop-down box > Single host or alias >
        1. Enter: – <Add Network Information Provided by Intermedia>
      • Destination > select the Type drop-down box > select WAN address
      • Log: Leave this box unchecked
      • Description: Allow WAN pings from VoIP monitoring server
      • Click Save
      • On the next page, click Apply changes to allow the new rule to take effect.
    • Rule 3.
      • Action: Pass
      • Disabled: Leave this box unchecked
      • Interface: WAN
      • TCP/IP Version: IPv4
      • Protocol: UDP
      • Source > select the Type drop-down box > Single host or alias > Enter: VoIP Addresses
      • Source Port Range:
        1. From: Communication_Ports
        2. To: Communication_Ports
      • Destination
        1. Type: LAN net
      • Destination Port Range
        1. From: Communication_Ports
        2. To: Communication_Ports
      • Log: Leave this box unchecked
      • Description: Inbound communication from VoIP Servers
      • Advanced Features:
        1. Diffserv Code Point: set to ‘EF’.
      • Click Save
      • On the next page, click Apply changes to allow the new rule to take effect.
    • Rule 4.
      • Action: Pass
      • Disabled: Leave this box unchecked
      • Interface: WAN
      • TCP/IP Version: IPv4
      • Protocol: UDP
      • Source > select the Type drop-down box > LAN net
      • Source Port Range:
        1. From: Communication_Ports
        2. To: Communication_Ports
      • Destination > select the Type drop-down box > Single host or alias > Enter: VoIP Addresses
      • Destination Port Range
        1. From: Communication_Ports
        2. To: Communication_Ports
      • Log: Leave this box unchecked
      • Description: Outbound communication to VoIP Servers
      • Advanced Features:
        1. Diffserv Code Point: set to ‘EF’.
      • Click Save
      • On the next page, click Apply changes to allow the new rule to take effect.
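
Once the aliases and the four WAN rules are saved, a configuration backup can be checked to confirm that every WAN pass rule is restricted to the provider's aliases rather than left open to any source. The script below is an added example, not Intermedia's or pfSense's own tooling. It assumes the config.xml backup layout (aliases/alias and filter/rule elements), and the sample document, addresses and ports in it are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a pfSense config.xml backup; the
# addresses and ports are placeholders, not Intermedia's real values.
SAMPLE = """<pfsense>
  <aliases>
    <alias><name>RTP_Blocks</name><type>network</type><address>198.51.100.0/24</address></alias>
    <alias><name>Communication_Ports</name><type>port</type><address>5060 10000:20000</address></alias>
  </aliases>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
      <source><address>RTP_Blocks</address><port>Communication_Ports</port></source>
      <destination><network>lan</network><port>Communication_Ports</port></destination>
      <descr>Inbound communication from VoIP Servers</descr></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>icmp</protocol>
      <source><any/></source><destination><network>wanip</network></destination>
      <descr>Allow WAN pings from VoIP monitoring server</descr></rule>
  </filter>
</pfsense>"""

def audit_wan_rules(config_xml):
    """Return (description, problem) pairs for WAN pass rules that are too broad."""
    root = ET.fromstring(config_xml)
    aliases = {a.findtext("name"): (a.findtext("address") or "").split()
               for a in root.findall("./aliases/alias")}
    findings = []
    for rule in root.findall("./filter/rule"):
        if rule.findtext("type") != "pass" or rule.findtext("interface") != "wan":
            continue
        descr = rule.findtext("descr") or "(no description)"
        src = rule.find("source")
        if src is None or src.find("any") is not None:
            findings.append((descr, "source is any"))
            continue
        addr = src.findtext("address") or src.findtext("network") or ""
        if addr in aliases and not aliases[addr]:
            findings.append((descr, f"source alias {addr} is empty"))
        # A port alias name that is not defined will not match the intended ports.
        for side in ("source", "destination"):
            port = rule.findtext(f"{side}/port")
            if port and not port[0].isdigit() and port not in aliases:
                findings.append((descr, f"{side} port alias {port} is undefined"))
    return findings

if __name__ == "__main__":
    for descr, problem in audit_wan_rules(SAMPLE):
        print(f"{descr}: {problem}")
```

In the constructed sample, the ICMP rule is reported because its source was left as any instead of the monitoring server addresses.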

An additional note regarding the Intermedia Unite Desktop application, and possibly the mobile application, as it pertains to their RTP streams: there is a setting that, if enabled, may cause RTP stream authentication issues.

System > Advanced > Firewall & NAT
Disable Firewall Scrub: Un-check
Description: Disables the PF scrubbing option which can sometimes interfere with NFS traffic.

Explanation: After extensive testing and troubleshooting, a packet capture showed that when the above option is enabled, it causes UDP packet fragmentation for some phones (deskphone and softphone). This is especially an issue when TLS is used, as it forces a retransmission during authentication, leaving the RTP stream unauthenticated.
The resulting behavior: the call will connect, but no RTP will be sent or received.

The following items are deprecated and no longer necessary, and should not be installed or implemented.
Regarding Siproxd, this package is not for HPBX platforms.

  1. You, your IT, or whoever set up the pfSense firewall will need to follow the steps below.  Your VoIP provider cannot make these changes for you.
    1. Follow the 4 VoIP configuration steps found at the site below:
    2. Next, install the SIProxd package as explained at the site below:

Additional Resources: