Known Issues:

  1. VoIP configuration changes need to be made to prevent other VoIP-related issues.
  2. Response to WAN pings from our Call Quality Monitoring and Troubleshooting Servers needs to be allowed.

Resolution:

  1. Log in to the firewall
  2. Click on Diagnostics > Edit File
    • Navigate to /etc/rc.php_ini_setup
    • Add the following entry: max_input_vars = 5000
      • If this entry is already present, then edit the value to that above.
  3. Click on Firewall > Alias > IP tab
    • Address Alias set 1.
    • Name: RTP_Blocks
    • Description: (optional)
    • Type: Networks
      • Please contact Intermedia to obtain the IPs that need to be whitelisted.
    • Address Alias set 2.
    • Name: Config_and_DNS_Servers
    • Description: (optional)
    • Type: Hosts
      • Please contact Intermedia to obtain the IPs that need to be whitelisted.
  4. Click on Firewall > Alias > Port tab
    • Port Alias Set 1.
    • Name: Communication_Ports
    • Description: (optional)
    • Type: Ports
      • Please contact Intermedia to obtain the ports that need to be whitelisted.
  5. Click on Firewall > Alias > All tab
    • Now we need to create an Alias Group for the IP aliases; this does not apply to the port alias, as those ports are already contained in a single alias.
    • With pfSense 2.0, we are allowed to use alias names within an alias to create a “Super Alias”, for lack of a better term.
    • Name: VoIP Addresses
    • Type: Leave this defaulted to hosts.
      • RTP Blocks
      • Configuration and DNS Servers
  6. Click on Firewall > WAN tab > click on the + icon to create 4 new WAN rules
    • Rule 1.
      • Action: Pass
      • Disabled: Leave this box unchecked
      • Interface: WAN
      • TCP/IP Version: IPv4
      • Protocol: ICMP
      • ICMP Type: any
      • Source > select the Type drop-down box > Single host or alias >
        1. Enter: <Add Network Information Provided by Intermedia>
      • Destination > select the Type drop-down box > select WAN address
      • Log: Leave this box unchecked
      • Description: Allow WAN pings from VoIP monitoring server
      • Click Save
      • On the next page, click Apply changes to allow the new rule to take effect.
    • Rule 2.
      • Action: Pass
      • Disabled: Leave this box unchecked
      • Interface: WAN
      • TCP/IP Version: IPv4
      • Protocol: ICMP
      • ICMP Type: any
      • Source > select the Type drop-down box > Single host or alias >
        1. Enter: <Add Network Information Provided by Intermedia>
      • Destination > select the Type drop-down box > select WAN address
      • Log: Leave this box unchecked
      • Description: Allow WAN pings from VoIP monitoring server
      • Click Save
      • On the next page, click Apply changes to allow the new rule to take effect.
    • Rule 3.
      • Action: Pass
      • Disabled: Leave this box unchecked
      • Interface: WAN
      • TCP/IP Version: IPv4
      • Protocol: UDP
      • Source > select the Type drop-down box > Single host or alias > Enter: VoIP Addresses
      • Source Port Range:
        1. From: Communication_Ports
        2. To: Communication_Ports
      • Destination
        1. Type: LAN net
      • Destination Port Range
        1. From: Communication_Ports
        2. To: Communication_Ports
      • Log: Leave this box unchecked
      • Description: Inbound communication from VoIP Servers
      • Advanced Features:
        1. Diffserv Code Point: set to EF
      • Click Save
      • On the next page, click Apply changes to allow the new rule to take effect.
    • Rule 4.
      • Action: Pass
      • Disabled: Leave this box unchecked
      • Interface: WAN
      • TCP/IP Version: IPv4
      • Protocol: UDP
      • Source > select the Type drop-down box > LAN net
      • Source Port Range:
        1. From: Communication_Ports
        2. To: Communication_Ports
      • Destination > select the Type drop-down box > Single host or alias > Enter: VoIP Addresses
      • Destination Port Range
        1. From: Communication_Ports
        2. To: Communication_Ports
      • Log: Leave this box unchecked
      • Description: Outbound communication to VoIP Servers
      • Advanced Features:
        1. Diffserv Code Point: set to EF
      • Click Save
      • On the next page, click Apply changes to allow the new rule to take effect.
  7. Set Conservative state table optimization and UDP timeout = 300:
    • Navigate to System > Advanced > Firewall & Nat
    • Set "Firewall Optimization Options" to Conservative
    • Under the "State Timeouts" section set UDP First, UDP Single, and UDP Multiple to 300.

Additional note of interest regarding the Intermedia Unite desktop (and possibly mobile) application as it pertains to its RTP streams: there is a setting that, if enabled, may cause RTP stream authentication issues.

System > Advanced > Firewall & Nat
Disable Firewall Scrub: Un-check
Description: Disables the PF scrubbing option which can sometimes interfere with NFS traffic.

Explanation: After extensive testing and troubleshooting, a packet capture showed that when the above option is enabled it causes UDP packet fragmentation for some phones (deskphone and softphone). This is especially an issue when TLS is used, as it forces a re-transmission during authentication, so the RTP stream never authenticates.
The resulting behavior: the call connects, but no RTP is sent or received.
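
The procedure above is entirely click-driven, so after it is done there is nothing on the page that confirms the firewall ended up in the intended state. The script below is an added example (not part of the original article and not pfSense code) that audits a pfSense config.xml backup for the pieces the procedure and the scrub note describe: it resolves the nested "Super Alias" (VoIP_Addresses → RTP_Blocks + Config_and_DNS_Servers) into the concrete networks it admits, checks that the WAN rules have the expected shape (ICMP only to the WAN address and only from a named source, UDP only from the VoIP alias to LAN net on Communication_Ports), and checks the conservative optimization, the three UDP timeouts of 300, and that "Disable Firewall Scrub" is not set. The element names (aliases/alias, filter/rule, system/optimization, system/udp*timeout, system/disablescrub) follow the config.xml layout as the author of this example understands it; treat them as assumptions and compare with a backup from your own firewall. SAMPLE_CONFIG is constructed, uses documentation address ranges rather than the values Intermedia provides, and contains only the two inbound rules, so it illustrates the checks rather than the full four-rule set.

```python
"""Audit a pfSense config.xml backup for the VoIP settings described in the article.

Added example, not part of the article and not pfSense code. Element names are
assumptions about config.xml layout; SAMPLE_CONFIG is constructed sample data.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed excerpt of a config.xml backup; addresses are documentation ranges.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <optimization>conservative</optimization>
    <udpfirsttimeout>300</udpfirsttimeout>
    <udpsingletimeout>300</udpsingletimeout>
    <udpmultipletimeout>300</udpmultipletimeout>
  </system>
  <aliases>
    <alias><name>RTP_Blocks</name><type>network</type>
      <address>198.51.100.0/24 203.0.113.0/24</address></alias>
    <alias><name>Config_and_DNS_Servers</name><type>host</type>
      <address>192.0.2.10 192.0.2.11</address></alias>
    <alias><name>VoIP_Addresses</name><type>host</type>
      <address>RTP_Blocks Config_and_DNS_Servers</address></alias>
    <alias><name>Communication_Ports</name><type>port</type>
      <address>5060 10000:20000</address></alias>
  </aliases>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>icmp</protocol>
      <source><address>192.0.2.50</address></source>
      <destination><network>wan</network></destination>
      <descr>Allow WAN pings from VoIP monitoring server</descr></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
      <source><address>VoIP_Addresses</address><port>Communication_Ports</port></source>
      <destination><network>lan</network><port>Communication_Ports</port></destination>
      <descr>Inbound communication from VoIP Servers</descr></rule>
  </filter>
</pfsense>"""


def load_aliases(config_xml):
    """Map alias name -> (type, list of entries) for every alias in the config."""
    root = ET.fromstring(config_xml)
    return {a.findtext("name"): (a.findtext("type"), a.findtext("address", "").split())
            for a in root.findall("./aliases/alias")}


def resolve_alias(name, aliases, path=frozenset()):
    """Flatten a nested address alias (the article's 'Super Alias') into the set of
    networks it covers. Nested alias names are followed recursively; a cycle raises
    instead of looping forever."""
    if name in path:
        raise ValueError(f"alias cycle through {name}")
    nets = set()
    for entry in aliases[name][1]:
        if entry in aliases:
            nets |= resolve_alias(entry, aliases, path | {name})
        else:
            nets.add(ipaddress.ip_network(entry, strict=False))
    return nets


def covers(aliases, alias_name, ip):
    """True if the resolved address alias contains the given IP."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in resolve_alias(alias_name, aliases))


def audit_wan_rules(root):
    """Findings for the step-6 rule shapes: ICMP from a named source to the WAN
    address, and UDP from VoIP_Addresses to LAN net on Communication_Ports."""
    findings = []
    rules = [r for r in root.findall("./filter/rule")
             if r.findtext("interface") == "wan" and r.findtext("type") == "pass"]
    icmp = [r for r in rules if r.findtext("protocol") == "icmp"]
    if not any(r.findtext("destination/network") == "wan" for r in icmp):
        findings.append("no pass rule for ICMP to the WAN address")
    for r in icmp:  # monitoring pings should be allowed from a named host/alias only
        if r.find("source/any") is not None:
            findings.append(f"ICMP rule '{r.findtext('descr')}' accepts any source")
    udp = [r for r in rules if r.findtext("protocol") == "udp"]
    if not any(r.findtext("source/address") == "VoIP_Addresses"
               and r.findtext("destination/network") == "lan"
               and r.findtext("destination/port") == "Communication_Ports" for r in udp):
        findings.append("no UDP rule from VoIP_Addresses to LAN net on Communication_Ports")
    return findings


def audit_state_settings(root):
    """Findings for step 7 (conservative optimization, UDP timeouts = 300) and the
    scrub note ('Disable Firewall Scrub' must stay unchecked)."""
    findings = []
    system = root.find("system")
    if system.findtext("optimization") != "conservative":
        findings.append("firewall optimization is not 'conservative'")
    for key in ("udpfirsttimeout", "udpsingletimeout", "udpmultipletimeout"):
        if system.findtext(key) != "300":
            findings.append(f"{key} is not 300")
    if system.find("disablescrub") is not None:
        findings.append("'Disable Firewall Scrub' is checked; the article ties it to RTP fragmentation")
    return findings


def audit(config_xml):
    """Run every check; an empty list means all expected settings are present."""
    root = ET.fromstring(config_xml)
    return audit_wan_rules(root) + audit_state_settings(root)
```

Run it as `python audit.py` after adding a `print(audit(open("config.xml").read()))` line, or import it and call `audit()` on the backup exported from Diagnostics > Backup & Restore. The alias resolver is the part worth keeping even if your config layout differs: it shows exactly which networks the WAN rules admit once the nested alias is expanded, which is the question to ask before trusting a rule that references an alias by name.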

Additional Resources: