pfSense Linux Firewalls

Known Issues:

1. VoIP configuration changes need to be made to prevent other VoIP-related issues.
2. Response to WAN pings from our Call Quality Monitoring and Troubleshooting Servers, 64.28.122.110 and 64.28.121.110 needs to be allowed.

Resolution:

1. Login to the firewall
2. Click on Diagnostics > Edit File
• Navigate to /etc/rc.php_ini_setup
• Add the following entry: max_input_vars = 5000
• If this entry is already present, then edit the value to that above.
3. Click on Firewall > Alias > IP tab
   HPBX 2.0:
• Address Alias set 1.
• Click on the button that looks like this:  to begin adding entries.
• Note: The “Name” field for aliases does have a 32 character limit and “spaces” are not allowed.
• Name: RTP_Blocks
• Description: (optional)
• Type: Networks
• 64.28.124.0/32 – RTP Server Block1
1. Use 62.28.114.0/32 for accounts prior to 5/6/15
• 64.28.123.0/32 – RTP Server Block2
1. Use 62.28.115.0/32 for accounts prior to 5/6/15
• Address Alias set 2.
• Name: Config_and_DNS_Servers
• Description: (optional)
• Type: Hosts
• 64.28.115.146 – Cloud Voice Config Server 1
• 64.28.112.148 – Cloud Voice Config Server 2
• 64.28.112.157 – Cloud Voice DNS Time Server 1
• 64.28.115.137 – Cloud Voice DNS Time Server 2
• 64.28.126.9 – Cloud Voice DNS Time Server 3
• 64.28.126.29 – Cloud Voice SVDNS Server
• 64.28.115.150 – Cloud Voice PTS Server
• 64.28.122.110 – Cloud Voice Ping Test Server 1
• 64.28.121.110 – Cloud Voice Ping Test Server 2
• 64.28.122.102 – Cloud Voice VoIP Test Server
• 64.28.119.10 – Cloud Voice SIP Register Server
1. Use 64.28.113.10 for accounts prior to 5/6/15

 HPBX 1.0:

• 206.225.167.64/18 – Cloud Voice RTP Server Block 1
• 62.28.124.0– Cloud Voice RTP Server Block 2
1. 199.193.202.64/19 - for accounts prior to 5/6/15
• 206.225.166.128/18 – Cloud Voice SIP Register Server
• Click on “Save” when finished adding the necessary addresses.
1. Click on Firewall > Alias > Port tab
• HPBX 2.0
• Port Alias Set 1.
• Name: Communication_Ports
• Description: (optional)
• Type: Ports
• 6578 – 6677 > Cloud Voice VoIP Test SIP Range
• 6060 – 6061 > Cloud Voice SIP Destination Ports
• 6100 – 6899 > Cloud Voice SIP Local Ports
• 30000 – 50000 > Cloud Voice RTP Audio Range
• HPBX 1.0
• 5060 -5061 > Cloud Voice SIP Destination Ports
• 35000 – 65000 > Cloud Voice RTP Audio Range
2. Click on Firewall > Alias > All tab
• Now we need to create an Alias Group for IP Alias’, this does not apply to the ports alias, as those were contained in a single alias group already.
• With PFsense 2.0, were are allowed to use Alias names within an Alias to create a “Super Alias”, for lack of a better term.
• Name: VoIP Addresses
• Type: Leave this defaulted to hosts.
• RTP Blocks
• Configuration and DNS Servers
3. Click on Firewall > WAN tab > click on the + icon to create 4 new WAN rules
• Rule 1.
• Action: Pass
• Disabled: Leave this box unchecked
• Interface: WAN
• TCP/IP Version: IPv4
• Protocol: ICMP
• ICMP Type: any
• Source > select the Type drop-down box > Single host or alias >
1. Enter:  – 64.28.122.110
• Destination > select the Type drop-down box > select WAN address
• Log: Leave this box unchecked
• Description: Allow WAN pings from VoIP monitoring server
• Click Save
• On the next page, click Apply changes to allow the new rule to take effect.
• Rule 2.
  • Action: Pass
  • Disabled: Leave this box unchecked
  • Interface: WAN
  • TCP/IP Version: IPv4
  • Protocol: ICMP
  • ICMP Type: any
  • Source > select the Type drop-down box > Single host or alias >
    1. Enter: – 64.28.121.110
  • Destination > select the Type drop-down box > select WAN address
  • Log: Leave this box unchecked
  • Description: Allow WAN pings from VoIP monitoring server
  • Click Save
  • On the next page, click Apply changes to allow the new rule to take effect.
• Rule 3.
• Action: Pass
• Disabled: Leave this box unchecked
• Interface: WAN
• TCP/IP Version: IPv4
• Protocol: UDP
• Source > select the Type drop-down box > Single host or alias > Enter: VoIP Addresses
• Source Port Range:
1. From: Communication_Ports
2. To: Communication_Ports
• Destination
1. Type: LAN net
• Destination Port Range
1. From: Communication_Ports
2. To: Communication_Ports
• Log: Leave this box unchecked
• Description: Inbound communication from VoIP Servers
• Advanced Features:
1. Diffserv Code Point: set to ‘af43.
• Click Save
• On the next page, click Apply changes to allow the new rule to take effect.
• Rule 4.
• Action: Pass
• Disabled: Leave this box unchecked
• Interface: WAN
• TCP/IP Version: IPv4
• Protocol: UDP
• Source > select the Type drop-down box > LAN net
• Source Port Range:
1. From: Communication_Ports
2. To: Communication_Ports
• Destination > select the Type drop-down box > Single host or alias > Enter: VoIP Addresses
1. From: Communication_Ports
2. To: Communication_Ports
• Log: Leave this box unchecked
• Description: Outbound communication to VoIP Servers
• Advanced Features:
1. Diffserv Code Point: set to ‘af43.
• Click Save
• On the next page, click Apply changes to allow the new rule to take effect.
4. You, your IT, or whoever setup the pfSense firewall will need to follow the steps below.  Your VoIP provider cannot make these changes for you.

1. Follow the 4 VoIP configuration found at the site below:
• https://doc.pfsense.org/index.php/VoIP_Configuration
2. Next install the SIProxd package as explained at the site below:
• https://doc.pfsense.org/index.php/Siproxd_package

Additional Resources:

1. Recommended Routers.
2. Recommended Switches.
3. Recommended LAN Configurations.
4. Network Ports and Protocols for HPBX phones.