pfSense Linux Firewalls
Known Issues:
- VoIP configuration changes need to be made to prevent other VoIP-related issues.
- Response to WAN pings from our Call Quality Monitoring and Troubleshooting Servers needs to be allowed.
Resolution:
- Log in to the firewall
- Click on Diagnostics > Edit File
- Navigate to /etc/rc.php_ini_setup
- Add the following entry: max_input_vars = 5000
- If this entry is already present, change its value to the one above.
- Click on Firewall > Alias > IP tab
- Address Alias set 1.
- Click on the button for adding a new alias to begin adding entries.
- Note: The “Name” field for aliases has a 32-character limit, and spaces are not allowed.
- Name: RTP_Blocks
- Description: (optional)
- Type: Networks
- Please contact Intermedia to obtain the IPs that need to be whitelisted.
- Address Alias set 2.
- Name: Config_and_DNS_Servers
- Description: (optional)
- Type: Hosts
- Please contact Intermedia to obtain the IPs that need to be whitelisted.
- Click on Firewall > Alias > Port tab
- Port Alias Set 1.
- Name: Communication_Ports
- Description: (optional)
- Type: Ports
- Please contact Intermedia to obtain the ports that need to be whitelisted.
- Click on Firewall > Alias > All tab
- Now we need to create an Alias Group for the IP aliases. This does not apply to the ports alias, as those were contained in a single alias group already.
- With pfSense 2.0, we are allowed to use alias names within an alias to create a “Super Alias”, for lack of a better term.
- Name: VoIP Addresses
- Type: Leave this defaulted to hosts.
- RTP Blocks
- Configuration and DNS Servers
- Click on Firewall > WAN tab > click on the + icon to create 4 new WAN rules
- Rule 1.
- Action: Pass
- Disabled: Leave this box unchecked
- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: ICMP
- ICMP Type: any
- Source > select the Type drop-down box > Single host or alias >
- Enter: – <Add Network Information Provided by Intermedia>
- Destination > select the Type drop-down box > select WAN address
- Log: Leave this box unchecked
- Description: Allow WAN pings from VoIP monitoring server
- Click Save
- On the next page, click Apply changes to allow the new rule to take effect.
- Rule 2.
- Action: Pass
- Disabled: Leave this box unchecked
- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: ICMP
- ICMP Type: any
- Source > select the Type drop-down box > Single host or alias >
- Enter: – <Add Network Information Provided by Intermedia>
- Destination > select the Type drop-down box > select WAN address
- Log: Leave this box unchecked
- Description: Allow WAN pings from VoIP monitoring server
- Click Save
- On the next page, click Apply changes to allow the new rule to take effect.
- Rule 3.
- Action: Pass
- Disabled: Leave this box unchecked
- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: UDP
- Source > select the Type drop-down box > Single host or alias > Enter: VoIP Addresses
- Source Port Range:
- From: Communication_Ports
- To: Communication_Ports
- Destination
- Type: LAN net
- Destination Port Range
- From: Communication_Ports
- To: Communication_Ports
- Log: Leave this box unchecked
- Description: Inbound communication from VoIP Servers
- Advanced Features:
- Diffserv Code Point: set to ‘af43’.
- Click Save
- On the next page, click Apply changes to allow the new rule to take effect.
- Rule 4.
- Action: Pass
- Disabled: Leave this box unchecked
- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: UDP
- Source > select the Type drop-down box > LAN net
- Source Port Range:
- From: Communication_Ports
- To: Communication_Ports
- Destination > select the Type drop-down box > Single host or alias > Enter: VoIP Addresses
- From: Communication_Ports
- To: Communication_Ports
- Log: Leave this box unchecked
- Description: Outbound communication to VoIP Servers
- Advanced Features:
- Diffserv Code Point: set to ‘af43’.
- Click Save
- On the next page, click Apply changes to allow the new rule to take effect.
- You, your IT team, or whoever set up the pfSense firewall will need to follow the steps below. Your VoIP provider cannot make these changes for you.
- Follow the 4 VoIP configuration steps found at the site below:
- Next, install the siproxd package as explained at the site below:
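One way to check the result of the alias and WAN rule steps above, as an added example that is not part of the original article: the Python script below reads a configuration backup and reports alias names that break the 32-character/no-spaces rule, alias groups that nest an alias that does not exist, and WAN pass rules whose source is unrestricted or unresolved. The `config.xml` element layout is an assumption, and the sample data (documentation addresses, placeholder ports, the `Config_DNS` typo) is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the assumed config.xml layout; addresses and ports are placeholders.
SAMPLE = """<pfsense>
 <aliases>
  <alias><name>RTP_Blocks</name><type>network</type><address>192.0.2.0/24</address></alias>
  <alias><name>Config_and_DNS_Servers</name><type>host</type><address>198.51.100.10</address></alias>
  <alias><name>Communication_Ports</name><type>port</type><address>5060 10000:20000</address></alias>
  <alias><name>VoIP Addresses</name><type>host</type><address>RTP_Blocks Config_DNS</address></alias>
 </aliases>
 <filter>
  <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
   <source><address>VoIP_Addresses</address></source>
   <destination><network>lan</network></destination></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>icmp</protocol>
   <source><any/></source><destination><network>wanip</network></destination></rule>
 </filter>
</pfsense>"""

NAME_RULE = re.compile(r"^\S{1,32}$")   # the article's rule: max 32 characters, no spaces
LITERAL = re.compile(r"^\d+$|[.:/]")    # port, port range, IP, CIDR or FQDN (not an alias)

def audit(xml_text):
    """Return a list of findings for the aliases and WAN pass rules."""
    root = ET.fromstring(xml_text)
    aliases = {a.findtext("name"): (a.findtext("address") or "").split()
               for a in root.iterfind("aliases/alias")}
    findings = []
    for name, members in aliases.items():
        if not NAME_RULE.match(name):
            findings.append(f"alias name not allowed: {name!r}")
        for m in members:  # a non-literal member must be another defined alias
            if not LITERAL.search(m) and m not in aliases:
                findings.append(f"alias {name!r} nests unknown alias {m!r}")
    for i, rule in enumerate(root.iterfind("filter/rule"), 1):
        if rule.findtext("type") != "pass" or rule.findtext("interface") != "wan":
            continue
        src = rule.find("source")
        if src is None or src.find("any") is not None:
            findings.append(f"WAN pass rule {i}: source is any")
            continue
        addr = src.findtext("address")
        if addr and not LITERAL.search(addr) and addr not in aliases:
            findings.append(f"WAN pass rule {i}: unknown source alias {addr!r}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty result means every alias name is valid, every nested alias resolves, and no WAN pass rule accepts traffic from an unrestricted or undefined source.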
Additional Resources:
- Recommended Routers.
- Recommended Switches.
- Recommended LAN Configurations.
- Network Ports and Protocols for HPBX phones.