How to configure pfSense firewall for VoIP
pfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more.
Configure Ports
Configure your SIP and RTP ports. SIP port is the default 5060 and RTP is between 10000 and 65335.
Configure the WAN IP Address
Asterisk Example - Also be sure to specify "externip" or "externhost" in sip.conf. externhost configured to a dyndns.org account that resolves to my WAN ip address.
Configure NAT
Asterisk Example - Make sure you have "nat=yes" and "canreinvite=yes" in sip.conf
Configure your local network
Make sure you have localnet setup to correspond with your local network in sip.conf. You can use the RFC1918 method or CIDR method.
localnet=192.168.1.0/24
Configure your SIP context
In your SIP provider's context in sip.conf, make sure you have "outboundproxy=192.168.1.1", replacing 192.168.1.1 with whatever your pfSense running siproxd ip address is.
[sipconvergence] type=peer user=phone host=SEE VOICEHOST CONTROL PANEL FOR DETAILS outboundproxy=192.168.1.1 fromdomain=SEE VOICEHOST CONTROL PANEL FOR DETAILS fromuser=<censored> secret=<censored> username=<censored> insecure=very context=ivr authname=<censored> canreinvite=yes
Please note that if you don't use a PBX like Aterisk and use a softphone to connect, you will use your pfSense ip address for the proxy instead of sip.sipconvergence.co.uk
Configure pfSense firewall/nat rules
RTP
Add a NAT rule for RTP. This is essential or you will have no audio or one way audio in your calls. Also change the NAT IP to whatever your Asterisk server is and change the description to something that makes sense for you.
Interface: WAN Protocol: UDP External port range: From: 10000 External port range: To: 65335 NAT IP: 192.168.1.50 Local Port: 10000 Description: Hosted PBX - RTP Enable Auto-add a firewall rule to permit traffic through this NAT rule
SIP
Add a NAT rule for SIP. This is essential or you won't be able to receive calls and you may have trouble registering with your SIP provider. Also change the NAT IP to whatever your Asterisk server is and change the description to something that makes sense for you.
Interface: WAN Protocol: UDP External port range: From: 5060 External port range: To: 5060 NAT IP: 192.168.1.50 Local Port: 6000 Description: Hosted PBX - SIP Enable Auto-add a firewall rule to permit traffic through this NAT rule
The SIP Proxy siproxd
Install siproxd
Go to the pfSense web UI and going to System -> Packages. Hit the "+" button to the right of siproxd and let pfSense install the SIP proxy.
Configure siproxd
Go back to the main pfSense web UI page then go to Services -> siproxd. It may be under Services -> SIP Proxy as well. siproxd configured, be sure to change your "Outbound Proxy Hostname" to the hostname or IP (IP in my case) to your sip provider. Options not specified, leave blank or default.
Inbound Interface: LAN Outbound Interface: WAN Enable RTP Proxy: Enable RTP Port Range (lower): 7070 RTP Port Range (upper): 7080 Outbound Proxy Hostname: xx.xx.xx.xx
Summary
Basically when you make a call your asterisk box will talk to the SIP proxy, the SIP proxy will then talk to your VoIP provider. When you receive a call your VoIP provider will talk directly with your asterisk box (this is important for setting "externip" or "externhost" in sip.conf).
QoS (Traffic Shaping) Traffic shaping can be enabled to allow n simultaneous 64kbps calls to happen and guarantee bandwidth. Please refer to http://doc.pfsense.org/index.php/Traffic_Shaping_Guide for traffic shaping help.
