PfSense VoIP Configuration

How to configure pfSense firewall for VoIP

pfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more.


Configure Ports

Configure your SIP and RTP ports. SIP port is the default 5060 and RTP is between 10000 and 65335.

Configure the WAN IP Address

Asterisk Example - Also be sure to specify "externip" or "externhost" in sip.conf. externhost configured to a dyndns.org account that resolves to my WAN ip address.

Configure NAT

Asterisk Example - Make sure you have "nat=yes" and "canreinvite=yes" in sip.conf

Configure your local network

Make sure you have localnet setup to correspond with your local network in sip.conf. You can use the RFC1918 method or CIDR method.

localnet=192.168.1.0/24

Configure your SIP context

In your SIP provider's context in sip.conf, make sure you have "outboundproxy=192.168.1.1", replacing 192.168.1.1 with whatever your pfSense running siproxd ip address is.

[sipconvergence]
type=peer
user=phone
host=sip.sipconvergence.co.uk
outboundproxy=192.168.1.1
fromdomain=sip.sipconvergence.co.uk
fromuser=<censored>
secret=<censored>
username=<censored>
insecure=very
context=ivr
authname=<censored>
canreinvite=yes

Please note that if you don't use a PBX like Aterisk and use a softphone to connect, you will use your pfSense ip address for the proxy instead of sip.sipconvergence.co.uk

Configure pfSense firewall/nat rules

RTP

Add a NAT rule for RTP. This is essential or you will have no audio or one way audio in your calls. Also change the NAT IP to whatever your Asterisk server is and change the description to something that makes sense for you.

Interface: WAN
Protocol: UDP
External port range: From: 10000
External port range: To: 65335
NAT IP: 192.168.1.50
Local Port: 10000
Description: Hosted PBX - RTP
Enable Auto-add a firewall rule to permit traffic through this NAT rule

SIP

Add a NAT rule for SIP. This is essential or you won't be able to receive calls and you may have trouble registering with your SIP provider. Also change the NAT IP to whatever your Asterisk server is and change the description to something that makes sense for you.

Interface: WAN
Protocol: UDP
External port range: From: 5060
External port range: To: 5060
NAT IP: 192.168.1.50
Local Port: 6000
Description: Hosted PBX - SIP
Enable Auto-add a firewall rule to permit traffic through this NAT rule

The SIP Proxy siproxd

Install siproxd

Go to the pfSense web UI and going to System -> Packages. Hit the "+" button to the right of siproxd and let pfSense install the SIP proxy.

Configure siproxd

Go back to the main pfSense web UI page then go to Services -> siproxd. It may be under Services -> SIP Proxy as well. siproxd configured, be sure to change your "Outbound Proxy Hostname" to the hostname or IP (IP in my case) to your sip provider. Options not specified, leave blank or default.

Inbound Interface: LAN
Outbound Interface: WAN
Enable RTP Proxy: Enable
RTP Port Range (lower): 7070
RTP Port Range (upper): 7080
Outbound Proxy Hostname: xx.xx.xx.xx

Summary

Basically when you make a call your asterisk box will talk to the SIP proxy, the SIP proxy will then talk to your VoIP provider. When you receive a call your VoIP provider will talk directly with your asterisk box (this is important for setting "externip" or "externhost" in sip.conf).

QoS (Traffic Shaping) Traffic shaping can be enabled to allow n simultaneous 64kbps calls to happen and guarantee bandwidth. Please refer to http://doc.pfsense.org/index.php/Traffic_Shaping_Guide for traffic shaping help.

Videos

Call Encryption - TLS/SRTP walkthrough
Embedded thumbnail for Call Encryption - TLS/SRTP walkthrough
Hosted Directory LDAP - Lightweight Directory Access Protocol
Embedded thumbnail for Hosted Directory LDAP - Lightweight Directory Access Protocol
Cloud PBX Explainer
Embedded thumbnail for Cloud PBX Explainer
Zoiper Softphone Configuration
Embedded thumbnail for Zoiper Softphone Configuration
Call Conferencing
Embedded thumbnail for Call Conferencing
Receptionist Console
Embedded thumbnail for Receptionist Console

Search Help Portal

Get in touch

VoiceHost Limited
Norfolk Tower
Surrey Street
Norwich
NR1 3PA

UK Freephone 0800 2 545454

International +44 1603904090

support [at] voicehost.co.uk

Connect With Us

Download the iOS App from the Apple App Store

Get the Android app from the Google Play store