
I have problems with a pfSense box routing IAX traffic (UDP port 4569). Our company has a central office and eight branch offices. At the branch offices we use pfSense as firewall and VPN endpoint (OpenVPN). At seven offices this works fine, but at one I have an issue.

Branch:

  • Telephone network 192.168.74.0/24
  • Asterisk-server 192.168.74.4

Central office:

  • Telephone network 192.168.24.0/24
  • Asterisk-server 192.168.24.4

My pfSense at the branch office:

  • em1 192.168.74.1
  • ovpnc1 192.168.251.70
  • em4 93.83.xxx.yyy Internet

The network looks like this:

```text
Asterisk-server branch
192.168.74.4
     |
     |
192.168.74.1
pfsense branch  - - - Internet

192.168.251.70 ovpnc1
         |
         |
192.168.251.71
router at central
192.168.24.1
     |
     |
192.168.24.4
Asterisk-server central
```

I need an IAX connection between the two Asterisk servers. IAX uses UDP port 4569. ICMP connections between the servers work. I can get the time from server 192.168.24.4 using NTP (UDP port 123). I can traceroute from one server to the other using `traceroute -U -p 4569 192.168....`

But I don't get an IAX connection.

Every 20 s the servers try to connect. I can see packets from the central office on the VPN interface at the branch, but they don't get routed. Packets from the branch server reach interface em1, but are not routed to ovpnc1 but to em4 (masqueraded to address 93.83.xxx.yyy)!

**My routing table:**

```text
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            93.83.252.93       UGS         0  2273458    em4
10.10.3.0/24       192.168.251.71     UGS         0        0 ovpnc1
93.83.252.92/30    link#5             U           0    85179    em4
93.83.252.94       link#5             UHS         0        0    lo0
127.0.0.1          link#7             UH          0      552    lo0
192.168.0.0/16     192.168.251.71     UGS         1   166089 ovpnc1
192.168.24.0/24    192.168.251.71     UGS         0     2556 ovpnc1
192.168.70.0/24    link#6             U           0 154097906    em5
192.168.70.1       link#6             UHS         0        0    lo0
192.168.71.0/24    link#1             U           0 512824632    em0
192.168.71.1       link#1             UHS         0        0    lo0
192.168.72.0/24    link#3             U           0        0    em2
192.168.72.1       link#3             UHS         0        0    lo0
192.168.74.0/24    link#2             U           0    20264    em1
192.168.74.1       link#2             UHS         0        0    lo0
192.168.251.70     link#11            UHS         0        4    lo0
192.168.251.71     link#11            UH          0        3 ovpnc1
```

**My firewall rules:**

I am not allowed to post pictures, so I have to tell you that I have a rule allowing TCP and UDP traffic from any source, any port, to the Asterisk server at the central office with dport 4569 on the telephony interface em1.

On the VPN interface ovpnc1 I have a rule allowing all UDP traffic from Asterisk at central to Asterisk at branch on any port.

All other traffic through the tunnel works fine.

So the pfSense box at the branch does not route IAX traffic correctly :-((

I have no idea and would be very glad to get some help.

karls0

2 Answers

I found some very strange things going on with IAX2 and pfSense. I've got the latest pfSense (2.2.1, Mar 13 2015), and this has been consistent with all my experiences prior as well:

pfSense appears to be NOT applying NAT rules to IAX2 packets. If I set up a packet dump on pppoe0 (going to my DSL carrier), I see packets coming from 192.168.1.168 port 4569, which is the inside IP address behind my NAT. No other hosts are sending packets that aren't getting NAT'ed, and I have no special rules or exceptions for IAX2 traffic (I installed from "factory default" to make sure, and ran `tcpdump -n -i pppoe0 net 192.168.1.0/24` to validate).

The fix: on pfSense, if I go into "Diagnostics -> States" and then search for "4569" in the states table, I find several entries. I delete them. Presto! IAX2 starts working. It is very confusing. I have to do this every time pfSense reboots.

John Todd

Comment: Hi John, today it happened again (no reboot) and I tried your solution on the running system - it worked perfectly. Afterwards, I also found out that there is a tab "Reset States". Maybe this would help too, but it would disconnect all other open connections too :-(( Still, the cause should be known! – karls0 Sep 30 '15 at 12:02
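The state inspection described in this answer, automated as an added example (not code from the question, the answer or the pfSense project): it reads FreeBSD `pfctl -ss` output, flags UDP 4569 states that were created on any interface other than the VPN tunnel, and prints `pfctl -k <src> -k <dst>` commands for them. The tunnel interface name, the port and the sample state lines are constructed from the question above; using the pre-NAT inside address (the one pfctl shows in parentheses) for the kill command is an assumption to confirm against pfctl(8) on the box.

```sh
#!/bin/sh
# Added example (not from the question or answer): flag pf states for IAX
# (UDP 4569) that were created on an interface other than the VPN tunnel,
# the situation described above, and print pfctl commands to remove them.
TUNNEL_IF="ovpnc1"   # interface the IAX traffic is supposed to use
IAX_PORT=4569

# Constructed sample of FreeBSD `pfctl -ss` output (not a real capture);
# the first line is a stale NAT state that sends IAX out the WAN (em4).
SAMPLE_STATES='em4 udp 93.83.252.94:4569 (192.168.74.4:4569) -> 192.168.24.4:4569       MULTIPLE:MULTIPLE
ovpnc1 udp 192.168.74.4:4569 -> 192.168.24.4:4569       MULTIPLE:MULTIPLE
em4 udp 93.83.252.94:123 (192.168.74.4:123) -> 192.168.24.4:123       MULTIPLE:MULTIPLE
em1 icmp 192.168.74.4:1234 -> 192.168.24.4:1234       0:0'

# misrouted_iax_states: read `pfctl -ss` lines on stdin and print the UDP
# states whose destination port is IAX and whose interface is not the tunnel.
misrouted_iax_states() {
    awk -v port="$IAX_PORT" -v tun="$TUNNEL_IF" '
        $2 == "udp" {
            dst = ""
            for (i = 3; i <= NF; i++) if ($i == "->") { dst = $(i + 1); break }
            split(dst, d, ":")
            if (d[2] == port && $1 != tun) print
        }'
}

# kill_commands: turn each flagged state into `pfctl -k <src> -k <dst>`.
# Assumption: the pre-NAT inside address (shown in parentheses) is the one
# to match; confirm against pfctl(8) on the box before running the output.
kill_commands() {
    misrouted_iax_states | awk '{
        src = ($4 ~ /^\(/) ? $4 : $3
        gsub(/[()]/, "", src); sub(/:.*/, "", src)
        dst = ""
        for (i = 3; i <= NF; i++) if ($i == "->") { dst = $(i + 1); break }
        sub(/:.*/, "", dst)
        print "pfctl -k " src " -k " dst
    }'
}

# Stand-alone run on the sample; on pfSense use: pfctl -ss | kill_commands
printf '%s\n' "$SAMPLE_STATES" | misrouted_iax_states
printf '%s\n' "$SAMPLE_STATES" | kill_commands
```

Deleting the state only clears the symptom, as the comment above notes; the script is a way to spot the stale states quickly after a reboot rather than a fix for why pf creates them.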

Rebooting pfSense solved the problem, but it is no good feeling if you don't know whether your phone will work :-((

I am still interested in ideas and suggestions about the cause of my problem!

Regards, Karl

karls0