the myIT blog

pfSense and sipXbridge

Most firewalls randomize the source port of outbound traffic (they rewrite it as part of NAT). This breaks protocols that carry port numbers inside the payload or expect the same port on both legs of a connection, like PPTP, IPsec and SIP. sipXbridge needs static port NAT in order to work properly: when sipXbridge opens a media (RTP) socket on port 30001, its packets must leave the WAN with source port 30001 (not rewritten by the firewall), and the far end's replies to port 30001 must come back to that same socket. In pfSense this is done under "Firewall > NAT > Outbound" by selecting manual/advanced outbound NAT ("Manual (AON)") and enabling the static port option on the rule for the LAN subnet; in config.xml that is the <staticnatport/> flag on the <advancedoutbound> rule in the sample below. I've tried to make it easy by providing a sample setup which can be edited in a word processor or text editor (like WordPad) and uploaded to the system. A friend of mine helped me get this implemented, and so I thought I'd share.

After doing a basic install of pfSense, log in to the webGUI and go to "Diagnostics > Backup/Restore". Take a backup and open the resulting config.xml in WordPad or another plain-text editor. Then take the sample file at the end of this post and do a find/replace to match your settings (IP addresses, etc.); the sample's <password> element holds a placeholder, so copy the password hash from your own backup into it. After that, restore the edited config file to your system.

Find and replace commands:

  1. Domain name - replace mydomain.com with your domain name, like example.com.
  2. DNS - change the two <dnsserver> entries (71.242.0.12 and 198.6.1.5 in the sample) to resolvers of your own choosing that work with your ISP.
  3. pfSense webGUI - the sample has it on HTTPS port 10443, with a matching port forward and pass rule from the WAN so the firewall can be managed remotely. Change the port if you want, but stay away from the ports the sample forwards to sipXecs: 80, 8443, 5060-5080 and 30000-31000. If you do not need remote management, drop the 10443 forward and its WAN pass rule rather than leave the GUI reachable from the internet.
  4. LAN IP - the sample has pfSense at 192.168.2.9 and sipXecs at 192.168.2.10 on a /24. Change these to suit your network and don't forget to match the mask; the outbound NAT rule's <network>, the forward targets and the DHCP range all follow from it, and the DHCP pool must not include the sipXecs address.

If you do a careful find/replace on your IPs, mask and gateway, it should be fairly straightforward.

After restoring, go to the console and use the option to reset the webConfigurator password; the password becomes the default, "pfsense", so log in and change it right away. Then go to System > Packages > Installed and remove any packages that are there. The sample still lists siproxd and nmap under <installedpackages>; siproxd in particular runs its own SIP proxy on the firewall, which is not part of this setup.
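Doing the find/replace by hand works, but a few things go wrong silently when you restore a hand-edited config.xml: a forgotten password placeholder, a webGUI port that lands inside a forwarded range, a DHCP pool that can hand out the sipXecs address, an outbound rule that lost its static port flag, or a forward without a matching pass rule. The script below is an added example written for this post (not pfSense code) that applies the find/replace list above programmatically and then runs those checks. SAMPLE is a constructed, trimmed copy of the posted config.xml with the same values; the example addresses 10.10.0.x, 192.0.2.x and the hash string in tailored_sample() are made up. Point tailor() and check() at the full file you are about to restore.

```python
"""Tailor the sample config.xml from this post and sanity-check it before restoring.
Added example written for this post, not pfSense code. SAMPLE is a constructed,
trimmed copy of the posted config; run tailor()/check() against the full file.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed stand-in for the posted config.xml (same values, fewer elements).
SAMPLE = """<?xml version="1.0"?>
<pfsense>
<system>
<domain>mydomain.com</domain>
<password>REPLACE_WITH_YOUR_pfSense_password_from_your_backup_config_file</password>
<webgui><protocol>https</protocol><port>10443</port></webgui>
<dnsserver>71.242.0.12</dnsserver><dnsserver>198.6.1.5</dnsserver>
</system>
<interfaces><lan><ipaddr>192.168.2.9</ipaddr><subnet>24</subnet></lan></interfaces>
<dhcpd><lan><range><from>192.168.2.10</from><to>192.168.2.245</to></range></lan></dhcpd>
<snmpd><rocommunity>public</rocommunity></snmpd>
<nat>
<advancedoutbound>
<rule><source><network>192.168.2.0/24</network></source><interface>wan</interface><staticnatport/></rule>
<enable/>
</advancedoutbound>
<rule><protocol>udp</protocol><external-port>5060</external-port><target>192.168.2.10</target><local-port>5060</local-port><interface>wan</interface></rule>
<rule><protocol>udp</protocol><external-port>30000-31000</external-port><target>192.168.2.10</target><local-port>30000</local-port><interface>wan</interface></rule>
<rule><protocol>tcp</protocol><external-port>80</external-port><target>192.168.2.10</target><local-port>80</local-port><interface>wan</interface></rule>
</nat>
<filter>
<rule><type>pass</type><interface>wan</interface><protocol>udp</protocol><destination><address>192.168.2.10</address><port>5060</port></destination></rule>
<rule><type>pass</type><interface>wan</interface><protocol>udp</protocol><destination><address>192.168.2.10</address><port>30000-31000</port></destination></rule>
<rule><interface>wan</interface><protocol>tcp</protocol><destination><address>192.168.2.10</address><port>80</port></destination></rule>
</filter>
</pfsense>
"""


def tailor(xml_text, *, domain, dns, webgui_port, lan_ip, subnet, sipx_ip, password_hash):
    """Apply the post's find/replace list and return the edited ElementTree root."""
    root = ET.fromstring(xml_text)
    sysel = root.find("system")
    sysel.find("domain").text = domain
    sysel.find("password").text = password_hash        # hash copied from your own backup
    sysel.find("webgui/port").text = str(webgui_port)
    for el, server in zip(sysel.findall("dnsserver"), dns):
        el.text = server
    lan = root.find("interfaces/lan")
    old_lan, old_sipx = lan.findtext("ipaddr"), root.findtext("nat/rule/target")
    old_net = ipaddress.ip_network(f"{old_lan}/{lan.findtext('subnet')}", strict=False)
    new_net = ipaddress.ip_network(f"{lan_ip}/{subnet}", strict=False)
    lan.find("ipaddr").text = lan_ip
    lan.find("subnet").text = str(subnet)
    root.find("nat/advancedoutbound/rule/source/network").text = str(new_net)
    # forward targets and their pass rules: sipXecs address and the firewall's own address
    for el in root.findall("nat/rule/target") + root.findall("filter/rule/destination/address"):
        el.text = {old_sipx: sipx_ip, old_lan: lan_ip}.get(el.text, el.text)
    # keep the DHCP pool at the same host offsets inside the new LAN network
    for el in root.find("dhcpd/lan/range"):
        offset = int(ipaddress.IPv4Address(el.text)) - int(old_net.network_address)
        el.text = str(new_net.network_address + offset)
    return root


def check(root):
    """Return the problems a practitioner should fix before restoring this config."""
    problems, sysel = [], root.find("system")
    lan_ip = root.findtext("interfaces/lan/ipaddr")
    if (sysel.findtext("password") or "").startswith("REPLACE_WITH"):
        problems.append("password placeholder not replaced; webGUI login fails until reset from the console")
    forwards = []
    for r in root.findall("nat/rule"):
        lo, _, hi = r.findtext("external-port").partition("-")
        forwards.append((r.findtext("protocol"), int(lo), int(hi or lo), r.findtext("target")))
    gui_port = int(sysel.findtext("webgui/port"))
    for proto, lo, hi, target in forwards:
        if proto == "tcp" and target != lan_ip and lo <= gui_port <= hi:
            problems.append(f"webGUI port {gui_port} is inside forward {lo}-{hi} to {target}")
    aon = root.find("nat/advancedoutbound")
    if aon is None or aon.find("enable") is None:
        problems.append("advanced outbound NAT not enabled; outbound SIP/RTP source ports get rewritten")
    elif not any(r.find("staticnatport") is not None for r in aon.findall("rule")):
        problems.append("no outbound NAT rule carries <staticnatport/>; sipXbridge needs static port NAT")
    rng = root.find("dhcpd/lan/range")
    lo_ip, hi_ip = (ipaddress.IPv4Address(rng.findtext(t)) for t in ("from", "to"))
    for target in sorted({t for *_, t in forwards}):
        if lo_ip <= ipaddress.IPv4Address(target) <= hi_ip:
            problems.append(f"DHCP pool {lo_ip}-{hi_ip} contains forward target {target}")
    passes = {(r.findtext("protocol"), r.findtext("destination/address"), r.findtext("destination/port"))
              for r in root.findall("filter/rule")
              if r.findtext("interface") == "wan" and r.findtext("type") == "pass"}
    for proto, lo, hi, target in forwards:
        port = str(lo) if lo == hi else f"{lo}-{hi}"
        if (proto, target, port) not in passes:
            problems.append(f"forward {proto}/{port} -> {target} has no WAN rule with <type>pass</type>")
    snmp = root.find("snmpd")
    if snmp is not None and snmp.find("enable") is not None and snmp.findtext("rocommunity") == "public":
        problems.append("snmpd is enabled with the default read-only community 'public'")
    return problems


def check_text(xml_text):
    return check(ET.fromstring(xml_text))


def tailored_sample():
    """Tailor SAMPLE with made-up example values and return (root, problems)."""
    root = tailor(SAMPLE, domain="example.com", dns=("192.0.2.53", "192.0.2.54"),
                  webgui_port=10443, lan_ip="10.10.0.1", subnet=24,
                  sipx_ip="10.10.0.10", password_hash="$1$replaceme$hashfromyourbackup")
    return root, check(root)


if __name__ == "__main__":
    root, problems = tailored_sample()
    print(ET.tostring(root, encoding="unicode"))
    for p in problems:
        print("PROBLEM:", p)
```

On the constructed sample the tailored config still reports two problems: the DHCP pool starts at the sipXecs address, and the HTTP forward's filter rule has no explicit <type>pass</type> like the other forwards do. Both are true of the posted config.xml as well, which is the point of running the checks rather than trusting a find/replace. The SNMP check only fires when snmpd is actually enabled; the sample leaves it off but keeps the default community string, so fix that before you ever turn it on.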

This pfSense config does not include VLANs or traffic shaping; it is a basic config. More complex use cases may follow later, but that's it for now. I hope to post a complete step-by-step how-to on the sipX wiki.

Here's a basic step-by-step guide to getting pfSense installed:

If you need a VMware image, go to www.pfsense.org and grab it from there. If you are installing on a standalone PC, use the ISO image linked below. After installing the VMware image, remove any installed packages, install the VMware Tools package (so time sync is correct) and set your correct timezone (ex: America/New_York).

http://files.pfsense.org/mirror/downloads/pfSense-1.2.3-RC3-LiveCD-Installer.iso.gz

First, install a video card, keyboard, CD-ROM drive, IDE hard disk, 128MB of RAM or more and at least two network interfaces in the target machine. Do not install unnecessary hardware like a modem, because pfSense cannot use it.

The hardware for the tested install was a Pentium Pro 200, 128MB EDO RAM, 1.44MB floppy, Trident VGA, four Realtek 8139D PCI cards, a 24x ATAPI CD-ROM and two 1GB IDE drives. As you can see it was quite an old system, but it all still worked well. pfSense was also installed on a Dell Dimension 4100 (800MHz) without any problems.

Next, take the downloaded ISO file and burn the CD as an ISO (not a file copy).

Set up your BIOS to boot from CD, insert the CD and reboot, and watch the FreeBSD base system boot (FreeBSD 7.2 for the 1.2.3 release linked above; the 1.2 releases were on 6.2). Don't worry if you cannot catch everything scrolling by: once the boot completes you can review it by pressing Scroll Lock and using Page Up/Down. The boot process stops and asks you to configure the network interfaces. If you made it that far, the rest of the installation will most likely succeed.

Answer no (type n) to the first prompt, which asks whether to set up VLANs (virtual interfaces).

Now it asks you to select the LAN interface. This is the interface you will attach to an Ethernet switch if more than one computer will go through pfSense to reach the internet. To select it, use the automatic detection: disconnect all network cables from the pfSense box, follow the instructions on the screen, then plug a computer into the port you want as LAN. Mark that interface as the LAN interface.

Next it asks you to select the WAN interface. If your DSL/cable modem or router is not set up yet, pick an interface by typing its name as shown on the display; it can be changed later.

pfSense now loads and configures itself. With a little luck you will get past the point where it configures the WAN interface; this is where interrupts are tested, and if the hardware is set up properly (or the machine is reasonably new) it breezes through to the pfSense console setup menu. From there, install pfSense to the hard disk by entering 99. If you never reach this menu, you have a hardware compatibility problem with FreeBSD.

Installation is pretty painless: tell it to format and create a new partition if you want the disk wiped, and once complete you'll see FreeBSD loading, which takes some time.

At the console you have an option to set the LAN IP address; do that and make sure you can reach that IP with a web browser from a PC on the LAN. Now run through the wizard and set a password, etc. Under Diagnostics, take a backup (config.xml), put your password hash, IPs/masks/gateways and domain name into the sample posted here, and do the restore.

Remember that after the restore the webGUI listens on the port set in the sample (10443, HTTPS), so connect to https://<your LAN IP>:10443 once the restore has completed.

Coming up: setting up an example SIP trunk with the ITSP Bandwidth.com via sipXbridge, and soon afterwards traffic shaping for sipXecs and pfSense!

<?xml version="1.0"?>
<pfsense>
<version>3.0</version>
<lastchange/>
<theme>nervecenter</theme>
<system>
<optimization>normal</optimization>
<hostname>voicefw</hostname>
<domain>mydomain.com</domain>
<username>admin</username>
<password>REPLACE_WITH_YOUR_pfSense_password_from_your_backup_config_file</password>
<timezone>America/New_York</timezone>
<time-update-interval/>
<timeservers>0.pfsense.pool.ntp.org</timeservers>
<webgui>
<protocol>https</protocol>
<certificate/>
<private-key/>
<port>10443</port>
</webgui>
<disablenatreflection>yes</disablenatreflection>
<ssh>
<authorizedkeys/>
<port/>
</ssh>
<enablesshd>yes</enablesshd>
<maximumstates/>
<shapertype/>
<dnsserver>71.242.0.12</dnsserver>
<dnsserver>198.6.1.5</dnsserver>
<dnsallowoverride/>
</system>
<interfaces>
<lan>
<if>bge0</if>
<ipaddr>192.168.2.9</ipaddr>
<subnet>24</subnet>
<media/>
<mediaopt/>
<bandwidth>100</bandwidth>
<bandwidthtype>Mb</bandwidthtype>
</lan>
<wan>
<if>xl0</if>
<mtu/>
<blockpriv>on</blockpriv>
<blockbogons>on</blockbogons>
<media/>
<mediaopt/>
<bandwidth>100</bandwidth>
<bandwidthtype>Mb</bandwidthtype>
<disableftpproxy/>
<ipaddr>4.5.6.7</ipaddr>
<subnet>29</subnet>
<gateway>4.5.6.1</gateway>
<spoofmac/>
<dhcphostname/>
</wan>
</interfaces>
<staticroutes/>
<pppoe>
<username/>
<password/>
<provider/>
</pppoe>
<pptp>
<username/>
<password/>
<local/>
<subnet/>
<remote/>
<timeout/>
</pptp>
<bigpond>
<username/>
<password/>
<authserver/>
<authdomain/>
<minheartbeatinterval/>
</bigpond>
<dyndns>
<type>dyndns</type>
<username/>
<password/>
<host/>
<mx/>
</dyndns>
<dhcpd>
<lan>
<range>
<from>192.168.2.11</from>
<to>192.168.2.245</to>
</range>
</lan>
</dhcpd>
<pptpd>
<mode/>
<redir/>
<localip/>
<remoteip/>
</pptpd>
<ovpn/>
<dnsmasq>
<enable/>
</dnsmasq>
<snmpd>
<syslocation/>
<syscontact/>
<rocommunity>public</rocommunity>
</snmpd>
<diag>
<ipv6nat/>
</diag>
<bridge/>
<syslog/>
<nat>
<ipsecpassthru/>
<advancedoutbound>
<rule>
<source>
<network>192.168.2.0/24</network>
</source>
<sourceport/>
<descr>Auto created rule for LAN</descr>
<target/>
<interface>wan</interface>
<staticnatport/>
<destination>
<any/>
</destination>
<natport/>
<dstport/>
</rule>
<enable/>
</advancedoutbound>
<rule>
<protocol>udp</protocol>
<external-port>5060</external-port>
<target>192.168.2.10</target>
<local-port>5060</local-port>
<interface>wan</interface>
<descr>sipx signalling</descr>
</rule>
<rule>
<protocol>tcp</protocol>
<external-port>5060</external-port>
<target>192.168.2.10</target>
<local-port>5060</local-port>
<interface>wan</interface>
<descr>sipx signalling</descr>
</rule>
<rule>
<protocol>udp</protocol>
<external-port>5080</external-port>
<target>192.168.2.10</target>
<local-port>5080</local-port>
<interface>wan</interface>
<descr>itsp signalling receive from bw.com</descr>
</rule>
<rule>
<protocol>udp</protocol>
<external-port>30000-31000</external-port>
<target>192.168.2.10</target>
<local-port>30000</local-port>
<interface>wan</interface>
<descr>sipx media</descr>
</rule>
<rule>
<protocol>tcp</protocol>
<external-port>80</external-port>
<target>192.168.2.10</target>
<local-port>80</local-port>
<interface>wan</interface>
<descr>http to sipx</descr>
</rule>
<rule>
<protocol>tcp</protocol>
<external-port>8443</external-port>
<target>192.168.2.10</target>
<local-port>8443</local-port>
<interface>wan</interface>
<descr>https redirect to sipx</descr>
</rule>
<rule>
<protocol>tcp</protocol>
<external-port>10443</external-port>
<target>192.168.2.9</target>
<local-port>10443</local-port>
<interface>wan</interface>
<descr>voicefw redirect for remote mgmt</descr>
</rule>
</nat>
<filter>
<rule>
<type>pass</type>
<interface>wan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<any/>
</source>
<destination>
<address>192.168.2.10</address>
<port>5060</port>
</destination>
<descr>NAT sipx signalling</descr>
</rule>
<rule>
<type>pass</type>
<interface>wan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>192.168.2.10</address>
<port>5060</port>
</destination>
<descr>NAT sipx signalling</descr>
</rule>
<rule>
<type>pass</type>
<interface>wan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<any/>
</source>
<destination>
<address>192.168.2.10</address>
<port>5080</port>
</destination>
<descr>NAT sipx signalling</descr>
</rule>
<rule>
<type>pass</type>
<interface>wan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<any/>
</source>
<destination>
<address>192.168.2.10</address>
<port>30000-31000</port>
</destination>
<descr>NAT sipx media</descr>
</rule>
<rule>
<type>pass</type>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>192.168.2.10</address>
<port>80</port>
</destination>
<descr>NAT http to sipx</descr>
</rule>
<rule>
<type>pass</type>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>192.168.2.10</address>
<port>8443</port>
</destination>
<descr>NAT https redirect to sipx</descr>
</rule>
<rule>
<type>pass</type>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>192.168.2.9</address>
<port>10443</port>
</destination>
<descr>NAT voicefw redirect for remote mgmt</descr>
</rule>
<rule>
<type>pass</type>
<descr>Default LAN -&gt; any</descr>
<interface>lan</interface>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
</rule>
</filter>
<ipsec>
<preferredoldsa/>
</ipsec>
<aliases/>
<proxyarp/>
<cron>
<item>
<minute>0</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 newsyslog</command>
</item>
<item>
<minute>1,31</minute>
<hour>0-5</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 adjkerntz -a</command>
</item>
<item>
<minute>1</minute>
<hour>3</hour>
<mday>1</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command>
</item>
<item>
<minute>*/60</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
</item>
<item>
<minute>1</minute>
<hour>1</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /etc/rc.dyndns.update</command>
</item>
<item>
<minute>*/60</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot</command>
</item>
<item>
<minute>*/60</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c</command>
</item>
<item>
<minute>*/5</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/local/bin/checkreload.sh</command>
</item>
<item>
<minute>*/5</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/etc/ping_hosts.sh</command>
</item>
<item>
<minute>*/140</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/local/sbin/reset_slbd.sh</command>
</item>
</cron>
<wol/>
<installedpackages>
<package>
<name>siproxd</name>
<website>http://siproxd.sourceforge.net/</website>
<descr>Proxy for handling NAT of multiple SIP devices to a single public IP.</descr>
<category>Services</category>
<config_file>http://www.pfsense.com/packages/config/siproxd.xml</config_file>
<depends_on_package_base_url>http://files.pfsense.org/packages/7/All/</depends_on_package_base_url>
<depends_on_package>siproxd-0.7.0_1.tbz</depends_on_package>
<pkginfolink>http://doc.pfsense.org/index.php/Siproxd_package</pkginfolink>
<version>0.7.2</version>
<status>Beta</status>
<required_version>1.2.1</required_version>
<configurationfile>siproxd.xml</configurationfile>
</package>
<package>
<name>nmap</name>
<maintainer>billm@pfsense.org</maintainer>
<descr>NMap is a utility for network exploration or security auditing. It supports ping scanning (determine which hosts are up), many port scanning techniques (determine what services the hosts are offering), version detection (determine what application/service is runing on a port), and TCP/IP fingerprinting (remote host OS or device identification). It also offers flexible target and port specification, decoy/stealth scanning, SunRPC scanning, and more. Most Unix and Windows platforms are supported in both GUI and command line modes. Several popular handheld devices are also supported, including the Sharp Zaurus and the iPAQ.</descr>
<category>Security</category>
<depends_on_package_base_url>http://files.pfsense.org/packages/7/All/</depends_on_package_base_url>
<depends_on_package>nmap-4.76.tbz</depends_on_package>
<config_file>http://www.pfsense.com/packages/config/nmap/nmap.xml</config_file>
<version>4.76</version>
<status>Stable</status>
<pkginfolink>http://doc.pfsense.org/index.php/Nmap_package</pkginfolink>
<required_version>1.2.1</required_version>
<configurationfile>nmap.xml</configurationfile>
</package>
<menu>
<name>siproxd</name>
<tooltiptext>Modify siproxd users and settings.</tooltiptext>
<section>Services</section>
<url>/pkg_edit.php?xml=siproxd.xml&amp;id=0</url>
</menu>
<menu>
<name>NMap</name>
<tooltiptext>NMap is a utility for network exploration or security auditing. It supports ping scanning (determine which hosts are up), many port scanning techniques (determine what services the hosts are offering), version detection (determine what application/service is runing on a port), and TCP/IP fingerprinting (remote host OS or device identification). It also offers flexible target and port specification, decoy/stealth scanning, SunRPC scanning, and more. Most Unix and Windows platforms are supported in both GUI and command line modes. Several popular handheld devices are also supported, including the Sharp Zaurus and the iPAQ.</tooltiptext>
<section>Diagnostics</section>
<configfile>nmap.xml</configfile>
</menu>
<service>
<name>siproxd</name>
<rcfile>siproxd.sh</rcfile>
<executable>siproxd</executable>
</service>
</installedpackages>
<revision>
<description>No shaper items picked, unsetting shaper configuration</description>
<time>1256159252</time>
</revision>
<rrd>
<enable/>
</rrd>
<ezshaper>
<step2>
<inside_int>lan</inside_int>
<download>7100</download>
<outside_int>wan</outside_int>
<upload>768</upload>
</step2>
<step3>
<provider>Asterisk</provider>
<address/>
<bandwidth>32</bandwidth>
</step3>
<step4>
<address/>
<bandwidthup/>
<bandwidthdown/>
</step4>
<step5>
<bandwidthup/>
<bandwidthdown/>
</step5>
<step7>
<msrdp/>
<vnc/>
<appleremotedesktop/>
<pcanywhere/>
<irc/>
<jabber/>
<icq/>
<aolinstantmessenger/>
<msnmessenger/>
<teamspeak/>
<pptp/>
<ipsec/>
<streamingmp3/>
<rtsp/>
<http/>
<smtp/>
<pop3/>
<imap/>
<lotusnotes/>
<dns/>
<icmp/>
<smb/>
<snmp/>
<mysqlserver/>
<nntp/>
<cvsup/>
</step7>
</ezshaper>
<shaper>
</shaper>
</pfsense>