OPNsense Forum
Archive => 20.7 Legacy Series => Topic started by: maclinuxfree on October 11, 2020, 11:04:36 pm
-
Hello,
How can I disable SIP / ALG?
I migrated from pfSense to OPNsense and my 3CX is not connecting to my SIP provider anymore.
I switched back to pfSense and everything is working fine (SIP ALG not detected).
Please help or I have to go back to pfSense...sadly
Thank you
-
Is there an option to disable SIP ALG in modules.conf? Or a different kernel? Can't believe that I came so far and now have to turn back to pfSense.
-
There is no SIP ALG in either pf or opn.
You need to give some details, NAT screenshots.
-
Hello, thanks for your reply. This is a customer of mine and he needs his PBX... so he's back to pfSense for now.
I have to build a test scenario and give feedback. I think this is only related to 3CX.
-
I think it's some kind of default which is enabled in PF and disabled in OPN, so maybe a missing rule or similar.
-
There is no such thing in pfSense.
It's NAT related.
-
OK, I narrowed it down.
I tried it on a different site and it is working. But it is not working with a PPPoE (modem). So my next step is to change the PPPoE to a Fritzbox and check again.
-
Could it be this issue?
https://github.com/opnsense/core/issues/3596
-
I do have 3CX running behind OPNsense and PPPoE WAN, without using any hidden settings.
Unfortunately I do not have a link to an all-inclusive instruction and I cannot find the time to post all my settings in detail. But some hints for you.
firewall - NAT - port forwarding:
- WAN TCP/UDP 5060 --> 3CX IP
- WAN TCP 5061 --> 3CX IP
- WAN TCP/UDP 5090 --> 3CX IP
- WAN TCP 5001 --> 3CX IP
- WAN UDP 9000 - 10999 --> 3CX IP
firewall - NAT - outbound
- WAN 3CX IP * * * interface address * yes
firewall - rules - WAN
- TCP/UDP * * 3CX IP 5060 * *
- TCP * * 3CX IP 5061 * *
- TCP/UDP * * 3CX IP 5090 * *
- TCP * * 3CX IP 5001 * *
- UDP * * 3CX IP 9000 - 10999 * *
firewall - rules - DMZ (zone where 3CX is located)
- TCP/UDP 3CX IP * * * * *
-
I don't believe there's any SIP ALG enabled by default. If you want that functionality you'd need to load and configure the os-siproxd plugin.
-
Your rules are wrong.
I do have 3CX running behind OPNsense and PPPoE WAN, without using any hidden settings.
Unfortunately I do not have a link to an all-inclusive instruction and I cannot find the time to post all my settings in detail. But some hints for you.
firewall - NAT - port forwarding:
- WAN TCP/UDP 5060 --> 3CX IP
- WAN TCP 5061 --> 3CX IP
- WAN TCP/UDP 5090 --> 3CX IP
- WAN TCP 5001 --> 3CX IP
- WAN UDP 9000 - 10999 --> 3CX IP
firewall - NAT - outbound
- WAN 3CX IP * * * interface address * yes
firewall - rules - WAN
- TCP/UDP * * 3CX IP 5060 * *
- TCP * * 3CX IP 5061 * *
- TCP/UDP * * 3CX IP 5090 * *
- TCP * * 3CX IP 5001 * *
- UDP * * 3CX IP 9000 - 10999 * *
firewall - rules - DMZ (zone where 3CX is located)
- TCP/UDP 3CX IP * * * * *
-
Your rules are wrong.
What is wrong?
Can you please be specific?
-
I thought SIP ALG was a Linux kernel thing, not a BSD thing. In Linux there are two modules, nf_conntrack_sip and nf_nat_sip. nf_conntrack_sip works wonders if you blacklist nf_nat_sip; the latter is the SIP ALG, which only really works if the ATA and firewall/router are the same device.
I have personally looked through BSD's kernel modules and see nothing like those. For one thing, it is PFtables versus Netfilter tables in Linux.
This is the first time I have heard of SIP ALG being used as a name for anything in BSD. It threw me off guard.
-
There is no such thing in pfSense.
It's NAT related.
It threw me off too. SIP ALG is based on a single Netfilter NAT module (nf_nat_sip) in the Linux kernel; I have never seen anything like that in BSD. Why pfSense called it that I do not know. It's NAT related, as you say.
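-
The two explanations raised in this thread (a SIP ALG rewriting the signalling versus plain NAT behaviour) can be told apart by capturing the same REGISTER on the LAN and WAN side of the firewall and comparing them. The following is an added example, not code from any poster or from OPNsense/3CX; the sample messages, addresses and the function names `signalling_addrs` and `classify` are constructed for illustration.

```python
import re

# Constructed sample: REGISTER as the PBX sent it (LAN-side capture).
LAN_MSG = (
    "REGISTER sip:provider.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK776\r\n"
    "Contact: <sip:100@192.168.1.10:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed sample: the same request on the WAN side after an ALG rewrote
# the private address inside the SIP headers.
WAN_MSG_ALG = LAN_MSG.replace("192.168.1.10:5060", "203.0.113.5:1024")

HOSTPORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?")

def signalling_addrs(msg):
    """Return {header: (ip, port)} for the first Via and Contact headers."""
    found = {}
    for line in msg.split("\r\n"):
        name, _, value = line.partition(":")
        key = name.strip().lower()
        if key in ("via", "contact") and key not in found:
            m = HOSTPORT.search(value)
            if m:
                # A missing port means the SIP default, 5060.
                found[key] = (m.group(1), int(m.group(2) or 5060))
    return found

def classify(lan_msg, lan_src_port, wan_msg, wan_src_port):
    """Compare one request as captured on both sides of the firewall.

    *_src_port is the UDP/TCP source port seen in each capture.
    """
    findings = []
    if signalling_addrs(lan_msg) != signalling_addrs(wan_msg):
        findings.append("payload-rewritten")       # ALG-style behaviour
    if lan_src_port != wan_src_port:
        findings.append("source-port-rewritten")   # NAT changed the port only
    return findings or ["unchanged"]

if __name__ == "__main__":
    print(classify(LAN_MSG, 5060, WAN_MSG_ALG, 5060))
    print(classify(LAN_MSG, 5060, LAN_MSG, 61234))
```

If the headers are identical on both sides and only the source port differs, no ALG is involved and the outbound NAT rule is the place to look.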