Messages - _seb_

#1
25.7 Series / Re: NAT and RTP stream not working
August 13, 2025, 07:38:42 AM
Hello,

I've tried several configurations and it doesn't work (hybrid mode, creating manual rules for RTP). I'm really stuck...

Any ideas?

Thanks
#2
25.7 Series / Re: NAT and RTP stream not working
August 08, 2025, 03:33:07 PM
Here is the capture concerning a call test : https://ibb.co/qFrmcwRQ
#3
25.7 Series / Re: NAT and RTP stream not working
August 08, 2025, 12:36:55 PM
Yes the policy allowing the outbound LAN.

Firewall > Rules > LANSERVERS :
https://ibb.co/RpngVLVV

I think I understand the problem but I don't know how to solve it...

Log Files : In destination I see the local IP address of my phone and not the public IP of the internet connection where the phone is located...
#4
25.7 Series / Re: NAT and RTP stream not working
August 08, 2025, 12:06:27 PM
Yes I tried to do this configuration but it does not work:

Firewall > NAT > Outbound :

Hybrid outbound NAT rule generation is checked
https://ibb.co/m5Mh3J1b

Firewall > Rules > WAN :
https://ibb.co/zV79gnVD


#5
25.7 Series / Re: NAT and RTP stream not working
August 08, 2025, 10:56:53 AM
On Asterisk I configured the WAN IP address of the OPNsense precisely to avoid having a problem. This does not work either...

I'm surprised it doesn't work normally with OPNsense because I don't use STUN/ICE. No problem with other commercial FWs to make VOIP work.
#6
25.7 Series / NAT and RTP stream not working
August 08, 2025, 09:41:58 AM
Hello,

I'm having trouble getting voice communication (nothing in either direction) to work with an IP PBX (Asterisk) using OPNsense 25.7.1_1-amd64.

I have the following rule in WAN: IPv4 UDP * * WAN address 10000 - 20000 * *
Same thing when modifying the WAN rule: IPv4 UDP * * VOIP_SVR 10000 - 20000 * *
I have the following rule in NAT: WAN UDP * * WAN address 10000 - 20000 VOIP_SVR 10000 - 20000

I can register a phone using port 5060 without any problems.
WAN rule: IPv4 TCP/UDP * * VOIP_SVR 5060 (SIP) * *
NAT rule: WAN TCP/UDP * * * 5060 (SIP) VOIP_SVR 5060 (SIP)

Thank you for your help

#7
French - Français / NAT and RTP stream not working
August 07, 2025, 06:54:42 PM
Hello,

I can't get voice to work (nothing in either direction) to an IP PBX using OPNsense 25.7.1_1-amd64.

I have the following rule in WAN: IPv4 UDP * * WAN address 10000 - 20000 * *
Same when modifying the WAN rule: IPv4 UDP * * VOIP_SVR 10000 - 20000 * *
I have the following rule in NAT: WAN UDP * * WAN address 10000 - 20000 VOIP_SVR 10000 - 20000

I can register a phone using port 5060 without any problem.
WAN: IPv4 TCP/UDP * * VOIP_SVR 5060 (SIP) * *
NAT: WAN TCP/UDP * * * 5060 (SIP) VOIP_SVR 5060 (SIP)

Can anyone tell me what I forgot in the configuration?

Thanks!
#8
Completely agree regarding the use of SIP when traveling to countries blocked via the GEOIP rule...

1. This is simple to achieve but it will be more complicated in some networks to use VoIP because the port will certainly be filtered/closed as it is non-standard.
2. IPv6 is not deployed everywhere so it will not work 100%.
3. Yes, the VOIP server integrates this.

In conclusion, OPNsense will not be useful to me for this part.
#9
Yes, that's already the case; the server integrates this protection.

The idea of moving this protection to the firewall will make it easier to load the VOIP server.
Given that the firewall is at the front of the internet, I'm wondering if it's not possible to add this task to it in addition to GEOIP.
#10
Hi meyergru,

That's one approach, but it's going to pose a problem for me.

For example, if you have someone with a mobile phone and a SIP application, they can make calls from different ASNs...
#11
Hello,

I'm planning to implement an OPNsense front-end for a VoIP server. I'm already using GEOIP country restrictions (GeoLite2-Country-CSV - Maxmind).

I'd now like to try to effectively block VoIP scans and targeted attacks. Is this possible?

Do you have any feedback on this approach?

Thank you for your replies.