SIP / ALG

[maclinuxfree]

Hello,

how can I disable SIP / ALG ??

I migrated from pfSense to OPNsense and my 3CX is not connecting to my SIP-Provider anymore.
I switches back to pfSense and everything is working fine (SIP ALG not detected)

Please help or I have to go back to pfSense...sadly

Thank you

[maclinuxfree]

Is there an option to disable SIP ALG in modules.conf? Or a different kernel? Can´t believe, that I come so far and now have to turn back to pfSense.

[mimugmail]

There is neither sip alg in pf nor in opn.
You need to give some details, nat screenshots

[maclinuxfree]

Hello thanks for your reply. This is a customer  of mine and he needs his PBX...so he´s back to pfSense for now.
I have to build a test scenario and giving feedback. I think this is only related to 3CX.

[mimugmail]

I think its some kind of default which is enabled in PF and disabled in OPN, so maybe a missing rule or similar.

[Supermule]

There is no such thing in pfsense.

Its NAT related.

[maclinuxfree]

Ok I narrowed it down.

Tried it on a different site and it is working. But it is not working with a PPPOE(Modem). So my next step is change the PPPOE to a Fritzbox and check again.

[maclinuxfree]

Could it be this issue?

https://github.com/opnsense/core/issues/3596

[Tubs]

I do have 3CX running behind opnsense and PPPoE WAN and without using any hidden settings.

Unfortunately I do not have a link to an all inclusive instruction and I cannot find the time to post all my setting in detail. But Some hints for you.

firewall - NAT - port forwarding:
- WAN    TCP/UDP  5060 --> 3CX IP
- WAN    TCP          5061 --> 3CX IP
- WAN    TCP/UDP   5090 --> 3CX IP
- WAN    TCP          5001 --> 3CX IP
- WAN    UDP          9000 - 10999 --> 3CX IP

firewall - NAT - outbound
- WAN    3CX IP  *  *  * interface address *  yes

firewall - rules - WAN
- TCP/UDP  *  * 3CX IP    5060 * *
- TCP         *  * 3CX IP    5061 * *
- TCP/UDP  *  * 3CX IP    5090 * *
- TCP         *  * 3CX IP    5001 * *
- UDP        *  * 3CX IP    9000 - 10999 * *

firewall - rules - DMZ (zone where 3CX is located)
TCP/UDC  3CX IP  *  *  *  *  *

[Brano]

I don't believe there's any SIP ALG enabled by default. If you want that functionality you'd need to load and configure os-siproxd plugin.

[Supermule]

Your rules are wrong.

I do have 3CX running behind opnsense and PPPoE WAN and without using any hidden settings.

Unfortunately I do not have a link to an all inclusive instruction and I cannot find the time to post all my setting in detail. But Some hints for you.

firewall - NAT - port forwarding:
- WAN    TCP/UDP  5060 --> 3CX IP
- WAN    TCP          5061 --> 3CX IP
- WAN    TCP/UDP   5090 --> 3CX IP
- WAN    TCP          5001 --> 3CX IP
- WAN    UDP          9000 - 10999 --> 3CX IP

firewall - NAT - outbound
- WAN    3CX IP  *  *  * interface address *  yes

firewall - rules - WAN
- TCP/UDP  *  * 3CX IP    5060 * *
- TCP         *  * 3CX IP    5061 * *
- TCP/UDP  *  * 3CX IP    5090 * *
- TCP         *  * 3CX IP    5001 * *
- UDP        *  * 3CX IP    9000 - 10999 * *

firewall - rules - DMZ (zone where 3CX is located)
TCP/UDC  3CX IP  *  *  *  *  *

[Tubs]

Your rules are wrong.

What is wrong?
Can you please be specific?

[Davesworld]

I thought SIP Alg was a linux kernel thing not a BSD thing. In linux there are two modules, nf_conntrack_sip and nf_nat_sip, nf_conntack_sip works wonders if you blacklist nf_nat_sip, the latter is the SIP Alg which only really works if the ATA and Firewall/Router are the same device.

I have personally looked through BSD's kernel modules and see nothing like those. For one thing it PFtables versus Netfilter tables in Linux.

This is the first time I have heard of SIP ALG being used as a name for anything in BSD. It threw me off guard.

[Davesworld]

There is no such thing in pfsense.

Its NAT related.

It threw me off too. Sip ALG is based on a single Netfilter NAT module (nf_nat_sip) in the Linux Kernel, I have never seen anything like that in BSD. Why PFSense called it that I do not know. It's nat related as you say.