Bug #7175

closed

SIP MESSAGE UDP packets not passed despite rules & pcaps showing otherwise

Added by Sean Pappalardo about 7 years ago. Updated over 4 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version: -
Start date: 01/30/2017
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.3.2
Affected Architecture:
Description

I have two pfSense boxes in failover configuration both running NanoBSD 2.3.2-RELEASE (amd64) and a VoIP server on the LAN behind them that works correctly with regular SIP traffic on UDP 5060. This server also uses special SIP MESSAGE packets to auto-configure phones and these are not being passed in either direction. Packet captures on the pfSense box on both WAN and LAN interfaces show the packets traversing but a capture on the server does not show them being received at all. The only thing between the pfSense boxes and the VoIP server is a layer 2 switch.

I found that if I switch the phone to use TCP for this auto-configuration, the initial packets from the phone DO make it to the server, but then the server's MESSAGE replies do not traverse pfSense as they continue to use UDP. (The server's 202/Accepted TCP packet does get to the phone though.)

Again, regular SIP traffic that uses the same UDP port (5060) passes fine between the same two devices, so it appears pfSense is confused by or intentionally internally blocking these SIP MESSAGE packets. (The initial ones just contain TLS certificates.)

Using an alternate port (5062) has the same results.

Actions #1

Updated by Roland Kletzing almost 6 years ago

I have a similar issue, if I do failover from one pfSense box to the other, SIP traffic is not being passed in both directions anymore - the phones start to work again if I reset the appropriate states on the firewall (voip-server:5060 <-> sip-phone-ip:src-port).

Apparently, it seems to be related to policy routing. As the appropriate rule for VoIP overwrites the default-route for that subnet (which is a rule/policy based routing entry) so normal routing can take place for that - it appears that after failover, the packets for the destination don't go the normal route but the default route which is defined via policy routing. So that means that the policy-routing "overwrite" doesn't work after failover.

Actions #2

Updated by Jim Pingle over 4 years ago

  • Category set to Rules / NAT
  • Status changed from New to Not a Bug

This is almost certainly a problem with your configuration or environment.

For assistance in solving problems, please post on the Netgate Forum or the pfSense Subreddit.

See Reporting Issues with pfSense Software for more information.
