Bug #7175
closed
SIP MESSAGE UDP packets not passed despite rules & pcaps showing otherwise
Description
I have two pfSense boxes in failover configuration both running NanoBSD 2.3.2-RELEASE (amd64) and a VoIP server on the LAN behind them that works correctly with regular SIP traffic on UDP 5060. This server also uses special SIP MESSAGE packets to auto-configure phones and these are not being passed in either direction. Packet captures on the pfSense box on both WAN and LAN interfaces show the packets traversing but a capture on the server does not show them being received at all. The only thing between the pfSense boxes and the VoIP server is a layer 2 switch.
I found that if I switch the phone to use TCP for this auto-configuration, the initial packets from the phone DO make it to the server, but then the server's MESSAGE replies do not traverse pfSense as they continue to use UDP. (The server's 202/Accepted TCP packet does get to the phone though.)
Again, regular SIP traffic that uses the same UDP port (5060) passes fine between the same two devices, so it appears pfSense is confused by or intentionally internally blocking these SIP MESSAGE packets. (The initial ones just contain TLS certificates.)
Using an alternate port (5062) has the same results.