FreePBX & pfSense Firewall

FreePBX Behind pfSense Firewall Configuration Settings

Creating a FreePBX server for a project I was working on ended up having some quick wins and some hard-fought ones. While I got the initial FreePBX server up and running pretty quickly, I did experience some issues related to the pfSense firewall configuration settings, which this article covers.

My two main issues were that I was intermittently unable to call other extensions, and that incoming calls (from non-PBX users) failed to connect to the FreePBX and returned a Trunk Connection Error to the caller. Surprisingly, I never experienced any issues making outbound calls (SIP extensions to outside callers) to phones off the system.

Below are the settings that worked for my set-up scenario, which was a basic one: a single inbound IP address, NATed out to different internal (behind-firewall) servers based on their service ports, with FreePBX used as my VoIP system. These settings deal strictly with the SIP set-up and do not cover allowing SSH access or the ability for users to access any of the FreePBX web UIs.

For my environment I access these ports (22, 80, 81, 443) via a secure VPN server, which removes the need for firewall rules for them. If you want to use the same method and need to create a VPN server on pfSense, you can follow the OpenVPN Remote Access Server instructions.


pfSense Firewall Optimization Settings

Path: System → Advanced → Firewall & NAT → Firewall Optimization Options

The Conservative setting for Firewall Optimization Options tries to avoid dropping any legitimate connections coming into FreePBX via pfSense; after some research I found it was the best setting. On some heavily used pfSense systems, people saw increased memory usage and CPU utilization with this setting, but on my system I did not experience any increase that affected performance.

Firewall Advanced

  • Firewall Optimization = Conservative

FreePBX pfSense Firewall Optimization Settings

pfSense State Timeouts

Path: System → Advanced → Firewall & NAT → State Timeouts

The State Timeout changes helped address some FreePBX SIP messaging problems and the occasional problem where some extensions or callers could not hear the other party. They also helped the incoming call issue from the trunk provider connection to the FreePBX; additionally, some people found this helped VoIP services retain registration after a certain period had elapsed.

Timeout Settings

  • UDP First = 300
  • UDP Single = 150
  • UDP Multiple = 900

FreePBX pfSense State Timeout Settings

pfSense Manual Outbound NAT Rule Generation

Path: Firewall → NAT → Outbound → Outbound NAT Mode

To help address NAT issues where packets [ Internet → pfSense → FreePBX → pfSense → Internet ] were being dropped between pfSense and FreePBX, I created a Manual Outbound NAT (AON) rule, which resolved some packet-loss problems I saw during testing.

Step One:

Path: Firewall → NAT → Outbound → Outbound NAT Mode

Set the Outbound NAT Mode from Automatic to Manual, which will then allow you to create an AON rule.

Outbound Mode

  • Manual Outbound NAT Rule Generation = Checked

FreePBX pfSense Outbound NAT Mode Settings

Step Two:

Path: Firewall → NAT → Outbound → Outbound NAT Mode → Add New → Outbound NAT

Now we create an Outbound NAT rule that forces a Static Port for the translations, so the source port Asterisk uses is preserved rather than rewritten by pfSense.

Outbound NAT

  • Interface = WAN
  • Protocol = ANY
  • Source = ANY
  • Destination = ANY
  • Static Port = Checked

FreePBX pfSense Outbound NAT Settings

FreePBX RTP NAT Rule

Path: Firewall → NAT → Port Forward → Add New → UDP

When a new FreePBX instance is created, its default RTP settings use a UDP range of 10000 – 20000; you can verify the settings of your installation in the following FreePBX screen:

Path: Admin → Config Editor → rtp_additional.conf

[general]
rtpstart=10000
rtpend=20000
rtpchecksums=yes
strictrtp=yes

Knowing these UDP ports, I created the following UDP NAT rule; you will need to change the Redirect target IP to the IP address of your FreePBX instance.

UDP – NAT Rule Settings

  • Interface = WAN
  • Protocol = UDP
  • Destination = WAN Address
  • Destination Port Range
    • Other Custom Low = 10000
    • Other Custom High = 20000
  • Redirect target IP = Your Internal FreePBX IP Address
  • Redirect Target Port
    • Other
    • Custom = 20000
  • Description = Description of your rule

FreePBX pfSense UDP Settings

FreePBX SIP NAT Rule

Path: Firewall → NAT → Port Forward → Add New → UDP

Once you have the UDP rule created, your next step is to create the SIP TCP/UDP rule that uses ports 5060 & 5061 (the default settings). Also do not forget to change the Redirect target IP to the IP address of your FreePBX instance.

TCP/UDP – NAT Rule Settings

  • Interface = WAN
  • Protocol = TCP/UDP
  • Destination = WAN Address
  • Destination Port Range
    • SIP (Other) = 5060 (SIP)
    • Other Custom High = 5061
  • Redirect target IP = Your Internal FreePBX IP Address
  • Redirect Target Port
    • 5060 (SIP)
  • Description = Description of your rule

FreePBX pfSense TCP/UDP Settings

You can verify the port settings of your installation in the following FreePBX screen:

Path: Admin → Config Editor → sip_general_additional.conf

 accept_outofcall_message=yes
 auth_message_requests=no
 outofcall_message_context=dpma_message_context
 faxdetect=no
 vmexten=*97
 useragent=FPBX-14.0.1.24(14.7.4)
 disallow=all
 allow=ulaw
 allow=alaw
 allow=gsm
 allow=g726
 allow=g722
 context=from-sip-external
 callerid=Unknown
 notifyringing=yes
 notifyhold=yes
 tos_sip=cs3
 tos_audio=ef
 tos_video=af41
 alwaysauthreject=yes
 limitonpeers=yes
 context=from-sip-external
 callerid=Unknown
 tcpenable=no
 callevents=yes
 bindport=5160
 jbenable=no
 checkmwi=10
 maxexpiry=3600
 minexpiry=60
 srvlookup=no
 allowguest=yes
 notifyhold=yes
 rtptimeout=30
 canreinvite=no
 rtpkeepalive=0
 videosupport=no
 defaultexpiry=120
 notifyringing=yes
 maxcallbitrate=384
 rtpholdtimeout=300
 g726nonstandard=no
 registertimeout=20
 registerattempts=0
 nat=force_rport,comedia
 ALLOW_SIP_ANON=no
 tlsbindaddr=[::]:5161
 externip=000.000.000.000
 localnet=000.000.000.000/24
 language=en
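The two port-forward rules above only work if they line up with what Asterisk actually binds to, so here is an added check (my own example, not code from the article or from FreePBX/pfSense) that parses the rtp_additional.conf and sip_general_additional.conf key=value fragments and compares them with a constructed list of pfSense forwards. The config fragments, the forward list and the 192.0.2.x target address are all constructed inputs; the second SIP fragment binds on 5160, as the dump above shows chan_sip doing, to demonstrate the mismatch the check is meant to catch.

```python
# Constructed inputs mirroring the config fragments shown in the article.
RTP_CONF = """[general]
rtpstart=10000
rtpend=20000
rtpchecksums=yes
strictrtp=yes
"""
# chan_sip bound on 5060 (matches the 5060-5061 forward) ...
SIP_CONF_OK = "bindport=5060\nnat=force_rport,comedia\n"
# ... and bound on 5160, which the 5060-5061 forward does not reach.
SIP_CONF_5160 = "bindport=5160\nnat=force_rport,comedia\n"

# Constructed forwards mirroring the two NAT rules in the article;
# 192.0.2.10 is a documentation address standing in for the FreePBX host.
FORWARDS = [
    {"proto": "udp", "low": 10000, "high": 20000, "target": "192.0.2.10"},
    {"proto": "tcp/udp", "low": 5060, "high": 5061, "target": "192.0.2.10"},
]


def parse_asterisk_conf(text):
    """Collect key=value lines from an Asterisk .conf fragment; [sections] and ; comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line and not line.startswith("[") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def check_forwards(rtp_conf, sip_conf, forwards):
    """Return a list of mismatches between the pfSense forwards and the ports Asterisk uses."""
    rtp, sip = parse_asterisk_conf(rtp_conf), parse_asterisk_conf(sip_conf)
    rtp_lo, rtp_hi = int(rtp["rtpstart"]), int(rtp["rtpend"])
    sip_port = int(sip.get("bindport", 5060))  # Asterisk's default when bindport is unset
    problems = []

    def covers(proto, lo, hi):
        # A TCP/UDP rule satisfies a UDP requirement; the whole range must sit inside one rule.
        return any(f["proto"] in (proto, "tcp/udp") and f["low"] <= lo and hi <= f["high"]
                   for f in forwards)

    if not covers("udp", rtp_lo, rtp_hi):
        problems.append(f"no single UDP forward covers RTP range {rtp_lo}-{rtp_hi}")
    if not covers("udp", sip_port, sip_port):
        problems.append(f"no UDP forward covers SIP bindport {sip_port}")
    if len({f["target"] for f in forwards}) > 1:
        problems.append("forwards redirect to different internal hosts")
    return problems
```

Run it against your own rtp_additional.conf and sip_general_additional.conf contents and the rules you entered in pfSense; an empty list means the forwards cover everything Asterisk listens on.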

Final Thoughts & Disclaimer

Unfortunately, in the modern world where people tend to sue for the slightest reason, and to cover myself from those that might, I need to say:

Your results and system set-up may vary from those I have listed above, and the settings are provided “As-Is” as an example only, without warranty or guarantee of operation. I highly recommend you always review and research any changes to settings you make, considering any possible security and performance implications they may introduce.

And to those that are not litigation happy 🙂

This article is the result of many hours of testing, reading fragmented articles and posts from across the internet, and a lot of head scratching wondering why things weren’t working 🙁

I hope it helps you configure and deploy your FreePBX easier and quicker than I experienced – Good Luck!

Additional Resources:

Below are a few links to reference material that may help you understand some of the changes I made:

While I did not experience any further issues after making the changes listed above, during my research I did see that some people also needed to use the pfSense Siproxd package to get their various PBX systems working correctly; these appeared to be older systems.