[asterisk-users] Dead Air on PF firewall

NOC ph nocph at aol.com
Tue Mar 11 04:31:12 CDT 2008


Hi Mich,

I added the following line for the RTP, but it's still the same: I can hear
ringing but no voice when the call is answered from the other side. Any more ideas?

ext_if = "bce0"
int_if = "bce1"
altitude = "172.16.1.0/24"

#### machines ####
vbox = "172.16.1.1"
vbox1 = "172.16.1.2"
uci = "172.16.1.4"
voices = "203.172.x.x"
ipc = "203.172.x.x"

#### default deny ####
set block-policy return
set loginterface $ext_if
set skip on lo
scrub in

#### nat ####
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr on $ext_if proto { udp tcp } from any to $ext_if port 5060 -> $vbox1
rdr on $ext_if proto { udp tcp } from any to $ext_if port 10000:20000 -> $vbox1
rdr on $ext_if proto tcp from any to $ext_if port 5100 -> $uci
rdr on $ext_if proto tcp from any to $ext_if port 443 -> $vbox

#### filtering section ####
# note: the interface list must use $ext_if; a bare ext_if is not expanded as a macro
pass out on { $int_if, $ext_if } inet proto { udp tcp } from any to any port 10000:20000
pass out on { $int_if, $ext_if } inet proto { udp tcp } from any to any port 5060
pass in on $ext_if inet proto { tcp udp } from $ipc to any port 5060
pass in on $ext_if inet proto tcp from $ipc to any port 1500 keep state
pass in on $ext_if inet proto udp from any to any port 10000:20000 keep state
pass in on bce0 proto tcp from $ipc to any port ssh flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick on bce1


Michiel van Baak wrote:
> On 07:00, Mon 10 Mar 08, NOC ph wrote:
>> Hi All,
>>
>> I have an Asterisk box on my DMZ and I'm using PF for my firewall. I can
>> make a call, but for some reason I have dead air.
>>
>> Any ideas? Below are my rules...
>>
>> ext_if = "bce0"
>> int_if = "bce1"
>> altitude = "172.16.1.0/24"
>>
>> #### machines ####
>> vbox = "172.16.1.1"
>> uci = "172.16.1.4"
>> voices = "203.172.x.1"
>> ipc = "203.172.x.2"
>>
>> #### default deny ####
>> set block-policy return
>> set loginterface $ext_if
>> set skip on lo
>> scrub in
>>
>> #### nat ####
>> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> 
>> nat on $ext_if inet proto { udp tcp } from $vbox to any port 5060 -> $ext_if port 5060
>> nat on $ext_if inet proto tcp from $uci to any port 1500 -> $ext_if port 1500
> 
> Why those two rules? The first nat rule already takes care
> of that.
> 
>> rdr on $ext_if proto { udp tcp } from any to $ext_if port 5060 -> $vbox port 5060
>> rdr on $ext_if proto udp from any to $ext_if port 5100 -> $vbox port 5100
> 
> You have to forward the RTP ports as well:
> rdr on $ext_if proto udp from any to $ext_if port 10000:20000 -> $vbox
> 
>> #### filtering section ####
>> pass out on { $int_if, ext_if } inet proto { udp tcp } from $altitude to any
>> pass in on $ext_if inet proto { tcp udp } from $ipc to any port 5060
>> pass in on $ext_if inet proto tcp from $ipc to any port 1500 flags S/SA keep state
> 
> And you should allow the RTP ports as well:
> pass in on $ext_if inet proto udp from any to any port 10000:20000 keep state
> 
>> pass in on bce0 proto tcp from $ipc to any port ssh flags S/SA keep state
>> pass in inet proto icmp all icmp-type echoreq keep state
>> pass in quick on bce1
>>
> 
> For reference, here are my pf rules for my internal pbx:
> 
> ##########
> # Macros #
> ##########
> ext_if           = "rl0"
> ext_ip           = "82.95.XXX.XXX"
> int_if           = "wb0"
> int_net          = "192.168.2.0/24"
> voip_server      = "192.168.2.4"
> voip_ports       = "{ 4569, 5060, 10000:20000 }"
> 
> ####################################
> # NAT rules: "rdr", "nat", "binat" #
> ####################################
> nat on $ext_if from $int_if:network to any -> $ext_ip
> # asterisk server
> rdr on $ext_if proto udp from any to any port $voip_ports -> $voip_server
> 
> #############
> # Filtering #
> #############
> # voip always goes in the priority class
> pass out quick on $ext_if inet proto udp from any to any port $voip_ports keep state queue q_pri
> pass in quick on $ext_if inet proto udp from any to any port $voip_ports keep state queue q_pri
> 
> Also, make sure in asterisk sip.conf you have the externip
> and localnet config parameters set.
> 
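As an added example (not code from this thread, from Asterisk, or from OpenBSD pf), here is a small Python checker for the gap Michiel points out: it expands pf.conf macros, parses the rdr and pass rules, and reports whether SIP (udp 5060) and the RTP media range (udp 10000:20000) are both redirected to the PBX and passed in on the external interface, and whether both redirects land on the same host. It also flags an interface list that names a macro without its `$`, as in `{ $int_if, ext_if }`, which pf would read as a literal interface name. The two rule sets are constructed from the rules in this thread; the RTP range, the `check_voip`/`parse_rules` names and the tiny named-port table are assumptions of the example.

```python
"""Lint a pf.conf fragment for the SIP/RTP gaps discussed in this thread.

Added example, not part of the mailing-list post. Assumptions: the PBX uses
udp/5060 for SIP and 10000:20000 for RTP (rtpstart/rtpend in rtp.conf), and
NAMED_PORTS stands in for /etc/services.
"""
import re

SIP_PORT = 5060
RTP_RANGE = (10000, 20000)
NAMED_PORTS = {"ssh": 22, "sip": 5060, "https": 443}


def expand_macros(text):
    """Collect name = "value" macros and return (macros, expander)."""
    macros = dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', text, re.M))

    def expand(line):
        return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), line)

    return macros, expand


def _split_list(token):
    """'{ a, b c }' or 'a' -> ['a', 'b', 'c']."""
    return [t for t in re.split(r"[\s,{}]+", token) if t]


def _port_ranges(token):
    """Port spec -> list of (lo, hi); [] (covers nothing) on an unknown name."""
    ranges = []
    for item in _split_list(token):
        lo, _, hi = item.partition(":")
        lo = NAMED_PORTS.get(lo, lo)
        hi = NAMED_PORTS.get(hi, hi) if hi else lo
        try:
            ranges.append((int(lo), int(hi)))
        except ValueError:
            return []
    return ranges


def parse_rules(text):
    """Extract kind, direction, interfaces, protocols, destination ports and
    rdr target from each rdr/pass rule. None means 'unrestricted'."""
    _, expand = expand_macros(text)
    rules = []
    for raw in text.splitlines():
        line = expand(raw.split("#", 1)[0].strip())
        head = re.match(r"^(rdr|pass)\b(?:\s+(in|out))?", line)
        if not head:
            continue
        on = re.search(r"\bon\s+(\{[^}]*\}|\S+)", line)
        proto = re.search(r"\bproto\s+(\{[^}]*\}|\S+)", line)
        # destination port: the 'port' after 'to', left of any '->' redirect
        port = re.search(r"\bto\b.*?\bport\s+(\{[^}]*\}|\S+)", line.split("->", 1)[0])
        target = re.search(r"->\s*(\S+)", line)
        rules.append({
            "kind": head.group(1),
            "dir": head.group(2),
            "ifaces": _split_list(on.group(1)) if on else None,
            "protos": set(_split_list(proto.group(1))) if proto else None,
            "ports": _port_ranges(port.group(1)) if port else None,
            "target": target.group(1) if target else None,
        })
    return rules


def _covers(rule, iface, proto, lo, hi):
    """True if the rule applies to this interface, protocol and whole port range."""
    if rule["ifaces"] is not None and iface not in rule["ifaces"]:
        return False
    if rule["protos"] is not None and proto not in rule["protos"]:
        return False
    if rule["ports"] is None:
        return True
    return any(rlo <= lo and hi <= rhi for rlo, rhi in rule["ports"])


def check_voip(text):
    """Report SIP/RTP rdr and pass-in coverage on $ext_if, whether both
    redirects hit the same host, and any 'on' list naming a macro without '$'."""
    macros, _ = expand_macros(text)
    ext_if = macros.get("ext_if")
    rules = parse_rules(text)
    rdrs = [r for r in rules if r["kind"] == "rdr"]
    pass_in = [r for r in rules if r["kind"] == "pass" and r["dir"] == "in"]

    def rdr_for(lo, hi):
        return next((r for r in rdrs if _covers(r, ext_if, "udp", lo, hi)), None)

    sip_rdr, rtp_rdr = rdr_for(SIP_PORT, SIP_PORT), rdr_for(*RTP_RANGE)
    report = {
        "sip_rdr": sip_rdr is not None,
        "rtp_rdr": rtp_rdr is not None,
        "sip_pass": any(_covers(r, ext_if, "udp", SIP_PORT, SIP_PORT) for r in pass_in),
        "rtp_pass": any(_covers(r, ext_if, "udp", *RTP_RANGE) for r in pass_in),
        "same_host": bool(sip_rdr and rtp_rdr and sip_rdr["target"] == rtp_rdr["target"]),
        "bare_macros": sorted({t for r in rules for t in (r["ifaces"] or []) if t in macros}),
    }
    flags_ok = all(v for k, v in report.items() if k != "bare_macros")
    report["ok"] = flags_ok and not report["bare_macros"]
    return report


# Constructed from the first post's rules (note the bare 'ext_if' in the pass out rule).
ORIGINAL_RULES = """
ext_if = "bce0"
int_if = "bce1"
altitude = "172.16.1.0/24"
vbox = "172.16.1.1"
ipc = "203.172.x.2"
rdr on $ext_if proto { udp tcp } from any to $ext_if port 5060 -> $vbox port 5060
pass out on { $int_if, ext_if } inet proto { udp tcp } from $altitude to any
pass in on $ext_if inet proto { tcp udp } from $ipc to any port 5060
pass in on bce0 proto tcp from $ipc to any port ssh flags S/SA keep state
pass in quick on bce1
"""

# The same rules with the RTP rdr/pass from the reply added and the '$' fixed.
FIXED_RULES = ORIGINAL_RULES.replace("{ $int_if, ext_if }", "{ $int_if, $ext_if }") + """
rdr on $ext_if proto udp from any to $ext_if port 10000:20000 -> $vbox
pass in on $ext_if inet proto udp from any to any port 10000:20000 keep state
"""

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(name, check_voip(conf))
```

Run against the first post's rules the report shows SIP redirected and passed but no RTP rdr and no RTP pass-in, which is exactly the symptom of ringing with dead air; against the corrected set every flag is true. The checker only looks at udp on $ext_if and does not model rule ordering or `quick`, so it is a sanity check to run before `pfctl -nf`, not a replacement for it.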


