Configuring NAT for VoIP Phones

The default settings for pfSense® software may not be optimal for certain VoIP environments. The default settings handle the majority of scenarios, but depending on the specifics of a particular VoIP configuration, changes may be necessary to make successful VoIP calls.

The following sections describe common settings that can help local handsets work with a remote PBX.

See also

If the PBX is local and trying to communicate with a remote SIP trunk, see Configuring NAT for a VoIP PBX instead.

Disable source port rewriting

By default, pfSense software rewrites the source port on all outbound traffic. This is necessary for proper NAT in some environments, such as having multiple SIP phones behind a single public IP address which all register to a single external PBX. With some providers, rewriting the source port of RTP can cause one-way audio. In that case, set up manual outbound NAT with Static Port on all UDP traffic, potentially excluding UDP 5060.

Performing static port NAT on UDP 5060 traffic by default is not desirable because it breaks more scenarios than it helps in current environments. However, in cases where a PBX requires static port on UDP 5060, configuring outbound NAT to perform static port NAT for udp/5060 will allow it to function. This can be done using Hybrid outbound NAT and a phone-specific rule or by using manual outbound NAT.

Set Conservative state table optimization

The default UDP timeouts in PF are too low for some VoIP services. If phones work most of the time, but randomly disconnect, set Firewall Optimization Options to Conservative under System > Advanced, Firewall/NAT tab.

A keep-alive or re-registration timer on the phone set for 20-30 seconds can also help, and is often a better solution.
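As an added illustration (not pfSense code or output), the toy NAT model below shows the two effects described above: with static port, two phones that both use source port 5060 collide toward one PBX, and an idle UDP state that expires before an inbound call arrives means the call is dropped unless the timeout is longer or the phone sends keep-alives. The addresses, the port pool starting at 1024 and the 60 and 900 second timeouts are assumed values chosen for the example.

```python
from dataclasses import dataclass, field
import itertools

# Constructed sample endpoints; both phones use SIP source port 5060.
PBX = ("203.0.113.10", 5060)
PHONE_A = ("192.168.1.21", 5060)
PHONE_B = ("192.168.1.22", 5060)

@dataclass
class Nat:
    static_port: bool   # True: keep the phone's source port unchanged
    udp_timeout: int    # idle seconds before a UDP state expires (assumed value)
    states: dict = field(default_factory=dict)  # (ext_port, dst) -> [inside, last_seen]
    _ports: itertools.count = field(default_factory=lambda: itertools.count(1024))

    def _expire(self, now):
        self.states = {k: v for k, v in self.states.items()
                       if now - v[1] <= self.udp_timeout}

    def outbound(self, now, inside, dst):
        """Return the external source port used, or None on a port clash."""
        self._expire(now)
        for (ext_port, d), st in self.states.items():
            if st[0] == inside and d == dst:
                st[1] = now          # existing state: refresh its idle timer
                return ext_port
        ext_port = inside[1] if self.static_port else next(self._ports)
        if (ext_port, dst) in self.states:
            return None              # another phone owns this port toward this PBX
        self.states[(ext_port, dst)] = [inside, now]
        return ext_port

    def inbound(self, now, ext_port, src):
        """Return the inside (ip, port) a reply maps to, or None if no state."""
        self._expire(now)
        st = self.states.get((ext_port, src))
        return st[0] if st else None

def register_two_phones(static_port):
    nat = Nat(static_port, udp_timeout=60)
    return nat.outbound(0, PHONE_A, PBX), nat.outbound(1, PHONE_B, PBX)

def incoming_call_reaches_phone(udp_timeout, keepalive, call_at=600):
    """Phone registers at t=0; PBX sends an INVITE at call_at seconds."""
    nat = Nat(False, udp_timeout)
    port = nat.outbound(0, PHONE_A, PBX)
    for t in (range(keepalive, call_at, keepalive) if keepalive else ()):
        nat.outbound(t, PHONE_A, PBX)   # keep-alive refreshes the state
    return nat.inbound(call_at, port, PBX) == PHONE_A
```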

Use the siproxd package

The siproxd package is only a good fit for deployments with local phones and a remote PBX where phones cannot register or make calls with rewritten source ports. In this very specific circumstance, the siproxd package enables multiple phones to connect to a single outside server with a static source port of 5060.

Warning

Do not use siproxd if the PBX is local. Only use this package if the upstream PBX strictly requires all phones to have a source port of 5060.

Disable scrub

Certain very rare circumstances may require disabling scrubbing under System > Advanced, Firewall/NAT tab. In most cases this should be left at the default setting (unchecked). Only change this setting when necessary. Some phones send malformed packets that will be silently dropped without scrub active, for example unfragmented packets which claim to be fragmented.