
NATed Vicidial/Asterisk NAT configuration for clients NATed behind pfSense

There are some misconceptions about Vicidial and pfSense compatibility. Some people on the Vicidial forum claim that pfSense and Vicidial don't work together, but I haven't found that to be true in this particular setup I did for my client.

Before you try to apply this information in your Asterisk/Vicidial/pfSense environment, let me describe my client's environment. It's very possible that your setup is different, and my settings won't work with yours unless you have a similar setup.

Network environment

The network is in essence a symmetric NAT. pfSense rewrites the source port of every outgoing packet from the phones, so the EC2 server has to send its replies to that rewritten port, not to the port the phone advertises in its own Via header (which, from behind the NAT, is usually 5060).

  1. Asterisk/Vicidial is behind NAT, on an Amazon EC2 instance. The instance's public IP is a 1:1 NAT to its private IP, so UDP port 5060 (and the RTP port range) reach the instance without any port-forwarding configuration in AWS; the only AWS-side requirement is that the instance's security group allows that inbound UDP traffic. We didn't have to do anything else in AWS networking.

  2. Multiple softphones and hardphones are behind NAT on a pfSense box in the call center. pfSense NATs all phones with its default outbound NAT rule; no ports are forwarded manually and no static-port mapping is needed.

  3. Phones register directly to the public IP of the Asterisk server.

Settings that work

All you have to do is set nat=yes in /etc/asterisk/sip.conf and everything should work: no one-way audio and no dropped calls. Don't set nat=yes,force_rport; in this setup that did not work. (For what it's worth, the sip.conf.sample shipped with Asterisk 1.8 and later documents nat=yes as shorthand for force_rport plus comedia, so the comma-separated form should add nothing; only plain nat=yes was tested here.) Because the Asterisk server is itself behind a 1:1 NAT, it is also worth checking that sip.conf carries externip (externaddr in newer chan_sip) set to the instance's public IP and localnet set to its private subnet; if the SDP Asterisk sends advertises the private address, the phones send their RTP there and you get one-way audio no matter what nat= says.
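To make the mechanism concrete, here is an added example that is not code from this post, from Vicidial or from Asterisk: a small Python model of how chan_sip's nat= setting (per Asterisk's sip.conf.sample, nat=yes means force_rport plus comedia) decides where the REGISTER response and the RTP are sent for a phone behind pfSense's port-rewriting outbound NAT. The sip.conf fragment, the REGISTER, the SDP, the addresses, the ports and the pfSense state table are all constructed for the example. It covers the signalling case from the network description above (the reply must go to the rewritten port) and the one-way-audio case this section is about (with nat=no the phone still registers, because it asked for rport, but RTP is sent to the private address in the SDP and never arrives).

```python
"""Model of where chan_sip sends SIP replies and RTP under a given nat= setting,
for a phone behind a NAT that rewrites source ports (pfSense default outbound NAT).

Added example for this post; not code from the post, Vicidial or Asterisk.
Behaviour follows Asterisk's sip.conf.sample (nat=yes == force_rport,comedia),
RFC 3261 18.2.2 and RFC 3581 (rport). All hosts, ports and messages are made up."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

Addr = Tuple[str, int]

# nat= keywords and the behaviours they enable (per sip.conf.sample, Asterisk 1.8+).
NAT_FLAGS = {
    "no": frozenset(),
    "force_rport": frozenset({"force_rport"}),
    "comedia": frozenset({"comedia"}),
    "yes": frozenset({"force_rport", "comedia"}),
}

# Constructed sip.conf fragment in the shape the post describes (nat=yes worked).
SIP_CONF = """\
[general]
context=default
nat=yes            ; force_rport + comedia
; nat=no           ; default: reply to the Via port unless the phone asks for rport
"""


def parse_nat_setting(sip_conf: str) -> FrozenSet[str]:
    """Behaviour flags implied by the first uncommented nat= line in sip.conf text."""
    m = re.search(r"^\s*nat\s*=\s*([^;\r\n]+)", sip_conf, re.M)
    if not m:
        return NAT_FLAGS["no"]
    flags = set()
    for tok in m.group(1).split(","):       # comma lists (force_rport,comedia) are accepted
        tok = tok.strip().lower()
        if tok not in NAT_FLAGS:
            raise ValueError(f"unknown nat value {tok!r}")
        flags |= NAT_FLAGS[tok]
    return frozenset(flags)


@dataclass(frozen=True)
class Via:
    host: str
    port: int
    rport_requested: bool


def parse_via(msg: str) -> Via:
    """Topmost Via of a UDP request: sent-by host:port and whether ;rport is present."""
    m = re.search(r"^Via:\s*SIP/2\.0/UDP\s+([^\s;:]+)(?::(\d+))?([^\r\n]*)", msg, re.M | re.I)
    if not m:
        raise ValueError("no Via header")
    params = [p.strip().lower() for p in m.group(3).split(";")]
    rport = any(p == "rport" or p.startswith("rport=") for p in params)
    return Via(m.group(1), int(m.group(2) or 5060), rport)


def sip_reply_target(msg: str, src: Addr, flags: FrozenSet[str]) -> Addr:
    """RFC 3261 sends the response to the packet's source IP but to the *Via* port;
    RFC 3581 rport, or chan_sip's force_rport, uses the real source port as well."""
    via = parse_via(msg)
    src_ip, src_port = src
    if via.rport_requested or "force_rport" in flags:
        return (src_ip, src_port)
    return (src_ip, via.port)


def rtp_target(sdp: str, first_rtp_src: Optional[Addr], flags: FrozenSet[str]) -> Addr:
    """Where Asterisk sends RTP: the SDP c=/m= address, or, with comedia, wherever
    the phone's own RTP actually came from (symmetric RTP, a.k.a. latching)."""
    c = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
    m = re.search(r"^m=audio (\d+)", sdp, re.M)
    if not (c and m):
        raise ValueError("no audio media in SDP")
    if "comedia" in flags and first_rtp_src is not None:
        return first_rtp_src
    return (c.group(1), int(m.group(1)))


def nat_passes(state_table: Dict[Addr, Addr], packet_dst: Addr) -> bool:
    """A stateful NAT only translates inbound packets whose destination matches an
    existing outbound mapping (public_ip, rewritten_port) -> (private_ip, port)."""
    return packet_dst in state_table


# Constructed scenario: phone 192.168.1.50 behind pfSense 203.0.113.7; Asterisk at 198.51.100.9.
REGISTER = (
    "REGISTER sip:198.51.100.9 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776;rport\r\n"
    "From: <sip:1001@198.51.100.9>;tag=1\r\nTo: <sip:1001@198.51.100.9>\r\n"
    "Call-ID: abc@192.168.1.50\r\nCSeq: 1 REGISTER\r\nContent-Length: 0\r\n\r\n"
)
SDP = "v=0\r\no=- 1 1 IN IP4 192.168.1.50\r\nc=IN IP4 192.168.1.50\r\nm=audio 16384 RTP/AVP 0\r\n"
PFSENSE_STATE = {                       # source ports rewritten by outbound NAT
    ("203.0.113.7", 41234): ("192.168.1.50", 5060),
    ("203.0.113.7", 53011): ("192.168.1.50", 16384),
}


def demo(sip_conf: str = SIP_CONF) -> dict:
    """Run the scenario under the nat= value in sip_conf and report what gets through."""
    flags = parse_nat_setting(sip_conf)
    reply = sip_reply_target(REGISTER, ("203.0.113.7", 41234), flags)
    rtp = rtp_target(SDP, ("203.0.113.7", 53011), flags)
    return {"flags": sorted(flags),
            "reply_to": reply, "reply_passes_nat": nat_passes(PFSENSE_STATE, reply),
            "rtp_to": rtp, "audio_passes_nat": nat_passes(PFSENSE_STATE, rtp)}


if __name__ == "__main__":
    for conf in (SIP_CONF, "[general]\nnat=no\n"):
        print(demo(conf))
```

Run it as-is and the nat=yes pass shows both the registration reply and the RTP landing on pfSense's rewritten ports, while the nat=no pass shows the reply still arriving (the phone asked for rport) but RTP addressed to 192.168.1.50, which is the one-way-audio symptom; a phone that does not send ;rport under nat=no gets its reply addressed to port 5060 on the pfSense public IP, which matches no state and is dropped, so it never registers.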

In pfSense, under System > Advanced > Firewall & NAT > Firewall Optimization Options, set the value to Conservative. This is not mandatory; Conservative lengthens the state timeouts, which keeps an idle phone's UDP mapping alive longer between registrations.

So why a lengthy blog post? Because there is so much conflicting information around the net that people try many different settings in Vicidial, Asterisk and pfSense, and it's not clear which ones work and which don't. So this is my documentation for myself and others.