TOPIC: Firewall rules for LAN-interface WAN-interface
#5074
Firewall rules for LAN-interface WAN-interface 2 Years, 3 Months ago  
Is it possible to define different firewall rules for the LAN-interface and the WAN-interface ??

I have defined that incoming traffic from the LAN (to the WAN) is allowed, so connections (and traffic) initiated from the LAN is allowed.

However I'm facing the problem that VoIP is without audio or one-way audio... firewall problem thus.

I'm opening a range of UDP-ports for the RTP-traffic but what I actually want is that on the WAN-interface the behaviour is kept that connections initiated from the LAN are allowed. So outgoing calls open up UDP-ports and with "NAT keep alive"-packets from the VoipServer the NAT-ting is preserved.

So on the WAN I want : allow outgoing traffic (initiated from LAN)
On the LAN-interface I want all ports open for internal traffic (like an internal VoIP-call)

Problem occurs now that incoming calls from the PSTN that are directed to the ClearOS-server (which is also Asterisk-server) via a Grandstream HT503 gateway (LAN client) cause one-way audio due to the UDP-range on the firewall.

This is local traffic ! But I need to open up UDP-ports (and thus also on the WAN). I don't want that.
jonaskellens
 
#5257
Re:Firewall rules for LAN-interface WAN-interface 2 Years, 3 Months ago  
Maybe my question isn't clear enough ?

It comes down to this : if I open up ports on the firewall, are these ports opened on the WAN and the LAN interface ???

Can I open up port 33000 only on the LAN-interface, and not on the WAN-interface ??
jonaskellens
 
#5259
Re:Firewall rules for LAN-interface WAN-interface 2 Years, 3 Months ago  
By default the firewall is configured to allow all outgoing traffic from the LAN, and block all incoming traffic on the WAN. All LAN interfaces can see each other unless specified as a HotLAN. I.e. simple NAT is the default behaviour

Opening an incoming port opens it on the WAN. I'm not quite sure why you feel the need to apply a firewall rule to LAN traffic, however you can use the advanced firewall module if you want to create more specific types of rules.

Code:

yum install app-firewall-advanced

Tim Burgess
 
#5261
Re:Firewall rules for LAN-interface WAN-interface 2 Years, 3 Months ago  
Dear Tim,

I'm having firewall troubles (I think) with VoIP-traffic.

Traffic comes from a PSTN-gateway to the ClearOS-server (LAN-traffic) and then is sent to an IP-phone (LAN-traffic).

Traffic also comes from a local analogue telephone to an Analogue Telephony Adapter (ATA) and to the ClearOS-server (and then to the internet).

There is one-way-audio, meaning a firewall problem with the audio-stream going from the local phone to the internet.

Opening ports on the firewall seemed to have helped... for some time. After some time there is one-way audio again.

There is no traffic coming from the WAN, and thus coming in to the LAN from the internet. All traffic is local, and sometimes sent to the internet (ITSP).

I'm trying to find out why opening ports seems to help, although not always...
jonaskellens
 
#5309
Re:Firewall rules for LAN-interface WAN-interface 2 Years, 3 Months ago  
Hi, I have no direct experience of using PSTN gateways and VoIP so maybe others can chip in.

"There is no traffic coming from the WAN, and thus coming in to the LAN from the internet. All traffic is local, and sometimes sent to the internet (ITSP)."

This doesn't make sense to me - but maybe due to my inexperience with your setup. Is your LAN interface connected to a network which has internet (i.e. external) access?

What is your ClearOS config, in terms of network interfaces and network configs? Is it your gateway or standalone? We need a little more info on the actual network setup to understand how traffic is flowing.

This is a pure guess but maybe using UPnP would help with your firewall problems, as it sounds like you do have traffic going between the 'external' and 'internal' interfaces which requires a returning port to be opened. I'm guessing this port varies quite a lot too, which is why you may have had some success manually opening a few yourself.
Tim Burgess
Last Edit: 2010/02/13 08:18 By timb80.
 
#5521
Re:Firewall rules for LAN-interface WAN-interface 2 Years, 3 Months ago  
I have quite a bit of experience in this area.

It sounds like you have already opened a range for RTP and SIP traffic on your firewall. Typically this is 10000-20000 for RTP and 5060 for SIP which are the two protocols you likely use.

If your one way audio problem is intermittent, you probably have intrusion protection/detection enabled on your server. Oftentimes for some reason unknown to me, the intrusion prevention module will latch onto your VOIP provider's IP address and block all traffic from them. It took me a while to figure this out but it had happened multiple times on our network.

If this does not resolve your problem, please PM me and I'll try and troubleshoot it for you. I'm a little annoyed that a VOIP section still hasn't been put up. I had asked that this be done and had positive feedback from an admin but still no section... I'll save our conversation and post the problem and solution in an FAQ once they get around to putting it up.

Thanks,
Preston Mitchell
CIO United Drug of Hatch Inc
CTO Berridge Farms LLC
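
A check for the two causes raised in the thread so far, as an added example that is not part of any post: it reads `iptables-save` output and reports DROP/REJECT rules whose source covers the VoIP provider's address, plus UDP ACCEPT rules with no inbound interface (open on WAN and LAN alike). The sample ruleset, the addresses, and the eth0 = WAN / eth1 = LAN naming are constructed; that an intrusion-prevention block shows up as a source-address DROP rule is an assumption.

```python
import ipaddress
import shlex

# Constructed sample of `iptables-save` output; addresses are documentation
# ranges, and eth0 = WAN / eth1 = LAN are assumptions for illustration.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -s 203.0.113.40/32 -j DROP
-A INPUT -i eth1 -p udp -m udp --dport 33000 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
COMMIT
"""

FLAGS = {"-i": "iface", "-s": "src", "-p": "proto",
         "--dport": "dport", "-j": "target"}

def parse_rules(text):
    """Yield one dict per '-A' rule with the fields named in FLAGS."""
    for line in text.splitlines():
        tok = shlex.split(line)
        # Skip table/chain headers, COMMIT, and negated matches ('!'),
        # which this simple parser would otherwise misread as positive.
        if len(tok) < 2 or tok[0] != "-A" or "!" in tok:
            continue
        rule = dict.fromkeys(FLAGS.values())
        rule["raw"] = line
        for flag, value in zip(tok[2:], tok[3:]):
            if flag in FLAGS:
                rule[FLAGS[flag]] = value
        yield rule

def blocks_for(text, peer_ip):
    """DROP/REJECT rules whose source network contains peer_ip (the ITSP)."""
    peer = ipaddress.ip_address(peer_ip)
    return [r["raw"] for r in parse_rules(text)
            if r["target"] in ("DROP", "REJECT") and r["src"]
            and peer in ipaddress.ip_network(r["src"], strict=False)]

def unscoped_udp_accepts(text):
    """UDP port ACCEPT rules with no -i: open on every interface."""
    return [r["raw"] for r in parse_rules(text)
            if r["target"] == "ACCEPT" and r["proto"] == "udp"
            and r["dport"] and r["iface"] is None]

if __name__ == "__main__":
    print("blocking provider:", blocks_for(SAMPLE, "203.0.113.40"))
    print("open on all interfaces:", unscoped_udp_accepts(SAMPLE))
```
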
 
#11296
Re:Firewall rules for LAN-interface WAN-interface 2 Years ago  
Hi Preston, we have been facing similar issues with IP Phones. We have two networks setup - 1.x and 2.x. The 1.x network consists of the Nortel BCM and other networking equipment and the 25.x is only for user machines and IP phones. The audio problem is intermittent and we don't have intrusion detection/prevention enabled on ClearOS. The ports for RTP, SIP have been enabled on the Firewall. Can you please let me know if there is anything else I need to be looking at?

Thanks.
Ebenezer
 
#12469
Re:Firewall rules for LAN-interface WAN-interface 1 Year, 11 Months ago  
I am having audio issues with SIP, VOIP.

My main office has a VOIP system that I have had for over a year now, and SIP/NAT has worked through other routers very well.
I have just now put it behind a ClearOS box and I have all the RTP rules, SIP rules, ports forwarded, yes, UDP.... I also tried a 1:1 NAT from my external IP to my internal PBX IP.
Intrusion Detection and Prevention are turned off, and I get NO audio on remote phones.
The VOIP system works wonderfully as an internal system, calls in and out just fine.
Setting up the remote phones has made me almost bald now...
I, with the others stated here, wish there was a VOIP section. I have been a silent observer/user of ClearOS since ClarkConnect, and love the system and only barely moved my VOIP system behind it, thinking all the preparations were made.
I got a response from a developer quoted below for the benefit of all:
****************************************************************************

Try enabling the H323 support (which is disabled by default). The following command will do it:

/sbin/modprobe ip_nat_h323

If that works, add the above line to the /etc/rc.d/rc.firewall.local file. This will ensure that H323 support is enabled on boot.
****************************************************************************

Sorry to say, I did that and I STILL HAVE NO REMOTE AUDIO, EITHER IN OR OUT!!! The phones authenticate just fine, they can place calls, receive calls, but no audio if originated from outside firewall.

***** If the call is originated from an external source (cell phone) or from the inside of the firewall (desk phone) then there is one way audio coming from the cell phone or main office desk phone, but not going back into the firewall.


Please PM me and I will still keep it public for the benefit of all to learn, and maybe it's just too plain, too simple, so right under my nose that I cannot see it.

Any input helps!!! Thanks.
Zigg Zigglar
 
#12472
Re:Firewall rules for LAN-interface WAN-interface 1 Year, 11 Months ago  
Zigg,

I recently got the admins to add a VOIP section in the forums, so first off, move your post there.

There are a few caveats with remote extensions. What PBX are you using? Iplex, freepbx, custom asterisk? There are numerous settings within asterisk which pertain to remote extensions specifically.

Thanks,
Preston
Preston Mitchell
Last Edit: 2010/06/09 14:54 By prestontmitch.
 