The Pfsense open-source firewall is frequently used in network deployments for small and medium enterprises. This document uses the following network topology to illustrate basic Sipxcom and Pfsense configuration for connectivity with an Internet Telephony Service Provider (ITSP). The following assumptions are used in this setup:
The following steps are used to create a SIP trunk in Sipxcom (each number in the above diagram corresponds to a step number):
When setting up Pfsense, the following manual outbound NAT rule under Firewall->NAT->Outbound should already have been defined (assumption 1 in the Introduction). This rule translates private addresses in the 192.168.55.xx subnet to the public IP address assigned to the Pfsense WAN interface (and vice versa).
If the SIP trunk from the ITSP is a static trunk with no registration parameters, make sure that the ITSP sends SIP signaling to the public IP address of Pfsense on port 5080 and not port 5060. For both registered and non-registered trunks, Sipxbridge will ping the ITSP address every 20 seconds, as specified in the Devices->SIP Trunk SBCs->sipXbridge-1 Signaling keep-alive interval setting. This keeps the 5080 firewall port open to receive incoming calls from the ITSP. The Pfsense Diagnostics->Show States command is useful for troubleshooting the firewall states and checking which ports are open.
Sometimes an ITSP has two or more 'edge servers' for redundancy and load-sharing, with each edge server able to issue incoming external calls to Sipxcom (see the following diagram).
The ITSP edge server with IP address 188.8.131.52 is defined in the SIP trunk. The 20-second heartbeat from Sipxbridge keeps the firewall state alive to allow incoming invites from this ITSP edge server. However, a Pfsense NAT->Port Forwarding rule must be defined to allow invites from 184.108.40.206 to be forwarded to Sipxcom. The rule is defined here:
When an ITSP has multiple edge servers that can issue SIP invites to Sipxcom, a Pfsense NAT port forward rule must be defined for every ITSP server beyond the primary server defined in the SIP trunk gateway.
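One way to check that rule against a Pfsense configuration backup, as an added example that is not part of the original document. The XML layout of the sample, the Sipxcom address 192.168.55.10 and the third edge server 198.51.100.7 are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <nat> section of a pfSense config.xml
# backup. The element layout is an assumption; adjust it to your export.
SAMPLE_CONFIG = """<pfsense><nat>
  <rule>
    <source><address>184.108.40.206</address></source>
    <destination><network>wanip</network><port>5080</port></destination>
    <target>192.168.55.10</target><local-port>5080</local-port>
  </rule>
  <rule>
    <source><any/></source>
    <destination><network>wanip</network><port>5080</port></destination>
    <target>192.168.55.10</target><local-port>5080</local-port>
  </rule>
</nat></pfsense>"""

SIP_PORT = "5080"            # sipXbridge signaling port used on this page
PRIMARY = "188.8.131.52"     # edge server defined in the SIP trunk
# Second address is from the page; the third is a constructed placeholder.
EDGE_SERVERS = ["188.8.131.52", "184.108.40.206", "198.51.100.7"]
SIPX_IP = "192.168.55.10"    # constructed sipXcom address in 192.168.55.xx


def audit_forwards(config_xml, primary, edge_servers, sipx_ip):
    """Return (missing, too_broad) for port forwards to sipXbridge.

    missing:   secondary edge servers with no source-restricted forward
    too_broad: indexes of rules that forward SIP_PORT without pinning the
               source to one address
    """
    covered, too_broad = set(), []
    root = ET.fromstring(config_xml)
    for idx, rule in enumerate(root.findall("./nat/rule")):
        if (rule.findtext("destination/port") != SIP_PORT
                or rule.findtext("target") != sipx_ip):
            continue  # not a forward of the trunk port to sipXcom
        src = rule.findtext("source/address")
        if src is None:
            too_broad.append(idx)  # source is "any" or not a single host
        else:
            covered.add(src.strip())
    missing = [ip for ip in edge_servers
               if ip != primary and ip not in covered]
    return missing, too_broad


if __name__ == "__main__":
    print(audit_forwards(SAMPLE_CONFIG, PRIMARY, EDGE_SERVERS, SIPX_IP))
```

A rule whose source is not pinned to a single ITSP address forwards port 5080 from any Internet host, so it is reported separately and not counted as coverage for an edge server.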