Poll: pfSense and VOIP

Status
Not open for further replies.
@bcmike ! The inbound-bypass-media switch noted in the other thread appears to have provided a solution (workaround?) for the issue :) I gather from the Freeswitch confluence that this is not an optimal configuration, does this success point to any particular environmental variables that I can address to turn the switch off again?

I've had to set it up on a separate profile though, as it broke the voice for the devices on the same subnet as the PBX.
 
Last edited:
tdcockers said:
Hmm, OK. TCP it is... I would assume that packet sizes are only going to get bigger rather than smaller in the near future.

Haven't had a lot of time the last couple of days to figure out the pfSense quirks, but I did have the chance to put the phone behind a Unifi stack (USG/Switch) and inbound audio traversed that just fine; I guess my option of last resort will be to swap out pfSense for a USG in front of the PBX. Not a great option, I quite like pfSense after fiddling with it for a few years.
Click to expand...
pfSense and FusionPBX usually mix pretty nicely, and pfSense makes for a good prosumer router.

We did rip pfSense out of every customer site 3 years ago, due to the following issues:

- pfSense expects your always available with a keyboard & screen to reconfigure it should a network interface disappear. It will not bring up any network interfaces if something changes (unlike most other router software). This repeatedly bit us :c

- Upgrades failed half the time, meaning we'd have to go out to the customer site and reinstall the pfSense box

- Sometimes, boxes become convinced they have an Intel NIC, demanding firmware for that NIC and taking 4+ hours to boot. Providing the firmware file did not help the boot process, as the box did not have any Intel NICs...

- PHP is run as root, not necessarily the worst, but something to control privilege escalation would ease my mind

- Backup LTE was unreliably working, and the logging for when it went down was inconsistent

A mix of OpenWRTed routers (Archer C7's mostly) and Unifi USGs replaced the pfSense boxes, which eliminated nearly all of our calls about network issues. We've yet to have a device brick while updating, power usage is $20 a month less at each customer site, and I am able to quickly upgrade our clients routers using Unifi & OpenWISP2, making for a safe, PCI-DSS compliant environment for our clients.
 
We've used Ubiquity edge routers with some success. We've found that you have to disable off loading or weird things happen when you start doing high pps. Also some adjustments need to done to the contrack timers if you're doing VoIP.
 
bcmike said:
We've used Ubiquity edge routers with some success. We've found that you have to disable off loading or weird things happen when you start doing high pps. Also some adjustments need to done to the contrack timers if you're doing VoIP.
Click to expand...
The EdgeRouter's lack of (fully fleshed out) remote manageability is a bit of a turn off for me, compared to OpenWISP & Ubiquiti's Unifi suite. Makes debugging issues a fair bit harder :c
 
Last edited:
The bypass media should definitely not be touched, it shouldn't be needed and will certainly cause some problems.
 
  • Like
Reactions: Dan
bcmike said:
We've used Ubiquity edge routers with some success. We've found that you have to disable off loading or weird things happen when you start doing high pps. Also some adjustments need to done to the contrack timers if you're doing VoIP.
Click to expand...
Could you shed some light on the default settings you tweak when using edge routers?
 
Hi these are the settings we usually change:

system / conntrack / modules / sip / disable : Disable SIP connection tracking
system / offload / ipv4 : Settings for IPv4 hardware offload - Forwarding diasable PPPOE disable Vlan disable

Contrack timers may need to be adjusted as needed.
 
bcmike said:
Hi these are the settings we usually change:

system / conntrack / modules / sip / disable : Disable SIP connection tracking
system / offload / ipv4 : Settings for IPv4 hardware offload - Forwarding diasable PPPOE disable Vlan disable

Contrack timers may need to be adjusted as needed.
Click to expand...

i am still new to this and started looking at this specifically because i believe it is related to an issue my customer is having

I ran the following:
set system conntrack modules sip disable

then they started having a BLF issue which made no sense to me at all so then i have to put it back on right away to avoid issues. I am going to repro this today in my lab but this happened to me twice for two diff customers

as for the IPV4 offload I ran a show and got the following

IPSec offload module: not loaded

HWNAT offload module: not loaded

Traffic Analysis :
export : disabled
dpi : disabled
version : 1.564

For the stream and other timeout is there a way to see if this is an issue? should i just set them to 300 or would their be negative side effects to that
 
Status
Not open for further replies.
Top Bottom