08 Oct Sangoma Zulu 3 and NAT on pfSense firewall
General NAT settings
Where
FreePBX 14
Media Transport Settings
Setting details
General SIP Settings → Media Transport Settings → STUN Server Address
Comment
Without setting a STUN server address the RTP stream would not flow with neither 1:1 nor 1:Many NAT
1:1 NAT (1 to 1 NAT)
Where
pfSense
Firewall
Setting details
Firewall → NAT → 1:1
Firewall → Rules → WAN
Comment
IP become dedicated and cannot be re-used if you are hosting multiple PBXs
1:Many NAT
Where
pfSense
Firewall
Setting details
Firewall → NAT → Outbound
Firewall → Port Forward
The UDP rule is based on the RTP Port Ranges being set as follows on the PBX
Comment
Static port
It looks like media stream on Zulu 3 require a static port setting in order to work correctly. However be aware that there may be security risks associated with this setting:
“By default, pfSense rewrites the source port on all outgoing packets. Many operating systems do a poor job of source port randomization, if they do it at all. This makes IP spoofing easier, and makes it possible to fingerprint hosts behind the firewall from their outbound traffic. Rewriting the source port eliminates these potential (but unlikely) security vulnerabilities. Source port randomization also allows NAT to overload connections properly when multiple local clients need to reach the same remote server IP address and port simultaneously.”
Source: https://docs.netgate.com/pfsense/en/latest/nat/static-port.html
These are some of the settings we made to resolve our no audio connectivity issues with Zulu 3 and pfSense firewall. We hope this helps.
If this isn’t your issue and you still have No/One Way Audio, you can find more help here: https://wiki.freepbx.org/pages/viewpage.action?pageId=110003971
If you would like to hire us for your project or you need help with Zulu or pfSense please contact us.
