Sangoma Zulu 3 and NAT on pfSense firewall

Zulu NoAudio

Sangoma Zulu 3 and NAT on pfSense firewall

General NAT settings

Where

FreePBX 14
Media Transport Settings

Setting details

General SIP Settings → Media Transport Settings → STUN Server Address

Comment

Without setting a STUN server address the RTP stream would not flow with neither 1:1 nor 1:Many NAT

1:1 NAT (1 to 1 NAT)

Where

pfSense
Firewall

Setting details

Firewall → NAT → 1:1

Firewall → Rules → WAN

Comment

IP become dedicated and cannot be re-used if you are hosting multiple PBXs

1:Many NAT

Where

pfSense
Firewall

Setting details

Firewall → NAT → Outbound

Firewall → Port Forward

The UDP rule is based on the RTP Port Ranges being set as follows on the PBX

Comment

Static port

It looks like media stream on Zulu 3 require a static port setting in order to work correctly. However be aware that there may be security risks associated with this setting:

“By default, pfSense rewrites the source port on all outgoing packets. Many operating systems do a poor job of source port randomization, if they do it at all. This makes IP spoofing easier, and makes it possible to fingerprint hosts behind the firewall from their outbound traffic. Rewriting the source port eliminates these potential (but unlikely) security vulnerabilities. Source port randomization also allows NAT to overload connections properly when multiple local clients need to reach the same remote server IP address and port simultaneously.”
Source: https://docs.netgate.com/pfsense/en/latest/nat/static-port.html

These are some of the settings we made to resolve our no audio connectivity issues with Zulu 3 and pfSense firewall. We hope this helps.
If this isn’t your issue and you still have No/One Way Audio, you can find more help here: https://wiki.freepbx.org/pages/viewpage.action?pageId=110003971

If you would like to hire us for your project or you need help with Zulu or pfSense please contact us.

Need help with pfSense and FreePBX? Contact Us