Pfsense and FreePBX RTP Issues

History, I have a SIP hosting provider that I use for my FreePBX setup. Upon original setup I was using an Asus with Merilin software and doing port forwarding and all was well. I decided to go Pfsense and get rid of Asus.

Fast forward I can’t get the audio (RTP) to work with my hosting provider on PFsense. The only way I can get it to work is to open up the source ip for RTP to the entire internet on my WAN Rule and Nat Rule. But when I switch the source back to my SIP provider audio breaks again.

I have done a pftop and provided to my SIP hosting provider to show that its connecting to other IPs tor it to work and was told no one else is having this problem.

So leaves me with 2 questions:

  1. Anyone know a way around this or experienced something similar?
  2. Is my SIP secure having the SIP (5060) only talk to my provider which is working and let RTP just be open?

Rules are as followed:

Working: (192.168.x.x = FreePBX)

Port Forward: Interface (WAN) -> protocol (udp) -> source address () -> source ports () _> Dest Address (WAN address) -> Destination ports (10000:20000) -> Nat IP (192.168.x.x) -> NAT Ports (10000:20000) descritpion Full RTP Test

WAN Rule: Protocol (IPv4 UDP) -> Source () -> port () destination (192.168.x.x) port (10000:20000) -> Que (none) -> description (NAT Full RtP Test)

Freepbx cross post :

I am anal about having something broken and this is making me lose 5 minutes of sleep a day lol, any help again greatly appreciated.


I have my PFSense open the same way. Depending on your VOIP provider you will need to open all the RTP ports and have them forwarded to your PBX server. Normally, only your signaling can be locked down to just the IPs your trunk providers uses. This is due to trunk providers not proxing the voice traffic thru their servers. VOIP works the best when the RTP packets can be sent directly from pbx to pbx. I use Flowroute and I have my RTP ports open and restricted to UDP traffic only, but my SIP signalling to Flowroute is only open to Flowroute’s IP addresses. Hope this helps!


Not sure why your current provider does not, but we have been using Vitelity & VoipMS who both fully support proper NAT without any forwards.

So your saying don’t restrict the RTP just the SIP 5060 right?

I will contact them for prices Tom thanks!

Yes. Restrict port 5060 to only your trunk provider. Open your RTP ports to everyone. There is not much you can do with open RTP ports to a PBX. For me, I open the TLS port to everyone as well do I dont need to VPN into my network to make phone calls. FreePBX firewall is good to protect against unsavory people. Plus they get 3 chances and then that IP address is locked out for a while. The best protection is to have long complex unique passwords for each phone, and limit where you can call with your trunk provider, also set a limit on how much can be spent each day. This will keep from getting a huge phone bill if someone actually got in. Hope all this answers your questions!

Thanks so much Robmil will do that as well :slight_smile: