I have a Netgate SG-2100 with my incoming WAN connection directly connected and my public IP assigned directly to its WAN interface. I have each of its 4 ports configured for their own dedicated VLAN, including port 4, which is my VoIP VLAN.
However, I hook up my Polycom phone to it and I am not receiving a DHCP address, nor is it syncing time with NTP. I tried configuring the phone to have a static IP, but it still does not get NTP, nor is it connecting to any SIP lines (I have a cloud-hosted FreePBX server it’s supposed to connect to), nor can I access its web interface from my computer (on port 1, my trusted VLAN). It worked flawlessly before setting up the SG2100 on my ISP router.
I have no floating rules. Here’s a screenshot of my VoIP VLAN rules.
DHCP is the least of my problems. I gave it a static IP for now. The fact that it is not connecting to NTP or my PBX or that I cannot connect to the web admin is the real issue and presumably would be firewall related.
Given that your device isn’t getting DHCP, I suspect that you didn’t configure the switch ports correctly. Statically assigning an IP wouldn’t yield results because of this.
Check that you have configured the switch ports / VLANs correctly as per the video posted above.
Have you configured the VoIP VLAN (port 4) to have a DHCP server? If so, if I read your firewall rules, you are not allowing DHCP to the firewall.
As a test, you could always modify the last rule and remove PBX as the destination. This will open up everything on the VoIP LAN to check everything is working.
Reconsider your top rule, it doesn’t make any sense. You could move it to the TRUSTED_LAN interface with two aliases PhoneAdminHosts & Phones as Source & Destination for example.
Generally, these rules are being applied on the input side from the firewall’s point of view. There can be exceptions, such as with floating rules, but keep things simple for now. Have a read through these docs.
On which vlan is your PBX? If it’s also in VOIP_LAN your last rule Allow traffic to PBX is also ineffective here. If it is in another VLAN you’re fine.
Make sure the DHCP server is configured and enabled on the VOIP_LAN interface. You don’t need any DHCP specific rules, pfSense handles that.
It makes perfect sense. Any device on my trusted lan (ie my computer) can connect into the voip lan, to access the phone’s web management interface.
As mentioned the PBX is cloud (internet) based so it needs a rule to allow it. I mean the current configuration is unnecessary because all internet traffic is being allowed but that’s more just a temp rule to resolve the problem I was having. The goal is to be as restrictive as possible.
DHCP is working now. I assume it was due to the block rule that is currently disabled, which was intended to block any connections to pfSense other than what was explicitly allowed, again to be as restrictive as possible.
The remaining problem is figuring out what rule changes are needed to only specifically allow the minimum needed, so that I can re-enable the restriction on unneeded services on pfSense and remove the allow-all internet traffic rule.
Then move it to the TRUSTED_LAN interface and change the source and destination to their relevant nets, not addresses:
Source: TRUSTED_LAN address to TRUSTED_LAN net
Destination: VOIP_LAN address to VOIP_LAN net
Although you likely don’t need it at all, if your TRUSTED_LAN has an Allow All rule.
Well then you need that rule, I’ll rephrase: If it is in another VLAN or the cloud you’re fine.
I think you’re right about the block rule interfering with DHCP on that interface. But remember that pfSense will deny by default. So you don’t need that block rule. Just create the allow rules you require.
You can then also drop or disable that unlabeled Allow All rule and your hosts on the VOIP_LAN will then only be allowed to the specified rules, including a “hidden” pfSense one for DHCP.
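The point the replies above make (rules are evaluated on the interface where traffic enters, top-down, first match wins, and anything unmatched is denied by pfSense) can be checked against the two VOIP_LAN rulesets discussed. The following is an added example written for this thread, not code from the poster or from pfSense: a small first-match evaluator with constructed addresses; the NTP-to-firewall port and the SIP port 5060 for the PBX alias are assumptions, since the thread does not state them.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "udp", "tcp" or "any"
    dst: str               # "self" (the firewall itself), an alias name, or "any"
    dport: Optional[int]   # None matches any destination port
    label: str

# Constructed addresses (documentation ranges), not the poster's real ones.
FIREWALL_SELF = {"192.0.2.1"}          # pfSense address on VOIP_LAN
ALIASES = {"PBX": {"198.51.100.10"}}   # cloud-hosted FreePBX (alias name "PBX" assumed)

def matches(rule: Rule, proto: str, dst_ip: str, dport: int) -> bool:
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    if rule.dst == "any":
        return True
    if rule.dst == "self":
        return dst_ip in FIREWALL_SELF
    return dst_ip in ALIASES[rule.dst]

def evaluate(rules, proto: str, dst_ip: str, dport: int):
    """pfSense-style first match on the inbound interface; no match means deny."""
    for rule in rules:
        if matches(rule, proto, dst_ip, dport):
            return rule.action, rule.label
    return "block", "default deny"

# The VOIP_LAN ruleset as described in the thread: an explicit block to the
# firewall placed above the allow rules, plus the temporary allow-all rule.
BROKEN = [
    Rule("block", "any", "self", None, "block everything to This Firewall"),
    Rule("pass", "any", "any", None, "temporary allow all"),
    Rule("pass", "udp", "PBX", 5060, "Allow traffic to PBX"),
]

# Minimal ruleset: no block rule (default deny covers it) and no allow-all.
# Assumed ports: NTP (UDP 123) to pfSense's own NTP service, SIP on UDP 5060.
MINIMAL = [
    Rule("pass", "udp", "self", 123, "phones -> firewall NTP"),
    Rule("pass", "udp", "PBX", 5060, "Allow traffic to PBX"),
]
```

With BROKEN, the block rule at the top wins for NTP to the firewall even though traffic is allowed further down, and the allow-all rule shadows the PBX rule; with MINIMAL, only NTP and SIP to the PBX pass and anything else from the phones falls through to the default deny.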