PFSense Firewall Settings for VoIP

The default settings for the PF Sense firewall are not compatible OnSIP. This is especially true when you have multiple phones behind one network connecting to multiple VoIP gateways.

Check the PFSense Troubleshooting guide for general VoIP settings here:

If you are using VoIP, you may need settings other than the defaults in some circumstances. The default settings handle the majority of scenarios, but depending on the specifics of your usage, you may need to change configuration settings for things to work. If your VoIP deployment is not working properly, try the following:

  • Disable source port rewriting - by default, pfSense rewrites the source port on all outbound traffic. This is necessary for proper NAT in some circumstances such as having multiple SIP phones behind a single public IP registering to a single external PBX. With a minority of providers, rewriting the source port of RTP can cause one way audio. In that case, you want to use manual outbound NAT and Static Port on all UDP traffic potentially with the exclusion of UDP 5060.
  • Set Conservative state table optimization - pf's default UDP timeouts are too low for some VoIP services. If your phones mostly work, but randomly disconnect, set "Firewall Optimization Options" to Conservative under System -> Advanced. Note this only works on 1.2.3-RC1 and newer as pf itself never increases UDP timeouts, our code changed to do this.
  • Use the siproxd package - for deployments where rewriting the source port breaks the ability to connect because the service will not work with rewritten source ports, the siproxd package enables multiple phones to connect to a single outside server.
  • In very rare circumstances, scrubbing needs to be disabled under System > Advanced.

Pay special attention to increasing the UDP port timeout and the installation of the siproxd package. Start with that, any only make one change at a time until you have both stable phones (they keep registration for at least 3 hours) and on all calls, there is two way audio. It is important to test extension to extension calls in both directions and both placing and receiving inbound calls from the PSTN (Public Switched Telephone Network, e.g. land line phones and cell phones.)


pfsense by default only allows one sip registration to be active at a time on a protected LAN. The siproxd extension allows multiple phones to coexist happily, but it is a little confusing to set up. Here is what works the best from my testing:
Firewall: Rules: WAN = none for SIP or RTP

Firewall: NAT: Port Forward = none

Firewall: NAT: Outbound = Manual Outbound NAT, using default rule with NO Static Port mapping

Reboot the pfsense machine

UPDATE: siproxd is not necessary for multiple sip registrations to work! The above should be adequate.

Install the siproxd package from the System:Package Manager page on the pfsense admin page.

Services: siproxd: Settings = Inbound to LAN, Outbound to WAN, Port to 5060. Expedited Forwarding on.

Reboot the pfsense machine



Download the 2017 Business Phone Guide

Was this article helpful?
0 out of 1 found this helpful