Configure pfSense for SIP traffic.

pfSense doesn't ship a SIP ALG by default, but the underlying FreeBSD kernel still has a SIP conntrack helper that misbehaves on some configurations. Two settings need attention.

1. Disable the SIP conntrack helper

  1. Open System → Advanced → Firewall & NAT.
  2. Note the Disable Auto-added VPN rules option; no action is required there, it only marks where you are on the page.
  3. Scroll to Firewall Optimization Options. If a Static port setting is shown here, confirm it is selected; otherwise set static port through outbound NAT (section 2).
  4. If your install loads the FreeBSD libalias SIP module, edit /boot/loader.conf.local and add the following line, then reboot pfSense:
    net.inet.ip.alias.sip.enable=0

2. Static-port outbound NAT for SIP and RTP

Outbound NAT on pfSense randomizes source ports by default. SIP endpoints expect their source port to be preserved (so re-INVITE replies land on the right socket). Force static port for SIP and RTP source ranges:

  1. Open Firewall → NAT → Outbound.
  2. Switch to Hybrid Outbound NAT rule generation if it is not already selected.
  3. Add a new mapping above the auto-generated rules:
    • Interface: WAN
    • Protocol: UDP
    • Source: your LAN subnet
    • Source port: 5060
    • Destination: any
    • Translation: WAN address, Static port: yes
  4. Add a second rule with the same shape for the RTP UDP port range your devices use (commonly 10000-20000).
  5. Save and apply.

3. Raise UDP timeouts so SIP registration survives

pfSense's default UDP state timeouts are aggressive. Single (uni-directional) UDP states time out after 60 seconds, and multiple (bi-directional) UDP states also after 60 seconds. SIP REGISTER intervals are typically 3600 seconds, so the firewall will drop the NAT mapping between registrations unless you raise the timeouts or shorten the REGISTER interval.

  1. Open System → Advanced → Firewall & NAT.
  2. Scroll to Firewall Optimization Options. Switch to Conservative if it is not already selected (this raises the default UDP timeouts).
  3. Open System → Advanced → State Timeouts (you may need to enable Firewall Adv → State Timeouts first).
  4. Set:
    • UDP First: 60
    • UDP Single: 600
    • UDP Multiple: 600
  5. Save and apply.

Alternative: keep pfSense defaults and configure each SIP device to send a NAT keepalive every 30 seconds (OPTIONS ping or REGISTER refresh).

Verify

Place a test call and confirm two-way audio. If the firewall log (Status → System Logs → Firewall) shows "state limit table full", increase Firewall Maximum States under System → Advanced → Firewall & NAT.
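To confirm the three sections above took effect without clicking through the GUI, here is an added example script (not part of this guide) that audits saved pfctl and sysctl output from the pfSense shell. The interface name em0, the 192.168.1.0/24 LAN, the 203.0.113.5 WAN address and the pfctl line layout in the sample files are assumptions; the samples are constructed so the checks can run offline.

```sh
#!/bin/sh
# Added example, not from the original page: audit the three pfSense settings
# above from saved pfctl/sysctl output. On the pfSense shell capture them with:
#   pfctl -st > st.txt; pfctl -sn > nat.txt; sysctl net.inet.ip.alias.sip.enable > sip.txt
# The sample files built below are constructed (assumed layout) so the checks run offline.

# 0 if udp.single and udp.multiple in `pfctl -st` output ($1) are both >= $2 seconds.
udp_timeouts_ok() {
    awk -v min="$2" '
        $1 == "udp.single" || $1 == "udp.multiple" {
            sub(/s$/, "", $2)                       # "600s" -> 600
            seen++; if ($2 + 0 < min) bad++
        }
        END { exit ((seen == 2 && bad == 0) ? 0 : 1) }' "$1"
}

# 0 if `pfctl -sn` output ($1) holds a UDP static-port rule whose source port is $2
# (a single port such as 5060 or a range such as 10000:20000).
static_port_rule_present() {
    grep -E "^nat on .* proto udp .* port (= )?$2 .*static-port" "$1" >/dev/null
}

# 0 if the libalias SIP knob is 0 or absent (module not loaded) in sysctl output ($1).
sip_alias_disabled() {
    ! grep -q 'net\.inet\.ip\.alias\.sip\.enable: *[1-9]' "$1"
}

# Run all checks against one set of captures; returns 0 only if every check passes.
audit() {   # $1 st.txt  $2 nat.txt  $3 sip.txt
    rc=0
    udp_timeouts_ok "$1" 600                    || { echo "FAIL: UDP Single/Multiple below 600s"; rc=1; }
    static_port_rule_present "$2" 5060          || { echo "FAIL: no static-port rule for UDP 5060"; rc=1; }
    static_port_rule_present "$2" 10000:20000   || { echo "FAIL: no static-port rule for RTP range"; rc=1; }
    sip_alias_disabled "$3"                     || { echo "FAIL: net.inet.ip.alias.sip.enable is on"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS: SIP settings look right"
    return "$rc"
}

# ---- constructed samples: a box configured per the steps above, and the defaults ----
SAMPLES=$(mktemp -d)
printf 'udp.first                    60s\nudp.single                  600s\nudp.multiple                600s\n' > "$SAMPLES/st_good.txt"
printf 'udp.first                    60s\nudp.single                   30s\nudp.multiple                 60s\n' > "$SAMPLES/st_default.txt"
cat > "$SAMPLES/nat_good.txt" <<'EOF'
nat on em0 inet proto udp from 192.168.1.0/24 port = 5060 to any -> 203.0.113.5 static-port
nat on em0 inet proto udp from 192.168.1.0/24 port 10000:20000 to any -> 203.0.113.5 static-port
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.5 port 1024:65535
EOF
printf 'net.inet.ip.alias.sip.enable: 0\n' > "$SAMPLES/sip_good.txt"
printf 'net.inet.ip.alias.sip.enable: 1\n' > "$SAMPLES/sip_bad.txt"
audit "$SAMPLES/st_good.txt" "$SAMPLES/nat_good.txt" "$SAMPLES/sip_good.txt"
```

Point audit at your own st.txt, nat.txt and sip.txt captures; a FAIL line names the section to revisit.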