So I've been a pfSense user for about 2 years. I'm in the process of moving, so I bought a little RouterBoard (RB951G-2HnD) and it seems to work pretty well. Unfortunately I was thrown in the fire without my firesuit (ordered from Amazon). Now I'm trying to get this working well enough to use my SIP phone so I can at least get work done, then I'm going to go back and read up on this in more detail and try to become the pro I want to be. It's a fun router to use, but it's confusing if you don't know what you are jumping into.
So here's what I'm trying to do so I can at least use this enough that I won't lose my job while trying to figure this new toy out.
I have a Cisco 7960 SIP phone. I connect to work via their external IP (w.o.r.k). I also have my external home IP (h.o.m.e). On pfSense I plug it in and "it just works". I didn't have to do any port forwarding or anything that I can remember, and a little Google searching seems to confirm this. I did add a rule to forward all ports from w.o.r.k to my phone's IP because I just don't trust the admin not to change a setting someday that might break things. I need my phone to work virtually 100% of the time. So here I am at my "second home" with this RouterBoard, and I can make outgoing calls, but incoming calls go straight to my voicemail. I figured this out when I missed several meetings because people didn't call me after I emailed them and told them to call me back. Whoops!
So what I was trying to do was take all traffic that arrives from w.o.r.k to h.o.m.e and forward it to my internal phone's IP. I set it statically to 192.168.88.2. I went through the phone and all the settings seem to be set right. I even connected the phone directly to the internet and it works properly. So I'm 99% sure my problem is a firewall rule or NAT translation that I need to fix. I've done about 3 hours' worth of Googling and I see examples of how to forward specific ports and specific protocols, but I want to forward by incoming IP. I'm trying to do it this way because, based on what I've been told by my Asterisk server admin (they are learning this trial-by-fire too), the Asterisk server needs to be able to ping my phone and talk on various ports. Obviously port 5060 is the most important, but I figure if I forward all ports and all protocols from IP w.o.r.k then I should be covered.
So under Firewall / NAT I added the following:
<bunch of stuff>
add action=dst-nat chain=dstnat dst-address=w.o.r.k to-address=192.168.88.2
Now, based on what I'm reading, the RouterBoard responds to pings normally via... some rule. I want to block all pings from all external IPs by default (for security reasons; no need to let people KNOW for certain that a device is attached at that IP), then I want pings from w.o.r.k to go through and be forwarded to the phone (I figure this should be included in the NAT forwarding rule, so no additional work should be necessary). Unfortunately, in my testing I've learned that even if I disable the default firewall filter rule 0, pings still get replied to. I tried to forward the pings to my phone's internal IP, but pings from the internet still get answered when the phone is unplugged (wth!?). Then I disabled the rule completely, and pings still kept responding (wth!?).
So am I just crazy or what am I doing wrong?
Right now I've somehow really fubared this stuff and my phone can't make any calls, outgoing or incoming. So I'm about to wipe out my added rules because I clearly am not making the situation any better.
Thanks for any help or ideas you can provide.
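The rules below are an added example for the setup described in the post; they are not the poster's configuration and not something MikroTik ships. They assume RouterOS 6 on the RB951G with the default WAN interface name ether1-gateway, the placeholders w.o.r.k and h.o.m.e standing in for the two real public addresses, the phone statically at 192.168.88.2, and the default masquerade rule left in place. The NAT rule matches the PBX by its source address and the router's own public address as destination (rather than by dst-address=w.o.r.k), hands every protocol and port over to the phone, and the filter rules make the router itself stop answering echo requests from anyone other than the PBX.

```routeros
# Added example, not the poster's rules. Assumptions: RouterOS 6, WAN = ether1-gateway,
# w.o.r.k / h.o.m.e are placeholders for the real public IPs, phone = 192.168.88.2.

/ip firewall nat
# Match packets that come FROM the PBX and are addressed TO this router's public IP,
# then rewrite the destination to the phone. No protocol/port is given, so TCP, UDP
# and ICMP (the PBX's ping) are all redirected. "to-addresses" is the full parameter name.
add chain=dstnat action=dst-nat in-interface=ether1-gateway src-address=w.o.r.k \
    dst-address=h.o.m.e to-addresses=192.168.88.2 comment="work PBX -> SIP phone (all ports)"

/ip firewall filter
# The default RouterOS 6 forward chain drops new connections from the WAN unless they were
# dst-nat'ed; this rule accepts exactly the redirected PBX traffic and nothing else.
add chain=forward action=accept in-interface=ether1-gateway src-address=w.o.r.k \
    connection-nat-state=dstnat comment="allow redirected PBX traffic to the phone"

# Pings from the PBX never reach the input chain (the NAT rule above forwards them to the
# phone), so the router only has to stop answering echo-request (ICMP type 8, code 0) from
# everyone else. This must sit ABOVE the stock "accept icmp" input rule to take effect.
add chain=input action=drop in-interface=ether1-gateway protocol=icmp icmp-options=8:0 \
    comment="router does not answer pings from the Internet"
move [find comment="router does not answer pings from the Internet"] 0
```

To confirm the rules are actually being hit, `/ip firewall nat print stats` and `/ip firewall filter print stats` show per-rule packet and byte counters; the dst-nat counter should climb when the PBX sends an INVITE or a ping, and the input drop counter should climb for an echo request from any other address while the phone is plugged in or not. One further check that is not in the post but is a common step for SIP behind a MikroTik: the built-in SIP helper (`/ip firewall service-port print`, entry `sip`) rewrites SIP headers and can break registrations or one-way audio; if incoming calls still go to voicemail with the rules above in place, disabling it with `/ip firewall service-port set sip disabled=yes` is a reasonable next thing to test.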