SIP telephony behind a pfSense firewall

Background:
When we got the fibre connection, I decided to use Bahnhof as our service provider. They enable a SIP phone connection at no extra cost, but they don’t support using third-party SIP boxes; you have to use their combined router/wifi AP/SIP converter (a box by Tilgin), which they manage for you.
Naturally, since I’m tinkering a bit, using a third-party router I can’t manage in front of my network would be unacceptable. The next best thing, then, is to put the Tilgin router behind the pfSense box and use it only for SIP.

Setup:
Bahnhof demands opening the following ports for SIP telephony to work:
69 UDP (TFTP)
5060–5080 TCP and UDP
9000–14000 UDP
50000–60000 UDP

I set up a DHCP reservation for the Tilgin box, gave it an alias in pfSense, and NATed the ports specified above to it.
Second, I connected the WAN port of the Tilgin box to my network, and saw that it started up fine, and I could both call out and receive calls using a phone connected to the router. All fine, right?
Not quite. After a few hours, incoming calls stopped working. A couple of minutes with my search engine provided the following page: https://www.netgate.com/docs/pfsense/nat/configuring-nat-for-voip-phones.html.
The required fix was the first one suggested: enabling hybrid outbound NAT with a static-port rule for UDP traffic from the Tilgin box.
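For reference, here is the setup above written out as pf.conf rules. This is an added example, not the author's configuration or anything pfSense generated; pfSense builds its rules from the GUI, so this only shows what the port forwards and the hybrid outbound NAT rule amount to underneath. The interface names and the 192.168.1.10 reservation address are assumptions. The reason static port matters: by default pfSense rewrites the source port of every outbound connection, so the SIP registrar learns a source port that only exists while the NAT state is alive; once that state times out, the registrar keeps sending INVITEs to a port nothing listens on, which is the "incoming calls stopped after a few hours" symptom.

```pf
# Added example of the pfSense SIP setup as pf.conf rules (not the page's own config).
# Interface names and the Tilgin address below are assumptions.
ext_if = "igb0"            # assumed WAN interface
lan_if = "igb1"            # assumed LAN interface
tilgin = "192.168.1.10"    # assumed DHCP reservation for the Tilgin box

# Outbound NAT ("hybrid": one manual rule in front of the automatic one).
# pf takes the first matching nat rule, so the static-port rule must come
# first. It is scoped to UDP from the Tilgin box only; everything else on
# the LAN keeps source-port randomisation.
nat on $ext_if proto udp from $tilgin to any -> ($ext_if) static-port
nat on $ext_if from $lan_if:network to any -> ($ext_if)

# Port forwards (pfSense "NAT > Port Forward"). No target port is given,
# so pf keeps the original destination port on the way to the Tilgin box.
rdr on $ext_if proto udp from any to ($ext_if) port 69 -> $tilgin
rdr on $ext_if proto { tcp udp } from any to ($ext_if) port 5060:5080 -> $tilgin
rdr on $ext_if proto udp from any to ($ext_if) port 9000:14000 -> $tilgin
rdr on $ext_if proto udp from any to ($ext_if) port 50000:60000 -> $tilgin

# Filter rules letting the forwarded traffic in (pfSense adds these with
# each port forward when "Filter rule association" is left at its default).
pass in quick on $ext_if proto udp from any to $tilgin port 69
pass in quick on $ext_if proto { tcp udp } from any to $tilgin port 5060:5080
pass in quick on $ext_if proto udp from any to $tilgin port 9000:14000
pass in quick on $ext_if proto udp from any to $tilgin port 50000:60000
```

To check that the static-port rule is doing its job, look at the state table with `pfctl -s state | grep 192.168.1.10`: the UDP 5060 entries should show the same port before and after translation (the translated address appears in parentheses). Two caveats a practitioner would want: the ranges 9000–14000 and 50000–60000 are open to the whole Internet and land on a vendor-managed box, so if Bahnhof publishes the addresses of its SIP proxies and media gateways, replace `from any` with those (the page does not list them, so they are left open here); and keep the static-port rule limited to the Tilgin box, since applying it to the whole LAN gives up source-port randomisation for every host.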

Two steps forward and one step back

I’m happy to report that oxcrag.net has been upgraded from a crappy ADSL line to a fibre-based connection, which has improved uplink speed for the server tremendously.

Unfortunately, it looks as though newer technology doesn’t always imply that everything gets better: unlike what the representative for the fibre project stated, there’s no sign of IPv6 on this network with my chosen provider, Bahnhof. Indeed, a mail to their support was answered with the short statement that they do not currently have an agreement with Telia – the network owner – for IPv6 over the current service solution “Öppen Fiber”. If I wanted to pay Telia’s exorbitant fees, I could probably keep using their 6rd tunnel, but I don’t see the point in haggling or ISP-hopping. On the other hand, IPv6 tunnel services from other providers break geographically limited content like Netflix. What I think of that practice is probably subject to a rant by itself, but suffice it to say that Netflix thinks I’m a pirate when I use the Swedish gateway of Hurricane Electric’s IPv6 tunneling service.

Long story short, what’s called “Telia Öppen Fiber” in Sweden is only “open” in a very Orwellian sense, and so I’ve lost the convenience of IPv6 addressing for my machines – at least for the foreseeable future.

Closed is open. Worse is better. Old is new.