Cannot get grandstream Desk phones to work

Dear Forum users,

I am new to free Pbx, I have been trying to set it up for my office which has 4 users. - Its a simple yet easy install and I have managed to get Zoiper Softphone with Iax working no problem. The softphone app MizuDroid with Sip works no problem. the incoming two lines with the VoIP service provider using sip are working with no problem. Ivr is working, I can call the system and the IVr will pick up and direct the calls. The internal Softphone users can call each other with no problems. ( a few fine tweaks are still needed to make it fully functional, but so far all is good)

I have also purchased the System Admin Advanced module and Endpoint Manager to make this entire installation as easy as can be.

However, I have hit a snag with grandstream desk phones. I have been at it for two weeks and I am at wits end. My issue is relating to the IP desk phones that we use in the office. The desk phones are Grandstream Gx-1625.

They will not connect at all. - With the advent of Covid, we are all working out of the office and sometimes in the office. - The Zoiper softphone app works great on iax protocol. So that’s not the issue. The issue is when we go into the office and we cannot use the desk phones as I cannot get it to connect. They do not support IAX. Only sip and Vpn connections which I figured I can enable,

My configuration is as follows:
Freepbx running in a Virtual container on our server in Datacentre - Assigned public ip (41.x.x.x) and with an internal nated ip of 192.168.2.154 - we control the Firewall running Openwrt which sits between the Metal server and the internet. - All the clients/users remote in from their own internet connections which are all Dnat or behind some sort of firewall and have. None of the clients have fixed Ipaddress including our office connection. Ip are Dynamically assigned.

Client ====> ISP (Mobile/Fibre) =====>Internet ===> OpenWrt Firewall ===> FreePbx
Clients are assigned Ip address by providers, OpenWrt has Fixed the assigned IP addresses, Freepbx has natted Ipaddress. I have added port forwarding on the PBX Firewall and Opened necessary ports including Ports on the office firewall. I have also moved the ports to higher ports range in order to secure the server on the public domain. In other words, I have moved ports to the following:
Chan_sip to Tcp/Udp port 50600
TLS Chan_sip to port 50611
Chan_pjsip to to port 51600
TLS Chan_pjsip to port 51611
Iax is still on port 4569
Rtp ports opened range 10000 to 10160.

All the phones are able to register and get a confirmed registration - however, I get no audio or sometimes only one-way audio when connecting.

Please can someone explain to me how I can use SIP or someway of automating the provisioning of the office desk phone devices so that when a user is connected or attempts to connect their phone is provisioned with the correct settings, its exhausting and challenging to get grand stream phones to work with SIP and manual configurations ?.

I am hitting a brick wall with sip configurations on the desk phones and thus any help and advice will be appreciated.

Regards

By default Asterisk uses RTP ports 10000-20000. I would recommend forwarding those ports in your firewall as this could be the reason why you sometimes have no audio.

Let me start with I am a noob myself. Although I have 40 years in telcom (traditional PBX systems), I have been setting up VoIP (freepbx) for only about 3 years and only know the components I use on a regular basis and still learning every day. All of my PBX’s run distro FreePBX with no modification outside of features setup in the GUI.

I use almost exclusively greandstream devices myself with remote phones (i.e. PBX is hosted->firewall->internet->my-firewall->phone). You don’t indicate if you are using pjsip or chan_sip (or sip) on the problematic devices. From the symptom’s it sound to me like you are using chan_sip and you did not turn on NAT in the advanced tab for the extension. I have had this problem myself many times. Under advanced tab change the NAT Mode option to YES (Forced) and that will likely fix your audio issue (especially if its the audio only works one way), another symptom is phones that register and after a while appear to stop communicating (in EPM) after a minute or two (maybe longer depending on your registration timeout) and otherwise show up as “unreachable”.

I know as we move forward the goal is to move toward pjsip (the new standard) and I hear that in 16 sip is off by default but I have had nothing but trouble with pjsip and specifically lack of “NAT” option and certain ISP carriers with ALG (assuming using the default ports). An initial test using non-standard ports didnt have this issue so I am moving that way anyway.

The new intrusion detection is much better but unless you have “responsive firewall” enabled you will have to specifically add your remote phones public IP to the whitelist in “connectivity->firewall->networks”. Many of my client phones were behind dynamic IP ISP connections so I had to enable “connectivity->firewall->responsive firewall”. This presents a certain amount of risk so I have my intrusion detection set ridiculously short for detection and lock out IP’s for ridiculously long period (i.e.sysadmin->intrusion detection->intrusion detection". Failed login 2 tries in 5 minutes will basically lock out forever. My ban list is really really long. My static IP users are in the whitelist and occasionally (1-2 times a year) get banned (I say this is a bug since they are ON THE WHITELIST and trusted in “networks”!). I opened a bug report and the response was “this was fixed in a future release” and although it happens a lot less these days, still happens occasionally. (notably after module updates and a reboot so I update at night and remove the ban after a few minutes)

I saw a suggestion on forwarding ports. I wanted to note that except in the case of clients using a sonic wall firewall, I have never had to forward any ports to get remote phones working. My clients with sonicwall firewalls all had to set the IP of my PBX as trusted (with fairly large port blocks) before it would work reliably. I have many customers setup with netgear and cisco without any special configs or issues. Customers with call issues are almost exclusively sonicwall clients. The netgear and cisco are using standard (automatic) “nat translation” rules without issue.

nat= is really two different options for working round peers with broken NAT. The yes and no options that set both of them together have been deprecated since around Asterisk 1.6 or 1.8. Both exist in chan_pjsip, as first class options, rather than sub-options, although the name for comedia equivalent is slightly plainer English, so you need to read the documentation.

There are also options corresponding to the real NAT settings (for public signalling and media addresses) and a workaround one for bad incoming contact addresses.

?? Didn’t follow this. If you are implying there are nat settings in the pjsip I couldnt find them in the GUI (I have found options in base edit for the templates on my phone). I dont know anything about what happens behind the scenes but I know on chan_sip for every version of FreePBX I have used back to 13, setting the NAT under advanced to “YES FORCED” has solved my audio issue (and unreachable issue). If there is a setting under PJSIP I would appreciate indicating exactly where that may be.

Specifically, any time I have a Verizon FiOS client running a specific brand of Verizon router (they have 2, one works, one doesn’t) I am unable to use PJSIP on the default ports. This typically is only an issue for Verizon FiOS 1Gbps subscribers. To the contrary, as a Verizon wholesale provider, I have Verizon FTTi ONT’s that connect to routers I supply and have never had an issue even at the 1Gbps service (but this config doesn’t support TV).

(off topic) I have also had issues with comcast (cable modem) customers where everything works fine for months and then all of a sudden no matter what I do one of the phones will not work on that network. I install a new phone and its fine, move the old phone to any other customer (different network) and its fine. Almost like the MAC of the phone is stuck in some cache on the router. Tried everything, finally I just give up and install a new phone and recycle the old one into my inventory. Has happened several times now in the last 2 years.

THANKS. I never associated the rport to NAT directly, just missed it. Scanned the page looking for NAT.

Yes, I checked and my pjsip’s were set to yes but still didn’t help. Maybe the ISP is blocking the pjsip ports and not the sip ports? Like I said, when I did a quick test using non-standard pjsip ports I was able to get a pjsip phone on a Verizon 1G FiOS to work but I didn’t have it setup for very long and do any real testing. I am hoping the port change is the fix because I was already looking to get off the standard ports to reduce the hacking attempts as well. Win-win.

Hi NortelVoip

I have Finally go the grandstream phone to work partially - forwarded the ports, did a *60 speaking clock test and it worked now *43 for the echo test, but I have no outgoing mic audio from the handset to the FREEPBX server.

Hi David

thank you for the reply.

I am using Chan_PJSIP , - I have managed to get the phones to register and I can hear incoming audio, but my voice (outgoing audio is not working ) - when I run the echo test, I cannot hear my voice. I think its got to do with the fact that the outgoing messages from the client device is not routing correctly.

to me that definitely sounds like a NAT issue. You can try chan_sip just to be sure (under advanced click "switch to Chan_sip), save the changes, then go back into advanced and find NAT change to YES (FORCED), then in EPM, delete the extension and re-add it. On the phone you will need to reprovision so that it switches to the correct port numbers. Personally with the grandstream it seems like it works better if you factory reset, enter the PBX IP again and click provision. Also, what version firmware is the phone running? I have found 1.0.11.10 to be the most stable with freepbx 14/15. Havent tried 16 yet. If you have firmware updates enabled and pick the latest version in EPM I find the phone will reboot and attempt to update and after a really long time (like over an hour) may or may not ever finish the firmware update so I always do it directly on the phone and turn off firmware management in EPM for the extension.

Just my personal experience with FreePBXand Grandstream. FYI, PJSIP is the goal. Chan_sip is just a test to see if you are hitting the same issue I did (spent many hours diagnosing). If it works then you know its definitely a pjsip thing. I try to be as specific as possible, I hate when people say “oh just change the flux capacitor setting to 3” then I spend a whole day to locate the setting 5 menus deep on some random screen :slight_smile:

If that works then your issue is the same that I have with pjsip which I have not been able to get working unless I change the default port numbers for pjsip (has to do with something the ISP is doing).

What firewall is at your phone location
what firmware version is on the phone (click center button->status->system info scroll down to PROG.
What version of PBX

edit: Just noticed you are already on non-standard ports… Just a random suggestion, try lower port numbers (like change to 6000 range instead of 5000 range as a test. Doesnt make sense but I also had issues when I added a digit to the end and was trying ports in the 50k range on my non-standard port tests.

It will not work on Chan_sip. Call drops and dont get any traffic, I have now gone on to the default ports and trying to get it to work with the legacy ports. This must be the most complicated IT thing I have ever tried to do myself.
I think the routers on both sides are preventing the UDP packets.
I am using the OPENWRT Firewall on both routers, at my client side and at the server side.
I am using phone GXP-1625 with Firmware 1.0.4.99
PBX is 15.0.17.64

So Now I am on regluar standard ports and absolutely no audio.
AA.AA.AA.AA = myclient IP ( Fixed IP = side of the WAN port at the client) = > NAT => Phone =>192.168.1.28
ZZ.ZZ.ZZ.ZZ = myserver IP (Fixed IP = Side of the WAN port at the Server) => NAT => Server +>192.168.2.154

I have attached a Log above. I am at wits end with this.