CGNAT Starlink & FlowRoute RTP Issues

Hello all,

I have been beating my head against the wall on this one for a number of days now. I have recently moved onto Starlink for my ISP and as a result I am behind Carrier Grade NAT, which means no public IP and no forwarding option for RTP streams. I am trying to find a solution to allow my FlowRoute trunk audio to pass in this situation.

Currently FreePBX seems to place my Starlink IP as the address, and as such the traffic just ends up being blocked. Calls outbound and inbound go through, and I can see the link data show up in the Asterisk server and in the logs on FreePBX; it’s just the RTP stream and all the audio that is missing. No audio in either direction right now. I would post a pastebin with the logs but I guess I can’t add links as a new user…

Current PBX Version:
16.0.26
Asterisk 19

Here is what I have tried so far:
Internal network settings are configured to allow RTP traffic to forward to my pbx (not that this matters much with CGNAT). I have also disabled the SIP ALG and H323 ALG in my UNIFI network.

I tested using OpenRelay as a media TURN & STUN server, but these settings haven’t changed the RTP routing at all. Call connection continues to use the Starlink IP. Perhaps I missed something?

I have tried Cloudflare tunnels to put a FQDN on my PBX, but as it just resolves to a Cloudflare IP and doesn’t carry any special header to route to me, I get the same issue as I have on Starlink.

I opened a ticket with FlowRoute, but they weren’t much help other than letting me know I was pointing at the wrong IP and needed NAT settings.

FlowRoute does not offer IAX trunks, but I am wondering if that is the route I should take, or is there an easy way to set up a relay server for the RTP traffic? I have looked into doing a VPS with pfSense and WireGuard as well as a commercial VPN with public static IP… Not sure which path to take.

What is the best way to get the audio stream, and are there any guides or tips for the configuration? I have been scouring the web and cannot find anything that matches exactly what I am trying to do.

Any help will be greatly appreciated!!!

One idea would be to run your FreePBX server on a VPS.

Your phones on the Starlink connection should work because Asterisk will handle the NAT situation with symmetric RTP. It will send RTP back to your phone over the same path opened by the phone sending RTP to Asterisk.

You might need to register your phones to FreePBX using TCP or TLS, which will keep a socket connected for SIP.
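A simplified model of the symmetric RTP behaviour described in the reply above, added here as an example; it is not part of the thread and not Asterisk's code. The class, its field names and all addresses are constructed for illustration, and the `strict` flag models a server that drops RTP from any source other than the one it latched onto.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Addr = Tuple[str, int]  # (ip, udp_port)

@dataclass
class MediaLeg:
    """Simplified model of one RTP leg on a publicly reachable server."""
    sdp_addr: Addr                  # address the peer advertised in its SDP
    symmetric: bool = True          # reply to the observed source, not the SDP address
    strict: bool = True             # once latched, drop RTP from any other source
    latched: Optional[Addr] = None  # source of the accepted inbound stream

    def receive(self, src: Addr) -> bool:
        """Handle one inbound RTP packet; return True if it is accepted."""
        if self.latched is None or src == self.latched:
            self.latched = src      # the first packet opens the return path
            return True
        if self.strict:
            return False            # stray source: dropped, target unchanged
        self.latched = src          # non-strict: the stream follows the new source
        return True

    def send_target(self) -> Addr:
        """Destination for outbound RTP on this leg."""
        if self.symmetric and self.latched is not None:
            return self.latched
        return self.sdp_addr

def demo():
    """Walk one call through the model; all addresses are constructed samples."""
    phone_sdp = ("192.168.1.50", 10010)  # private address the phone put in SDP
    nat_map = ("203.0.113.7", 41822)     # public mapping created by the CGNAT
    stray = ("198.51.100.9", 5004)       # unrelated host sending to the same port

    leg = MediaLeg(sdp_addr=phone_sdp)
    before = leg.send_target()           # nothing heard yet: unroutable SDP address
    leg.receive(nat_map)
    after = leg.send_target()            # now the path the phone opened
    stray_accepted = leg.receive(stray)

    loose = MediaLeg(sdp_addr=phone_sdp, strict=False)
    loose.receive(nat_map)
    loose.receive(stray)
    return before, after, stray_accepted, leg.send_target(), loose.send_target()

if __name__ == "__main__":
    print(demo())
```

With `strict` off, the last value returned is the stray host's address: the outbound stream has been redirected by a packet from a source that was never part of the call.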

Unfortunately I am trying to keep the actual PBX on my local network since it has connections into a Home Assistant deployment and I will at some point be adding a SIP to analog adapter for some other systems I want to integrate.

As is often the way with IT issues, within 1 hour of finally posting this I have arrived at a working solution!!!

For anyone else out there going through this here is a rundown:

Asterisk SIP Settings > General:
Allow Anonymous, Allow SIP guest = No
NAT Settings: leave external address blank, fill in all local networks
RTP settings start 10000 end 20000
RTP checksums Yes
Strict RTP: NO

Media Transport Settings & WebRTC Settings:
STUN server: BLANK
Server Address: turn:openrelay.metered.ca:80
TURN UN: openrelayproject
TURN PW: openrelayproject

CHAN_PJSIP Settings:
Allow Transport reload: No
UDP = ALL yes
UDP Listen on 5060

Under Connectivity > Trunks: Set up the FlowRoute trunk as their documentation dictates…
Under advanced:
Match (permit) = 147.75.60.160/28,34.210.91.112/28,147.75.65.192/28,34.226.36.32/28,34.210.91.112/28, 34.210.91.112/28,34.210.91.127/28
Support Path = YES
RTP Symmetric = YES
FORCE Rport = Yes

Feel free to message me or contact me if anyone else is going through this issue!
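With anonymous and guest SIP disabled, the Match (permit) list in the post above is what decides which sources are treated as the trunk, so it is worth normalising. The following check is an added example, not part of the thread or of FreePBX; the function name is hypothetical and the input is the list exactly as posted.

```python
import ipaddress

# Match (permit) value exactly as posted in the thread above.
POSTED = ("147.75.60.160/28,34.210.91.112/28,147.75.65.192/28,34.226.36.32/28,"
          "34.210.91.112/28, 34.210.91.112/28,34.210.91.127/28")

def audit_permit(value):
    """Return (networks, findings) for a comma-separated IPv4 permit list.

    networks: the distinct CIDR ranges the list actually covers, as strings.
    findings: (position, entry, problem) tuples, positions counted from 1.
    """
    first_seen, findings = {}, []
    for pos, raw in enumerate(value.split(","), start=1):
        entry = raw.strip()
        try:
            iface = ipaddress.IPv4Interface(entry)
        except ValueError as exc:
            findings.append((pos, entry, f"not a valid IPv4 CIDR: {exc}"))
            continue
        net = iface.network
        if raw != entry:
            findings.append((pos, entry, "surrounding whitespace"))
        if iface.ip != net.network_address:
            findings.append((pos, entry, f"host bits set; range is {net}"))
        if net in first_seen:
            findings.append((pos, entry, f"same range as entry {first_seen[net]}"))
        else:
            first_seen[net] = pos
    networks = [str(n) for n in ipaddress.collapse_addresses(first_seen)]
    return networks, findings

if __name__ == "__main__":
    nets, problems = audit_permit(POSTED)
    print(",".join(nets))
    for p in problems:
        print(p)
```

The seven posted entries reduce to four distinct /28 ranges. The script checks only the list's internal consistency; whether those ranges are FlowRoute's current ones has to come from their documentation.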

I forgot to mention, under extension there were a few settings:
Enable ICE Support = YES
RTP Symmetric = YES
Rewrite Contact = YES
Force rport = YES
Direct Media = YES
Allow Non-Encrypted Media (Opportunistic SRTP) = NO
Refer Blind Progress = YES

I am having the same issues with my Asterisk and Starlink. I have duplicated your settings above, but still have one-way audio on incoming calls.

I suspect I have something wrong in NAT settings under SIP Legacy Settings. I currently have NAT set to YES and IP Configuration set to Static IP. Is this correct?

Thanks.

Possibly; the OP originally had no audio at all. Are you also using FlowRoute? Which side can’t hear?

I believe that these settings only affect chan_sip behavior. Since there is likely no reason for you to be using chan_sip, just leave them at defaults.

If you have only VoIP trunks on your PBX, I strongly recommend running it in the cloud, as noted by @billsimon. Things that are difficult-to-impossible when behind CGNAT include remote extensions, trunks using IP authentication, and remote management (both SSH and GUI). You’ll also gain the usual advantages of cloud PBX: When your power or internet is out, the system continues to function, sending calls to mobile phones or SIP apps. If the hardware fails, the cloud provider takes care of it. If the software fails, you can easily restore from a snapshot or backup.

OTOH, if you have local trunks (POTS, cellular gateway, etc.), your PBX should be on site. Instead of FlowRoute, I would try trunking providers who should be CGNAT friendly. Examples: VoIP.ms offers IAX2 trunks; Callcentric should also work as they do symmetric RTP. You can test both at no cost. Although you can’t make real outbound calls without payment, they have test numbers which will verify bidirectional audio.