FreePBX behind Sophos UTM firewall

Just installed FreePBX 14.0.1.1
My issue is I can make outbound calls but can’t hear the other party talking.
When I call into the PBX it receives the call but does not route it to the phone

Need a hint as to where to start looking for the cause of the problem

The only rules I have added to the firewall were to let the internal network talk to the SIP provider.

You need UDP ports 10000-20000 open and forwarded to the PBX. These need to be available from anywhere, not just your provider.

Sophos Tip: Remember that there is NO UPnP on the Sophos. You have to allow everything in AND out. So make sure the PBX has 5060 out and 10000-20000 UDP out as well as NAT’d inbound back to the PBX as well. Lock down your 5060 to only your SIP provider’s IP address if you aren’t going to use the built-in firewall in PBXact.

UPnP is an actual thing. Neither FreePBX nor Asterisk implements it. It has nothing to do with this. As well, the default Sophos configuration allows all TCP/UDP outbound:

https://community.sophos.com/kb/en-us/16608

TCP:

Outgoing TCP
Name = Allow outgoing TCP
Enabled = true
High Priority = false
Ignore Checksum = false
Default Rule = true

Where the protocol is TCP
and the direction is Outbound
Allow it

UDP:

Outgoing UDP
Name = Allow outgoing UDP
Enabled = true
High Priority = false
Ignore Checksum = false
Default Rule = true

Where the protocol is UDP
and the direction is Outbound
Allow it
and stateful inspection

The only worrying thing here is stateful inspection for UDP. Be sure all SIP inspection/ALGs/SIP helpers are off.

@Cullenl I apologize, wrong terminology. I did not mean UPnP, that’s an application layer integration for routers. I should have said they are blocked by default.

I am a Sophos Engineer, the default config DOES NOT allow for all traffic outbound. It allows only for HTTP, HTTPS, DNS, Email, and a couple other ports, that’s if you even check the boxes during setup. It has been this way for a long time. Regardless of what the article you linked says… Once you login you have to set it up for the first time and that is a requirement, I have set up hundreds of them over the past 5 years. Please trust me.

On a normal router the outbound port will just open for the RTP stream to allow the connection. On a Sophos it’s blocked by default unless you put an Any - Any - Any rule in. (Not recommended for security reasons.)

Also the Sophos UTM does not have stateful inspection of UDP traffic on ports 10000-20000 for this reason. They are programmed to know it’s for SIP use, which is what makes these attractive in VoIP environments, unlike SonicWall’s.

Lastly, the SIP Helpers, if used properly, work very well. When configured wrong they can cause issues. Personally I don’t use them, however, as I let the Responsive Firewall take over.

Just got settled in and reading through the posts.
Recap of posts:
I need to do the following

  • UDP ports 5060 and 10000-20000 open outbound and NAT’d back to the PBX
  • SIP inspection/ALGs/SIP helpers off.

Logging into Sophos.
Post results shortly.

All of that is correct. Note that for security reasons, UDP port 5060 should be open only from those addresses you trust, such as your carrier. UDP ports 10000-20000 can safely be opened to anyone.
If anything fails, reply with the following:

From Linux shell:
asterisk -rvvvvvvvvv
sip set debug on OR pjsip set logger on, whichever is appropriate

exit

Copy all resulting scrollback to pastebin.com, share that link here.

I will work on this tonight and let you know what happens

I started by creating a service definition to allow ports 10000:20000 outbound and
another one for 5060.

Name: FreePBX 10:20
Type of definition: UDP
Destination Port: 10000:20000
Source port: 1:65535

Name: FreePBX 5060
Type of definition: UDP
Destination port: 5060
Source port: 5060

New rules:
Source: Any
Services: FreePBX 10:20
Destinations: Any

Source: Internal Network
Services: FreePBX 5060
Destinations: PBX1 and PBX2
These are the carrier addresses.

Link: pastebin.com/9Ed3u8uJ

I had to leave the https off in front of pastebin; as a new user I can’t paste links.
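As an added check (example code written for this thread, not something from FreePBX, Asterisk or Sophos), the following Python models the inbound policy recommended above: RTP on UDP 10000-20000 reachable from anywhere, SIP on UDP 5060 reachable only from the carrier, everything else dropped. The PBX and carrier addresses are constructed placeholders standing in for the real hosts (the thread calls the carrier hosts PBX1 and PBX2), and the "Any - Any - Any" rule set is included so the difference shows up in the checks.

```python
"""Model of the two UDP rules described in this thread, with a policy check.

Constructed example: addresses are placeholders, and unmatched traffic is
modelled as dropped, which is the Sophos default the thread describes.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = (ip_network("0.0.0.0/0"),)
# Constructed stand-ins for the two carrier hosts the thread calls PBX1 and PBX2.
CARRIER = (ip_network("203.0.113.10/32"), ip_network("203.0.113.11/32"))
PBX_IP = "192.0.2.5"  # constructed address for the FreePBX host
PBX = (ip_network(PBX_IP + "/32"),)


@dataclass(frozen=True)
class Service:
    name: str
    proto: str
    dst_ports: range  # a Sophos "lo:hi" port range, modelled as range(lo, hi + 1)
    src_ports: range


@dataclass(frozen=True)
class Rule:
    name: str
    sources: tuple       # networks the packet may come from
    service: Service
    destinations: tuple  # networks the packet may go to


RTP = Service("FreePBX 10:20", "udp", range(10000, 20001), range(1, 65536))
# The thread's 5060 definition pins the source port to 5060; any source port is
# accepted here so that the check is about source address, not port.
SIP = Service("FreePBX 5060", "udp", range(5060, 5061), range(1, 65536))

# Rule set matching the advice: RTP from anyone, SIP only from the carrier.
RECOMMENDED = (
    Rule("rtp-to-pbx", ANY, RTP, PBX),
    Rule("sip-from-carrier", CARRIER, SIP, PBX),
)
# The "Any - Any - Any" rule the thread warns against.
WIDE_OPEN = (
    Rule("any-any-any", ANY,
         Service("any-udp", "udp", range(1, 65536), range(1, 65536)), ANY),
)


def evaluate(rules, proto, src_ip, src_port, dst_ip, dst_port):
    """Return the name of the first rule that allows the packet, or None (drop)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        svc = rule.service
        if (svc.proto == proto
                and dst_port in svc.dst_ports and src_port in svc.src_ports
                and any(src in net for net in rule.sources)
                and any(dst in net for net in rule.destinations)):
            return rule.name
    return None


def check_policy(rules, stranger="198.51.100.7"):
    """Yes/no checks derived from the advice in the thread; stranger is a constructed outside host."""
    return {
        "rtp_from_anywhere": evaluate(rules, "udp", stranger, 40000, PBX_IP, 15000) is not None,
        "sip_from_carrier": all(
            evaluate(rules, "udp", str(net.network_address), 5060, PBX_IP, 5060) is not None
            for net in CARRIER),
        "sip_from_stranger_blocked": evaluate(rules, "udp", stranger, 5060, PBX_IP, 5060) is None,
        "off_range_udp_blocked": evaluate(rules, "udp", stranger, 40000, PBX_IP, 25000) is None,
    }


if __name__ == "__main__":
    for label, rules in (("recommended", RECOMMENDED), ("any-any-any", WIDE_OPEN)):
        print(label, check_policy(rules))
```

Running it shows the recommended set passing all four checks, while the wide-open set fails the two "blocked" checks: it gets audio working just as well, but also leaves 5060 reachable from any address, which is exactly what the advice about restricting 5060 to the carrier is meant to avoid.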

There’s nothing in that capture. Again, do exactly as I say:

asterisk -rvvvvvvvvv
pjsip set logger on
<Reproduce issue> 
exit

Copy everything from the asterisk -rvvvvvvvvv onward. Do not skip anything or try to shorten it. What you pasted was worthless because the problem was not present.
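Once the pjsip logger output exists, the thing to look for in a one-way-audio case behind NAT is what the PBX advertises in its SDP. As an added example (not code from the thread, FreePBX or Asterisk), the Python below splits a capture into messages using the `<--- Transmitting/Received SIP ... --->` banner lines the pjsip logger prints, and flags two conditions in messages the PBX sends out: an RFC 1918 address in the SDP `c=` line sent to a non-private peer (the far end would then send its RTP to an unroutable address), and an `m=audio` port outside the 10000-20000 range the firewall forwards. The capture is a constructed sample in that format, with placeholder addresses, not the poster's pastebin.

```python
"""Scan pjsip logger output for SDP values that cause one-way audio behind NAT.

Constructed example; the sample capture below is made up and uses placeholder
addresses, and the banner regex follows the pjsip logger's
"<--- Transmitting SIP request (N bytes) to UDP:host:port --->" format.
"""
import re
from ipaddress import ip_address, ip_network

# UDP range the thread says must be forwarded to the PBX.
RTP_RANGE = range(10000, 20001)
RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16"))

BANNER_RE = re.compile(
    r"^<--- (Transmitting|Received) SIP (?:request|response) \((\d+) bytes\) "
    r"(?:to|from) (UDP|TCP|TLS):([\d.]+):(\d+) --->$"
)


def is_rfc1918(addr):
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def split_messages(log_text):
    """Return a list of {direction, remote, lines} dicts, one per SIP message."""
    messages, current = [], None
    for line in log_text.splitlines():
        match = BANNER_RE.match(line.strip())
        if match:
            if current is not None:
                messages.append(current)
            current = {"direction": match.group(1), "remote": match.group(4), "lines": []}
        elif current is not None:
            current["lines"].append(line.rstrip())
    if current is not None:
        messages.append(current)
    return messages


def sdp_findings(msg):
    """Problems in the SDP of a message the PBX is sending out; received SDP is the peer's business."""
    findings = []
    if msg["direction"] != "Transmitting":
        return findings
    for line in msg["lines"]:
        if line.startswith("c=IN IP4 "):
            addr = line.split()[-1]
            if is_rfc1918(addr) and not is_rfc1918(msg["remote"]):
                findings.append(f"private media address {addr} advertised to {msg['remote']}")
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
            if port not in RTP_RANGE:
                findings.append(f"audio port {port} outside forwarded range "
                                f"{RTP_RANGE.start}-{RTP_RANGE.stop - 1}")
    return findings


def audit(log_text):
    """List of (message index, direction, remote, finding) tuples for the capture."""
    return [(i, m["direction"], m["remote"], f)
            for i, m in enumerate(split_messages(log_text))
            for f in sdp_findings(m)]


# Constructed sample: an INVITE leaking a LAN address, the carrier's answer,
# and a re-INVITE whose audio port falls outside the forwarded range.
SAMPLE_LOG = """\
<--- Transmitting SIP request (612 bytes) to UDP:203.0.113.10:5060 --->
INVITE sip:15551234567@203.0.113.10 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.10:5060;rport;branch=z9hG4bKPj1
Content-Type: application/sdp

v=0
o=- 1 1 IN IP4 192.168.1.10
c=IN IP4 192.168.1.10
t=0 0
m=audio 16000 RTP/AVP 0 8 101

<--- Received SIP response (431 bytes) from UDP:203.0.113.10:5060 --->
SIP/2.0 200 OK
Content-Type: application/sdp

v=0
c=IN IP4 203.0.113.50
m=audio 30000 RTP/AVP 0

<--- Transmitting SIP request (590 bytes) to UDP:203.0.113.10:5060 --->
INVITE sip:15551234567@203.0.113.10 SIP/2.0
Content-Type: application/sdp

v=0
c=IN IP4 198.51.100.20
m=audio 8000 RTP/AVP 0 8 101
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

On the sample this reports the private `c=` address in the first INVITE and the out-of-range port in the third message, and nothing for the carrier's 200 OK. On a real capture, the first finding points at the NAT settings on the PBX's SIP transport or trunk, and the second at a mismatch between the RTP range Asterisk uses and the range the firewall forwards; either one matches the symptom the thread opened with.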

That was the entire log

pastebin.com/kwvzNzD6

New log file

Can you give some input on this

This still isn’t what I asked for. If you need immediate help, join us on IRC. #freepbx on freenode. I believe this is possible using the online support option in the ‘admin’ menu.

OK. Will do. Thanks