FreePBX plus Acrobits GroundWire via DDNS No audio

Good evening,

Looking for some assistance if someone can help me a bit.

I have a FreePBX installation and I am trying to register a softphone, Groundwire, and am not sure what I could be doing wrong.

I am getting no audio both ways but the call comes through, which means that the extension does get registered, or maybe I think it does.

I am using a Mikrotik router with a basic firewall.
I have created a no-ip DDNS.
I have forwarded 5060, 10000-20000 UDP to the IP of the FreePBX.
On the softphone I put as domain the no-ip xxxxxxx.ddns.net
On the FreePBX I have added said domain to External SIP settings.
Under Extensions I use them as PJSIP and have the RTP, REWRITE, and FORCE options enabled.

Phone registers but no audio, although it can dial and ring.

Any help would be much appreciated as I am struggling.

Thank you

Confirm that your ISP gives you a public IPv4 address and that the Mikrotik has that address on its WAN interface (probably ether1).

Confirm that your Groundwire network connection is not on the PBX LAN (it is offsite or connected via mobile data).

In Asterisk SIP Settings, General tab, confirm that External Address is your public IPv4 and Local Networks is correctly set, e.g. 192.168.88.0 / 24. Unless you have some special requirement, I suggest leaving the external settings on the chan_pjsip tab blank.

From Groundwire, make a test call to *43 (echo test). If that works, provide details of what kinds of calls don’t work. If the echo test fails, at the Asterisk command prompt type
pjsip set logger on
call *43 again, paste the Asterisk log for the call at pastebin.com and post the link here.

I forgot to mention, if you change any addresses in Asterisk SIP Settings, after Submit and Apply Config, you must restart (not just reload) Asterisk.

Have you set the SIP ‘service port’ in the Mikrotik firewall?

Oops, I missed that. IMO you should avoid using UDP port 5060 for SIP (too many attempted attacks), but if you are using it, make sure that ‘sip’ in IP → Firewall → Service Ports is disabled, so the SIP ALG doesn’t cause you trouble.

I have not used 5000-5999 nor UDP for a very long time. Allowing ‘direct media’ in the Mikrotik will mostly help, not hinder, so you don’t need to forward 10000-19999 (using 20000 is just bad math).

I don’t understand. If you’re doing SIP over TLS, the Mikrotik can’t see the contents so how could it do direct media?

The SDP session is a separate connection negotiated by the SIP session but it is ‘associated’ and in clear text if you don’t encrypt it. I can’t fully explain how but IWFM, perhaps the OP can ‘give it a spin’.

Good evening,

Direct-media was off on the Tik side, as was the service port.

Enabling it did remedy the problem, but with the FreePBX firewall disabled.

If the firewall is enabled I lose registration, as there is no way to whitelist my mobile data IPs?

I can’t change my UDP 5060 as I have SIP trunks and the provider is a pain to ask for a change to a different port.

From your point of view this approach is not the best, I gather, so I can try the SIP over TLS scenario that dicko suggests (homework, homework), but what about the firewall?
Any way to overcome this problem? I don’t want to disable it.

Thank you and have a good night.

If you are using the FreePBX firewall module you should enable the Responsive Firewall, as that is supposed to handle your mobile connections.

Wow. Assuming that you connect to the provider over the public internet:
If you are using registration, the change in port should be automatic. If you are using IP authentication (the provider sends calls to a SIP URI that you specify), then indeed you must make a matching change at their end, but I have never heard of a provider supporting IP auth that didn’t have a portal to configure your account, where you could make the change yourself. Of course, if you are really in that situation you would also need to open a ticket to change to TLS. Who is this?

OTOH, if your provider is also your ISP and they supply an on-site SBC (or similar gateway), where they assign an IP address and port for you to use, then IMO you should use a separate NIC (or at least a separate LAN IP address) for that connection. Use port 5060 for it, but have a separate transport for your extensions (both internal and external), which can use a different port.

Good morning,

My provider is my ISP, meaning they provide a router with telephony on it, so we request the SIP credentials from them and enter them on the PBX while we disable the onboard ones for it to register.

Trying to change my UDP port to anything other than 5060 breaks the trunk.

What if I keep the UDP as it is and try to enable TLS for the extensions?

That will work fine. You can also use SIP over TCP if you don’t need encryption and don’t want the hassle of setting up and renewing certificates. You may also find TCP useful for troubleshooting (view unencrypted SIP with tcpdump, Wireshark, etc.). Of course, for a production system, TLS is more secure and the current standard.

Good morning, it seems I am still having issues with the voice not coming through.

I have captured a *43 log and I think it is a NAT issue; I am seeing a 10.202.20.131 in the trace.

Asterisk is sending 127.0.0.1 in the SDP (and also in Contact) in the 200 OK, where it should be sending its public IP address. However, I don’t understand how that could be.

Please post the content of
/etc/asterisk/pjsip.transports.conf

If the hostname for external locally resolves to 127.0.0.1, then it would put that value in.

Hi Stewart, thanks for your time.

Attached pjsip.transports.conf

I believe that @jcolp diagnosed the problem correctly. Check the file
/etc/hosts
and if it contains your simpleds.de domain name as a name for 127.0.0.1, remove it.

If that’s not your issue, try putting the numeric IPv4 address as your External Address, instead of the domain name.
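
The check described in the last few replies (an unroutable address in Contact and in the SDP, traced to a hosts-file entry) can be scripted. This is an added example, not part of the original thread; the sample 200 OK, the sample hosts file and the name pbx.example.net are constructed placeholders.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed 200 OK showing the symptom from the thread (not the poster's capture).
SAMPLE_200_OK = "\r\n".join([
    "SIP/2.0 200 OK",
    "Contact: <sip:*43@127.0.0.1:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1234 1234 IN IP4 127.0.0.1",
    "s=Asterisk",
    "c=IN IP4 127.0.0.1",
    "m=audio 11234 RTP/AVP 0 101",
])
# Constructed hosts file; pbx.example.net stands in for the external (DDNS) name.
SAMPLE_HOSTS = "127.0.0.1 localhost pbx.example.net  # set by installer\n::1 localhost\n"

def unroutable(addr):
    """Return 'loopback' or 'private' if a remote phone cannot reach addr, else None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # a hostname, not a literal address
    if ip.is_loopback:
        return "loopback"
    return "private" if any(ip in net for net in RFC1918) else None

def audit_sip_reply(message):
    """List (field, address, reason) for unroutable Contact and SDP o=/c= addresses."""
    findings = []
    head, _, body = message.partition("\r\n\r\n")
    for line in head.split("\r\n"):
        m = re.match(r"contact:.*?sips?:(?:[^@>;]*@)?([^:;>\s]+)", line, re.I)
        if m and unroutable(m.group(1)):
            findings.append(("Contact", m.group(1), unroutable(m.group(1))))
    for line in body.split("\r\n"):
        m = re.match(r"([oc])=(?:.* )?IN IP[46] (\S+)", line)
        if m and unroutable(m.group(2)):
            findings.append((m.group(1) + "=", m.group(2), unroutable(m.group(2))))
    return findings

def hosts_maps_to_loopback(hosts_text, name):
    """True if a hosts file pins name to a loopback address."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and unroutable(fields[0]) == "loopback" and name in fields[1:]:
            return True
    return False
```

Feed `audit_sip_reply` the 200 OK copied from the `pjsip set logger on` output and `hosts_maps_to_loopback` the contents of /etc/hosts together with the name configured as External Address.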

Good afternoon Stewart and @jcolp.

Changed my hostname to something other than my DDNS and I seem to be OK now.

I am facing another issue but I will continue it here since we had this discussion about TLS.

So I enabled TLS for an extension and it works: it registers and I have incoming calls with audio and everything, but I am not allowed to call out from my extension, for internal or external calls.
I get the 488 Not Acceptable Here.
If I disable SRTP in the extension settings I can call out.

I am pasting the error captured for any pointers.

Thank you in advance.

How it should work (but maybe it isn’t working correctly):

If the device is configured to send only SDP that doesn’t request encryption, then if Media Encryption for the extension is on and Allow Non-Encrypted Media is No, then the call will fail. With other extension settings, the call will be unencrypted.

If the device is configured to send only SDP that requests encryption, then if Media Encryption for the extension is on, the call will be encrypted. With Media Encryption off, the call will fail.

If the device is configured to send both types of SDP, then if Media Encryption for the extension is on, the call will be encrypted. If Media Encryption is off, the call will be unencrypted.
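
The rules in the post above, written out as an added example (not part of the original thread and not Asterisk's own logic) that classifies an SDP offer by its `m=audio` lines and then works backwards from observed outcomes to the kind of offer the phone must be sending. The SDP fragments and the observation list are constructed, the observations assume Allow Non-Encrypted Media is No, and opportunistic SRTP (RTP/AVP carrying `a=crypto`) is not modelled.

```python
# Constructed SDP fragments; ports, payload types and the key placeholder are made up.
M_PLAIN = "m=audio 4000 RTP/AVP 0 8\r\n"
M_SRTP = ("m=audio 4002 RTP/SAVP 0 8\r\n"
          "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-KEY-PLACEHOLDER\r\n")
OFFERS = {
    "plain": "v=0\r\n" + M_PLAIN,
    "srtp": "v=0\r\n" + M_SRTP,
    "both": "v=0\r\n" + M_PLAIN + M_SRTP,
}

def offered_media(sdp):
    """Return the set of audio kinds ('rtp', 'srtp') named by the offer's m= lines."""
    kinds = set()
    for line in sdp.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "m=audio":
            kinds.add("srtp" if "SAVP" in fields[2] else "rtp")
    return kinds

def negotiate(sdp, media_encryption, allow_non_encrypted=False):
    """Apply the rules from the post: 'encrypted', 'unencrypted' or 'fail'."""
    kinds = offered_media(sdp)
    if media_encryption:
        if "srtp" in kinds:
            return "encrypted"
        return "unencrypted" if allow_non_encrypted and "rtp" in kinds else "fail"
    return "unencrypted" if "rtp" in kinds else "fail"

def consistent_offers(observations):
    """Offer types that reproduce every (media_encryption, allow_non_encrypted, outcome) seen."""
    return sorted(
        name for name, sdp in OFFERS.items()
        if all(negotiate(sdp, enc, allow) == seen for enc, allow, seen in observations)
    )

# Hypothetical observations: the call fails with Media Encryption on and works with it off.
OBSERVED = [(True, False, "fail"), (False, False, "unencrypted")]
```

Under these rules `consistent_offers(OBSERVED)` leaves only the `plain` offer, meaning a phone whose outgoing INVITE does not request encryption; that is the first thing to confirm in the captured INVITE.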