FreePBX policy based routing for trunk over separate connection

Hello Everyone

I’ve been trying to get some policy based routing going on a FreePBX system for many days now with little success.

This is the setup I've got:


eth0 : gw: (my LAN with hard/soft phones and PCs; gets full internet access through NAT/firewall from the main internet connection; fast but high ping)

eth1 : gw: (my VoIP LAN with nothing other than FreePBX; gets full internet access through NAT/firewall from the dedicated VoIP internet connection; slow but low ping)


server: sip(dot)myprovider(dot)com:5060
username: myphonenumber
password: mypassword
rtp servers: can be any public IP that the SIP provider wants to use; I can't go by a block of IPs, they are really random


iptables -t mangle -N ASTERISKMARK
iptables -t mangle -A ASTERISKMARK -d -j RETURN
iptables -t mangle -A ASTERISKMARK -d -j RETURN
iptables -t mangle -A ASTERISKMARK -d -j RETURN
iptables -t mangle -A ASTERISKMARK -d -j RETURN
iptables -t mangle -A ASTERISKMARK -j MARK --set-mark 12
iptables -t mangle -A OUTPUT -m cgroup --cgroup 12 -p udp --dport 1024:65535 -j ASTERISKMARK
iptables -t nat -A POSTROUTING -m mark --mark 12 --out-interface eth1 -j MASQUERADE

The asterisk process gets automatically added to the cgroup with id 12.


Marked packets then go to another table than the default via this setting:


fwmark 12 lookup asterisk


Here you can see the table "asterisk" and part of the main table:

# ip route show table all
default via dev eth1 table asterisk
default via dev eth0
default via dev eth1 metric 255
-----shortened here for simplicity -------


Most of the traffic obeys my rules and goes out through eth1 with the correct source and destination address; in particular the RTP stream works fine. But some of the SIP signaling packets go out eth1 with the IP address of eth0. Outbound calls work, inbound doesn't, and RTP works both ways. Sometimes everything stops working, and sometimes everything goes through the right interface with the right source IP and inbound works fine too.

any help or pointing in the right direction would be greatly appreciated.
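As an added example (not the poster's script and not FreePBX code), the following shell script sets up the same two-NIC policy routing on the PBX but routes on Asterisk's bound source address rather than only on the fwmark. The reason is a general one: for an unconnected UDP socket the kernel picks the source IP from a route lookup when the packet is built, before the mangle OUTPUT chain marks it, and MASQUERADE is only evaluated on the first packet of a conntrack flow, so a flow the provider opened inbound on eth1 is answered with eth0's address and never translated. Interface names, addresses, the documentation IP used as a stand-in SIP server, and the table/mark/cgroup ids are all assumptions.

```shell
#!/bin/sh
# Added example for the thread above; it is not the poster's script and not
# FreePBX code. Interface names, addresses, and the table/mark/cgroup ids
# below are assumptions for a box like the one described.
#
# Why a source-address rule and not only the fwmark: for an unconnected UDP
# socket the kernel chooses the source IP from a route lookup when the packet
# is built, before the mangle OUTPUT chain sets the mark. With Asterisk bound
# to 0.0.0.0 that lookup follows the main table's default route (the LAN NIC,
# eth0 here), so the packet carries the LAN address and is only re-routed to
# the VoIP NIC afterwards. MASQUERADE/SNAT is evaluated on the first packet of
# a conntrack flow only; a flow the provider opened inbound already has an
# entry, so the reply leaves the VoIP NIC untranslated. Binding Asterisk to
# the VoIP address (bindaddr in sip.conf, or the pjsip transport bind) and
# routing on that source address avoids NAT for signaling and RTP entirely;
# the fwmark path below is kept only as a fallback for sockets that are not
# bound.

VOIP_IF="eth1"                 # assumed: VoIP NIC
VOIP_IP="192.168.201.10"       # assumed: address Asterisk is bound to
VOIP_GW="192.168.201.1"        # assumed: gateway on the VoIP LAN
TABLE_ID=12; TABLE_NAME="asterisk"
FWMARK=12; CGROUP_CLASSID=12   # net_cls classid for cgroup v1 "-m cgroup --cgroup"

# Routing commands, one per line, so they can be reviewed before being applied.
pbr_routing_cmds() {
    echo "grep -q '^$TABLE_ID $TABLE_NAME\$' /etc/iproute2/rt_tables || echo '$TABLE_ID $TABLE_NAME' >> /etc/iproute2/rt_tables"
    echo "ip route replace default via $VOIP_GW dev $VOIP_IF table $TABLE_NAME"
    # Packets sourced from the bound VoIP address always leave via the VoIP WAN.
    echo "ip rule add from $VOIP_IP lookup $TABLE_NAME priority 100"
    # Fallback for unbound sockets: packets marked by the cgroup rule below.
    echo "ip rule add fwmark $FWMARK lookup $TABLE_NAME priority 110"
    # Inbound packets on the VoIP NIC come from addresses the main table routes
    # via the LAN NIC; strict rp_filter would drop them, loose mode accepts them.
    echo "sysctl -w net.ipv4.conf.$VOIP_IF.rp_filter=2"
}

# Netfilter commands for the fwmark fallback. Destinations on local networks
# are excluded so phone traffic on the LAN is not pushed out the VoIP WAN.
pbr_firewall_cmds() {
    echo "iptables -t mangle -N ASTERISKMARK"
    echo "iptables -t mangle -A ASTERISKMARK -d 192.168.0.0/16 -j RETURN"   # assumed local range
    echo "iptables -t mangle -A ASTERISKMARK -d 10.0.0.0/8 -j RETURN"       # assumed local range
    echo "iptables -t mangle -A ASTERISKMARK -j MARK --set-mark $FWMARK"
    echo "iptables -t mangle -A OUTPUT -m cgroup --cgroup $CGROUP_CLASSID -p udp -j ASTERISKMARK"
    # SNAT rather than MASQUERADE: the VoIP address is fixed, and an explicit
    # source makes it obvious in a capture when a packet left untranslated.
    echo "iptables -t nat -A POSTROUTING -o $VOIP_IF -m mark --mark $FWMARK -j SNAT --to-source $VOIP_IP"
}

# Checks to run after applying: both lookups must report "dev $VOIP_IF".
# 203.0.113.25 is a documentation address standing in for the SIP server.
pbr_verify_cmds() {
    echo "ip route get 203.0.113.25 from $VOIP_IP"
    echo "ip route get 203.0.113.25 mark $FWMARK"
}

# Apply every emitted command in order, stopping at the first failure.
pbr_apply() {
    { pbr_routing_cmds; pbr_firewall_cmds; } | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Usage: sh pbr.sh apply   (as root). Without an argument only the functions
# are defined, so the script can be sourced and the rules reviewed first.
case "${1:-}" in
    apply) pbr_apply ;;
esac
```

Run `pbr_routing_cmds` and `pbr_firewall_cmds` first to review the exact rules, then `sh pbr.sh apply` as root; afterwards run the two `ip route get` lines from `pbr_verify_cmds` and confirm both answer with `dev eth1`. A packet that still leaves eth1 with the LAN address after this change is one Asterisk sent from an unbound socket, which the fwmark fallback catches only if the flow was not first created inbound.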


Why aren't your phones on the VoIP network with the PBX?

Also you should post actual debugs from Asterisk showing failed inbound and the traffic that is being tagged with the wrong IPs.

Thanks Tom for your reply

The phones are not on the VoIP network because they have automatic update and other stuff on them which has to go out the "fast" internet connection and should not go through the VoIP internet connection and slow it down. And there are also a couple of soft phones on some PCs which would be a nightmare to get on to a separate network.

I'll post logs of the packets going out with the wrong IP shortly and also some debugs of failed calls.

Uhm. OK. So then why are you doing all of this at the PBX level? Makes no sense.

OK, I get that my explanations might not be the best. So I'll try again:

I used to do the policy based routing on a MikroTik firewall/router used in this setup. I told the router to route for destination IP to the SIP server and to the RTP servers, for which IP addresses I had to take a good guess at what range they used. This was great while it lasted; about a month into using it this way, all of a sudden some calls had super shitty voice and terrible lag, others didn't. Some RTP streams were taking the wrong internet connection because the SIP provider decided to spin up some new servers in a completely different IP range and thus it was not PBRing them correctly anymore. And I can't get the SIP provider to give me any clear info on what IP range they use for their RTP servers, trust me I tried.

Now the only criteria I have to do PBR on are the ports used for SIP and the RTP stream, i.e. from 1024 - 65535, and the protocol, which is UDP in both cases. If I do this on the firewall, any other thing on the main network using UDP and those ports will run through the VoIP internet connection, which is not OK. I could also use the PBX's IP as another criterion, but then anything which uses UDP and those ports on the FreePBX other than asterisk would also get routed the wrong way.

So this is why I want to do it on the box itself, because then I can actually use the process (in this case asterisk) as a criterion and only do PBR on packets originating from asterisk.

I hope this makes a bit more sense now…

Then I’m really confused by what you are trying to do. I use Mikrotik’s all the time for my voice solutions and I have them doing voice/data/management vlans over multiple ISPs for some users. In those cases I either am doing voice over one ISP and data over the other ISP or I’m doing a balancing/failover setup for them. I have never needed to do anything at the PBX level to make this work. This can all be done in the Mikrotik.

I also setup queues for prioritizing the voice traffic over the data traffic in cases where they have limited bandwidth allocation.

"In those cases I either am doing voice over one ISP and data over the other ISP" OK, that's pretty much what I wanted to do, so I guess I failed at setting up the Mikrotik. So my question then is, how would you go about splitting voice traffic from data traffic, i.e. sending it out to the other ISP on the Mikrotik, not by using the PBX's local IP address and not by using the IP address of the SIP provider?

That is covered in the Mikrotik wiki. This can be done in a variety of ways depending on how you want to do it. Like I said, I use VLANs to handle the traffic and tag/untag it at switches, etc when needed. Based on the VLANs and/or the ports they are using on the Mikrotik I can mark the packets as they leave/enter the router and use either the interface, subnet or packet marks to route out the proper WAN with the proper source masquerade to use the public IP of the WAN I selected.

In some cases it is the same WAN interface that has a public subnet on it so I just use the proper IP from the subnet I want traffic to source from.

OK yes, so I got that far, but now let's say that I have VLAN A routed to WAN interface A and I have a VLAN B routed to WAN interface B. Now I have my FreePBX box on VLAN B and now it wants to auto update, or let's say I want to install a new module or get something other than voice done on the FreePBX box. This will go out VLAN B and then out WAN interface B, and if this is a very slow DSL connection with about 1 Mbit/s that's just not ideal if I have a fast 30 Mbit/s connection on WAN interface A for such stuff.

You currently have two NICs on freepbx right? If so, and if you want to use a specific one of those to connect to your VoIP provider, just create a static route on freepbx for the IP of your provider tied to the specific NIC. I have it configured that way on my FreePBX and it has been working as expected for more than 5 years.

Yes, that would be great, but the IPs of the RTP servers from my provider are not the same as the registering server and they change constantly; this will never work reliably unless the provider would tell me which subnet they use, but they don't tell me and they constantly change. So I end up with no voice on my calls.

I see. The other quick solution is to define the NIC that connects to your provider as the default gateway. I know that it would force all non-local traffic out that interface but the amount of non-local traffic generated at the freepbx server is very small.

Yes, now the other problem is that this slow internet connection only for VoIP is actually set up in such a way that it will block any other traffic and only accept VoIP traffic, so the FreePBX box is going to be offline completely, and this way the time won't be correct on voicemail and the updates won't run, and it's just not good enough.

Given the constraints you have to work with, consider an SBC to proxy your SIP traffic.


Again, this can all be achieved in the Mikrotik router. This does not have to be some reinvention of the wheel doing it on the PBX.

The inability to get a working config on the Mikrotik to support the desired network layout is not a FreePBX problem and not a problem that should be solved by doing this individually on devices.

You can try or come on to IRC and join ##mikrotik you can get the proper help you need. I don’t want to do this here because you’ll need to provide configs and the thread is no way related to FreePBX.

That's kind of what I'm looking for; what would you recommend to be used? I don't think that my MikroTik can act as an SBC even though it supports SIP ALG, because they don't seem to be the same thing. I know of FreeBlox, which would require a secondary server, which could be solved with virtualization.

But is this really necessary, or could the approach I took above not just solve this issue by pretty much going back to the source of the problem (i.e. packets coming out of asterisk with no clear distinction) and separating them from there completely? Or am I just oversimplifying things and that's why it's not working, because SIP does not like to be messed with so "roughly" as my attempt did?

How about this, let’s start with some basics and see if we can just tackle this here and quickly.

  1. What model is the Mikrotik?
  2. What type of connections are the two WANs? Ethernet/PPPoE/LTE?
  3. Are you doing L3 directly on the WAN interfaces? I.E. you have public IPs directly on the WAN interfaces.
  4. Where is the PBX in relation to the Mikrotik? Is it plugged into one of the Ethernet connections? A port on a switch connected to the Mikrotik?
  5. What type of switches are you using?

  1. RB2011UiAS-RM
  2. Eth2 WAN 1: Ethernet, DHCP, VLAN 30; WAN 2: Ethernet, DHCP, VLAN 130
  3. Kind of. WAN 1: public dynamic IP; WAN 2: private dynamic IP (this comes from the provider side; they provide the SIP WAN connection with private IPs)
  4. FreePBX runs on XenServer with two virtual interfaces, but they appear to FreePBX like physical ones and each has a VLAN assigned to it.
     PC and internet network VLAN 1 (default, not tagged) and voice network VLAN 201 (tagged). Ethernet cable from the XenServer host directly into Eth3 on the MikroTik.
  5. Dumb switch.

OK, so here’s the thing with all this. You have two interfaces on the PBX and that’s great but all you want is your SIP traffic to come in and go out over the SIP provider WAN and all the other things the PBX does like pulling updates from the Internet to go over your main WAN. So far none of this even requires two interfaces or VLANs.

  1. I don’t understand why you have VLANs on your WAN interfaces, outside of maybe the SIP provider if they require it. Do they? Otherwise they are pointless.

  2. You could give the PBX two IPs of your network and then bind Asterisk to one of them.

  3. You set up src-nat so that the IP you’ve bound on Asterisk, let’s say so that it uses what you want for the outbound traffic. Like so:

    /ip firewall nat
    add action=src-nat chain=srcnat comment="Voice Masq" ipsec-policy=out,none out-interface=voipwan src-address= to-addresses=srciptouse

That is like the easiest way to set this up. Then you can do whatever you want on the other IP for the rules and routing.