FreePBX | Register | Issues | Wiki | Portal | Support

FreePBX policy based routing for trunk over separate connection


Oh nooo why did i miss that you can bind asterisk to a diffrent ip address :man_facepalming: i knew this shouldn’t be so hard to get running.
now i just wasted 3 days trying to get my complicated linux routing to work :joy: which funy enough now works some how quite well but it was nice learning some complicated linux routing… and I also learnd a lesson always go and ask before you over complicate stuff.

Thanks Tom you helped me a lot :slight_smile:

(Tom Ray) #22

You don’t even need the second NIC for this. You want very specific traffic to go out over your SIP WAN connection. You could use a single local IP of your LAN and just do the src-nat/dst-nat rules in the Mikrotik.

You made this way more complicated then it ever needed to be.


Ok so I set everything up now how you recommended to, and it doesn’t work. Not surprisingly the part on the Mikrotik works fine. If I set my laptop’s IP to the one which asterisk would use I can use a soft phone to register the trunk and everything works fine and goes out trough the SIP WAN.

If I use FreePBX it’s a different story. When I add “bindaddr =” the phones on the LAN can only register to that IP address - that’s fine this is how it is supposed to be. But the trunk connection runs out from the IP address which is the first IP address the FreePBX box has. I used tcpdump to check if SIP goes out with the right address.


I don’t think you need two different IPs if the routing is going to be handled by the Mikrotik, but I might be wrong as I can’t seem to completely understand your scenario.

(Tom Ray) #25

The bindaddr= sets the IP that Asterisk listens on. When it comes to an inbound request, the replies will have that IP in the headers of the SIP packet but the SIP packet will still come from the interface it came in on. As well, that has no impact on the outbound requests in regards to what the actual network source IP is.

You seriously don’t need two IPs for this because there is nothing happening at the PBX level that requires it. Disable all but the main interface on the PBX, let the PBX use that. Then set the Mikrotik up so that any traffic from the PBX IP meant for the Internet uses the SIP provider’s connection and WAN.


Yes I know i don’t need all this if it were not for the stupid fact that the sip wan does not route any other traffic than the sip traffic to my sip provider. This will end up with the freepbx not being able to pull auto updates, getting time etc.

(Tom Ray) #27

That’s completely incorrect. You can route the SIP traffic to your SIP Provider and the data traffic to your data provider. Your SIP traffic is over UDP on 5060 and 10000-20000 for RTP, all your other traffic done via TCP to HTTP or other locations can be routed out the other connection.


the ports which are used are not between 10000 - 20000 for RTP they can be as high as 65535. I’m sorry it’s sounds like I’m making this up but it is like this.

(Tom Ray) #29

OK how about this. System updates happen over TCP not UDP so route all TCP traffic out the data connection. Then look at what other UDP traffic might need to route to the data connection. DNS is over UDP so you probably want that over the data network. DNS uses port 53.

This is all basic networking and can be done in like an hour.


Ok we are stuck. I don’t think it’s a good idea to go ahead and try finding out which services on the freepbx use what port and what means of communication and set up rules to make sure all of them get routed the correct way.

If this system has to be running reliably for a client I don’t want to have to go out and fix it again if some update changes the port something uses to connect to the internet or if for example somebody installs a new module and this all of a sudden wants to connect on a port that was excluded.

Also I just don’t see how it is a wise idea to pretty much route the whole udp port range to the SIP providers network. (The routed udp range would need to be from 1024 to 65535 because that’s all the ports which can be used by rtp and i don’t have one clue what my SIP provider has set the range to.)

And even if I go and set up custom rules for everything that has to connect to the internet, if it’s within the range that the rtp uses if the rtp chooses to use this port it will again land in the wrong place and the calls will be with no audio.

My initial idea was to be able to discuss why my routing setup which I posted at the beginning of this thread was in any way faulty or not working but I guess I’ll now have to go to a linux networking forum with that.

(Tom Ray) #31

Well then I suggest you hire someone that understands firewalls, routing and Mikrotiks to deal with this. This is literally less than an hour of work to have all the routing set up and in place.


Ok now we are at a point were we are just insulting each other. I think everbody has the right to learn but I do get that some pro’s don’t like to help. If I’d hire you, you would definetly mange to do it in under an our and it would be working fine, I guess I could do the same probably in two hours since I’m not as experienced with networking as you are. But then again let’s say that in the future some module wants to connect to it’s own server on the internet at UDP it will not work. And then we both would get a call from our client and he would say this and this is not working and we had to go and exclude this again from the rules in the mikrotik and you would do it in 5min and it would take me 15 min. But in both cases the client wouldn’t be happy.

Anyway thank you for your help and cheers mate :slight_smile:


I could try to help further if I could understand your scenario better. I work with Mikrotik and dual-homed FreePBX, so if you could maybe draw a diagram with your network infra, I could try to come up with some other ideas. The issue is that I can’t seem to understand your scenario just by reading, sorry.

(Tom Ray) #34

Let us be very clear on something. I have spent the last week helping you on this. Working my way through this mangled mess you setup and trying to help you do basic things in the Miktortik. It has clearly become the case that you do not have the skillset for this yet, yet. Since this is a business need I gave you a very solid business suggestion. Because you know what you can do when you hire that person, you can pick their brain and learn from them while they work on it with you.

So basically because I said “Hire someone” after spending a week trying to help you, I’m the jerk pro who just doesn’t want to help? That is pretty insulting to me that my time awesome while I was helping but not so much when I made a suggestion that hurt your feelings.


That’s true you definitely helped me and I do really appreciate this, and I do apologize that I called you a jerk pro that doesn’t want to help. That sentence was not clever and I regret it, sorry. It wasn’t supposed to be meant like that. Your suggestion didn’t hurt my feelings it’s just that we must have had a misunderstanding. It may seem that my problem is with setting up the MikroTik but this is not the case I just don’t agree to leave the routing just to the MikroTik router. The concept seems flawed in my opinion. As I described in my previous post.

And again I’m sorry if I’ve been the jerk I’m trying no to be him but I guess I couldn’t have done him better if I wanted it.


Thanks I will draw a diagram…


Remember that FreePBX is not a routing device. There is not much you can do aside from installing two network cards and setting up static routes. If you want real routing, you need to go with a router, in your case the Mikrotik.
The easiest would be if the IP or IPs to your VoIP provider would be known and none changing, then you could easily solve that with just the two NICs and the static routes on FreePBX. But if I remember correctly, you already told us that is not the case.
Of course you could install the necessary packages to turn your FreePBX server into a Linux routing device, but I’m not sure you would want to go down that path. Then again I might be wrong.


exactly that’s the issue because this is how it was set up before and it failed as the SIP provider started moving around their RTP servers.

yes and that’s pretty much what I’ve done as i have shown in the first post (but probably wrong)


Maybe we already discussed this before, but why can’t you just connect your SIP provider’s equipment directly to one of the NICs, make the other NIC the default gateway, so updates go over that other NIC and create a static route for the whole network of your provider’s servers on the NIC connected to your provider’s equipment? Do they have IPs in multiple different networks?


Yes they do that’s the problem… and they have changed them in the past multiple times to other networks…