FreePBX policy based routing for trunk over separate connection

Then there’s not much more to do than trying to make it work through a router. In this scenario, where the IPs are changing to different networks, I’m not sure whether even an SBC would make it possible to work through it.

Yes, and that’s what I wanted to do. So I successfully set up some policy-based routing on my MikroTik router, but I had no criteria to route by, as can be seen in this table:

  1. destination address -> out the window, because they change
  2. destination port -> out the window, because the ports are not specific to RTP. Other services use them too; this would mean anything on the LAN trying to connect to the internet with a port number between 1024 and 65535 and using UDP would go the wrong way
  3. source address (i.e. FreePBX address 192.168.239.205) -> out the window, because then FreePBX could not get updates and time etc., since the SIP WAN does not lead to the internet
  4. destination port and source address -> out the window, because if at any time there is any service other than Asterisk on the FreePBX using a UDP port in the range 1024-65535 it wouldn’t be able to connect to the internet, as it would go the wrong way.

“Solution”
  5. source service “asterisk” on FreePBX box -> would be the solution, but does not work since the MikroTik can’t see from the IP packet which service made it. That’s why I wanted to route directly on the host Linux system on the FreePBX box, because there this is possible.

Point 3 is not entirely correct, because the issue there is not updates, but the fact that you have 2 different IPs on FreePBX, so you can’t fix the source IP, again because you can’t create static routes on FreePBX.

The only solution I can think of is to set only one IP on FreePBX, and then create a rule for that IP and SIP and RTP ports. That way it should work, unless your provider requires that your PBX has an IP in the same range of their equipment. By the way, what equipment is that, modem, router, switch?

In any case, can you please try to elaborate on your specific VoIP network infrastructure? I’m sure I’m missing something, so it would be a lot easier for me to understand your current scenario, including provider’s equipment.

hope this explains my situation…

How can your SIP provider expect you to set anything up if the destination IP AND Port keep changing? It doesn’t matter if you have a single connection or six connections, if they keep changing where you have to connect to regularly that is a completely different issue that has to be dealt with.

I also don’t understand why you are so focused on RTP; you will never know their media IPs until they provide them in the SDP body. I don’t know how many times this has to be explained. Your main concern is the SIP signalling to route the traffic.

OK, this is going to be the last attempt. If you do not understand any of this, speak up immediately and be clear and concise. I’m going to use placeholders for things, adjust as you need to.

  1. Pick a port on the RB2011; that will be the PBX port. Remove that port from the bridge so that it becomes a “standalone” port. Let’s say Port 10.

— In the RB2011 —
  2. IP → Addresses → New
    Address: 192.168.99.1/30
    Network: 192.168.99.0
    Interface: ether10
  3. IP → Firewall → NAT → Add New
    SRC Address: 192.168.99.2
    Protocol: 17 (udp)
    Dst Port: 5060
    Out Interface: ether2 (the WAN for the SIP connection)
    Action: src-nat
    To Address: WAN IP of SIP Connection
  4. Use the copy command to duplicate the original rule
    SRC Address: 192.168.99.2
    Protocol: 17 (udp)
    Dst Port: !5060 (check the little box next to the port; this (!) means NOT, as in NOT 5060)
    Out Interface: ether1 (the WAN for the Data connection)
    Action: src-nat
    To Address: WAN IP of Data Connection
  5. Use the copy command to duplicate the original rule
    SRC Address: 192.168.99.2
    Protocol: !17 (udp) (means everything but UDP)
    Dst Port: – (use the up arrow next to it to “delete” the dst port), because it doesn’t matter where.
    Out Interface: ether1 (the WAN for the Data connection)
    Action: src-nat
    To Address: WAN IP of Data Connection

— In PBX —
  6. Assign 192.168.99.2/30 as the IP of the PBX with 192.168.99.1 as the gateway
  7. Make sure it’s in ether10 on the RB2011
  8. Set the External PBX IP to the WAN IP of the SIP connection
  9. Set the Local Networks to 192.168.88.0/24 (local network where the phones are)

So in a nutshell, the RB is now set to send the traffic out the proper WAN connections and will make the src-reply address the WAN connection it went out. The PBX will accept calls from the internal phones over the LAN, and when it makes or accepts calls from the WAN it will use the WAN IP of the SIP connection for record routes and SDP/media.

The only thing I haven’t done is outline inbound NAT rules. I’m hoping you can deal with those.

Let me see if I understood it correctly. Strictly for VoIP. You have a private 10.x.x.x IP on VLAN 30 that is used to reach sip.mysipprovider.com???

Does sip.mysipprovider.com resolve to an IP in the same 10.x.x.x subnet or to a public IP???

This seems quite a strange setup, was 10.237.123.34 specified by your provider? If so, didn’t they also specify an IP for your PBX ???

Sorry if my questions seem dumb; it is just that I’m having a hard time understanding why your provider would set you up like that. Not that it matters for this particular issue, it just baffles me. Then again, I’m not used to this kind of convoluted setup.

  1. Yes, there is no other way to get a response from sip.mysipprovider.com other than having a source IP within 10.x.x.x in the request packet, so yes, I have to go through that private network

  2. sip.mysipprovider.com resolves to a public IP

  3. No, that is DHCP; I get a different address when I renew (they don’t tell you anything; they give you a FritzBox which should be used as a router and a PBX, but it’s shit)

no your questions are perfectly fine…

Read my updated reply. It sent before finished and I had to edit it.

Ok, thank you very much, that was very kind that you wrote all of this down like that! I’ll try that. One question still remains: you said I don’t have to care about RTP. That means that when the call establishes and the FreePBX sends out an RTP stream, it will know that it has to go via the SIP WAN automatically, and thus the NAT rules don’t need to deal with this, right?

You shouldn’t have to do anything with the RTP. Even if you have to you can use the Dst Address and port range option to specify that incoming traffic to 192.168.99.2/30 on UDP from 10000-20000 go to the PBX. This isn’t like a Netgear or a D-Link or some Walmart/Best Buy router, this is a fully Linux kernel driven OS which means you can be very, very specific about your firewall rules.

Ok, I’m going to try that and I will report back. I’ve always been using mangle rules on the MikroTik to get the 192.168.99.2 to go out ether2, and thus it might be that I had to worry about the RTP stuff because the NAT detection on SIP probably didn’t get that. And I know that the MikroTiks are Linux-based routers, and that’s why I always use them, since they work great and have amazing flexibility.
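As an added check on the instructions above and on the RTP question just raised (example code written for this thread, not something from the posters or from MikroTik), this models the three src-nat rules as a first-match chain and pulls the far end’s media address out of a constructed SDP answer, so you can see which WAN interface SIP signalling, the RTP stream and ordinary TCP traffic from 192.168.99.2 would leave by. The to-addresses are placeholders as in the original steps; the SDP body is made up, reusing the provider address quoted in the thread.

```python
import re

UDP, TCP = 17, 6

# The three src-nat rules from the thread, in MikroTik order (first match wins).
# A plain value must match; ("!", value) is the negated match; None means "any".
# The to-addresses are placeholders, as in the original instructions.
NAT_RULES = [
    {"src": "192.168.99.2", "proto": UDP, "dst_port": 5060,
     "out": "ether2", "to": "SIP_WAN_IP"},          # SIP signalling -> SIP WAN
    {"src": "192.168.99.2", "proto": UDP, "dst_port": ("!", 5060),
     "out": "ether1", "to": "DATA_WAN_IP"},         # any other UDP -> data WAN
    {"src": "192.168.99.2", "proto": ("!", UDP), "dst_port": None,
     "out": "ether1", "to": "DATA_WAN_IP"},         # everything non-UDP -> data WAN
]

def _match(cond, value):
    """Evaluate one rule field the way the GUI's '!' (NOT) checkbox does."""
    if cond is None:
        return True
    if isinstance(cond, tuple):           # ("!", x) means NOT x
        return value != cond[1]
    return value == cond

def egress(src, proto, dst_port):
    """Return (out-interface, to-address) of the first matching src-nat rule,
    or None when no rule applies and the packet is simply routed."""
    for r in NAT_RULES:
        if (r["src"] == src and _match(r["proto"], proto)
                and _match(r["dst_port"], dst_port)):
            return r["out"], r["to"]
    return None

def sdp_media(sdp):
    """Extract the far end's RTP address and port from the SDP c= and m=audio lines."""
    conn = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
    audio = re.search(r"^m=audio (\d+) RTP/AVP", sdp, re.M)
    if not conn or not audio:
        raise ValueError("SDP body has no c=/m=audio lines")
    return conn.group(1), int(audio.group(1))

# Constructed SDP answer such as a provider returns in a 200 OK; port is made up.
SAMPLE_SDP = ("v=0\r\no=- 1 1 IN IP4 10.237.123.34\r\ns=-\r\n"
              "c=IN IP4 10.237.123.34\r\nt=0 0\r\nm=audio 18744 RTP/AVP 8 101\r\n")

if __name__ == "__main__":
    print("SIP  :", egress("192.168.99.2", UDP, 5060))
    media_ip, media_port = sdp_media(SAMPLE_SDP)
    print("RTP  :", media_ip, media_port, egress("192.168.99.2", UDP, media_port))
    print("HTTPS:", egress("192.168.99.2", TCP, 443))
```

Swap the media port in SAMPLE_SDP for one from a real SDP capture to see which rule the RTP stream actually hits on your box.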

Wait. When you say that the FritzBox is supposed to be used as a PBX, then your provider is not expecting to receive connections to the service from another PBX, they are expecting you to connect a phone to an FXS on the FritzBox???

Yes, this is not how they expect the setup to be, but I’m not going to use a FritzBox because we need the functionality of FreePBX.
They put their own software onto the FritzBox via remote config, and they want you to plug analogue phones into the back of it, but come on, it’s 2018. And this SIP provider / ISP is just what the customer wanted/had, and the provider said that it will all work with FreePBX, but apparently the sales reps at this provider are told to say yes to every wish the customer has even though they had no clue. So now we are stuck with this provider and trying to get it working.

Well to be honest, if I were you, I would not try to “hack” this. Just get FXO ports for your FreePBX, preferably on a gateway as you are running a VM, and get done with it.

I didn’t see this yesterday as I was posting my instructions and missed this reply, but this was a VERY IMPORTANT piece of information, since FritzBoxes cause all sorts of issues with the SIP devices that sit behind them since IT IS A SIP DEVICE.

So I basically have no idea now if anything I gave you will work since the FritzBox will completely mess with it and cause issues. I always love that things like this are always mentioned in passing, after people have been asked for details and after help has been provided because things like this completely make everything that was done before moot due to it completely changing the scope of the issue.

The FritzBox is not in use; it is only how the ISP wants me to do things. The MikroTik is directly connected to the WAN connections like I described in my diagram.

I totally get that. Do you think you’re the first person who has tried to not use the PBX in the FritzBox so they could use FreePBX instead?! No, you are not. So when I say this will mess with all your crap and causes problems with trying to use FreePBX (or a PBX) behind it is a big pain in the ass it is because I’ve had to deal with this crap before.

And yes people have claimed “It’s not being used” but that doesn’t change how the things in the FritzBox are programmed overall. So I guess you can try how I said set it up but at this point I have no idea what will happen or how long it would work due to the FritzBox.

Why do you accuse me of thinking I’m the only one that wants to do this? NOOO! That’s why I’m asking here, to get help from people who have done something like this before! And I’m grateful to have people like you helping me!

But now my question is, since those seem to be normal SIP accounts that have been registered in the FB, why would they cause problems when used on FreePBX?

Because the FritzBox was designed with the fact it is the SIP device so all the default firewall/NAT rules and other policies inside the FritzBox will be based on that. It also is a service where the included SIP device is the expected SIP device so again, these things have just caused trouble and are a real PITA.

Yes, I agree with you completely, but this is not a case of it just has to work. This is a case of I want to try to “hack” the system and get an alternative solution. (BTW: I’m obviously doing this without getting paid for it, and the customer has also agreed to let me test this like that on his setup.) It’s just a bit ridiculous to me having to go: fiber -> ethernet -> FritzBox -> old-style RJ11 telephone cord -> FreePBX, and for the Internet connection fiber -> ethernet -> FritzBox (DMZ) -> MikroTik