Hosted PBX (with) remote phones (port 5060 UDP) (Solved: thanks dicko and lgatez)

Hi:

I’ve been seeing this happen more than once in the past few weeks.
FreePBX hosted (co-location) (static public IP)
Remote phones (Yealink)
UDP port 5060

The phones have been up and working for YEARS.

In the last few weeks: the remote phone(s) from this location will no longer register

No changes on the hosted PBX side (nothing changed).
Using tcpdump: The remote phone traffic is not arriving to the PBX
No UDP port 5060 traffic is arriving to the PBX
Also using: sngrep (no traffic arrives)

Probably no changes on the remote phone side (customer location)
NOTE: clients use the ISP equipment as their router/firewall/WiFi

Here is the interesting part:
On the phone side: (accessing the phones UI remotely)
We change the transport FROM: UDP (5060) TO: TCP (5060)

On the PBX side (watching with tcpdump)
We now see the TCP port 5060 traffic arrive to the PBX
Of course: the phone will not register … because it needs to use UDP

If we then change the transport type BACK to UDP (5060)
No traffic arrives to the PBX side … (using both tcpdump and sngrep)

We can register other UDP 5060 phones (from a neutral location)
tcpdump shows the port 5060 UDP traffic arriving

I think:
Maybe the ISP has had a firmware update stopping UDP 5060, and I’m not confusing this with SIP ALG (which is off / disabled)

Thanks for any tips / suggestions

Why won’t the phone register using TCP? It’s a band-aid, but if UDP is not getting routed and TCP is, that seems like a quick and dirty way to make things start working.

I’ve definitely seen ISPs block traffic over specific ports. From the remote network, can you use a computer to telnet to the PBX over port 5060 and see if that traffic hits?

Can you remind me:
How to make TCP port 5060 work on the FPBX side?

The FPBX box is not SangomaOS.
It is a older chan_SIP port 5060 UDP build.

What do we do in FPBX to make either / both UDP / TCP work?

Thanks for this reminder (knowledge gap / loss)

(telnet cannot be used over UDP to test a udp route you can use netcat/socat )

@dicko is right. I missed that the traffic passes when TCP 5060.

All Yealinks will happily work over TCP, just chose that as it’s transport

I would comment that in 2022 there is NO reason to use UDP/5060 for your phones, the Attack vector surface is just too huge, consider TLS (excellent) or TCP always over UDP for your extensions’ transport, but there are many bad guys out there roaming ports 5000-5999 for badly configured VOIP systems that can directly ‘cut-purse’ you.

My own comment:
Using UDP 5060 is fine: there are MANY reasons to leave it this way, but I do hear your point about not using UDP / 5060.
If you have the right firewall process: you are A-OK using UDP 5060.
In fact, it is way cleaner than using TCP.

By default: FPBX does not work with TCP for port 5060.
Yes: TLS also uses TCP, but we do not care for TLS right now.
No desire to deal with the SSL part of TLS (Yealink) right now.

I’m not sure how to setup FPBX to use either / both TCP or UDP on port 5060. I have a knowledge gap / loss for this point.

Your tips are appreciated.

ALL of our remote phones and hosted Freepbx phones use TLS without issue. Additionally we don’t use ANY standard ports…we use non-standard ports for UDP, TCP and TLS… while yes standard ports work for now…your asking for problems when you can easily avoid them

I would disagree , there are NO good reasons and it is NOT fine, you will be fighting the bad guys for ever

In the advanced settings you can enable both transports, you might need to open the read/write restrictions at the top of the page

My own comment:
Using UDP and 5060 is fine (esp) if you have your firewall under control.

Using TLS is cumbersome, but you enjoy it if you got it working.
Too much TCP chatter on the network for my liking.

We use standard ports because we have the firewall processes locked down. If you use non-standard ports across the board for a mass number of customers: you are asking for woes (IMHO).

Thank you for the tip:

Advanced Settings (enable both transports).
Really cool update: dicko

Take care.

Manageing your ‘mass number of customers’ is your responsibility that you should take seriously, if they are using UDP/5060, they are also intrinsically exposed to attacks outside of any control you have.

(always read the wiki for enlightenment)

Ah:

Actually: to enable both UDP and TCP (for) port 5060 using chan_PJSIP
This is located under:

Advanced SIP settings (not general tab) but chan_PJSIP tab

Once I did this: the phone registered to port 5060 using TCP

Thanks again!

now consider not using ‘well known ports’ , seriously there are folks cleverer than you or me that will advantage that

IMHO:
That is so NOT true.

Since I was speaking about the other guy using non-standard ports.
It will face woes. This idea is fun in thought: but not in actual practice over a large customer base (again) IMHO.

Use standard ports: and know networking / have a firewall.
This is the position FPBX was taking for many years.
AstriCon days.

There was a thread on this very topic just the other day of a user complaining about the number of SIP attacks on freepbx standard ports…the solution…don’t use standard ports…we see maybe a few fail2bans every few months…standard ports…LOTS constantly

This is not true…know networking and use a firewall is not the answer… I don’t think you get it…we run Freepbx behind fully configured NGFW’s, use non-standard ports for ALL transports and TLS for all remote phones…we have LOTS of clients…I’m not talking about one deployment here…

If you KNOW networking and the threats out there you face daily…properly configured firewalls, non-standard ports and TLS are no-brainers and easy…everything works great and you have less headaches and problems…thats if you know how to set it all up properly…