I’ve been seeing this happen more than once in the past few weeks.
FreePBX hosted (co-location) (static public IP)
Remote phones (Yealink)
UDP port 5060
The phones have been up and working for YEARS.
In the last few weeks: the remote phone(s) from this location will no longer register
No changes on the hosted PBX side (nothing changed).
Using tcpdump: The remote phone traffic is not arriving to the PBX
No UDP port 5060 traffic is arriving to the PBX
Also using: sngrep (no traffic arrives)
Probably no changes on the remote phone side (customer location)
NOTE: clients use the ISP equipment as their router/firewall/WiFi
Here is the interesting part:
On the phone side: (accessing the phones UI remotely)
We change the transport FROM: UDP (5060) TO: TCP (5060)
On the PBX side (watching with tcpdump)
We now see the TCP port 5060 traffic arrive to the PBX
Of course: the phone will not register … because it needs to use UDP
If we then change the transport type BACK to UDP (5060)
No traffic arrives to the PBX side … (using both tcpdump and sngrep)
We can register other UDP 5060 phones (from a neutral location)
tcpdump shows the port 5060 UDP traffic arriving
I think:
Maybe the ISP has had a firmware update stopping UDP 5060, and I’m not confusing this with SIP ALG (which is off / disabled)
Why won’t the phone register using TCP? It’s a band-aid, but if UDP is not getting routed and TCP is, that seems like a quick and dirty way to make things start working.
I’ve definitely seen ISPs block traffic over specific ports. From the remote network, can you use a computer to telnet to the PBX over port 5060 and see if that traffic hits?
I would comment that in 2022 there is NO reason to use UDP/5060 for your phones, the Attack vector surface is just too huge, consider TLS (excellent) or TCP always over UDP for your extensions’ transport, but there are many bad guys out there roaming ports 5000-5999 for badly configured VOIP systems that can directly ‘cut-purse’ you.
My own comment:
Using UDP 5060 is fine: there are MANY reasons to leave it this way, but I do hear your point about not using UDP / 5060.
If you have the right firewall process: you are A-OK using UDP 5060.
In fact, it is way cleaner than using TCP.
By default: FPBX does not work with TCP for port 5060.
Yes: TLS also uses TCP, but we do not care for TLS right now.
No desire to deal with the SSL part of TLS (Yealink) right now.
I’m not sure how to setup FPBX to use either / both TCP or UDP on port 5060. I have a knowledge gap / loss for this point.
ALL of our remote phones and hosted Freepbx phones use TLS without issue. Additionally we don’t use ANY standard ports…we use non-standard ports for UDP, TCP and TLS… while yes standard ports work for now…your asking for problems when you can easily avoid them
My own comment:
Using UDP and 5060 is fine (esp) if you have your firewall under control.
Using TLS is cumbersome, but you enjoy it if you got it working.
Too much TCP chatter on the network for my liking.
We use standard ports because we have the firewall processes locked down. If you use non-standard ports across the board for a mass number of customers: you are asking for woes (IMHO).
Manageing your ‘mass number of customers’ is your responsibility that you should take seriously, if they are using UDP/5060, they are also intrinsically exposed to attacks outside of any control you have.
Since I was speaking about the other guy using non-standard ports.
It will face woes. This idea is fun in thought: but not in actual practice over a large customer base (again) IMHO.
Use standard ports: and know networking / have a firewall.
This is the position FPBX was taking for many years.
AstriCon days.
There was a thread on this very topic just the other day of a user complaining about the number of SIP attacks on freepbx standard ports…the solution…don’t use standard ports…we see maybe a few fail2bans every few months…standard ports…LOTS constantly
This is not true…know networking and use a firewall is not the answer… I don’t think you get it…we run Freepbx behind fully configured NGFW’s, use non-standard ports for ALL transports and TLS for all remote phones…we have LOTS of clients…I’m not talking about one deployment here…
If you KNOW networking and the threats out there you face daily…properly configured firewalls, non-standard ports and TLS are no-brainers and easy…everything works great and you have less headaches and problems…thats if you know how to set it all up properly…