
How do I define which NIC is pointed to the SIP provider?


(Mac ) #1

I made a huge mistake and created a monster. I built a machine and used 3 NICs thinking I would isolate the phones from the business LAN from the SIP provider. But it’s been working fine for a year now. It’s a mess but it was functional… and now I’ve forgotten all I knew.

I changed out all the very old flat network hardware today (replacing with Unifi parts), adding VLANs, and now I can’t make or receive calls. I added a USG and I expect maybe the firewall defaults are not allowing connection to the SIP provider - but how can I see for certain which ETH port is for the outgoing SIP? That’s a starting point.

This might be vague but I’m exhausted, please… ask me whatever I left out.


(Mac ) #2

I’m more awake now. Maybe this makes more sense. I see the 3 NICs, but where in the interface do you tell FreePBX that a particular ETH port is connected to the WAN side? I am getting old and really bad with remembering how I did these one-off projects.

I now have 2 ISPs into a USG for failover. As I recall ATT didn’t play nice with port 5060 so I was using Comcast only for that interface (although the ETH port appears to be pointed at ATT IPs, I can’t explain that unless I simply abandoned that ETH port).

Now with the USG failover the USG is doing all the DHCP work so I have to figure out how FreePBX needs to have that configured.

I will work with ATT to fix their port 5060 problem, but this is not that.


(Dickson) #3

This isn’t a huge problem. That’s a fairly common way to deploy a PBX. I do mine similarly.

From your PBX, traceroute to the SIP provider. What’s the route? If it’s dying, see where it’s dying. It’s probably boiling down to a route problem. If you issue a ROUTE statement, do you have some routes that are affecting you? (The example below is a dual NIC setup, eth1 being the internet-facing IP and eth0 being the internal-facing IP.)

[root@pbx02 network-scripts]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
200.5.5.32      *               255.255.255.224 U     0      0        0 eth1
10.1.100.0      *               255.255.255.0   U     0      0        0 eth0
10.2.0.0        10.1.100.1      255.255.0.0     UG    0      0        0 eth0
10.3.0.0        10.1.100.1      255.255.0.0     UG    0      0        0 eth0
10.1.0.0        10.1.100.1      255.255.0.0     UG    0      0        0 eth0
10.4.0.0        10.1.100.1      255.255.0.0     UG    0      0        0 eth0
link-local      *               255.255.0.0     U     1002   0        0 eth0
link-local      *               255.255.0.0     U     1003   0        0 eth1
default         200.5.5.33      0.0.0.0         UG    0      0        0 eth1

#4

There are various ways to do it, it depends on your preference. I can give you two examples, but there might be other ways to do it for sure.
1.- Set the default gateway on the NIC connected to your VoIP provider. Easiest way but all traffic not locally destined on your PBX will go out that way, which might or might not be what you want.

2.- Create a specific static route on the desired NIC to the IP of your provider, that way only the desired traffic will go out that NIC. This might not be ideal if your provider doesn’t inform all possible IPs and instead provides you with a hostname.
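The two options above, worked through against the routing table posted in #3 (an added example, not code from the thread or from FreePBX). It applies the kernel's longest-prefix rule to show which NIC each destination leaves by; the provider addresses and the option 2 table are constructed for illustration.

```python
import ipaddress

# Routing table from the `route` output in post #3 (link-local rows omitted).
# Tuples are (destination, gateway, interface); gateway None = directly connected.
POSTED = [
    ("200.5.5.32/27", None, "eth1"),
    ("10.1.100.0/24", None, "eth0"),
    ("10.2.0.0/16", "10.1.100.1", "eth0"),
    ("10.3.0.0/16", "10.1.100.1", "eth0"),
    ("10.1.0.0/16", "10.1.100.1", "eth0"),
    ("10.4.0.0/16", "10.1.100.1", "eth0"),
    ("0.0.0.0/0", "200.5.5.33", "eth1"),  # option 1: default gateway on the provider NIC
]

# Option 2 (hypothetical variant of the table above): the default gateway moves
# to the internal router and one host route pins the provider to eth1.
PROVIDER_IP = "203.0.113.10"  # constructed placeholder, not a real provider
OPTION2 = POSTED[:-1] + [
    ("0.0.0.0/0", "10.1.100.1", "eth0"),
    (PROVIDER_IP + "/32", "200.5.5.33", "eth1"),
]

def lookup(dest, routes):
    """Return (network, gateway, iface) of the most specific matching route."""
    addr = ipaddress.ip_address(dest)
    best = None
    for cidr, gateway, iface in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    if best is None:
        raise LookupError("no route to " + dest)
    return str(best[0]), best[1], best[2]

def egress(dests, routes):
    """Map each destination to the interface it would leave by."""
    return {d: lookup(d, routes)[2] for d in dests}

if __name__ == "__main__":
    # 203.0.113.20 stands for a second provider address that has no host route.
    targets = [PROVIDER_IP, "203.0.113.20", "198.51.100.7", "10.1.100.50"]
    for name, table in (("option 1", POSTED), ("option 2", OPTION2)):
        print(name, egress(targets, table))
```

On the PBX itself, `ip route get <provider address>` reports the kernel's actual choice of interface and gateway for that destination.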


(Mac ) #5

Well this is weird. I got both my ISP modems into bridge mode and into the USG. Hit Detect Network Settings under Sip Configuration… then the phones worked. I didn’t have to do any of that before.

More confusion is that I completely unplugged the third ETH port which is what I thought was the wan port. Guess not. Everything is working on the single port. Incoming and outgoing. And all behind the USG.

And even more confusing to me is that under SIP settings the external address is a public IP. How did FreePBX get and know about a public IP if it’s behind the USG?? I would have thought it would have an address from the gateway and be NAT’ed within the USG. How does that work?


#6

External IP detection is exactly that. FreePBX has a script that lets it check which IP is being used to get to the internet. That way you can configure NAT parameters more easily.


(Dave Burgess) #7

Funny story on that. The old code (and perhaps the new code, I haven’t tried it in a long time) would use the external IP for the browser you were using to modify the FreePBX GUI.

I don’t think it does that anymore (with the advent of virtualization) but it was a hair puller for a while.


(Mac ) #8

Just to help me understand, the external IP Detection uses a method like “WhatsMyIp” where it goes out to some site that returns the address it saw?

I ask because I can’t understand how that IP would make it through the gateway device (Unifi USG in this case) without modifying the firewall rules which I have not done.

And finally, when I built this I expressly set ETH2 to be the WAN port and yet now it’s not. Where in the GUI is that set? All I can find is the firewall and network configs, but they don’t say what each is used for. Just that they are all local and trusted.


#9

There is no need to specify any firewall rules. If you have allowed outgoing connections from your PBX, that is all it takes for it to detect the external IP, as long as the PBX has a default gateway defined.


(Mac ) #10

How then does an incoming call take place? My provider sends it to my WAN IP, how does it get to the LAN IP of the FreePBX box?


#11

It depends on your particular router, but I was just talking about outgoing connections, not incoming ones.


(Mac ) #12

I know, but it’s gotta happen somehow.


(Dickson) #13

By default most routers of this type will respond to internet traffic that is belonging/matching to a request that is originating from inside your network. It won’t respond to traffic that is spontaneously trying to come in.

If an internal device asks an internet device for data, that traffic will be allowed to come back in, for that request only.
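The behaviour described in the post above, as a simplified model of a stateful NAT gateway (an added example, not from the thread and not the USG's own logic). It goes one step beyond the post by also modelling idle expiry of the state entry; all addresses, ports and the timeout are constructed sample values.

```python
UDP_TIMEOUT = 30  # seconds; constructed value, real gateways use their own idle timeout

class StatefulNat:
    """Port-preserving NAT that forwards inbound packets only when they match live state."""

    def __init__(self, wan_ip):
        self.wan_ip = wan_ip
        # (wan_port, remote_ip, remote_port) -> [lan_ip, lan_port, last_seen]
        self.table = {}

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port, now):
        """A LAN host sends a packet: create or refresh the state entry."""
        self.table[(lan_port, remote_ip, remote_port)] = [lan_ip, lan_port, now]
        return (self.wan_ip, lan_port, remote_ip, remote_port)  # packet as seen on the WAN

    def inbound(self, remote_ip, remote_port, wan_port, now):
        """A packet arrives on the WAN side: return the LAN target, or None if dropped."""
        key = (wan_port, remote_ip, remote_port)
        entry = self.table.get(key)
        if entry is None:
            return None  # unsolicited: no internal request matches it
        if now - entry[2] > UDP_TIMEOUT:
            del self.table[key]
            return None  # the matching request is too old, state has expired
        entry[2] = now  # traffic in either direction keeps the entry alive
        return (entry[0], entry[1])

def demo():
    """PBX at 192.168.1.10 talks to a provider at 203.0.113.10 (both constructed)."""
    nat = StatefulNat("198.51.100.2")
    sent = nat.outbound("192.168.1.10", 5060, "203.0.113.10", 5060, now=0)
    return {
        "seen_by_provider": sent[:2],
        "reply": nat.inbound("203.0.113.10", 5060, 5060, now=5),
        "stranger": nat.inbound("192.0.2.99", 5060, 5060, now=6),
        "late": nat.inbound("203.0.113.10", 5060, 5060, now=60),
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```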

