How to set up 2 independent Asterisk boxes behind the same firewall?

All right. So I am trying to port my FreePBX/Asterisk installation to new hardware, and I have come to the conclusion that it is probably better to start from scratch.

My old installation sits behind a firewall with a local address of 192.168.x.40. I downloaded the AsteriskNow 6.12 distro and installed it. The new system comes up with IP 192.168.x.116. Then I set up a trunk and registered it. “sip show registry” shows a registered trunk. I set up an outbound route and a phone. The phone does connect to the new server.

When I dial from the phone, whatever I do, I only get “The number you dialed cannot be connected as dialed” or similar. I also noticed that when the new system is online (registered), my old system doesn’t work correctly anymore. I can dial out, but when I for example dial my cell phone, it rings, and I can pick up, but the extension on the old phone keeps on ringing. So there is some interference which I think I need to resolve first.

So, that finally brings me to my question: How do I need to set up 2 FreePBX/Asterisk systems that reside on the same network to work independently and not interfere with each other? I checked the firewall, and there are a few ports forwarded to my old system. I don’t think I can forward them to both systems, can I?

Any help is appreciated.

a couple of things.

  1. the PBXs should have static IP addresses
  2. you need different trunks for each PBX
  3. if the trunks register, you should be able to delete the port forwards in the firewall. And no, you can’t forward ports to both systems
  4. if you use IP registration instead of user id/password registration for your trunks it will not work

You also need to use separate SIP signalling ports for each machine, or your NAT forwarding might not work as you want.
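The two replies above amount to a port plan: a static LAN address, its own SIP bind port and its own RTP range per PBX, no external port forwarded to more than one inside host, and a router UDP session timeout longer than the qualify interval. The following is an added example, not code from this thread or from FreePBX: it encodes those rules as checks and renders the matching chan_sip, rtp.conf and iptables lines. The addresses (192.168.1.0/24, 203.0.113.10), ports and ranges are constructed sample values, not the poster’s; `nat=force_rport,comedia` is the chan_sip NAT setting I would use behind a router, not something the replies specify.

```python
"""Port-plan check for two Asterisk/FreePBX boxes behind one NAT router.

Added example, not code from the thread or from FreePBX. Sample addresses,
ports and ranges are constructed values.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Pbx:
    name: str
    ip: str                  # static LAN address
    sip_port: int            # chan_sip "bindport" (signalling)
    rtp: Tuple[int, int]     # rtp.conf rtpstart/rtpend, inclusive
    qualify_secs: int = 60   # chan_sip qualifyfreq default is 60 s


Forward = Tuple[int, int, str]  # (external lo, external hi, inside host)


def overlap(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return max(a[0], b[0]) <= min(a[1], b[1])


def check_plan(pbxs: List[Pbx], forwards: List[Forward],
               nat_udp_timeout_secs: int) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    for i, a in enumerate(pbxs):
        for b in pbxs[i + 1:]:
            if a.ip == b.ip:
                problems.append(f"{a.name} and {b.name} share LAN address {a.ip}")
            if a.sip_port == b.sip_port:
                problems.append(f"{a.name} and {b.name} both signal on udp/{a.sip_port}")
            if overlap(a.rtp, b.rtp):
                problems.append(f"RTP ranges of {a.name} {a.rtp} and {b.name} {b.rtp} overlap")
    # one external port can be sent to only one inside host
    for i, (lo, hi, ip) in enumerate(forwards):
        for lo2, hi2, ip2 in forwards[i + 1:]:
            if ip != ip2 and overlap((lo, hi), (lo2, hi2)):
                problems.append(f"udp/{max(lo, lo2)}-{min(hi, hi2)} forwarded to both {ip} and {ip2}")
    for p in pbxs:
        # a forward that covers this PBX's ports but points elsewhere steals its traffic
        for lo, hi, ip in forwards:
            for rng in ((p.sip_port, p.sip_port), p.rtp):
                if ip != p.ip and overlap(rng, (lo, hi)):
                    problems.append(f"{p.name}: udp/{rng[0]}-{rng[1]} is forwarded to {ip}, not {p.ip}")
        # the NAT mapping must outlive the qualify (OPTIONS) interval that keeps it open
        if nat_udp_timeout_secs <= p.qualify_secs:
            problems.append(f"{p.name}: NAT UDP timeout {nat_udp_timeout_secs}s <= qualify {p.qualify_secs}s")
    return problems


def render(pbx: Pbx, externip: str, localnet: str, wan_if: str = "eth0") -> str:
    """chan_sip [general] and rtp.conf fragments for one PBX plus the DNAT rules
    that forward only that PBX's ports to it. In FreePBX the same values are set
    on the Asterisk SIP Settings page rather than edited by hand."""
    lo, hi = pbx.rtp
    return "\n".join([
        f"; --- {pbx.name}: sip.conf [general] ---",
        f"bindport={pbx.sip_port}",
        f"externip={externip}",
        f"localnet={localnet}",
        "nat=force_rport,comedia",
        "qualify=yes",
        f"qualifyfreq={pbx.qualify_secs}",
        f"; --- {pbx.name}: rtp.conf [general] ---",
        f"rtpstart={lo}",
        f"rtpend={hi}",
        f"# --- router: forward only this PBX's ports to {pbx.ip} ---",
        f"iptables -t nat -A PREROUTING -i {wan_if} -p udp --dport {pbx.sip_port} "
        f"-j DNAT --to-destination {pbx.ip}:{pbx.sip_port}",
        f"iptables -t nat -A PREROUTING -i {wan_if} -p udp --dport {lo}:{hi} "
        f"-j DNAT --to-destination {pbx.ip}",
    ])


if __name__ == "__main__":
    old = Pbx("old", "192.168.1.40", 5060, (10000, 14999))
    new = Pbx("new", "192.168.1.116", 5062, (15000, 19999))
    forwards = [(5060, 5060, old.ip), (10000, 14999, old.ip),
                (5062, 5062, new.ip), (15000, 19999, new.ip)]
    print(check_plan([old, new], forwards, nat_udp_timeout_secs=300) or "plan OK")
    print(render(new, "203.0.113.10", "192.168.1.0/255.255.255.0"))
```

Feeding it the situation from the opening post (both boxes on 5060 with the same 10000-20000 range and every forward pointing at the old box) reports the shared signalling port, the overlapping RTP ranges and the forwards that send the new box’s traffic to the old one; the split plan in the usage block comes back clean.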

Great. I will check into that. Couple of questions:

@Rob:

When you say “static IP addresses” do you mean a static IP address within the subnet (192.168.x.x), or a valid internet IP address?

I got two trunks. I checked one of them and it says it is using port 5060. Since I don’t think the other is set up differently (I didn’t check), I tried to change the port of the trunk with a “port=x” statement in the peer section of the trunk. That did not work, the system (“sip show registry”) continues to show 5060.

At the moment I have forwarded the following ports to the “40” machine (the old one that works): 5002 - 5082 (except 5038, I read somewhere that this is used by something else), and 10,000 - 20,000. When I forward all of them to the “116” machine (new setup), I still can’t call, even when the “40” machine is offline.

I am using id/password for both trunks.

@dicko
I suppose with “SIP signalling ports” you mean the 10,000 - 20,000 ports, right?

No, they are the resulting SDP connections (audio). Your SIP signalling by default will be on 5060/5061.

try removing all port forwards in the router. Don’t change the port in the trunk and test again.
Also verify that the UDP session timer on your router is set to a value higher than the qualify time (usually 2 minutes).

are your trunks registering with the same ip address or are you using two different sip trunk providers?

if it is the same IP, then you need to talk to your provider on how to properly register and use two trunks from the same IP address. I know some providers don’t allow it.

and yes by static i meant on your internal network.

no dice so far.

I tried the following: remove all port forwards in firewall.
(old system still works)
Turn off old system (shut down PC)
Start new system.
Verified that trunk was registered (sip show registry)
Tried outbound call to my cell phone
Result: (phone number replaced by XXXXXXXXXX)

[2016-10-04 10:24:32] VERBOSE[3588][C-00000001] pbx.c: -- Executing [XXXXXXXXXX@from-internal:1] ResetCDR("SIP/2000-00000001", "") in new stack
[2016-10-04 10:24:32] VERBOSE[3588][C-00000001] pbx.c: -- Executing [XXXXXXXXXX@from-internal:2] NoCDR("SIP/2000-00000001", "") in new stack
[2016-10-04 10:24:32] VERBOSE[3588][C-00000001] pbx.c: -- Executing [XXXXXXXXXX@from-internal:3] Progress("SIP/2000-00000001", "") in new stack
[2016-10-04 10:24:32] VERBOSE[3588][C-00000001] pbx.c: -- Executing [XXXXXXXXXX@from-internal:4] Wait("SIP/2000-00000001", "1") in new stack
[2016-10-04 10:24:33] VERBOSE[3588][C-00000001] pbx.c: -- Executing [XXXXXXXXXX@from-internal:5] Progress("SIP/2000-00000001", "") in new stack
[2016-10-04 10:24:33] VERBOSE[3588][C-00000001] pbx.c: -- Executing [XXXXXXXXXX@from-internal:6] Playback("SIP/2000-00000001", "silence/1&cannot-complete-as-dialed&check-number-dial-again,noanswer") in new stack
[2016-10-04 10:24:33] VERBOSE[3588][C-00000001] file.c: -- <SIP/2000-00000001> Playing 'silence/1.ulaw' (language 'en')
[2016-10-04 10:24:34] VERBOSE[3588][C-00000001] file.c: -- <SIP/2000-00000001> Playing 'cannot-complete-as-dialed.ulaw' (language 'en')
[2016-10-04 10:24:36] VERBOSE[3588][C-00000001] pbx.c: == Spawn extension (from-internal, XXXXXXXXXX, 6) exited non-zero on 'SIP/2000-00000001'
[2016-10-04 10:24:36] VERBOSE[3588][C-00000001] pbx.c: -- Executing [h@from-internal:1] Hangup("SIP/2000-00000001", "") in new stack
[2016-10-04 10:24:36] VERBOSE[3588][C-00000001] pbx.c: == Spawn extension (from-internal, h, 1) exited non-zero on 'SIP/2000-00000001'

This looks very different when I look at the log for the old system, which calls all sorts of macros. I should say that I do not have a phone number set up yet for the new system, so there is no inbound route. Is that required?

I had a thought on this.

Can you get a second IP address for your firewall? if so, you can put PBX-1 behind 66.66.66.66 and the other behind 66.66.66.67… Redirect from the external address for each to the appropriate PBX. I know it’s kind of cheating, but it’s going to be a lot easier than trying to do this through just configuration.

I can probably try this, but at the moment the new system does not even work when it is “alone”. Before I go into the “dual system” configuration, I think I want to get the new system set up so that I can at least make and receive phone calls. I will take the computer home today, and try to set it up there. That should avoid any conflicts between the systems.

Do you have a working outbound route for XXXXXXXXXX ?

Oops. Feeling stupid now …

I did have outbound route setup, but the dialing pattern was set up incorrectly. I needed to add a “1”. Doh.

System is now dialing out. SUCCESS!

Next step: get a dial in number and set up inbound route.

Separate SIP ports were mentioned, but RTP ports should also not overlap. The configured RTP port range is probably wide, so the chance is not that high, but from time to time both machines may choose the same port and one of them would end up with a different source port because of NAT. Without correct NAT forwarding for both machines (= separate port ranges again) you also cannot handle the scenario where the 2nd party is behind another NAT and its source RTP port is different from the one advertised in SDP.


Hi!

Why do you consider that cheating? To me, it sounds like the preferable solution… Moving ports around and trying to avoid overlap does sound like cheating to me…

Have a nice day!

Nick

Because it doesn’t answer his question. It solves his problem, but he asked if there was a way to do it.

The easy way is to put two external addresses on the firewall. The hard way is to carve out the address blocks and set up different ports for each server.

Incorrect. RTP Ports can overlap without any issues at all. The larger the RTP range the better, too. RTP is unique enough that even with matching ports the traffic will get sent to the correct host.

Relying on RTP ports being “unique enough” is bad practice in my opinion. Even 1 in 100 calls dropped because of one-way audio would be bad service, especially if it can be easily prevented. If my math is correct, for 200 calls from 2 endpoints over 10000 ports there is a 73% chance (1 - 0.99^100) that one of the calls would fail. If the number of endpoints got higher, this problem would move toward the birthday paradox (for 23 PABXs using 365 ports there is a 50% chance that at least one call would fail).

  • assuming no RTCP or RTCP muxing
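The probability argument in the post above, and the earlier point that overlapping ranges let two inside hosts pick the same source port so the NAT rewrites one of them and the port in that leg’s SDP no longer matches what the far end sees, can be carried through in code. The following is an added example, not from the thread: it implements the post’s independent-pick model, the exact count for the same question when a PBX never hands one port to two concurrent calls, the classic birthday bound, and the halving of the usable pool that the footnote’s “no RTCP” assumption waves away (Asterisk puts RTP on an even port and RTCP on the odd port above it). The call counts and pool sizes are constructed sample values taken from the post.

```python
"""Collision odds for RTP ranges shared by several PBXs behind one NAT.

Added example, not code from the thread. Inputs are constructed sample values.
"""
from fractions import Fraction


def p_collision_independent(ports_in_use_a: int, calls_b: int, pool: int) -> Fraction:
    """Model from the post: each call on PBX B independently lands on one of
    the ports PBX A has in use with probability ports_in_use_a / pool."""
    p_hit = Fraction(ports_in_use_a, pool)
    return 1 - (1 - p_hit) ** calls_b


def p_collision_exact(ports_in_use_a: int, calls_b: int, pool: int) -> Fraction:
    """Same question, but B's calls take distinct ports: a PBX does not give
    the same RTP port to two concurrent calls, so each pick shrinks the pool."""
    p_clear = Fraction(1)
    for i in range(calls_b):
        p_clear *= Fraction(pool - ports_in_use_a - i, pool - i)
    return 1 - p_clear


def p_birthday(endpoints: int, pool: int) -> Fraction:
    """Probability that at least two of `endpoints` hosts, each holding one
    uniformly random port from the shared pool, picked the same port."""
    p_clear = Fraction(1)
    for i in range(endpoints):
        p_clear *= Fraction(pool - i, pool)
    return 1 - p_clear


def usable_rtp_ports(rtpstart: int, rtpend: int) -> int:
    """Asterisk allocates RTP on an even port and RTCP on the next odd port,
    so a range carries half as many concurrent calls as it has ports."""
    return (rtpend - rtpstart + 1) // 2


if __name__ == "__main__":
    # The post's figures: 100 calls on each of two PBXs sharing a 10000-port range.
    print(f"independent model: {float(p_collision_independent(100, 100, 10000)):.3f}")
    print(f"exact model:       {float(p_collision_exact(100, 100, 10000)):.3f}")
    print(f"23 hosts / 365 ports (birthday): {float(p_birthday(23, 365)):.3f}")
    # Counting RTCP, 10000-20000 is 5000 call slots, so the odds are higher still.
    slots = usable_rtp_ports(10000, 20000)
    print(f"same 100+100 calls over {slots} slots: {float(p_collision_exact(100, 100, slots)):.3f}")
    print(f"disjoint ranges: {float(p_collision_exact(0, 100, 5000)):.3f}")
```

Both models put the two-PBX case above 60%, and with disjoint ranges the first argument is zero, which is the whole point of carving the range rather than trusting the NAT to sort it out.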

Unique enough for the NAT device to be able to handle it correctly. There is nothing to rely on, this is a factual statement.

What kind of NAT can handle it correctly?
I’m seeing almost exclusively port restricted cone, and once a second device attempts to send a packet using the same source port as the first one, the source port is changed to an (almost) random one by the NAT. Since the source port is then different from the one advertised in SDP, the second party (e.g. a phone) starts sending RTP to the incorrect port (the one used by the first device). There are various kinds of RTP destination switching logic in endpoints, but if this example phone is also behind NAT and advertises an incorrect RTP port in SDP, this mechanism would not work and there would be no voice in any direction.
Also, as the phone started transmitting RTP to a port with an active translation to the first device, there is a risk of breaking the previous call, especially if the two phones belong to the same network sharing a single public IP. Correction: this would apply only to restricted cone NAT.

this is a bad practice because you have no control over how traffic flows to/from the internet. if it is only phones and you have enough bandwidth it is probably not a problem. however if the internet connection is also used for data traffic (ala computers) then you are asking for trouble.

And in what way going through hoops to avoid port overlap between multiple PBXs would help in that regard?

What do you gain from doing that? I don’t see any advantage as far as sharing bandwidth is concerned…

And, this solution is not scalable…

[quote=“bksales, post:19, topic:37359, full:true”] if it is only phones and you have enough bandwidth it is probably not a problem. however if the internet connection is also used for data traffic (ala computers) then you are asking for trouble.
[/quote]

No, not if you prioritize the traffic…

A good example of that is the setup I have at home. The Internet connection I have at home is DSL with very little upload speed (and not so good download speed), so I prioritized voice traffic to/from the PBX over regular traffic. My firewall is also set up not to allow any computer to eat all the remaining bandwidth.

(If I could get better speed from my provider I would…)

My PBX has its own IP, most of the Internet traffic another and my mail server another just like a normal business would…

Having multiple IPs is no problem if your firewall knows it all comes down the same pipe…

Nick