I have a working (version 14) freepbx system that is currently working. For reasons, I need to add a second NIC for a different LAN. Both NICs have public-internet-facing ip addresses, both are fully routable.
The setup was simple enough to get a second NIC’s internet responding, after a minimal amount of google:
added an entry to /etc/iproute2/rt_tables (ie. “200 second”)
add a default route to that table named “second” (ie. “ip route add default via table second”)
add a rule to select that route for source ip (ie. “ip rule add from <eth1’s-ip> table second”)
After doing all that, then the server was able to respond to both ip addresses. I didn’t even have to restart ssh and could connect via the secondary ip; I could ping; httpd; etc.
I have verified that the pbx is at least purportedly LISTENING for connections on all interfaces via lsof:
but when I set up a sip client for an extension (all my extensions are pjsip), then it just times out. Nothing gets logged in asterisk. From what I can see, asterisk SHOULD be listening on all interfaces for sip connections (port 5060), but … nothing.
Do REGISTER requests show in sngrep when an extension attempts to register? If so, it’s almost certain that FreePBX firewall is blocking them. Look at the active iptables rules.
If not, possibly a routing or firewall issue unrelated to FreePBX?
Part of why I’m confused is, I’ve already got another freepbx (running a slightly earlier version) that has dual NICs… AND is working. The biggest difference I can see between them is, this second server’s second nic is using a non-routed private ip in 10.x.x.x, and so only devices already in that subnet are connecting to that ip.
It (the working dual-nic server) doesn’t have ANY settings in it whatsoever in Settings / Asterisk SIP Settings that even mention the 10.x.x.x subnet
OK, so either iptables is blocking the REGISTER, or the reply is being blocked or misrouted. At the Asterisk command prompt, type pjsip set logger on
and see whether REGISTER requests are received and if so, whether replies are being sent to the correct address and port.
OK, so the client didn’t ‘hear’ the 401 and just kept retransmitting the REGISTER without an Authorization header. AFAICT Asterisk sent it to the correct IP and port. Possibilities:
Outgoing packet (the 401) blocked by iptables.
OS level routing issue (went out wrong interface, not sent to proper gateway, etc.)
Blocked by hardware firewall in path back to client.
Client ignored the reply, e.g. because it was mangled by a SIP ALG in the path.
Expand the REGISTER in sngrep to see whether replies were correctly sent (use tcpdump instead if the results are unclear). If it looks clean there, run Wireshark on the client machine to see whether replies are coming in and whether they have been butchered.
My client device is an iPhone running a softphone. There’s no “wireshark” possible there whatsoever.
The issue is easily related to the “policy based routing”, especially if the udp packets from the freepbx are being immediately misdirected. But I cannot “lab” that up, and I’m reeeeeeally hoping that somebody else in here can confirm that there isn’t some weird bug in how asterisk generates the udp responses.
I note now that I managed to try getting my pjsip extension to log in using “tcp” instead of “udp” for the sip protocol – and that immediately worked. The call itself failed, I presume because the rtp is udp-based.
On Wi-Fi or mobile data? If Wi-Fi, a softphone on a laptop connected to the same network will probably fail the same way. If so, you have good network tools available. If mobile data, set the iPhone as a hotspot, connect the laptop to that and test. This will be double NATted, which might cause an unrelated problem, though it usually works quite well.
Alternatively, you should be able to get a SIP trace from the softphone. In Groundwire, which I believe is similar, go to Settings → Preferences → Troubleshooting log.
Useful info. If the RTP failed the same way, I’d expect outbound audio to work and inbound to fail. Possibly, port number rewriting caused Asterisk to ignore the RTP. You should still be able to see the RTP at the PBX using tcpdump.
With multiple public IP addresses you will need to define a transport for each one rather than binding to 0.0.0.0.
(edited because I was mistaken)
In Asterisk SIP Settings - pjsip tab, disable the 0.0.0.0 transports and enable the transports bound to each of your public IP addresses. To see these you have to toggle Show Advanced Settings in this tab.
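An added example, not part of the thread and not Asterisk or PJSIP code: on Linux, a UDP socket bound to 0.0.0.0 lets the routing table pick the source address of each reply, while a socket bound to one address always answers from that address. The loopback addresses 127.0.0.1 and 127.0.0.2 stand in for the two NIC addresses (an assumption so the demo runs offline), and `reply_source` is a hypothetical helper name.

```python
import socket

PRIMARY = "127.0.0.1"    # stand-in for the first NIC's address (assumption)
SECONDARY = "127.0.0.2"  # stand-in for the second NIC's address (assumption)


def reply_source(bind_addr: str, dialed: str = SECONDARY) -> str:
    """Return the source IP the client sees on the reply from a UDP
    server bound to bind_addr, after the client sent to `dialed`."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        server.settimeout(2)
        client.settimeout(2)
        server.bind((bind_addr, 0))        # wildcard or per-address bind
        port = server.getsockname()[1]
        client.bind((PRIMARY, 0))          # the client's own address
        client.sendto(b"REGISTER", (dialed, port))   # constructed payload
        _, peer = server.recvfrom(2048)
        # A plain sendto() carries no memory of which local address the
        # request arrived on; a wildcard socket leaves that to routing.
        server.sendto(b"401", peer)
        _, src = client.recvfrom(2048)
        return src[0]
    finally:
        server.close()
        client.close()


def reply_matches_dialed(bind_addr: str) -> bool:
    """True when the reply comes from the address the client dialed."""
    return reply_source(bind_addr) == SECONDARY


if __name__ == "__main__":
    for addr in ("0.0.0.0", SECONDARY):
        print(f"bound to {addr:<10} reply from {reply_source(addr)}"
              f"  matches dialed: {reply_matches_dialed(addr)}")
```

A reply that arrives from an address other than the one dialed is normally dropped by the client or by NAT on the way back, which is consistent with a REGISTER being retransmitted over UDP. TCP does not show this because an accepted connection keeps the local address the client connected to.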
Probably generally true of people here, but it assumes that you are appearing on the internet as though you were two separate sites, rather than a single multi-homed site.
If you are doing this for general internet resilience, you need to obtain an autonomous system number and implement border gateway protocol. This is probably something that only serious business ISPs will support, but the company I worked for before I retired did so when it only had about 50 staff.
This means that the IP address from either ISP will route to you through either ISP.
(I think a lot of these dual NIC cases are really about an extranet (for VoIP) and the internet, rather than two internet connections.)
Does making this change not kick in immediately upon pressing the “Apply” button? Because after doing this 1- I didn’t get any improvement (ie. only the tcp connectivity was functional), and 2- the “lsof -ni” still shows that asterisk is binding to “0.0.0.0” not the ips directly.
I’ll have to wait until some time tomorrow if I have to manually shut down the asterisk service and restart it.