I’ve been using FreePBX/Asterisk for nearly 10 years and have never had this problem before, but something has changed…
When registering with my trunk provider, the source PJSIP port is a random port number, not 5060. This causes the trunk provider to try to respond on that same port… which is blocked by my firewall.
The odd thing is that this happens sometimes. Sometimes the source port is 5060 and all is well. Other times, its a random port number and all inbound calls fail. Outbound calls work fine.
I can’t pinpoint when this started happening. I could have been when I switched from SIP to PJSIP, or maybe when I upgraded to FreePBX 16. There have been no changes made to the firewall rules. It’s been going on for a while, but I’ve been “just dealing with it.” Now it’s to the point I need to find a solution.
According to the trunk provider (Flowroute), it doesn’t matter what the actual source port is, it only matters what the source port is identified as within the SIP data. If the SIP request/response states that it came from port 5060, but it actually went out on port 12345, they would respond back on port 5060.
So… how do I tell FreePBX to always set the port to 5060? I’d really rather not open up my firewall to an indefinite number of ports for inbound traffic; even if I limited the source , that still seems unwise.
If using UDP, then it uses the port configured in the transport which would be 5060. Any case of a random source port in that case would be outside of Asterisk, such as due to NAT translation.
My guess is that your firewall setup was fine with chan_sip since even if the source port changed, chan_sip would rewrite the contact port within SIP requests accordingly.
And PJSIP on Asterisk doesn’t support contact rewrite for outbound registrations and always uses transport port (5060 or External Signaling Port) as the contact port.
When you have NAT and registering with PJSIP you have to use TCP transport or configure port forward (and firewall it to only allow Flowroute IPs in).
Otherwise, I suspect that there is another system or device on your LAN that uses SIP over UDP to communicate with a remote service (bypassing FreePBX). So when that device makes a request from port 5060 (ahead of FreePBX), your firewall is then forced to assign a different port to FreePBX, because 5060 is already taken. Your firewall may have some settings that will effectively reserve port 5060 for Asterisk. Or, you may be able to change the local SIP port on the competing device to something other than 5060.