I’ve had FreePBX running smoothly for a week or so, day in day out, but suddenly, inbound calls stopped working.
Our internet comes through from our ISP, into a pfSense that we manage, into a DrayTek P2500 and then into the FreePBX. No VLANs or anything confusing.
I have made firewall/NAT rules which looked correct, as calls were flowing in and out correctly for about a week.
Today however, no inbound calls. When attempting to ring one of my DID, it immediately hangs up.
There is no activity in asterisk -r with core set verbose 5
There is no activity in sngrep when I make the call.
Outbound seems fine though.
Our VoIP provider claims it’s not their problem, they are getting a
Hi,
I will say first check your Router Firewall settings. Maybe you can create specific rule for DMZ to FreePBX box.
then check your Asterisk Settings (NAT Settings ) and Firewall too.
Are you using registration, and, if so, what is your registration status. Provide logs for any failed registrations. Also, what are the detailed registration settings?
What would be the best way to troubleshoot a similar issue. Registration outbound enabled (based on trunk provider’s documentation). Can make outbound but absolutely no INVITES on inbound. Firewall is correctly pierced and ports correctly forwarded
I believe I have re-done the firewall rules twice for good measure, and still the same issue.
I don’t have a DMZ as such, the FreePBX is static and I’ve got port forwarding/NAT rules for UDP ports such as the RTP range, etc. Not sure what else I’m missing.
I’m happy to post some screenshots of the rules and/or FreePBX Asterisk/SIP settings.
First, check that in Asterisk SIP Settings, External Address and Local Networks are correctly set. If you change these, after Submit and Apply Config you must restart Asterisk.
Next, capture traffic on pfSense WAN interface and see whether the incoming INVITE appears. If yes, find out why the network configuration is not passing it to the PBX.
If no, look at the registration request in sngrep to see whether the Contact header shows correct IP and port. If yes, ask for a SIP trace from the provider; your ISP may be blocking ports or mangling the traffic.
Do you have a real live business level Internet account connected to that firewall with a static IP and all that? Or do you have the cheapo home residential account?
An ISP will tolerate a certain amount of SIP on a residential account for the Ma and Pa Kettles who are running MagicJack and it’s equivalents, but unless you setup encryption to your VoIP provider, they can see your telephone number and it’s child’s play to cross reference that against a directory and determine if you are advertising your telephone number as a business number.
I’m assuming you are running a business due to the use of the royal “we” in your post.
It’s interesting you mention this one as I just thought of something that may or may not be related.
In Asterisk SIP settings, if I click on “Detect Network Settings”, it successfully adds in the public IP of our network 46.***.
I then manually add the local LAN address and subnet which is fine. If I restart Asterisk (Or the whole thing for good measure), when I come back here, I still have the public IP listed, but I now have 5 different local networks. If I delete those and add the LAN address again (192.168.0.0/24), it sticks until I reboot.
When I generate a Let’s Encrypt certificate, it claims to generate it successfully, as I’ve got the right ports open, but Let’s Encrypt returns that the local IP is 127.0.0.1 and the external is the public IP.
I’m trying to figure out if I’m reading this correctly. I’ll try and capture SIP/RTP traffic with Wireshark but I can’t seem to find anything in Packet Capture within pfSense. Nothing that stands out that is, but I’m happy to capture it whilst making a failed call and post it here to see if you can make sense of it better than I can.
I contacted the VoIP provider - which is the same company that provides our internet - and they claim the call is sent to FreePBX but it doesn’t acknowledge it properly - The call dies after one ring because the dialog doesn’t progress. I immediately thought they would be the problem because our FreePBX & pfSense setup was working perfectly fine for about a week until it suddenly stopped working.
What is the outside ethernet port of the pfsense plugged into? Is it a cablemodem, is it a fiber terminal? What’s the make and model and ISP involved?
Certain ISPs force customer to “rent” a modem/router and if you bitch to them that you want the static IP on YOUR equipment not theirs, they claim that they are putting their modem/router into “bridged” mode. However, under the hood the router part of the “bridged modem” is still in fact fully active and doing some kind of horrible quadruple NAT or other horrible hack to make it SEEM like it’s a dumb bridge when in reality - it ain’t. And some of those devices have an ALG that will really eff up SIP packets.
We have fibre coming into the building, it goes into an OpenReach ONT box and that then goes straight into our pfSense box.
Just in case you want to see it, this is what we have in our building, and the vast majority of customers we look after, also have one of these just bringing in the fiber and then straight into a pfSense or DrayTek depending on the customer’s needs.
I should have guessed you were in the UK since DrayTek isn’t common in the United States. (and now with the idiot in the white house and his tariffs, it probably never will be)
You have an OpenReach because everyone on British Telecom has one since Openreach is just a branding of BT’s. The actual electronics can differ as there’s multiple models of Openreaches.
If it was me, I would (temporarily) plug in a FreePBX test system directly into the ONT and assign it’s interface the public IP, and then make a call from an outside line to it. If that does not work, then it eliminates any firewall Rabbit holes you might get sent down and I’d scream at BT. If they still claim it’s not their gear then challenge them by plugging a SIP phone into their ONT and see if it can register into their trunk and make and get calls.
That is correct. We are also broadband resellers so we have a portal in which we can manage our VoIP settings, and our internet settings as well so there may be logs I can look into but I’m digressing a little bit here, one thing at a time.
That however, is a good shout for sure.
Between the pfSense and the FreePBX system, there is a 48 port managed DrayTek switch. This does not have any options for SIP ALG so I don’t think that is doing anything, but may be worth a shout to also do this with a dumb/unmanaged switch just in case the DrayTek is suddenly interfering.
I will test both methods and will report back today.
I was unable to plug it straight into the ONT box as it is a PPPoE connection and it needs username and password authentication. Couldn’t see that option in FreePBX or Debian but I do have Webmin installed so perhaps there’s something there.
I have tested with an unmanaged switch, same result.
I have now tested on a completely different network, fresh install of FreePBX and still the same result.
Does your provider actually provide inbound calling? I’ve assisted someone else from the community here. And we had the same issue. Reading their fine print, it sounds (it’s not an English speaking provider) like they only provide outbound calling
Scratch that. I see you say inbound used to work. I’d be following to see what solution works for you.
I ran a fresh install on a separate network with OPNsense as the firewall, same rules applied and there is still 0 activity in sngrep or asterisk verbose. I’m puzzled.
