I’ll start with the part I didn’t fully explain:
When you start a connection to an exterior network destination, your firewall opens a “return path” to the port that established the link. This is done through something called a “SYN” (or “START” depending on whether you are a real network guy or work for Microsoft) packet and, as long as traffic flows back and forth, your “incoming” connection paired with the “outgoing” SYN request is honored. In order to allow traffic to flow, the port stays open for (typically) about 30 seconds. If there’s no traffic, the firewall assumes you are finished processing your traffic and shuts down the opening in your firewall.
Your action of shutting down the interface will start a session with the remote end if no session currently exists. Since this connection terminates after about 30 seconds, it sounds like that action is the only one that is actually getting forwarded to the remote destination.
So, if that’s the case: if you can get traffic through the firewall for about 30 seconds, that means that you are sending a “SYN” packet out which opens the connection through the firewall.
With the advent of FreePBX 13, a new “local” firewall has been added. You need to either set it up so that it is configured correctly or disable it completely. Having it up partially will cause all kinds of problems like this. There is a Wiki page (IIRC) on setting up the new firewall. Note that some of the settings only make sense once you understand what the author means, so you can’t just throw it together slap-dash.
If the traffic is not getting to your machine (Wireshark would be a good tool for troubleshooting this part), then the firewall is blocking it. If the machine is, in fact, getting the packets and ignoring them, the local firewall is probably to blame.
At this point, more details would help. Telling us your network architecture would be a big help.
Things we are pretty sure about:
- Port 5060 is working for your local phones from the local network.
This could mean that your firewall is completely off or that your local network has been identified as “safe” and the local firewall is allowing that traffic to pass.
- You have “port forwarded” TCP ports 5060, 5061, and UDP ports 10000-20000 from your firewall to the PBX.
You say you actually forwarded UDP ports 5060 and 5061, but that’s so wrong I assume you meant you did the right thing and just mistyped. There’s no way that you could really do this and expect it to work, so you get the benefit of the doubt.
- You have an ITSP that you are using for your incoming phone number.
You asserted this, indirectly.
- Enabling and disabling trunks is working as one would expect.
When you disable an outbound trunk and can’t place an outgoing call, that makes sense. That’s what disabling a trunk does.
As far as why 12 works and 13 doesn’t, I couldn’t tell you. The big difference between the two is the local firewall, so if the configuration of all of your firewall equipment is correct, the configuration should work. The local firewall is more of an impediment than a help in a PBX that doesn’t connect directly to the Internet, especially if you have a good, working firewall in front of your PBX.
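
A simplified model of the return-path behaviour described in the post above, added here as an illustration; it is not part of the original post and not FreePBX or firewall vendor code. The class and function names, the 203.0.113.10 provider address and the event timings are constructed, and the 30-second idle timeout is the post's approximate figure.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 30.0  # seconds; the "about 30 seconds" figure from the post

@dataclass
class StatefulFirewall:
    """Toy model of a firewall's return-path table (illustrative only)."""
    idle_timeout: float = IDLE_TIMEOUT
    flows: dict = field(default_factory=dict)    # flow key -> time of last packet
    forwards: set = field(default_factory=set)   # ports statically forwarded inward

    def outbound(self, now, inside_port, remote_ip, remote_port):
        """An outgoing packet opens (or refreshes) the return path."""
        self.flows[(inside_port, remote_ip, remote_port)] = now

    def inbound(self, now, inside_port, remote_ip, remote_port):
        """Return 'forward', 'return-path' or 'drop' for an incoming packet."""
        if inside_port in self.forwards:
            return "forward"            # a port forward never times out
        key = (inside_port, remote_ip, remote_port)
        last = self.flows.get(key)
        if last is not None and now - last <= self.idle_timeout:
            self.flows[key] = now       # traffic in either direction keeps it open
            return "return-path"
        self.flows.pop(key, None)       # idle too long: the opening is closed
        return "drop"

def replay(fw, events):
    """Run constructed (time, direction, ...) events; return inbound verdicts."""
    verdicts = []
    for now, direction, *pkt in events:
        if direction == "out":
            fw.outbound(now, *pkt)
        else:
            verdicts.append((now, fw.inbound(now, *pkt)))
    return verdicts

# Constructed sample: the PBX talks to a provider at a documentation address.
ITSP = "203.0.113.10"
EVENTS = [
    (0,  "out", 5060, ITSP, 5060),   # PBX sends something to the provider
    (10, "in",  5060, ITSP, 5060),   # reply arrives inside the window
    (35, "in",  5060, ITSP, 5060),   # 25 s after the last packet: still open
    (70, "in",  5060, ITSP, 5060),   # 35 s idle: the opening has closed
]

if __name__ == "__main__":
    for t, verdict in replay(StatefulFirewall(), EVENTS):
        print(f"t={t:>3}s inbound from ITSP -> {verdict}")
```

Replaying the same events with `StatefulFirewall(forwards={5060})` gives `forward` every time, which is the difference between a working port forward and traffic that only gets in on the back of an outbound packet.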