Incoming calls not reaching to PBX

Hi,

We are experiencing an issue with our PBX setup. Our PBX machine is mapped to a public IP, which is assigned to a local IP. This same public IP has been provided to our SIP provider. Additionally, we have allowed the SIP provider’s IP in our firewall. Despite this configuration, incoming calls from outside do not reach our PBX. However, we can see the hits of SIP provider IP to our PBX IP on the firewall. But calls not reaching to the PBX

Could you please help us identify the issue and suggest a solution?

Regards,
Amar Bhilare

Version of FreePBX? You have a NAT set up on your Firewall with a Virtual IP Mapping from External to Internal? Enterprise Firewall model? What services are you allowing thorough the NAT to your FreePBX? Who is the SIP gateway provider? Have you made sure to allow ALL services needed for SIP through the NAT to your FreePBX server? Depending on your firewall model and SIP gateway provider, you may need to Disable VOIP ALG on your firewall, there will be documentation from your firewall manufacturer on how to disable built in ALG Services.

I can provide other suggestions as well, but we need to start somewhere.

Thank you for your response. Here are the details you requested:

Version of FreePBX: FreePBX 15.0.37.4

You have a NAT set up on your Firewall with a Virtual IP Mapping from External to Internal?: No we havn’t set up NAT on firewall

Enterprise Firewall model : Fortigate-80F

What services are you allowing thorough the NAT to your FreePBX: All Services allowed

Who is the SIP gateway provider: PNG

Have you made sure to allow ALL services needed for SIP through the NAT to your FreePBX server: Yes

VOIP ALG: We have to check our firewall documentation and will disable the built-in VOIP ALG as per the manufacturer’s guidelines.

Please let me know if you need any additional information or if there are other suggestions you have for troubleshooting this issue.

That would be your issue.

We have tried by enabling NAT also, but the issue is still same.

What firmware level is your fortigate on? Based on the level it is on, you will want to disable VOIP ALG as per firmware level as per instructions here or similar:

As per @BlazeStudios studios and my recommendation, make sure you have a virtual IP designated that maps DIRECTLY to your internal IP via a VIP mapping; this is very important and will make the difference. It does not matter if it’s your 1 External Class C identified by your ISP or a class C from a block you own, but its very important you directly VIP MAP the Class C External to your Internal IP and then use that for the incoming fortigate rule from external to internal on your fortigate. More than likely, if you do NOT do this, you will not get traffic to your PBX. make sure as well to disable your FreePBX SOftware firewall since you are using the fortigate as your firewall and ONLY allowing your sip gateway to hit this rule. DO NOT allow ANY other EXTERNAL IPs access to this rule ONLY allow your SIP GATEWAY provider.

As well you say ALL Services, I’ll assume you mean required SIP and RTP services and what whatever your SIP gateway provider is asking for. As an example, here is what Thinktel requires the SIP gateway to have access to on a FreePBX, you will have to check PNG to make sure you have all the required services, ONLY allow the services needed:

One last note, in this section here Under Settings–>Asterisk SIP Settings on FreePBX, make sure you Define your EXTERNAL IP you VIP Mapped, and the internal segments of your network for the VIP Map and NAT IE:

ALSO, make sure your local segments are WHITELISTED under Admin–>Sysadmin–>Intrusion Detection:

image

This should be enough to make things work; BTW, this part is all in the documentation. The ALG stuff may not be, but there it is.

You can’t just ‘enable NAT’ you have to also configure’ it (likely with iptables (read firewall) rules.) Mostly rules for SIP (VOIP) REGISTER and INVITE and other for any SDP (AUDIO) connections, SIP might be ‘transported’ on UDP, TCP, TLS. WS, WSS , maybe more , SDP (audio) in asterisk is usually apparent on a mathematically incorrect range of 10000-20000)

Such rules allow for calls to arrive on your ‘external IP’ and be handled by your PBX, any resultant audio/video connections and reverse connections are mostly accepted and properly routed then.

Can we presume that incoming calls work?