Moving to vlan issues

mkaye · April 7, 2022, 12:00pm

Freepbx 16.0.19

unifi UDMPro, 8 & 24 port switches

unifi PBX profile - native LAN, tagged 100, voice 100

my LAN has full access to vlan 100, but vlan 100 only has internet access

my Grandstream phone grabs the 100 vlan (llpd-med) & gets 100.x IP - port profile PBX

my HT802, i had to manually add vlan tag 100 in advanced settings - it gets 100.x IP

FreePBX is running in a VM on server 2016, port = VLAN(100), it gets 100.x IP

fixed all the IP’s and my extensions & trunks are all registered

everything was looking good

i have 2 trunks, business using voip.ms and personal using freephoneline.ca

personal calls out hangup a couple of seconds after connecting, business voicemail hangs up immediately - didn’t do too much more testing

i put everything back on my LAN and personal is working fine

i have missed something, just don’t know what?

log - these seem to be the problem lines

675 [2022-04-03 13:41:57] WARNING[2747] chan_sip.c: Retransmission timeout reached on transmission [email protected] for seqno 61 (Critical Response) – See SIP Retransmissions - Asterisk Project - Asterisk Project Wiki

676 Packet timed out after 6400ms with no response

677 [2022-04-03 13:41:57] WARNING[2747] chan_sip.c: Hanging up call [email protected] - no reply to our critical packet (see SIP Retransmissions - Asterisk Project - Asterisk Project Wiki).

BlazeStudios · April 7, 2022, 12:24pm

This is clearly a networking problem and you have provided no real debugs or information related to that. Without knowing what you did it is hard for us to tell what you missed.

mkaye · April 7, 2022, 12:57pm

i’m not sure what else i need to provide?
just FreePBX & 2 extensions, 2 trunks
all moved to vlan 100 & registered
vlan 100 is restricted to internet only
i gave the lines in the asterisk log that show hanging up the call
i read the SIP Retransmission stuff, but don’t understand what i need to do to fix it?

BlazeStudios · April 7, 2022, 1:09pm

You moving the voice to a new network and there being issues is a networking problem. This only happening with your calls that are coming from external sources outside your network shows that this is happening in the router/firewall and has to do with NAT.

Since this is a networking problem revolving around your vlan that you setup, showing us stuff in Asterisk/FreePBX is great to a point. The error you are getting is Asterisk re-transmitting packets because it didn’t get responses. This is network related.

So when you move to this new vlan, you can no longer get external incoming requests and the outbound requests to an external source seem to not get replies as Asterisk has to keep retransmitting. This is network related.

If this is network related then we need to know network related things and see network related data, like routing and NAT/firewall rules.

sorvani · April 7, 2022, 2:02pm

Aside from properly forwarding traffic at the router, did you update the settings in “Settings” → “Asterisk SIP Settings” and then run “fwconsole restart”?

mkaye · April 7, 2022, 2:25pm

i added my 100.x/24 network to the NAT settings
i did not do fwconsole restart

BlazeStudios · April 7, 2022, 2:34pm

He is using chan_sip, a simple reload updates those changes. Plus recent versions of Asterisk allow certain things like local_net, external address/media to be reloaded without a restart or impacting active transports in chan_pjsip.

Things like bind address, protocol changes in chan_pjsip still need a restart of Asterisk.

mkaye · April 7, 2022, 2:59pm

i allow my LAN traffic to all RFC1918 subnets (IPv4)
i block all vlan traffic i.e. RFC1918 to any (IPv4)
nothing else that i can see
no rules change when i move FreePBX to vlan

i updated the FreePBX firewall rules to allow 100.x/24

idho0618 · April 8, 2022, 2:56am

I use a udm-pro. This is a firewall (udm and PBX) and port forwarding issue.

mkaye · April 8, 2022, 11:48am

i have a UDMPro also
i realize this is a network issue
just not sure what i am blocking when i move everything to the vlan

idho0618 · April 8, 2022, 11:55am

Portforwarding and your firewall rules under LAN-IN. Feel free to upload screen shots of your configs and we can look to help.

mkaye · April 8, 2022, 1:05pm

here are my lan rules
no ports forwarded

BlazeStudios · April 8, 2022, 1:23pm

Silly question, what happens when you disable the rule blocking inter-VLAN traffic? Have you tested with that rule disabled?

idho0618 · April 8, 2022, 4:02pm

Thanks for getting back to me.

When you move your PBX to the new VLAN, it will receive a new IP address. With the move to a new VLAN, how does your unfi router know where to send the PBX data? This is where port forwarding comes into play. There are defiantly good and bad ways to do this. A lot of the ideas on how to do this are discussed in this forum. Just like the way you have set up your network, I would continue to keep it simple. Your idea to VLAN off your PBX is a good one. Don’t get frustrated if things don’t go your way at first. Use that as fuel to continue to find the contributing factors to the problem.

Please watch this video. This is how I started to learn about FREE PBX and port forwarding with the unfi firewall.

Next please read these documents. It will teach you what to port forward.

https://wiki.freepbx.org/display/PPS/Router+Configuration

https://wiki.freepbx.org/display/PPS/Ports+used+on+your+PBX

Once that is configured then please look at your port(s) and firewall on the PBX side and configure where needed.

Typically from what I have seen, folks that know how to access their unfi firewall are usually folks that are ok to tinker. I have given you the answers you are asking for in a way that is vague enough for you to have to put in the work to learn how to do it.

If you get stuck and just want the answers, please let me know and we can look into that.

mkaye · April 8, 2022, 4:58pm

i’m confused that i have to open ports
when everyone is on my LAN, no ports are required
i move to the vlan and INTERNET IN and LAN IN rules have no restrictions, but i am failing
when on my vlan my trunks are registered (IAX & SIP) - i thought this indicates that i have no NAT issues
i still realize this is a obviously a network issue
still going through the links you sent…

dicko · April 8, 2022, 5:10pm

VLANs generally nee layer 3 routing not necessarily port forwarding

idho0618 · April 8, 2022, 5:52pm

“i’m confused that i have to open ports”

As you have tested, if you keep the PBX on your LAN you may not need to. What is your threat model? Do you want the PBX in its own VLAN? If so then some config may be required.

Assuming a move to a new VLAN, how does your unfi router know where to send the PBX data from your trunk providers as an example? If the PBX stays on the LAN do you need to tell the unfi router where to send the PBX data?

" i thought this indicates that i have no NAT issues"
Yes, in your LAN with your current firewall/PBX config there may be no issues. Now, using a VLAN I think your jumping too quickly to conclude that you don’t have NAT issues.

Hope this helps you stay going in the right direction. Keep tinkering. Don’t give up. You will get this!

mkaye · April 9, 2022, 3:06pm

i have set up an INTERNET IN rule
voip.ms & freephoneline.ca voip IP’s are allowed to the IP’s of my FreePBX servers (primary & backup) on both LAN & VLAN 100 on ports 5060,5061,4579,10000-20000 (all UDP)
things seem to be working OK with everything still on my LAN
i’ll flip everything to the vlan this afternoon & see

update: everything on vlan & seems to be working!!

system · May 10, 2022, 3:07pm

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.