Need some help here :-/, Tailscale, PFSense, and FreePBX

Good morning all,

I have one that I am scratching my head on.

I have a multi-site install. Let's refer to the main office as "Site A". I have a satellite location we will refer to as "Site B".

Both Site A and Site B are connected to the internet with pfSense. We have Tailscale on both firewalls, and are routing traffic just fine. We can access servers in Site A just fine from PCs in Site B, network printing, scanning, the whole 9 yards.

I have a FreePBX install at Site A, which is connected to a SIP trunk online for PSTN access. I have a handful of phones there in Site A. I also have a couple of phones in Site B, which register just fine. Site B phones can call phones in Site A just fine. No issues whatsoever.

Phones in Site A call out to the PSTN just fine. Phones in Site B, however, on some calls (not all), when calling out to the PSTN ring fine, but when the remote party picks up, go to no-way audio.

I have pfSense rules set up in Site A for outbound NAT for FreePBX as documented, and it works fine. I added some rules (to try it out) at Site B for phones going over Tailscale to Site A, but it has not made a difference. Essentially the rule, I think, was for static port mapping on NAT for UDP ports.

Has anyone here used a similar configuration to this? I had thought about adding Tailscale to the FreePBX itself and trying to register to that from Site B, but haven't tried that yet. It doesn't make sense to me (functionally yes, ideally no) to run a Tailscale client behind another one.

One thing to point out on Tailscale on pfSense is that because of the way the module loads (I read, anyway), FreePBX in Site A will show phones in Site B as having the source IP of the firewall in Site A.

Any help is more than welcome. I am lost here.

Thanks,

Have you added the LAN subnet info from your other site to the Firewall and Settings -> Asterisk SIP Settings -> LAN networks?

Greetings @dobrosavljevic

I just double checked, and under FreePBX (Site A) Settings->Asterisk SIP Settings->Local Networks, I do have the subnet from Site B.

I also have it set in FreePBX as a trusted network in the firewall.

I do not have any restrictions on that subnet (Site B) accessing the FreePBX network (Site A).

To reiterate my original post, one caveat of using Tailscale in pfSense is that on FreePBX, it shows the client as registered with the IP (and a unique port, of course) of the gateway the PBX is hooked to. It masquerades through Tailscale and appears that way to FreePBX.

Thanks,

Yeah, it looks like Tailscale does NAT those connections, and that might be causing a problem for you.

We use pfSense quite extensively, but none of our deployments use Tailscale for point-to-point VPN, so I can't check any of ours for proper configuration.

I would say if you can switch to IPsec, give that a try, as not only does that allow you to not NAT through your point-to-point, but also throughput performance through IPsec is much better than WireGuard (depending on how much bandwidth you have to begin with).

Alternatively, if you don't have static IPs on either side and IPsec is not an option, you could try setting up WireGuard point-to-point on the firewalls directly and configure it not to NAT. I do have one of those (from my house to my office), and the connection through the WireGuard point-to-point doesn't get NATed; our PBX sees the IP of the phone registered.

Here is a video on how it's done, directly from one of the developers of pfSense:

For both the Site B extension and the trunk, confirm that Direct Media is set to No.

If that's not your issue, I'm quite puzzled, because (without Direct Media) an Asterisk call has an incoming and an outgoing leg and simply relays audio between them. If the incoming leg were failing, I'd expect some calls from Site B to extensions at Site A to also fail. And if the outgoing leg were failing, I'd expect some outgoing calls from Site A to also fail.

Set up to record the call and report which side(s) audio is silent on the recording.
What codec(s) are being used on the two legs?

In an effort to try and sort this out, I did install the Tailscale client on the PBX itself, and updated the problem phone to register to the Tailscale IP address. Made two test calls and it worked.

I'd love to not use Tailscale behind Tailscale, but it is working, which at least alleviates some pressure...

Hey @Stewart1

We are using ULAW for the calls. When we ran tcpdump on FreePBX and on the phone, what we saw is that FreePBX was hearing the audio from the PSTN just fine, but nothing from the phone. The phone itself was recording that it was sending audio out (towards the PBX) but no inbound audio.

We could hear ringing as the call was being set up and progressing, but once the remote party picks up it goes dead for both ends (neither can hear the other).

As I mentioned above, I did just install Tailscale on FreePBX, and in testing it is working with phones pointed at the Tailscale IP versus the internal LAN IP of FreePBX. I don't really want to leave it this way (Tailscale client behind another Tailscale client), but it is hopefully a clue as to what's going on.

Thanks,
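An added example (not from any post in this thread, and not FreePBX or Tailscale code) of the check the tcpdump captures above support: it parses tcpdump-style UDP summary lines and reports endpoint pairs that carry packets in only one direction, which is the one-way/no-way audio signature. The IPs, ports and capture lines are constructed assumptions.

```python
"""Flag one-way RTP flows from tcpdump-style UDP summary lines."""
import re
from collections import defaultdict

# Matches the core of a tcpdump UDP summary line, e.g.
# "12:00:01.000 IP 10.0.0.10.18000 > 203.0.113.5.20000: UDP, length 172"
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)

# Constructed capture as seen from the PBX (10.0.0.10, an assumed address):
# the trunk (203.0.113.5) exchanges RTP both ways, while the Site B phone,
# which appears behind the Site A firewall (10.0.0.1) due to Tailscale SNAT,
# only ever receives packets and never sends any back.
CAPTURE = (
    [f"12:00:01.{i:03d} IP 203.0.113.5.20000 > 10.0.0.10.18000: UDP, length 172" for i in range(6)]
    + [f"12:00:01.{i:03d} IP 10.0.0.10.18000 > 203.0.113.5.20000: UDP, length 172" for i in range(6)]
    + [f"12:00:01.{i:03d} IP 10.0.0.10.18002 > 10.0.0.1.41234: UDP, length 172" for i in range(6)]
)


def parse_flows(lines):
    """Count UDP packets per directed (src, sport, dst, dport) tuple."""
    counts = defaultdict(int)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            counts[(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))] += 1
    return dict(counts)


def one_way_flows(counts, min_packets=5):
    """Return [((src, sport), (dst, dport), n)] for flows with no reverse traffic.

    A healthy RTP session is bidirectional, so a flow with at least
    min_packets in one direction and zero in the other is the suspect.
    """
    suspects = []
    for (src, sport, dst, dport), n in counts.items():
        reverse = (dst, dport, src, sport)
        if n >= min_packets and counts.get(reverse, 0) == 0:
            suspects.append(((src, sport), (dst, dport), n))
    return suspects


if __name__ == "__main__":
    for a, b, n in one_way_flows(parse_flows(CAPTURE)):
        print(f"one-way: {a[0]}:{a[1]} -> {b[0]}:{b[1]} ({n} packets, nothing back)")
```

In practice the input would be the output of tcpdump with `-n` on the PBX, filtered to the RTP port range, so that source and destination addresses appear numerically as the pattern expects.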

I know almost nothing about Tailscale. Can you configure it so there is no NAT (a device on Site A can ping any device on Site B, and vice versa)? If so, fix that and retest. If not, why are you married to Tailscale? I would recommend WireGuard, though OpenVPN should be fine if you don't have a heavy traffic load between the sites (the VoIP is a light load).

Other options:
If your phones have OpenVPN built in, use that, with the built-in VPN server on FreePBX. At Site A, just forward the UDP port for OpenVPN to the PBX. At Site B, have the phones connect to OpenVPN via Site A's public IP (Tailscale is not involved).

Or, connect to the FreePBX Tailscale via its public IP (your site-to-site Tailscale is not involved).

Tailscale is a mesh implementation of WireGuard. I am using it for this install for 6 nodes, I believe. I did end up installing the Tailscale client on FreePBX and connecting it in. Once I had the phones register to that IP, it seems to have resolved.

I'm just not sure why we would need the extra client; it has to be a NAT issue of some type...

Thanks

I don't know the technical details, but this makes sense, assuming you use `--snat-subnet-routes=false`.

Now you do need to have static routes to send the intersite traffic via the Tailscale routers.
An IP phone would not normally have a way to set specific static routes, but if the local Tailscale router is also your internet gateway/firewall, then the default route should take care of it, so you shouldn't need Tailscale running on the PBX. Have you tried this config?