When adding the rules to your firewall do NOT allow “all” for wan users, make sure you only allow SIP traffic from your PBX. If you allow all you will be hacked in minutes. I have had gateway devices that hackers have enabled call forwarding to some other country in seconds if it was open to “any” or “all” wan users. Fortunately I have my calling profile configured at the SIP provider to only allow domestic calls so they couldn’t use it.
To answer your main question (not having looked at any diagnostics here) any time I havent been able to receive calls (especially if you get a message the number is not in service) has been the following
- is the number registered with your SIP provider
- can the SIP provider get to your PBX
- run SNGREP on your PBX to watch connection request and see if you are getting a connection request for the sip trunk, is the request successfully authenticated?
- is the SIP provider and your PBX using the same protocol (CHAN_SIP or PJSIP)?
- on PBX do a show sip trunk or show pjsip trunk to see if they are registered
Several times I use the chat feature with my SIP provider and they diagnostics and come back and tell be if they are able to communicate with my PBX without me having to do anything. Once they say its working then I look into the pbx like do I have the inbound router added, etc… If its not working they usually tell me what to fix to make it work.
When you say “the vendor says they can see the packets cumming into the firewall” is that the SIP firewall or your PBX firewall?
NOTE: due to recent changes in laws, at least in my case, if you suddenly notice you cant make outbound calls from some extensions on the PBX, check that you have the caller ID setup correctly. My sip provider will not allow an outbound call if it doesn’t have a caller ID configured.