I’m so very close to my solution. I was hoping someone here could give me a nudge in the right direction.
Here is my topology:
One pfSense gateway router (nicknamed VOICESECURE).
An internal network full of IncrediblePBX deployments (actually about 3 right now).
VOICESECURE has rules to split the traffic to the intended PBX based on port, so for example PBX1 uses RTP ports 10000-20000, PBX2 has RTP 20001-30001, and so on. The same thing is done for the SIP register port.
And believe it or not, that all works. I have registers, audio passthrough on PBX2, and so on.
The issue I’m having is setting up an X-Lite softphone to PBX1 from another location, also behind a pfSense firewall. The session connects, but I can’t get any audio during my call (trunk audio works fine, like from an outside number).
Intense firewall diagnostics show me that when X-Lite contacts VOICESECURE, the traffic is being properly mapped to PBX1, source port info stays the same, and PBX1 attempts to reply to my softphone, aiming back at the source port that the traffic came from (UDP hole punch).
The issue occurs because the PBX replies to the local IP of my softphone, which is on another network, rather than replying to the external IP of the remote network, so VOICESECURE drops it as unreachable.
I’ve made sure the extension is set to NAT Mode - Yes (force rport, comedia)
I set X-Lite up (and again, it registers fine! just no audio) with “Discover public IP (STUN)” using the server stun(dot)sipgate(dot)net
X-Lite is set to “register with domain and receive calls” and “Send outbound via domain”
I explicitly tell X-Lite to use RTP ports 10k-20k for audio. I set transport to UDP. “Send SIP keep-alives” and “Use rport” are checked.
It feels like I’m a setting away from full functionality, but even with all this, the PBX still tries to reply to X-Lite like it’s local, instead of heading back through the internet.
I appreciate you people whether you can help me or not, but I bet you can!