Not able to get successful call when connected to PBX remotely

Hello

I have a FreePBX 16 installed on my home server with Matrix FXO-FXS gateway (for converting CO lines to SIP trunks)

My setup

FreePBX - 192.168.1.81
Matrix Gateway -192.168.1.240
Pfsense+ firewall with NAT and firewall rules
Dynamic public IP allocation by ISP - attached to DDNS domain by pfsense.
softphone - GSwave Lite on android and on iOS

When i am in my home network over wifi, i am able to make calls
-extension to extension (both Freepbx and matrix gateway FXS extensions)
-extension to another mobile number using Matrix gateway
-cellular connection to matrix FXS

but when i move out of wifi and connect to my freePBX remotely, i am not able to call
-freePBX extension to another mobile number using Matrix gateway
-freePBX extension to matrix extension

sngrep info - on calling over cellular connection
extension 301 - cellular network
extension 999 - local network

2023/01/12 23:13:07.801411 public_IP:40430 -> 192.168.1.81:5160
INVITE sip:[email protected]_domain:5160 SIP/2.0
Via: SIP/2.0/UDP 10.82.163.47:5160;branch=z9hG4bK291374579;rport
From: "puneet" <sip:[email protected]_domain:5160>;tag=238987507
To: <sip:[email protected]_domain:5160>
Call-ID: [email protected]
CSeq: 30 INVITE
Contact: "puneet" <sip:[email protected]:5160>
Max-Forwards: 70
User-Agent: Grandstream Wave 1.0.3.34
Privacy: none
P-Preferred-Identity: "puneet" <sip:[email protected]_domain:5160>
Supported: replaces, path, timer, eventlist
Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE
Content-Type: application/sdp
Accept: application/sdp, application/dtmf-relay
Content-Length:   672

2023/01/12 23:13:07.802855 192.168.1.81:5160 -> public_IP:40430
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.82.163.47:5160;rport=40430;received=public_IP;branch=z9hG4bK291374579
Call-ID: [email protected]
From: "puneet" <sip:[email protected]_domain>;tag=238987507
To: <sip:[email protected]_domain>;tag=z9hG4bK291374579
CSeq: 30 INVITE
WWW-Authenticate: Digest realm="asterisk",nonce="1673545387/13cbfb9ba954c19aaf1ca34f6bc0ef27",opaque="41d65905528382d3",
gorithm=MD5,qop="auth"
Server: FPBX-16.0.30(18.14.0)
Content-Length:  0

2023/01/12 23:13:07.890977 public_IP:40430 -> 192.168.1.81:5160
ACK sip:[email protected]_domain:5160 SIP/2.0
Via: SIP/2.0/UDP 10.82.163.47:5160;branch=z9hG4bK291374579;rport
From: "puneet" <sip:[email protected]_domain>;tag=238987507
To: <sip:[email protected]_domain>;tag=z9hG4bK291374579
Call-ID: [email protected]
CSeq: 30 ACK
Content-Length: 0

2023/01/12 23:13:07.911614 public_IP:40430 -> 192.168.1.81:5160
INVITE sip:[email protected]_domain:5160 SIP/2.0
Via: SIP/2.0/UDP 10.82.163.47:5160;branch=z9hG4bK1135089627;rport
From: "puneet" <sip:[email protected]_domain:5160>;tag=238987507
To: <sip:[email protected]_domain:5160>
Call-ID: [email protected]
CSeq: 31 INVITE
Contact: "puneet" <sip:[email protected]:5160>
Authorization: Digest username="301", realm="asterisk", nonce="1673545387/13cbfb9ba954c19aaf1ca34f6bc0ef27", uri="sip:99
dynamic_domain:5160", response="d2576acb5a0427869699df8b416dcca0", algorithm=MD5, cnonce="04187717", opaque="41d6
05528382d3", qop=auth, nc=00000002
Max-Forwards: 70
User-Agent: Grandstream Wave 1.0.3.34
Privacy: none
P-Preferred-Identity: "puneet" <sip:[email protected]_domain:5160>
Supported: replaces, path, timer, eventlist
Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE
Content-Type: application/sdp
Accept: application/sdp, application/dtmf-relay
Content-Length:   672

2023/01/12 23:13:07.915630 192.168.1.81:5160 -> public_IP:40430
SIP/2.0 488 Not Acceptable Here
Via: SIP/2.0/UDP 10.82.163.47:5160;rport=40430;received=public_IP;branch=z9hG4bK1135089627
Call-ID: [email protected]
From: "puneet" <sip:[email protected]_domain>;tag=238987507
To: <sip:[email protected]_domain>;tag=5dce43ea-a761-4ebd-b56b-672e2fa6767c
CSeq: 31 INVITE
Server: FPBX-16.0.30(18.14.0)
Content-Length:  0

2023/01/12 23:13:08.416210 192.168.1.81:5160 -> public_IP:40430
SIP/2.0 488 Not Acceptable Here
Via: SIP/2.0/UDP 10.82.163.47:5160;rport=40430;received=public_IP;branch=z9hG4bK1135089627
Call-ID: [email protected]
From: "puneet" <sip:[email protected]_domain>;tag=238987507
To: <sip:[email protected]_domain>;tag=5dce43ea-a761-4ebd-b56b-672e2fa6767c
CSeq: 31 INVITE
Server: FPBX-16.0.30(18.14.0)
Content-Length:  0

2023/01/12 23:13:08.501521 public_IP:40430 -> 192.168.1.81:5160
ACK sip:[email protected]_domain:5160 SIP/2.0
Via: SIP/2.0/UDP 10.82.163.47:5160;branch=z9hG4bK1135089627;rport
From: "puneet" <sip:[email protected]_domain>;tag=238987507
To: <sip:[email protected]_domain>;tag=5dce43ea-a761-4ebd-b56b-672e2fa6767c
Call-ID: [email protected]
CSeq: 31 ACK
Content-Length: 0

what i understand from this is that freePBX is not replacing local extension ([email protected]) from [email protected]_domain to [email protected] local network. I may be wrong.

any suggestions??

The request is corrupt. It claims to have 672 bytes of SDP, but has none.

Either it really has been corrupted, or you have silently redacted the SDP which is unacceptable, making it impossible to debug.

The Grandstream is sending the wrong address in the Via header, but the rport parameter compensates for that.

FreePBX should not be rewriting the URIs, so there is no problem in that respect.

If the SDP really being garbled, I’d suspect a SIP Application Level Gateway on either the local or remote NAT routers.

The Grandstream Contact header is also wrong. You will need rewrite contact setting to compensate for that, but the call failed before that would make a difference.

I expect the SDP, when actually present, to contain the wrong address, as well, for which you will need comedia setting.

will send fresh debug info after office hours.
please check again at your convenience.