I am standing up a hosted FreePBX system. I have VMWare as my environment and am in the initial setup phase. I currently have port 84 as port 8401 on the public side and port 5060 as 5061 on the public side. RTP ports 11000 - 11099 are forwarded from outside in. PBX is at hosted site and phones connect via internet. Both behind a firewall. Auto provisioning, SIP registering are both working. When I call an extension, it rings and can be answered. The issue is that there is no audio. I have not set up a trunk at this point and didn’t think that would cause this issue. I see no RTP traffic on either firewall, or in wireshark when I do a capture. I have tested another phone connected in my office and RTP traffic will pass from it to another FreePBX system. I have been beating my head with this problem for a couple of weeks. SO any help / advice would be greatly appreciated. First post. Rob
Rob, FreePBX needs to know the external IP in Settings → Asterisk SIP Settings → External Address.
It is set. I am using my static DNS address.
Did you modify the PBX’s RTP port range? It uses 10000-20000 meaning that if you didn’t update it you aren’t using all the ports for RTP. The PBX will start at 10000
I did. Modified them in RTP Settings → RTP Port Ranges → Start 11000 End 11099.
But, I am not seeing any RTP traffic when a call is initiated. Even if that were incorrect, I should see it in wireshark or the firewall.
I am seeing RTP traffic in the TCPDump that I ran. It is trying to send it to the IP of the phone, which seems incorrect as it can’t be seen directly from the PBX. It should be the outside interface, correct? FYI 10.169.0.11 is the PBX and 172.16.1.66 is the phone. Firewalls and internet inbetween.
h 172
12:52:23.390416 ens192 Out IP 10.169.0.11.11072 > 172.16.1.66.11864: UDP, length 172
12:52:23.410418 ens192 Out IP 10.169.0.11.11072 > 172.16.1.66.11864: UDP, length 172
12:52:23.430397 ens192 Out IP 10.169.0.11.11072 > 172.16.1.66.11864: UDP, length 149
12:52:23.430397 ens192 Out IP 10.169.0.11.11072 > 172.16.1.66.11864: UDP, length 149
Ensure you don’t have 172.16.x.x listed in the local networks section of Asterisk SIP Settings / NAT settings.
Any network listed there will be considered local to the PBX and won’t get NAT treatment (e.g. external IP).
The only network there is 10.169.0.0/24
Asterisk has to receive media from the device in order to know the actual IP address+port to send media to. Until that has happened it will send media to what was requested by the device.
You would need to get a log[1] including SIP trace (pjsip set logger on in the Asterisk CLI will enable it) to see what is actually being given for addresses. If it is then confirmed that Asterisk is providing the correct IP address, the problem is probably outside of Asterisk.
After digging through the logs, it appears that FreePBX is assuming the phones are local traffic, 172.16.1.0/24. However, that network is not set as local in the PBX. That network doesn’t exist on the PBX side, so it is dumped. The odd thing to me is that the phones register and you can call and pickup. So, somewhere the traffic is being routed correctly, just not RTP. I think that it is a media setting somewhere, but not available in the web interface. I am considering using Kamailio and RTPengine to handle this for me. Seems as if I am asking FreePBX to do more than it is capable of. Thoughts? Thank you for all of the help and advice. It is appreciated.
Signaling and media are separately handled, and signaling will “work” in certain cases even if the wrong IP address is present until a certain point. Without logs, more detailed configuration information, I can’t really offer anything except to say that this is a somewhat common scenario.
Here is one tcpdump showing 10.169.0.11(PBX) sending UDP ] RTP to 172.16.1.65
10.169.0.11.11040 > 172.16.1.65.12550: … UDP, length 172
17:39:13.268049 ens192 Out IP … proto UDP (17) …
10.169.0.11.11040 > 172.16.1.65.12550: … UDP, length 172
…
17:39:14.755677 ens192 Out IP … proto UDP (17), length 104)
10.169.0.11.11041 > 172.16.1.65.12551: … UDP, length 76
…
17:39:16.954452 ens192 Out IP … proto UDP (17), length 84)
10.169.0.11.11040 > 172.16.1.65.12550: … UDP, length 56
Also captured SDP inside SIP
c=IN IP4 172.16.1.65
m=audio 12558 RTP/AVP 0 8 18 9 101
c=IN IP4 172.16.1.66
m=audio 11900 RTP/AVP 0 101
For reference, this is the command used. tcpdump -ni ens192 udp. I’d be happy to run any others if needed. Can’t thank you enough for the help. I have been at the for two weeks.
What about the sdp from Asterisk? Is it showing the public ip address?
For that to happen, either the phone has to send its public address, or symmetric RTP has to be enabled (default, I think) and Asterisk has to have received media from the phone on the port number on which it is has told the phone to use. Until that media is received, Asterisk is correct in sending to the address that the phone says to use.
Typically, for the media to have been received, there must be a static port forwarding rule, for the whole RTP range, on your router, or the the router has to have looked inside the SDP. Most routers that attempt the latter manage to get it wrong, so the normal advice is to disable SIP ALG.
The phone would have to use something like STUN to discover its public address, and I’m not sure how many phones to that.
I have a SNAT configured to forward all traffic hitting ports 11000-11099 on my public IP to be forwarded to the internal IP of the PBX. That port range is defined in the PBX. So, theoretically the PBX will never see the phones inside address, only the Ext Int of its firewall. Is this how it should be designed?
If the phones are not aware that they are behind NAT, Asterisk will see their internal address in their SDP. Initially it will send to that address. Once it starts seeing incoming media, it will switch to the source address of that media.
You need DNAT on the system with Asterisk in order to learn the address of a phone that is using a private address in its SDP. (You actually need both.)
Where can I find instruction or a guide on how to do that? I will take a snapshot of the VM and give it a try. Thanks