pfSense firewall with public IP in cloud > NAT port forward to FreePBX IP address via Tailscale VPN.
I am using Groundwire softphones on the public internet. I am trying to proxy almost through the cloud firewall for added security.
The soft phone works and can make calls, however when connected the audio channel does not work despite the fact the ports are correctly configured. I can see in pfsense that the audio ports are open, so the connection is obviously correct at least to establish a connection.
If I am connected to the local LAN, everything works fine. This is looking like a NAT issue.
Any ideas? I have tried to play around with the asterisk settings and adjusting the LAN to the public IP of the cloud firewall and also the IP of the Tailscale client.
To be more specific, because others have made this mistake, not the subnet of the VPN tunnel network but the subnet of the network that the phone is plugged into.
Something is not set up correctly for your VPN. The phones shouldn’t be connecting to the PBX with the other end’s WAN address. The phone system should see the internal IP address of the phones on the other side of the VPN connection.
So I guess why would the softphones connect to the PBX over the WAN address if they have the VPN tunnel to get that connection going? If they are properly using the VPN and the VPN is configured properly then they should be connecting with their respective local LAN IPs to the phone system.
Your architecture is not SIP-friendly. The softphone will send RTP (and subsequent related requests such as BYE) to the address that the PBX supplies in the response to INVITE (SDP and Contact header).
So, the PBX must be configured with the cloud server public IP, and must know when to send it. If your PBX has SIP trunks connected over the public internet, or ‘regular’ external extensions, it is also configured with pfSense box 2’s public IP address and needs to distinguish requests to know which to send. Conceivably, you could do this by using different protocols, or assigning multiple local IP addresses to the PBX.
But IMO, don’t pile kludge on top of kludge. Run a Tailscale client on the PBX, so pfSense box 1 sends directly to the PBX. The PBX will now have an interface with a 100.x.x.x address, which will have its own pjsip transport, configured with the WAN address of pfSense 1.
Another approach is to use the OpenVPN server built into FreePBX. Run an OpenVPN client on the cloud server, which connects to the PBX via a (possibly nonstandard) UDP port forwarded through pfSense 2.
Or, run a PBX in the cloud with a trunk to the on-site one.
Yet another possibility is using client certificates or other means to get the desired security and have the softphones register to the local PBX (no cloud server).
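The two-transport layout suggested above (LAN transport as before, plus a Tailscale-facing transport that advertises pfSense 1’s WAN address), written out as an added pjsip.conf example; it is not from this thread or from FreePBX’s generated files. The addresses 100.64.0.2, 203.0.113.10 and 192.168.10.0/24 are placeholders, and the file name pjsip.transports_custom.conf is assumed from FreePBX’s custom-file convention.

```ini
; Added example. Placeholders: PBX Tailscale address 100.64.0.2,
; pfSense 1 WAN 203.0.113.10, on-site phone LAN 192.168.10.0/24.
; FreePBX regenerates pjsip.transports.conf, so custom transports are
; assumed to live in pjsip.transports_custom.conf.

; Existing LAN transport (the one FreePBX already manages).
; Shown for contrast only: LAN phones and any public trunks keep using it,
; and its external_* values, if any, would be pfSense 2's WAN address.
[0.0.0.0-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060
local_net=192.168.10.0/24

; Tailscale-facing transport. Asterisk answers a request on the same
; transport it arrived on, so responses to INVITEs coming in through the
; cloud port-forward carry 203.0.113.10 in the Contact header and the SDP
; c= line instead of the unroutable 100.x address. Groundwire then sends
; RTP and later BYEs back through pfSense 1 rather than into the void.
[transport-tailscale]
type=transport
protocol=udp
; Nonstandard local port so it cannot collide with the 0.0.0.0:5060 bind;
; pfSense 1 forwards WAN:5060 to 100.64.0.2:5062.
bind=100.64.0.2:5062
external_signaling_address=203.0.113.10
external_media_address=203.0.113.10
; Only the on-site LAN is "local" here. Do NOT list 100.64.0.0/10: traffic
; relayed by pfSense 1 arrives from a 100.x source, and marking that local
; would suppress the external addresses and recreate the one-way audio.
local_net=192.168.10.0/24
```

The Tailscale interface has to be up before Asterisk starts or the bind fails, and the RTP port range forwarded on pfSense 1 must point at 100.64.0.2 as well.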
Installing Tailscale on the FreePBX machine isn’t documented, so I’m unsure how I’d do this.
I actually have several remote locations that all connect to the PBX via NAT / Tailscale and work fine. I guess the issue is the fact it’s public facing?
Instead of a new PBX, would a cloud based SBC be easier and offer the same level of security?