Registering phone (to PBX) behind NAT (SOLVED)

We have a SangomaOS PBX (built from .ISO).
It sits on a LAN behind a NAT router (very common).
The SangomaOS firewall is disabled / stopped.

We have a few remote phones (home offices).
Endpoints can use either chan_SIP (5160) or PJSIP (5060)
No OpenVPN involved.

On the PBX (at the extension level) all remote phones use chan_SIP port 5160, and NAT is set to YES.

Here is the question part:
We have (2) phones at a remote site …
One Yealink and one Fanvil.

The Yealink phone registers remotely just fine (has 2 way audio).
The Fanvil phone will not register.

Watching (using) sngrep: shows both phone registration packets arriving to the PBX (also see this with tcpdump).

The Yealink registers fine (watching sngrep) (4 messages) (x201)
Register
401 Unauthorized:
2nd Registration (with digest):
200 OK

The Fanvil fails (watching sngrep) (2 messages) (x202)
Register
401 Unauthorized:
(this repeats with no 2nd registration (digest) or 200 OK)

I’ve tried using x202 on the Yealink, and it registers fine.
I’ve tried using x201 on the Fanvil, and it fails

I’ve not found anything in the UI of the Fanvil for for “NAT” which matters.

I’ve tried setting the x202 extension to be NAT: No (did not work)

I have not tried registering either phone as a PJSIP remote endpoint.

Side-Note (don’t want to start an argument):
I’ve never had any luck registering a PJSIP remote endpoint to a SangomaOS PBX when it is sitting behind a router (NAT), so I’ve stuck with chan_SIP.

Thanks for any tips.

Please provide “sips set debug on” logs of the register transactions.

How have you configured the phones to account for NAT? (nat= should not be needed if this is done properly.)

What port numbers are the phones originating on, and what does the remote site router translate these to. Does the remote end router have or generate port forwarding rules for both remote end port numbers?

So the phone is not ‘hearing’ the 401. Check whether the 401 is being sent to the correct IP and port (same as where the PBX saw the REGISTER came from). If not, check ‘force rport’, etc.

If this looks ok, check at the Fanvil end whether the 401 is coming in and has not been butchered by an ALG.

If you still have trouble, post make and model of the NAT devices at both ends of the link, along with any VoIP-related settings in either.

1 Like

SOLVED:
Because you said this: I was able to solve things

So the phone is not ‘hearing’ the 401. Check whether the 401 is being sent to the correct IP and port (same as where the PBX saw the REGISTER came from). If not, check ‘force rport’, etc.

What I did:
Using sngrep on the remote phone router side: I could see the 401-unathorized message was not coming back to the Fanvil phone.
We could only see the REGISTER attempts.

NEXT: In the UI of the Fanvil phone: we changed the “local port” field to match what the PBX has. We did this in the Fanvil UI (GUI).

The 401 unauthorized messages started to arrive “back” to the remote phone: thus the 2nd register with digest was sent, and the 200 OK happened.

I would not have been able to solve this without your insight…
What a great day!

Thank you, Stewart1

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.