Hi -
I’m having an issue where Zoiper softphones on the internet aren’t communicating into a PBX on my LAN. They aren’t registering, with a Request Timeout (408). The same phone works fine on the LAN.
What works:
• Zoiper phone inside the LAN, the same LAN the FreePBX box is on
• SIP trunk to Telnyx
• Inbound/outbound calls to Zoiper phone on the LAN
• IAX Zoiper on the internet communicating to the PBX on the LAN, Inbound and outbound
What doesn’t work -
• Registering Zoiper SIP phones outside the LAN from the internet
• Error is Request Timeout(408)
I’m really confused because the SIP trunk works. Telnyx has given me sip.telnyx.com, so I sort of assume it’s using 5060.
General SIP settings NAT settings set to External IP and internal network addresses
Advanced Settings SIP NAT = Yes
OPNsense Firewall rules for port forwarding
• 5060 TCP/UDP
• 5061 TCP/UDP
• 4569 TCP/UDP for IAX
• 9000-20000 UDP
I looked at siproxd on OPNsense, but it looks like it’s for SIP phones going out of OPNsense. I’m trying to go in from WAN via OPNsense to get to the PBX on my LAN.
Unfortunately it happens with the FreePBX firewall disabled. Since I’m fine inside the LAN but not with the phone on the WAN, it is sounding like a NAT issue, no?
A successful SIP INVITE will precipitate an SDP session. If you don’t see traffic, then an intermediary device, firewall or whatever, is not correctly forwarding the media packets, or sngrep would see them.
Yeah, that’s what I was thinking. I’ve been trying to find the issue in the OPNsense firewall, but no luck so far. At least I now know the packets are making it to the FreePBX box, thanks for teaching me sngrep.
With the FreePBX firewall disabled, at the Asterisk command prompt, type pjsip set logger on
and see whether registration attempts from the remote Zoiper appear in the Asterisk log.
If not (but they do appear in sngrep): Possibly, being sent to wrong port? Wrong protocol? Wrong destination IP address?
If yes: Are there any replies? If so, are they sent to correct address and port? Any errors logged?
Thanks for the coaching.
Asterisk pjsip reported one connection attempt; the return came back at a port in the 50k. My port forward list on the OPNsense topped out at 20K. I just expanded it to 60K.
-Edit-
Now a register shows in sngrep but not in pjsip.
No fail2ban on the system yet.
-Edit 2-
I can connect on the LAN at 51389, so the port forwarding was definitely an issue. Thanks for the help on fixing that. Now it’s the registration not showing in pjsip to resolve.
I also tried to force the softphone to use SIP transport UDP and forced the SIP port range to 5060 and RTP to 9000-10000. However, I believe the above shows it is using 6240 on this attempt. Now trying with both Bria and Zoiper individually.
Suspect an ALG (SIP “helper”) sort of thing doing the rewriting. They can help a single phone behind a firewall but mostly will eff-up any PBX behind the same firewall.
Thanks for the idea!
Unfortunately, OPNsense comes without ALG helpers natively installed, though there is siproxd… https://siproxd.sourceforge.io/ which I’ve stayed away from to this point.
I’m where I might even try it
I’m going to dig and see if I can find something else that would modify the port of an incoming transmission and report back. I don’t think there is, my implementation of OPNsense is pretty generic, though after my last two comments, that seems to be the most plausible answer.
Consider siproxd as a "SIP helper"; it will rewrite traversing SIP traffic to the confusion of a PBX behind it. It is beneficial when you have several disparate local extensions registering to external servers, though.
Please don’t use words like “at” or “on” when referring to port numbers. Each UDP or TCP packet has a source port and a destination port. Saying “from” or “to” will make it clear what you are talking about.
This means that sngrep (and presumably Asterisk) saw a packet from the remote address port 6240 to its local address port 5060. Most likely, the remote router/firewall rewrote the source port number. Normally, this doesn’t cause any trouble, because Asterisk will send the response to remote address port 6240 and the router there will forward it on to the Zoiper address port 5060. Note that this behavior is necessary if there were more than one Zoiper running at the same remote location, because you can’t have multiple devices using the same address and port at the same time. Also note that because of remote source port rewriting, the SIP forwarding rule in your OPNsense should allow any source port (though you can restrict the source address as you desire). Don’t even think about siproxd at this point.
Assuming that pjsip now does see the incoming REGISTER request, please post that request and any replies, so we can see whether any ALG butchered the traffic and whether Asterisk replied correctly. If the request is present but there are no replies, there is likely some error logged by Asterisk; please post that.
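The source-port rewriting described in the reply above, as an added example that is not part of the original thread and is not FreePBX or Asterisk code: it compares the observed source of a REGISTER with what the phone wrote into Via and Contact, and shows why a port forward pinned to a source port drops the packet. The sample message, all addresses and the helper names are constructed for illustration; only the source port 6240 comes from the thread.

```python
import ipaddress
import re

# Constructed REGISTER as a phone behind a remote NAT might send it
# (illustrative addresses; not taken from the thread).
SAMPLE_REGISTER = (
    "REGISTER sip:203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK-524287-1;rport\r\n"
    "From: <sip:101@203.0.113.10>;tag=a1b2\r\n"
    "To: <sip:101@203.0.113.10>\r\n"
    "Call-ID: constructed-call-id@192.168.1.50\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:101@192.168.1.50:5060;transport=UDP>\r\n"
    "Content-Length: 0\r\n\r\n"
)

HOSTPORT = r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?"

def header_addr(message, pattern):
    """Return (ip, port) from the first header line matching pattern; port defaults to 5060."""
    m = re.search(pattern, message, re.IGNORECASE | re.MULTILINE)
    if not m:
        return None
    return m.group(1), int(m.group(2) or 5060)

def analyse_register(message, src_ip, src_port):
    """Compare the packet's observed source with what the phone wrote in Via and Contact."""
    via = header_addr(message, r"^Via:\s*SIP/2\.0/\w+\s+" + HOSTPORT)
    contact = header_addr(message, r"^Contact:.*?sip:(?:[^@>\s]+@)?" + HOSTPORT)
    observed = (src_ip, src_port)
    return {
        "via": via,
        "contact": contact,
        # Source differs from Via sent-by: a NAT sits between phone and PBX.
        "nat_in_path": via != observed,
        "source_port_rewritten": via is not None and via[1] != src_port,
        "via_is_private": via is not None and ipaddress.ip_address(via[0]).is_private,
        # The response has to go back to the observed source, not the Via address.
        "reply_to": observed,
    }

def rule_allows(rule_src_port, packet_src_port):
    """A port forward pinned to a source port drops NAT-rewritten packets; None means 'any'."""
    return rule_src_port is None or rule_src_port == packet_src_port

if __name__ == "__main__":
    print(analyse_register(SAMPLE_REGISTER, "198.51.100.7", 6240))
```
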
In pjsip logger I only see Telnyx and my server passing what I think are keepalive messages.
In the Asterisk log (FreePBX Admin → Reports → Asterisk Logfiles) I see the same logs.
FWIW, I’ve done a search in the logs for my iPhone’s IP, and the iPhone doesn’t show up in the logs. Even just the first 3 of the iPhone’s address doesn’t show up. Also, the trunk and this softphone are the only devices trying to work with FreePBX at this time. This is to keep the logfiles, etc. clean and not cluttered. I’m currently using Bria and Zoiper to take quirks of the softphone out of the equation. I don’t have the two softphones enabled at the same time.
When I’m on the LAN, Bria or Zoiper register just fine and I can see this in the logs.