Request Timeout (408), phone on internet, FreePBX behind OPNsense firewall

Hi -
I’m having an issue where Zoiper softphones on the internet aren’t communicating into a PBX on my LAN. They aren’t registering, failing with a Request Timeout (408). The same phone works fine on the LAN.

What works:
• Zoiper phone inside the LAN, the same LAN the FreePBX box is on
• SIP trunk to Telnyx
• Inbound/outbound calls to the Zoiper phone on the LAN
• IAX Zoiper on the internet communicating with the PBX on the LAN, inbound and outbound
What doesn’t work:
• Registering Zoiper SIP phones outside the LAN, from the internet
• Error is Request Timeout (408)

I’m really confused because the SIP trunk works. Telnyx has given me sip.telnyx.com, so I sort of assume it’s using 5060.

General SIP Settings: NAT settings set to External IP and internal network addresses
Advanced Settings: SIP NAT = Yes

OPNsense firewall rules for port forwarding:
• 5060 TCP/UDP
• 5061 TCP/UDP
• 4569 TCP/UDP for IAX
• 9000-20000 UDP

I looked at siproxd on OPNsense, but it looks like it’s for SIP phones going out through OPNsense; I’m trying to go in from the WAN via OPNsense to get to the PBX on my LAN.

Any suggestions are appreciated
Thanks.

A careful scrutiny of sngrep will likely help; failing that, post the log of a failed call.

Thanks for the fast post.
Scrutiny is pretty light: I can see the phone reach the PBX box with method REGISTER and then nothing else.

Then most likely the REGISTER request is being blocked by the FreePBX firewall; check that the address is not banned by fail2ban and is marked as trusted.

Unfortunately it happens with the FreePBX firewall disabled. Since I’m fine inside the LAN but not with the phone on the WAN, it is sounding like a NAT issue, no?

A successful SIP INVITE will precipitate an SDP session; if you don’t see traffic, then an intermediary device, firewall or whatever, is not correctly forwarding the media packets, or sngrep would see them.

Yeah, that’s what I was thinking. I’ve been trying to find the issue in the OPNsense firewall, but no luck so far. At least I now know the packets are making it to the FreePBX box. Thanks for teaching me sngrep.

With the FreePBX firewall disabled, at the Asterisk command prompt, type
pjsip set logger on
and see whether registration attempts from the remote Zoiper appear in the Asterisk log.

If not (but they do appear in sngrep): Possibly, being sent to wrong port? Wrong protocol? Wrong destination IP address?

If yes: Are there any replies? If so, are they sent to correct address and port? Any errors logged?

Thanks for the coaching.
Asterisk pjsip is reporting a connection attempt; the return came back at a port in the 50k range. My port forward list on the OPNsense topped out at 20k. I just expanded it to 60k.
-Edit-
Now a REGISTER shows in sngrep but not in pjsip.
No fail2ban on the system yet.

-Edit 2-
I can connect on the LAN at 51389, so the port forwarding was definitely an issue; thanks for the help on fixing that. Now it’s the registration not showing in pjsip to resolve.

-Edit 3-
sngrep reports the registration attempt as:
114 REGISTER [email protected] [email protected] 29 yyy.yyy.yyy.yyy:6240 xxx.xxx.xxx.xxx:5060

Does yyy.yyy.yyy.yyy:6240 mean the attempt is on 6240 and not 5060?

Grasping at straws :)

I now have sngrep producing an OPTIONS line:
124 OPTION [email protected] voip.mydomain.com 1 yyy.yyy.yyy.yyy:6240 xxx.xxx.xxx.xxx:5060
115 REGISTER [email protected] [email protected] 29 yyy.yyy.yyy.yyy:6240 xxx.xxx.xxx.xxx:5060

I also tried to force the softphone to use SIP transport UDP and forced the SIP port range to 5060 and RTP to 9000-10000. However, I believe the above shows it is using 6240 on this attempt. Now trying with both Bria and Zoiper individually.

One more data point: when registering on the LAN the softphone uses 5060.

187 OPTIONS [email protected] voip.mydomain.com 4 192.168xxx.xxx:5060 192.168.xxx.xxx:5060
188 REGISTER [email protected] [email protected] 12 192.168xxx.xxx:5060 192.168.xxx.xxx:5060
189 OPTIONS [email protected] [email protected] 2 192.168.xxx.xxx:5060 192.168xxx.xxx:5060
190 OPTIONS [email protected] [email protected] 2 192.168.xxx.xxx:5060 192.168xxx.xxx:57442
191 NOTIFY [email protected] [email protected] 2 192.168.xxx.xxx:5060 192.168xxx.xxx:5060
192 NOTIFY [email protected] [email protected] 2 192.168.xxx.xxx:5060 192.168xxx.xxx:5060
193 OPTIONS [email protected] [email protected] 2 192.168.xxx.xxx:5060 192.168xxx.xxx:5060

Suspect an ALG (SIP “helper”) sort of thing doing the rewriting. They can help a single phone behind a firewall but mostly will eff up any PBX behind the same firewall.

Thanks for the idea!
Unfortunately, OPNsense comes without ALG helpers natively installed, though there is siproxd…
https://siproxd.sourceforge.io/, which I’ve stayed away from to this point.
I’m at the point where I might even try it :)

I’m going to dig and see if I can find something else that would modify the port of an incoming transmission, and report back. I don’t think there is; my implementation of OPNsense is pretty generic, though after my last two comments that seems to be the most plausible answer.

Consider siproxd a “SIP helper”: it will rewrite traversing SIP traffic, to the confusion of a PBX behind it. It is beneficial when you have several disparate local extensions registering to external servers, though.

Please don’t use words like “at” or “on” when referring to port numbers. Each UDP or TCP packet has a source port and a destination port. Saying “from” or “to” will make it clear what you are talking about.

This means that sngrep (and presumably Asterisk) saw a packet from the remote address port 6240 to its local address port 5060. Most likely, the remote router/firewall rewrote the source port number. Normally, this doesn’t cause any trouble, because Asterisk will send the response to remote address port 6240 and the router there will forward it on to the Zoiper address port 5060. Note that this behavior is necessary if there were more than one Zoiper running at the same remote location, because you can’t have multiple devices using the same address and port at the same time. Also note that because of remote source port rewriting, the SIP forwarding rule in your OPNsense should allow any source port (though you can restrict the source address as you desire). Don’t even think about siproxd at this point.

Assuming that pjsip now does see the incoming REGISTER request, please post that request and any replies, so we can see whether any ALG butchered the traffic and whether Asterisk replied correctly. If the request is present but there are no replies, there is likely some error logged by Asterisk; please post that.

Hi Stuart1 -
Apologies for my language, thanks for correcting me and teaching me.

I’m looking at sngrep and all I get are the two lines:
73 OPTIONS [email protected] voip.mydomain.com 1 xxx.xxx.xxx.xxx:6256 192.168.xxx.xxx:5060
74 REGISTER [email protected] [email protected] 5 xxx.xxx.xxx.xxx:6256 192.168.xxx.xxx:5060

In the pjsip logger I only see Telnyx and my server passing what I think are keepalive messages.

In the Asterisk log (FreePBX Admin → Reports → Asterisk Logfiles) I see the same logs.

FWIW, I’ve done a search in the logs for my iPhone’s IP, and the iPhone doesn’t show up in the logs; even just the first 3 octets of the iPhone’s address don’t show up. Also, the trunk and this softphone are the only devices trying to work with FreePBX at this time, to keep the logfiles etc. clean and not cluttered. I’m currently using Bria and Zoiper to take quirks of the softphone out of the equation. I don’t have the two softphones enabled at the same time.

When I’m on the LAN, Bria or Zoiper register just fine and I can see this in the logs.

You need to ‘drill down’ (press Enter) on the REGISTER sessions to see ‘more stuff’.

Ah, that works.
More stuff:

REGISTER sip:my.domain.com SIP/2.0
Via: SIP/2.0/UDP 10.12.206.241:5060;branch=z9hG4bK-524287-1---cb4f357161bc215e;rport
Max-Forwards: 70
Contact: sip:[email protected]:5060;+sip.instance="urn:uuid:a35c16af-00b7-41cb-a68e-a4f5c8cdc6a4";reg-id=1;expires=3600
To: sip:[email protected]
From: sip:[email protected];tag=e6d8941c
Call-ID: [email protected]
CSeq: 1 REGISTER
Expires: 3600
Allow: ACK, BYE, CANCEL, INVITE, NOTIFY, MESSAGE, OPTIONS, PRACK, REGISTER, UPDATE
User-Agent: Push Server 3.5.0 (24864)
Content-Length: 0

Dumb question: why is the Call-ID address @10.138.x.x when my network is 192.168.x.x?

One more:
2024/02/24 19:26:47.738588 35.197.16.246:5060 → 192.168.xxx.xxx:5060
REGISTER sip:me.mydomain.com SIP/2.0
Via: SIP/2.0/UDP 10.12.206.241:5060;branch=z9hG4bK-524287-1---44de4412503bd321;rport
Max-Forwards: 70
Contact: sip:[email protected]:5060;+sip.instance="urn:uuid:a35c16af-00b7-41cb-a68e-a4f5c8cdc6a4";reg-id=1;expires=3600
To: sip:[email protected]
From: sip:[email protected];tag=e6d8941c
Call-ID: [email protected]
CSeq: 10 REGISTER
Expires: 3600
Allow: ACK, BYE, CANCEL, INVITE, NOTIFY, MESSAGE, OPTIONS, PRACK, REGISTER, UPDATE
User-Agent: Push Server 3.5.0 (24864)
Content-Length: 0

And an OPTIONS.
Any IP I didn’t mask in any of these isn’t my phone’s public IP or one of my internal IPs.

OPTIONS sip:me.mydomain.com SIP/2.0
Via: SIP/2.0/UDP 100.88.119.73:5060;branch=z9hG4bK-524287-1---ba60fa41a31bac4c;rport;alias
Max-Forwards: 0
Contact: sip:[email protected]:5060;ob;+sip.instance="urn:uuid:a35c16af-00b7-41cb-a68e-a4f5c8cdc6a4
To: sip:me.mydomain.com
From: "me"sip:[email protected];tag=ddfa0bec
Call-ID: OTUzM2I1NzBiNDcxOWUyM2QyZjEzMzNiM2E1NjVlNmU
CSeq: 1 OPTIONS
Allow: OPTIONS, INVITE, ACK, CANCEL, BYE, REFER, INFO, NOTIFY, UPDATE, PRACK, MESSAGE, SUBSCRIBE
Supported: outbound, path
User-Agent: Bria Mobile iOS release 6.15.1 stamp 52086.52086
X-Connectivity-Probe-V4: 1
Content-Length: 0
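The NAT behaviour Stuart1 describes (the remote router rewrites the source port, and Asterisk answers to the packet's actual source rather than to what the Via header claims) can be checked mechanically against a pjsip logger capture like the REGISTER posted above. The following is an added example, not code from this thread or from FreePBX/Asterisk: it parses the transport line and the top Via header, then applies the RFC 3261 "received" rule and the RFC 3581 "rport" rule to work out where a compliant server will send its reply. The transport line, addresses and Via contents are constructed, modelled on the posted capture and the earlier sngrep summary with source port 6240.

```python
import ipaddress
import re

# Constructed sample modelled on the REGISTER and sngrep lines posted in this thread:
# the phone advertises its private address in Via, but the packet actually arrives
# from a public address with a rewritten source port (6240, as in the sngrep summary).
TRANSPORT_LINE = "2024/02/24 19:26:47.738588 203.0.113.7:6240 -> 192.168.1.10:5060"
REGISTER = (
    "REGISTER sip:me.mydomain.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.12.206.241:5060;branch=z9hG4bK-524287-1---44de4412503bd321;rport\r\n"
    "Max-Forwards: 70\r\n"
    "Contact: <sip:1001@10.12.206.241:5060>;reg-id=1;expires=3600\r\n"
    "To: <sip:1001@me.mydomain.com>\r\n"
    "From: <sip:1001@me.mydomain.com>;tag=e6d8941c\r\n"
    "Call-ID: 1234@10.12.206.241\r\n"
    "CSeq: 10 REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_transport(line):
    """(src_ip, src_port, dst_ip, dst_port) from a pjsip logger / sngrep transport line."""
    m = re.search(r"(\d+\.\d+\.\d+\.\d+):(\d+) (?:->|→) (\d+\.\d+\.\d+\.\d+):(\d+)", line)
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))

def top_via(msg):
    """(host, port, params) of the first Via: sent-by is where the phone THINKS it is."""
    for hdr in msg.split("\r\n")[1:]:
        if hdr.lower().startswith("via:"):
            parts = hdr.split(":", 1)[1].strip().split(";")
            host, _, port = parts[0].split()[1].partition(":")
            params = {p.partition("=")[0].lower(): p.partition("=")[2] for p in parts[1:]}
            return host, int(port or 5060), params
    raise ValueError("no Via header")

def analyse(transport_line, msg):
    """Where a compliant server (RFC 3261 s18.2.2, RFC 3581) will send the reply."""
    src_ip, src_port, _, _ = parse_transport(transport_line)
    via_host, via_port, params = top_via(msg)  # assumes an IP literal in sent-by
    behind_nat = via_host != src_ip or ipaddress.ip_address(via_host).is_private
    rport = "rport" in params
    reply_ip = src_ip if via_host != src_ip else via_host   # 'received' rule
    reply_port = src_port if rport else via_port            # 'rport' rule
    return {
        "behind_nat": behind_nat,
        "source_port_rewritten": src_port != via_port,
        "rport_requested": rport,
        "reply_to": (reply_ip, reply_port),
    }
```

For the sample, the reply goes to 203.0.113.7:6240, which is why the OPNsense forwarding rule must accept any source port: restricting it to 5060 would drop exactly these rewritten packets.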