Request Time out (408) phone on internet, FreePBX behind OPNsense firewall

some more random information -
A cable company is my ISP.
They have stated:
Sparklight reserves the right to employ network management practices (e.g., to prevent the distribution of viruses or other malicious code) as well as to block the transfer of unlawful content. As such, Sparklight blocks ports 135, 136, 137, 138, 139 & 445. In addition, SMTP Port 25 and SSDP Port 1900 are restricted for residential customers. Our technical support agents are unable to unblock these ports.

Is

real, or are you masking information (which will not behoove you if you seek help)

masking, was nervous about trolls pulling addresses and then doing brute force attacks.
voip.redshirt.net

UDP/5060 is open, so does the INVITE generate a response? If not, then the server is not getting the traffic; if it does, to whom is it sending it?

Thanks for checking. I have a Telnyx trunk that connects to the FreePBX server via 5060 and is active, so I think that confirms 5060 TCP/UDP goes to the server. Correct?

I also just confirmed the port forwards for 5060, 5061 and a range of 9000-20000 UDP for RTP communication are also going to the server. Anything I’m missing or should add?

Apologies, I don’t know enough about the process, does INVITE come from the soft phone or the server? sngrep shows an OPTIONS line then a REGISTER line for the phone.

OK, so apparently correct REGISTER requests are seen by sngrep but not by pjsip logger.
If you’re not in agreement with that, please explain.

Is this using UDP or TCP? Zoiper is set for UDP and if the Telnyx trunk was set up using TCP then it’s possible that pjsip’s UDP transport is not set up correctly.

Next, in Asterisk SIP Settings, pjsip tab, under Transports (assuming defaults), you should see:
udp - 0.0.0.0 - All : Yes
and under 0.0.0.0 (udp) you should have
Port to Listen On: 5060
and the other four settings left blank.
If this is not the case, explain your settings.

If we get this far, I am guessing that a software firewall is blocking the traffic.

Is it disabled now? Possibly, something else was wrong then, which you have since fixed, but the FreePBX firewall or fail2ban is now causing trouble. Confirm that the remote IP is not banned and that disabling the firewall doesn’t help.

Otherwise, perhaps some other software firewall somehow got installed. At a root shell prompt and with FreePBX firewall disabled, type
iptables -vL
and post the output.

Hey Stewart1 -
you nailed it! there is an iptable running. I told it to accept everything and boom, registration city!

Thank you!!!

I of course rebooted to remove the entry and restore the firewall

I unwittingly withheld what looks to be an important bit of information that probably wasted your time- I am soooo sorry for this, it didn’t cross my mind. I’m running FreePBX for the Raspberry Pi
https://www.dslreports.com/forum/r30661088-PBX-FreePBX-for-the-Raspberry-Pi

As you can see below, it looks like the iptable is crafted to let in various trunk providers, and a couple standard home internet configurations. After the last attempts I focused on the OPNsense being the issue, it felt like a firewall issue but I was stuck. I was looking to buy a Netgear to test with tomorrow.

Now that you’ve solved that one, how should my iptable be structured? The device sits behind a router / firewall, as you know, and will never be exposed directly to the internet, only the previously stated ports.

For your interest, I present to you the default table setup in a FreePBX raspberry pi -
Chain INPUT (policy DROP 140 packets, 105K bytes)
pkts bytes target prot opt in out source destination
9903 949K ACCEPT all – lo any anywhere anywhere
868 71815 ACCEPT tcp – any any anywhere anywhere tcp flags:ACK/ACK
53 9575 ACCEPT all – any any anywhere anywhere state ESTABLISHED
0 0 ACCEPT all – any any anywhere anywhere state RELATED
0 0 ACCEPT udp – any any anywhere anywhere udp spt:domain dpts:1024:65535
0 0 ACCEPT icmp – any any anywhere anywhere icmp echo-reply
0 0 ACCEPT icmp – any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp – any any anywhere anywhere icmp source-quench
0 0 ACCEPT icmp – any any anywhere anywhere icmp time-exceeded
0 0 ACCEPT icmp – any any anywhere anywhere icmp parameter-problem
0 0 ACCEPT tcp – any any anywhere anywhere tcp dpt:auth
0 0 ACCEPT tcp – any any anywhere anywhere tcp dpt:1723
0 0 ACCEPT udp – any any anywhere anywhere udp dpt:iax
0 0 ACCEPT tcp – any any anywhere anywhere tcp dpt:32976
0 0 ACCEPT tcp – any any anywhere anywhere tcp dpt:4445
0 0 ACCEPT udp – any any anywhere anywhere udp dpt:ntp
0 0 ACCEPT udp – any any anywhere anywhere udp dpt:tftp
0 0 ACCEPT tcp – any any anywhere anywhere tcp dpt:9022
715 142K ACCEPT udp – any any anywhere anywhere udp dpt:mdns
0 0 ACCEPT udp – any any 64.2.142.215 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 64.2.142.216 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 64.2.142.9 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 64.2.142.17 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 64.2.142.18 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 64.2.142.29 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 64.2.142.87 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 64.2.142.106 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 64.2.142.107 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 64.2.142.109 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 64.2.142.111 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 64.2.142.187 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 64.2.142.188 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 64.2.142.189 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 64.2.142.190 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 64.2.142.214 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 64.2.142.26 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any at-14003.dc-c37.l-R91U28.sp-5.p-4.uisvcs.com anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 174.34.146.162 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any cpshared02-chi.ubiquityclients.com anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any b2.36.364a.static.theplanet.com anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any ev1s-209-62-1-2.theplanet.com anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any unassigned.quadranet.com anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any us4.voipinterface.net anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 69.147.236.82 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 68-233-226-97.static.hvvc.us anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 67.205.74.184 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 67.205.74.187 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 174.137.63.206.16clouds.com anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 174.137.63.202.16clouds.com anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any server.zimbabwewebdesign.com anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 199.87.144.0/21 anywhere multiport dports sip:5080,iax
0 0 ACCEPT udp – any any 204.11.192.0/22 anywhere multiport dports sip:5080,iax
0 0 ACCEPT udp – any any scottshelton.clientshostname.com anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any node24.174.136.64.voipinnovations.com anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any node24.174.136.64.voipinnovations.com anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any did.voip.les.net anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any magnum.axvoice.com anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any future-nine.com anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 85.17.148.32 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 63-211-239-14.teliax.com anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any atlantanew1.voip.ms anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any lax.teliax.net anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 8-14-120-23.leap.tel anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 8-17-37-23.teliax.net anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 66.54.140.46 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any 66.54.140.47 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp – any any node07.dns-hosting.info anywhere multiport dports sip:5069
0 0 ACCEPT udp – any any node11.dns-hosting.info anywhere multiport dports sip:5069
0 0 ACCEPT udp – any any 2.b6.e443.ip4.static.sl-reverse.com anywhere multiport dports sip:5069
0 0 ACCEPT udp – any any www.freenum.org anywhere multiport dports sip:5069
0 0 ACCEPT udp – any any 024-211-064-206.res.spectrum.com anywhere multiport dports sip:5069
0 0 ACCEPT udp – any any 199.30.56.194 anywhere multiport dports sip:5069
0 0 ACCEPT udp – any any 209.216.15.70 anywhere multiport dports sip:5069
0 0 ACCEPT udp – any any bser1.bingotelecom.com anywhere multiport dports sip:5069
0 0 ACCEPT udp – any any pbx30.rentpbx.com anywhere multiport dports sip:5069
0 0 ACCEPT udp – any any gw1.sip.us anywhere multiport dports sip:5069
0 0 ACCEPT udp – any any gw2.sip.us anywhere multiport dports sip:5069
0 0 ACCEPT udp – any any e.65.1632.ip4.static.sl-reverse.com anywhere multiport dports sip:5069
0 0 ACCEPT udp – any any 67.212.84.21 anywhere multiport dports sip:5069
0 0 ACCEPT udp – any any static.206.39.9.176.clients.your-server.de anywhere multiport dports sip:5069
0 0 ACCEPT udp – any any 25.prd1.tms.anveo.com anywhere multiport dports sip:5069
0 0 ACCEPT udp – any any f2.66.1632.ip4.static.sl-reverse.com anywhere multiport dports sip:5069
0 0 ACCEPT udp – any any c-98-254-157-185.hsd1.fl.comcast.net anywhere multiport dports sip:5069
0 0 ACCEPT udp – any any sip.didlogic.net anywhere multiport dports sip:5069
0 0 ACCEPT udp – any any c-98-254-157-185.hsd1.fl.comcast.net anywhere multiport dports sip:5069
0 0 ACCEPT udp – any any 64.2.142.26 anywhere multiport dports sip:5069
0 0 ACCEPT udp – any any node04.dns-hosting.info anywhere multiport dports sip:5069
0 0 ACCEPT tcp – any any node04.dns-hosting.info anywhere tcp dpts:sip:5069
0 0 ACCEPT all – any any 10.0.0.0/8 anywhere
0 0 ACCEPT all – any any 127.0.0.0/8 anywhere
0 0 ACCEPT all – any any 172.16.0.0/12 anywhere
647 91040 ACCEPT all – any any 192.168.0.0/16 anywhere

@Stewart1 @dicko Thank you for your great help and education. I learned a lot and am grateful for your time.

Bottom line on this one: I had a distro for a Raspberry Pi that had a firewall running on it. I never expected it, I never checked. The firewall is built to only allow certain trunk traffic from providers and internal IP addresses. After all this running around, that was the issue, the appropriate ports weren’t open to the internet.

I’ve spent the day re-writing the firewall and it works well. The server is in my home LAN with only the ports needed for voip forwarded so I’m not too worried about mistakes, but if someone wants to check it or use it, DM me.
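
The root cause summarised above, as an added example that is not part of the original thread: a first-match evaluator for `iptables -vL` output shows why a REGISTER from a remote phone falls through to the DROP policy while provider and LAN sources are accepted. The listing is a constructed excerpt in the thread's format, `203.0.113.7` is a placeholder phone address, and `verdict`, `_port_ok` and `eth0` are hypothetical names.

```python
import ipaddress
import re

SERVICES = {"sip": 5060, "iax": 4569, "mdns": 5353}  # /etc/services names in the listing
_port = lambda tok: SERVICES.get(tok) or int(tok)

# Constructed excerpt in `iptables -vL` format, modelled on the thread's listing.
LISTING = """\
Chain INPUT (policy DROP 140 packets, 105K bytes)
pkts bytes target prot opt in out source destination
9903 949K ACCEPT all -- lo any anywhere anywhere
53 9575 ACCEPT all -- any any anywhere anywhere state ESTABLISHED
715 142K ACCEPT udp -- any any anywhere anywhere udp dpt:mdns
0 0 ACCEPT udp -- any any 64.2.142.215 anywhere multiport dports sip:5069,iax
0 0 ACCEPT udp -- any any 199.87.144.0/21 anywhere multiport dports sip:5080,iax
647 91040 ACCEPT all -- any any 192.168.0.0/16 anywhere
"""

def _port_ok(extra, dport):
    """True if the rule has no port match or dport is inside one of its ranges."""
    m = re.search(r"dpts?:(\S+)|dports (\S+)", extra)
    if not m:
        return True
    # "sip:5069" is the range 5060-5069; a bare name such as "iax" is one port
    ranges = [item.partition(":") for item in (m.group(1) or m.group(2)).split(",")]
    return any(_port(lo) <= dport <= _port(hi or lo) for lo, _, hi in ranges)

def verdict(listing, proto, src, dport, iface="eth0"):
    """First-match verdict for an unsolicited inbound packet: (target, matching line)."""
    lines = listing.strip().splitlines()
    policy = re.search(r"policy (\w+)", lines[0]).group(1)
    for line in lines[2:]:
        f = line.split(None, 9)
        target, rproto, rin, rsrc = f[2], f[3], f[5], f[7]
        extra = f[9] if len(f) > 9 else ""
        if rproto not in ("all", proto) or rin not in ("any", iface):
            continue
        if "state " in extra or "flags:" in extra:
            continue  # conntrack/ACK rules do not match an unsolicited first packet
        if rsrc != "anywhere":
            try:
                if ipaddress.ip_address(src) not in ipaddress.ip_network(rsrc, strict=False):
                    continue
            except ValueError:  # hostname source: cannot be resolved offline, skip
                continue
        if _port_ok(extra, dport):
            return target, line
    return policy, lines[0]  # nothing matched: the chain policy decides
```

Run it against the real output of `iptables -vL` before and after rewriting the rules to confirm that SIP and RTP from an arbitrary internet source get the verdict you intend.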
