Sangoma Paid Support

Hi Guys,

Will Sangoma’s paid support troubleshoot my firewall, switch, DSL modem, Yealink phones along with my FreePBX or will they only help with their products? I have a complicated issue and I need someone that can look at the entire picture. I have only used Sangoma paid support once and it was for an issue on the PBX. Does anyone know this before I pay $400 for a support call only to find out they won’t look at my other equipment? Thanks.

Hi!
We do not support firewalls, switches or modems; we can try to give you a hand with your Yealink phones.

OK, thanks, but it is mainly a firewall (Sophos) issue. Are there any other resources you can recommend? I have tried the forums already with no luck. Thanks.

I don’t know what your issue is; can you give us more information?

I have a double NAT issue with a new FreePBX install in Australia; I am in the US. Our ISP’s modem is set to forward all ports to our firewall (Sophos). That creates the first network, 15.x, then on the other side of the firewall sits our FreePBX server on the 4.x network. The PBX registers with Sipstation and passes the firewall test. Outbound calls ring through but have no audio. Inbound calls do not go through. Phone to phone calls in the building work so I know the PBX is fine. It is a Firewall/Modem issue regarding the RTP packets not passing through the two networks properly.

Can’t you use two NIC interfaces? One for your SIP trunk connected to your ISP modem and the other one to your own firewall?

I have not tried that yet but I did put the PBX on the other side of the firewall on the 15.x side and lost communication to the modem and the PBX. I had an employee move it back behind the firewall. The reason I don’t think the two NICs will work is that all ports are being forwarded to the firewall. It will be hard to separate the traffic for the firewall and the PBX using the ISP’s limited settings in the modem.

For troubleshooting, have you tried hooking the PBX directly to the ISP modem to see if you can make calls? It sounds like there is an issue with NAT translation. Sophos XG is a little complicated when it comes to NAT, so I would eliminate it from the equation and see if that is causing the issue.

Chris

Yes, last night I plugged the PBX into the modem directly and port forwarded the appropriate ports to the PBX. The PBX is still not working. No inbound or outbound audio. The modem must be affecting the packets somehow.

Then that’s where I would troubleshoot. Is there a DMZ feature in the modem itself? And for the port forwarding, are you forwarding UDP 10,000-20,000?

And are you able to see the WAN IP in your modem? Is it a public IP or is it a private IP as well?

Chris

Yes, I tried the DMZ feature with no luck. I finally got it to work this morning with a lot of setting changes on the modem, PBX and phones. The PBX is now sitting outside the Sophos firewall, no double NAT and all the proper phone ports are forwarded to the PBX and all the other ports are forwarded to the firewall. The only question will be if the phones work in the building as I am configuring this from home. If the phones don’t work internally I will install a second NIC on the PBX and plug it into our switch so the PBX will be on both networks. Thank you for all the help everyone!!

I just wanted to follow up on this thread with what finally worked in case someone else has the same issue. I moved the PBX outside the firewall and plugged it into the modem directly. Next I forwarded the proper ports to the PBX and all other ports to my firewall. I then added a second IP address to the single network card for the other subnet. So the PBX is now on the 15.x network and the 4.x network. Then I ran a network cable from the modem to the switch. Without this cable users behind the firewall (4.x network) could not see the PBX.

Can you please draw a network topology so I can see what you are trying to do? Thanks.

OK, so here is the deal. This was a double NAT install. A single NAT is bad enough with SIP but add a second one in the mix and forget it. Packets get all screwed up and changed going through the 2 NATs and a firewall. No matter what I did calls wouldn’t go through or would have one way audio issues. I also need my phones to work outside the network as well as inside. So I port forwarded all the SIP and Media ports from the modem to the PBX and all the rest of the ports go to the firewall. This worked for phones outside of the network but the phones inside the network could not see the PBX because they were on the other side of the firewall. The DSL Modem has 4 ports on it so I plugged the firewall into 1 port and the PBX into another. This helped but the calls were still not going through because they got confused with the firewall being the gateway. I added the second IP to the PBX for the first NAT and again this helped but did not fix everything. The final solution was to put another wire from the modem to the switch and now everything can see each other. I hope this makes more sense now.

Can you explain why your internal switch is connecting to your DSL modem?
I would move everything behind the firewall so it would go DSL MODEM >> FIREWALL >> your switch, then your PBX and your internal devices.

Originally everything was behind the firewall and the firewall was behind the modem. This created a double NAT situation and the packets had to pass through the 15.x network (modem) then through to the 4.x network (internal). With all the proper ports forwarded through the modem and firewall the PBX would not work properly, one way audio, no inbound calls and other issues. I needed to eliminate one of the NATs and the best way to do this was to put the PBX outside of the firewall. This worked fine but the internal phones now had to go through the firewall to connect to the PBX and would not work (again a double NAT for the phones now, not the server). By placing a wire from the modem to the switch the internal phones could now see the PBX directly and have an outbound path through a single NAT. Believe me I worked on this for weeks and tried every scenario I could think of. This was the only way to make it work.

What kind of firewall are you using?
And I would not recommend putting your PBX before the firewall. From your DSL modem, go to the WAN port on your firewall, forward all your ports from the DSL modem to the firewall, then you control everything from the firewall.

I am using a Sophos XG firewall. I am not happy with the setup but it was the only way that worked. I had all ports forwarding from the modem to the firewall, no restrictions, no firewall on the modem. I opened the proper ports on the firewall to the PBX and it just could not traverse the double NAT properly despite all ports being allowed by the modem to the firewall. The issue is the packets are expected by the PBX to have a certain IP when they are transmitted or received. When the packets pass through a double NAT the IPs are changed in the header and the PBX thinks it is a bogus packet and drops them. Some people have been successful with a double NAT and FreePBX but not many and they probably had a different firewall that is not as strict as Sophos XG.

You are talking in generalities about an issue where details are critically important.

A NAT does not normally modify the payloads of any packets; of course it does modify addresses in the IP header (that’s what NAT is) and may modify port numbers in the UDP or TCP headers, so multiple LAN devices can share a single public IP.

Some NAT devices include a SIP ALG that does modify the SIP payload, which often causes trouble for Asterisk and other VoIP servers. There is generally a way to disable it; for example see https://community.sophos.com/kb/en-us/123523 . If not, it can usually be worked around, by using nonstandard port numbers or SIP over TCP or TLS.

Since you have it working, there is probably no reason to mess with it anymore. However, it’s IMO not a clean solution. If possible, I would have put the modem in bridge mode so that the Sophos could receive a public IP, or forwarded all required ports to the Sophos. Then, with proper configuration there, it should be possible to have the PBX, all phones and the computers on the same LAN.
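An added example, not part of the original post and not FreePBX or Sophos code: NAT rewrites the IP header, but the addresses a PBX writes into its SIP headers and SDP body travel in the payload, so this sketch audits a captured SIP message for RFC 1918 addresses and for an RTP port outside the UDP 10,000-20,000 range asked about earlier in the thread. The `192.168.4.10` address, the `trunk.example.invalid` host and the function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges: a remote SIP provider cannot send RTP to these.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RTP_PORTS = range(10000, 20001)   # UDP range mentioned in the thread
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: an INVITE as a PBX behind NAT might emit it.
SAMPLE_INVITE = (
    "INVITE sip:15550100@trunk.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.4.10:5060;branch=z9hG4bKconstructed\r\n"
    "Contact: <sip:pbx@192.168.4.10:5060>\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 192.168.4.10\r\n"
    "m=audio 14562 RTP/AVP 0\r\n"
)

def is_rfc1918(text):
    """True if text is an IPv4 address inside an RFC 1918 range."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)

def audit_sip(raw):
    """Return (field, value, reason) findings for one SIP message."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    findings = []
    for line in head.split("\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "contact"):
            for ip in IPV4.findall(value):
                if is_rfc1918(ip):
                    findings.append((name.strip(), ip, "private address in header"))
    for line in body.split("\n"):
        if line.startswith("c=IN IP4 "):         # where the peer must send RTP
            ip = line.split()[2]
            if is_rfc1918(ip):
                findings.append(("SDP c=", ip, "media address is private"))
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
            if port not in RTP_PORTS:
                findings.append(("SDP m=", str(port), "RTP port outside range"))
    return findings
```

A private address in the `c=` line means the far end is told to send audio somewhere it cannot reach, which shows up as missing audio even when every port is forwarded.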

Sorry for the generality on my last post. Yes, you are right Stewart, the payload is not modified because I have ALG turned off on the firewall (this didn’t help by the way). The IP header though is being modified with different IPs as it passes through the two NATs and in my opinion this is causing an issue with the PBX and/or the SIP provider (Sipstation). I did not try modifying the SIP ports; another idea was to set up a VPN between the two networks. Both of these might work but seemed more complicated than it was worth. The modem in this situation acts as a firewall as only the ports I specified are being forwarded to the PBX. I also have the FreePBX firewall on for additional protection. Regarding bridge mode, the modem doesn’t support it and the ISP will not let me use my own modem (Telstra in Australia). Again it is not a pretty solution but it now works and users on this site have a solution in case they run into a strange setup like this.