Sip phones cant connect to freepbx when phones behind nat

Hi,

I have a case where i have a double nat. I know your not supposed to do that but i have no way around it in this case because one company is behind one nat and the other 2 companies are behind another nat.
I have control of the entire network.

We cant really change the structure of the network because there are 3 company’s involve here and each wants to be behind its own network.

networklayout

So Router2 wants a freepbx system and as you can see by my little diagram they would be behind 2 nats.
If i have their freepbx system behind router2 then I can received calls but cant place calls. If i switch to iax instead of sip trunk then i can place calls but not receive.

I also tried placing the freepbx behind 192.168.4.0/24 but the sip phones cant reach freepbx then. the freepbx system is not double nated then but the sip phones cant reach the freepbx system.
Any help? Thank you in advance.

Maybe you can utilize Sangoma phones and the built in VPN?

The problem is that the phones are already purchased so i might not be able to convince them to buy new ones. But thats good to know.

Another option if your Microtik supports it would be to consider a vlan for your voip traffic: https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN

With the PBX on 192.168.4.x (behind Router1), you can configure it as if it’s on a ‘public IP’ whose address is 192.168.4.x, and set nat=yes for all extensions. You need to be careful that the NAT associations in Router2 are not lost (using NAT keepalive in the phones and/or qualify=yes in the PBX). Your trunking provider choices will be limited to those that do server-side NAT traversal and proxy media, i.e. those that a phone could register to without special settings. I don’t recommend this option unless you run into a show stopper on the other.

With the PBX behind Router2 on 192.168.2.x, configured as behind NAT with the actual public IP of Router1, and with the RTP and SIP ports forwarded across both Router1 and Router2, the system should be fully functional. (For security, the SIP forwarding can be limited to the addresses of trunking providers, or as desired.) If you have no administrative control over one or both routers, it should still be possible to make it work, though your trunking provider selection will be limited as above, and trunk-to-trunk connections (e.g. follow-me to mobile phones) will require some special tweaks.

I recommend starting by troubleshooting why outbound calls fail in your first setup. Please post:
Using pjsip or chan_sip?
ISP?
Trunk provider?
SIP phone type?
Does called phone ring? If so, is there audio in either direction? If not, what error, if any, is reported?
Does Router1 have a public IP on its WAN interface? If not, please explain.
Also, post a (suitably redacted) SIP trace of a failing call.

reconwireless,
I will look into that. thanks.

Stewart1,
chan_sip
trunk voip.ms
Yealink T46S
Router1\Mikrotik has its on Static Public IP on its own wan interface, from Rogers fibre.

With PBX behind Router2 with chan_sip incoming calls works fine both ways, but cannot make outbound calls.
If you attempt to place a call “all circuits are busy now please try your call again later.”

Let me know if i can give you anything else that might help in trouble shooting.

Router2 is a TP-Link Router

Chan_Sip Registry status for that trunk says “Registered”
Chan_Sip Peers for that trunk says: “Unreachable”

[2018-05-26 16:05:38] WARNING[18177][C-00000012] app_dial.c: Unable to create channel of type 'SIP' (cause 20 - Subscriber absent)
[2018-05-26 16:05:38] VERBOSE[18177][C-00000012] app_dial.c: Everyone is busy/congested at this time (1:0/0/1)
[2018-05-26 16:05:38] VERBOSE[18177][C-00000012] pbx.c: Executing [[email protected]:25] NoOp("SIP/333-00000035", "Dial failed for some reason with DIALSTATUS = CHANUNAVAIL and HANGUPCAUSE = 20") in new stack
[2018-05-26 16:05:38] VERBOSE[18177][C-00000012] pbx.c: Executing [[email protected]:26] GotoIf("SIP/333-00000035", "1?continue,1:s-CHANUNAVAIL,1") in new stack
[2018-05-26 16:05:38] VERBOSE[18177][C-00000012] pbx_builtins.c: Goto (macro-dialout-trunk,continue,1)
[2018-05-26 16:05:38] VERBOSE[18177][C-00000012] pbx.c: Executing [[email protected]:1] NoOp("SIP/333-00000035", "TRUNK Dial failed due to CHANUNAVAIL HANGUPCAUSE: 20 - failing through to other trunks") in new stack
[2018-05-26 16:05:38] VERBOSE[18177][C-00000012] pbx.c: Executing [[email protected]:2] ExecIf("SIP/333-00000035", "1?Set(CALLERID(number)=333)") in new stack
[2018-05-26 16:05:38] VERBOSE[18177][C-00000012] pbx.c: Executing [[email protected]:7] Macro("SIP/333-00000035", "outisbusy,") in new stack
[2018-05-26 16:05:38] VERBOSE[18177][C-00000012] pbx.c: Executing [[email protected]:1] Progress("SIP/333-00000035", "") in new stack
[2018-05-26 16:05:38] VERBOSE[18177][C-00000012] pbx.c: Executing [[email protected]:2] GotoIf("SIP/333-00000035", "0?emergency,1") in new stack
[2018-05-26 16:05:38] VERBOSE[18177][C-00000012] pbx.c: Executing [[email protected]:3] GotoIf("SIP/333-00000035", "0?intracompany,1") in new stack
[2018-05-26 16:05:38] VERBOSE[18177][C-00000012] pbx.c: Executing [[email protected]:4] Playback("SIP/333-00000035", "all-circuits-busy-now&please-try-call-later, noanswer") in new stack
[2018-05-26 16:05:38] VERBOSE[18177][C-00000012] file.c: <SIP/333-00000035> Playing 'all-circuits-busy-now.ulaw' (language 'en')
[2018-05-26 16:05:40] VERBOSE[18177][C-00000012] file.c: <SIP/333-00000035> Playing 'please-try-call-later.ulaw' (language 'en')
[2018-05-26 16:05:42] VERBOSE[18177][C-00000012] pbx.c: Executing [[email protected]:5] Congestion("SIP/333-00000035", "20") in new stack
[2018-05-26 16:05:42] WARNING[18177][C-00000012] channel.c: Prodding channel 'SIP/333-00000035' failed
[2018-05-26 16:05:42] VERBOSE[18177][C-00000012] app_macro.c: Spawn extension (macro-outisbusy, s, 5) exited non-zero on 'SIP/333-00000035' in macro 'outisbusy'
[2018-05-26 16:05:42] VERBOSE[18177][C-00000012] pbx.c: Spawn extension (from-internal, 5191239999, 7) exited non-zero on 'SIP/333-00000035'
[2018-05-26 16:05:42] VERBOSE[18177][C-00000012] pbx.c: Executing [[email protected]:1] Macro("SIP/333-00000035", "hangupcall") in new stack
[2018-05-26 16:05:42] VERBOSE[18177][C-00000012] pbx.c: Executing [[email protected]:1] GotoIf("SIP/333-00000035", "1?theend") in new stack
[2018-05-26 16:05:42] VERBOSE[18177][C-00000012] pbx_builtins.c: Goto (macro-hangupcall,s,3)
[2018-05-26 16:05:42] VERBOSE[18177][C-00000012] pbx.c: Executing [[email protected]:3] ExecIf("SIP/333-00000035", "0?Set(CDR(recordingfile)=)") in new stack
[2018-05-26 16:05:42] VERBOSE[18177][C-00000012] pbx.c: Executing [[email protected]:4] NoOp("SIP/333-00000035", " monior file= ") in new stack
[2018-05-26 16:05:42] VERBOSE[18177][C-00000012] pbx.c: Executing [[email protected]:5] AGI("SIP/333-00000035", "attendedtransfer-rec-restart.php,,") in new stack
[2018-05-26 16:05:42] VERBOSE[18177][C-00000012] res_agi.c: Launched AGI Script /var/lib/asterisk/agi-bin/attendedtransfer-rec-restart.php
[2018-05-26 16:05:42] VERBOSE[18177][C-00000012] res_agi.c: <SIP/333-00000035>AGI Script attendedtransfer-rec-restart.php completed, returning 0
[2018-05-26 16:05:42] VERBOSE[18177][C-00000012] pbx.c: Executing [[email protected]:6] Hangup("SIP/333-00000035", "") in new stack
[2018-05-26 16:05:42] VERBOSE[18177][C-00000012] app_macro.c: Spawn extension (macro-hangupcall, s, 6) exited non-zero on 'SIP/333-00000035' in macro 'hangupcall'
[2018-05-26 16:05:42] VERBOSE[18177][C-00000012] pbx.c: Spawn extension (from-internal, h, 1) exited non-zero on 'SIP/333-00000035'

To see the SIP dialog, at the Asterisk command prompt type
sip set debug on
then retry a failing call. The outbound INVITE and subsequent replies will appear in the Asterisk log, interspersed with the normal logging entries. Depending on what we see, there are several options:

The TP-Link router may have SIP ALG setting that you can disable.

VoIP.ms offers connections on alternate ports, which could be a workaround for any unwanted SIP logic in the routers; see https://wiki.voip.ms/article/FAQ#Do_you_offer_alternative_ports_besides_5060.3F . There is also a NAT setting that you can try both ways: https://wiki.voip.ms/article/Account_Settings .

Though I hope we don’t have to resort to it, the Yealink phone supports OpenVPN.

So it finally works! I’m not quite sure what fixed it but i think it was a firewall rule on my mikrotik router. Several months ago i was having alot of problems getting voip.ms trunks to register properly and tried everything under the sun and eventually it just worked and one of the things i did was forward 5060 to the internet ip address of the pbx system with a problem. It did not cause any trouble with my other pbx system so i did not give it any thought.

I disabled that nat rule and now i have a pbx system working just fine behind double nat!

Thank you for your help!

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.