I currently have a working system - FreePBX 12 and many Polycom IP phones.
Right now, everything is on the default VLAN 1 (192.168.1.x).
For testing purposes, I moved 1 phone to a different VLAN 12 (192.168.12.x). At this point, communication between VLAN 1 and 12 is wide open. There are no restrictions and everybody can communicate with everybody else.
When I boot the test phone on VLAN 12, it grabs the right IP address, it can connect to the provisioning server, grabs the correct settings, it gets the phone background, and it grabs the current time. The only thing it will not do is register the line.
I can ping the phone from VLAN 1 and even connect to the phone's web interface. I hooked up a laptop on VLAN 12 and I can ping the FreePBX server and log in to the admin interface.
I have 192.168.1.x and 192.168.12.x listed as local networks under Settings -> Asterisk SIP Settings -> General SIP Settings -> NAT Settings -> Local Networks
If I switch the phone back to VLAN 1, the line registers fine.
I can register a softphone on VLAN 1, but not VLAN 12. I get Request Timeout code 408. But nothing shows in the full log during the registration attempt.
I feel like this "open|filtered" result in nmap has something to do with it.
I can SSH into the server from VLAN 12, I can telnet into the server on port 81.
I tried using PortQry to connect to UDP port 5060 and the result was also "Listening or Filtered".
Double-checked 192.168.1.0/24 and 192.168.12.0/24 are both listed under Local Networks in the SIP Settings page.
Changed the extension to nat = yes
Restarted asterisk using amportal restart. During the restart, "Stopping fail2ban" failed and "Starting fail2ban" failed. But, asterisk started anyway.
The FreePBX server had iptables running and only listed the 192.168.1.0/24 network.
I added the 192.168.12.0/24 network with the following command and now everything connects fine.
iptables -I INPUT 2 -s 192.168.12.0/24 -j ACCEPT
As a note, when nmap says "open|filtered" this does NOT mean open. All it means is that it didn't specifically get denied. It sent a request and nothing came back, so it's assuming that it's open. In this case, iptables was filtering the requests from anything other than the network listed.
The last rule in iptables was to DROP all non-matching port 5060 packets. If this rule was set to REJECT instead, nmap might have listed the port as "closed" instead of "open|filtered". I would test this theory but I have already spent too much time on this anyway.
Hopefully this post helps somebody else out in the future.
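As an added illustration of the root cause described in this thread (this is example code, not anything from the original poster or from FreePBX), the script below replays the INPUT chain offline: it parses an iptables-save style dump, walks the rules in order for a packet from a given source address to udp/5060, and reports which rule decides the packet and what an unprivileged UDP scan would most likely show for that verdict (DROP gives no reply, so "open|filtered"; REJECT answers with ICMP port unreachable, so "closed"). The ruleset text is constructed to mirror the situation in the post (an ACCEPT for 192.168.1.0/24 only, followed by a DROP on udp/5060); only the -s, -p and --dport criteria are modelled, and rules that use other matches are reported and skipped rather than guessed at.

```python
"""Offline audit of an iptables INPUT chain for SIP reachability per subnet.

Added example, not from the original post. Models only -s, -p and --dport;
rules with other match options are flagged as unmodelled and skipped.
"""
import ipaddress
import re
import shlex

# Constructed iptables-save excerpt modelled on the thread (not the poster's real dump).
RULESET_BEFORE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j DROP
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_input_chain(text):
    """Return (policy, rules) for the INPUT chain, rules in evaluation order."""
    m = re.search(r"^:INPUT (\w+)", text, re.MULTILINE)
    policy = m.group(1) if m else "ACCEPT"
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A INPUT "):
            continue
        toks = shlex.split(line)[2:]  # drop "-A INPUT"
        rule = {"src": None, "proto": None, "dport": None,
                "target": None, "unmodelled": [], "text": line}
        i = 0
        while i < len(toks):
            t = toks[i]
            if t == "-s":
                rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
            elif t == "-p":
                rule["proto"] = toks[i + 1]
            elif t == "--dport":
                rule["dport"] = int(toks[i + 1])
            elif t == "-j":
                rule["target"] = toks[i + 1]
            elif t == "-m":
                pass  # match-extension loader such as "-m udp"; no criterion by itself
            elif t.startswith("-"):
                rule["unmodelled"].append(t)  # e.g. -i, --ctstate: not evaluated here
            i += 2 if t.startswith("-") else 1  # every option modelled takes one value
        rules.append(rule)
    return policy, rules


def verdict(policy, rules, src_ip, proto, dport):
    """First terminal rule that matches the packet, else the chain policy.

    Returns (target, rule_number); rule_number is None when the policy applied.
    """
    ip = ipaddress.ip_address(src_ip)
    for n, r in enumerate(rules, 1):
        if r["unmodelled"]:
            continue  # cannot evaluate this rule offline; treated as non-matching
        if r["src"] is not None and ip not in r["src"]:
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["target"] in TERMINAL:
            return r["target"], n
    return policy, None


def scanner_view(target):
    """Likely nmap -sU style result for a port behind the given verdict.

    DROP sends nothing back -> "open|filtered". REJECT (default ICMP port
    unreachable) -> "closed". ACCEPT depends on whether the service answers.
    """
    return {"DROP": "open|filtered", "REJECT": "closed"}.get(target, "open or open|filtered")


def insert_accept(rules, position, subnet):
    """Model `iptables -I INPUT <position> -s <subnet> -j ACCEPT` (1-based position)."""
    rule = {"src": ipaddress.ip_network(subnet, strict=False), "proto": None,
            "dport": None, "target": "ACCEPT", "unmodelled": [],
            "text": f"-A INPUT -s {subnet} -j ACCEPT"}
    new = list(rules)
    new.insert(position - 1, rule)
    return new


def audit(text, subnets, proto="udp", dport=5060):
    """Verdict for the first host of each subnet, as {subnet: target}."""
    policy, rules = parse_input_chain(text)
    out = {}
    for s in subnets:
        host = str(next(ipaddress.ip_network(s, strict=False).hosts()))
        out[s] = verdict(policy, rules, host, proto, dport)[0]
    return out


if __name__ == "__main__":
    policy, rules = parse_input_chain(RULESET_BEFORE)
    for r in rules:
        if r["unmodelled"]:
            print(f"skipped (unmodelled {r['unmodelled']}): {r['text']}")
    for sub in ("192.168.1.0/24", "192.168.12.0/24"):
        host = str(next(ipaddress.ip_network(sub).hosts()))
        t, n = verdict(policy, rules, host, "udp", 5060)
        print(f"{sub:>16}: {t} (rule {n}) -> scan shows {scanner_view(t)}")
    fixed = insert_accept(rules, 2, "192.168.12.0/24")
    t, n = verdict(policy, fixed, "192.168.12.10", "udp", 5060)
    print(f"after -I INPUT 2: 192.168.12.0/24 -> {t} (rule {n})")
```

Run against a real `iptables-save` dump, the useful check is the per-subnet audit: any VLAN whose phones should register but comes back DROP is exactly the symptom in this thread, and the unmodelled-rule report tells you which lines still need reading by hand.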