[SOLVED] Cannot register when connecting via a VLAN

BrianTullio · July 30, 2019, 10:30pm

I currently have a working system - FreePBX 12 and many Polycom IP phones.

Right now, everything is on the default VLAN 1 (192.168.1.x).

For testing purposes, I moved 1 phone to a different VLAN 12 (192.168.12.x). At this point, communication between VLAN 1 and 12 is wide open. There are no restrictions and everybody can communicate with everybody else.

When I boot the test phone on VLAN 12, it grabs the right IP address, it can connect to the provisioning server, grabs the correct settings, it gets the phone background, and it grabs the current time. The only thing it will not do is register the line.

I can ping the phone from VLAN 1 and even connect to the phones web interface. I hooked up a laptop on VLAN 12 and I can ping the FreePBX server and login to the admin interface.

I have 192.168.1.x and 192.168.12.x listed as local networks under Settings -> Asterisk SIP Settings -> General SIP Settings -> NAT Settings -> Local Networks

If I switch the phone back to VLAN 1, the line registers fine.

What am I missing?

PitzKey · July 30, 2019, 10:48pm

Might have got banned under intrusion detection.
If it is, whitelist 192.168.12.0/24 and restart the service.

If not, what do you see in the logs when it attempts to register?

BrianTullio · July 31, 2019, 11:49pm

Intrusion detection is currently turned off.

The log on the phone shows:
sip |4|03|Registration failed User: 100, Error Code:480 Temporarily not available

I looked at freepbx.log but didn’t see anything that looked useful. And nothing mentioning registration failure, or the specific extension or IP.

Is there another log I should be looking at?

PitzKey · August 1, 2019, 12:04am

/var/log/asterisk/full

Assuming the PBX firewall is disabled as well

BrianTullio · August 1, 2019, 3:14pm

I couldn’t find anything in the “full” log. Although, I am not sure exactly what I am looking for.

Does FreePBX 12 have a firewall? I couldn’t find it. Wasn’t it introduced in a later version?

PitzKey · August 1, 2019, 3:48pm

cd /var/log/asterisk

ll | grep full

Does that return anything?

No it does not.

BrianTullio · August 1, 2019, 4:59pm

Sorry, I wasn’t clear. I can access the full log, I just couldn’t find anything in there that looked useful.

I can see in the log an entry when I change from VLAN 1 to VLAN 12. “Peer ‘100’ is now UNREACHABLE! Last qualify: 14”

But after that, nothing about ext 100 or registration errors, etc.

PitzKey · August 1, 2019, 5:05pm

Then your phone isn’t reaching the PBX for some reason.

Can you put the Laptop on the VLAN 12 network again and run nmap against the PBX IP and see if the PBX responds on 5060?

You can also try to setup a softphone on your Laptop (X-lite and Zoiper are free) and try a manual registration.

BrianTullio · August 1, 2019, 5:40pm

Port 5060 (UDP) is open, but nmap lists it as “open|filtered”. The other TCP ports are just listed as “open”

PitzKey · August 1, 2019, 5:45pm

Can you register a softphone?

Monitor the full log while you do so.

BrianTullio · August 1, 2019, 6:10pm

I can register a softphone on VLAN 1, but not VLAN 12. I get Request Timeout code 408. But nothing shows in the full log during the registration attempt.

I feel like this “open|filtered” result in nmap has something to do with it.

I can SSH into the server from VLAN 12, I can telnet into the server on port 81.

I tried using PortQry to connect to UDP port 5060 and the result was also “Listening or Filtered”

PitzKey · August 1, 2019, 6:17pm

Double check if 192.168.12.0/24 exists in the Asterisk SIP Settings.

Next I would try two things:
In the extension set nat = Yes.
Try a Asterisk restart.

BrianTullio · August 1, 2019, 6:28pm

Double-checked 192.168.1.0/24 and 192.168.12.0/24 are both listed under Local Networks in the SIP Settings page.

Changed the extension to nat = yes

Restarted asterisk using amportal restart. During the restart, “Stopping fail2ban” failed and “Starting fail2ban” failed. But, asterisk started anyways.

Still can’t register from VLAN 12

PitzKey · August 1, 2019, 6:34pm

Correct me if I’m wrong, if the PBX would reject the registration you’d get a different error, not a 408.

So I assume there’s a routing misconfiguration on your network.

The next step would be to use Wireshark on your Laptop or tcpdump on the PBX. (Or if you have sngrep installed use that)

BrianTullio · August 2, 2019, 3:06pm

It’s solved.

The FreePBX server had iptables running and only listed the 192.168.1.0/24 network.

I added the 192.168.12.0/24 network with the following command and now everything connects fine.

iptables -I INPUT 2 -s 192.168.12.0/24 -j ACCEPT

As a note, when nmap says “open|filtered” this does NOT mean open. All it means is that it didn’t specifically get denied. It sent a request and nothing came back. So it’s assuming that it’s open. In this case, iptables was filtering the requests from anything other than the network listed.

The last rule in iptables was to DROP all non-matching port 5060 packets. If this rule was set to REJECT instead, nmap might of listed the port as “closed” instead of “open|filtered”. I would test this theory but I have already spent too much time on this anyways.

Hopefully this post helps somebody else out in the future.

system · August 9, 2019, 3:06pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.