All the phones worked without a hitch, but now I have some people working remotely, so I placed the FreePBX server on the DMZ and enabled the firewall. I modified the SIP settings in the phone with the public IP address on the router where the server is and set the phone for NAT. SIP connects just fine, and the phones ring in and out, but there is no audio either way.
I did some troubleshooting and for some reason, RTP keeps trying to connect to the SPA942 on its private IP address in the satellite office. SIP routes fine, but RTP doesn't. Any suggestions?
The SIPSTATION firewall test fails. I can see the phone on the correct IP address in the endpoint manager. This phone used to be on the inside with the others; it's now on a completely different network. The inside network is 192.168.1.x and the phone is on 192.168.254.x.
The phones are set for chan_SIP, but in the chan_sip settings it says it's working on port 5160 even though the phones are at 5060 (in the office). But I put this phone on 5160, which is the way the system provisioned it.
Quite strange. Be aware that you may open extensions and your PBX to the world.
If using chan_sip (5160), the phones register for such a long time, until the other one registers. Therefore the registered phones change e.g. every 300 secs.
You should use pjsip for the respective extension and increase the number of possible phones/connects from 1 to, let's say, 3. I usually set 5 during the corona home-office situation. Latest registrations are usually not cleared immediately. It takes some minutes until max contacts is free again. Set allowed IP ranges in the extension settings to reduce the risk of hacking a little bit. However, a better solution may be:
Allow home users a VPN connection to the router, which is in front of your PBX, and define IP ranges the home user can get once connected via VPN. And leave your PBX behind the router's firewall and not in the demilitarized section. So external users come in like internal users.
The VPN connection should be configured between the home user's router and your office router. So you do not need to make specific settings on the physical phone. Just plug it in, and the routers will handle the connection. PJSIP on 5060 is better since more than one phone can register at the same time.
VPN isn't an option. I don't have control over their routers/modems and some of them don't have the VPN capability. I'm on Frontier and the modem they gave me doesn't have VPN. I don't know how well the firewall in FreePBX works, but I've been using a couple of publicly hosted machines without an issue.
I've never had any luck with PJSIP, but I'll give that a try.
Same issue with PJSIP. No audio. This has to be a routing issue, but I can't find any setting where RTP doesn't follow the same route that SIP follows. I turned on RTP debug. I can see it routing all the RTP traffic to the private IP address of the phone, but there's no path without a VPN. It should be going to the public IP address of the remote phone so NAT translation can take place, but it isn't.
It confuses me why one port goes one way and the other port goes another.
If the phone isn't properly set up for NAT, or can't be, Asterisk will not be able to send media to it until it has received media from it, and even then, for that to work, symmetric_rtp must be enabled. Asterisk will, initially, obey the standards, and send media to the address in the c= line in the SDP. Only with the conditions above will it violate the standards and use the address from which it is receiving media.
Note if Asterisk is behind NAT and its media address and local networks are not properly set, you will end up with a stalemate, even if the other side has the equivalent of symmetric RTP enabled. One side has to send a usable address in its c= line for media to work when both are behind different NATs (ignoring the possibility of using ICE).
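As an added illustration of the point above (example code written for this thread, not from the original posts or from Asterisk): a small Python check that pulls the Via, Contact and SDP c= addresses out of a captured INVITE and flags those in RFC 1918 ranges, which is exactly the condition under which Asterisk obeys the SDP and sends RTP to an address it cannot reach. The INVITE below is constructed and its addresses are placeholders in the style the thread suggests (private-phone-ip, public-asterisk-ip).

```python
import ipaddress
import re

# Constructed sample INVITE (not a capture from the thread). Placeholders:
# 192.168.254.20 = private-phone-ip, 203.0.113.10 = public-asterisk-ip.
SAMPLE_INVITE = """INVITE sip:102@203.0.113.10 SIP/2.0
Via: SIP/2.0/UDP 192.168.254.20:5060;branch=z9hG4bK776asdhds
Contact: <sip:102@192.168.254.20:5060>
Content-Type: application/sdp

v=0
o=- 12345 12345 IN IP4 192.168.254.20
s=-
c=IN IP4 192.168.254.20
t=0 0
m=audio 16384 RTP/AVP 0 8
"""

# RFC 1918 only: ipaddress.is_private would also flag the documentation
# ranges used for the placeholders above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Signalling addresses (Via, Contact) and the media address (SDP c= line).
FIELDS = {
    "via": re.compile(r"^Via: SIP/2\.0/\w+ ([^:;\s]+)", re.M),
    "contact": re.compile(r"^Contact: .*?sip:(?:[^@>]*@)?([^:;>\s]+)", re.M),
    "sdp_c": re.compile(r"^c=IN IP4 (\S+)", re.M),
}

def is_rfc1918(addr):
    """True if addr falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def extract_addresses(message):
    """Map field name -> address for each field present in the SIP message."""
    found = {}
    for name, pattern in FIELDS.items():
        m = pattern.search(message)
        if m:
            found[name] = m.group(1)
    return found

def private_fields(message):
    """Names of fields advertising a private address. A private sdp_c means
    Asterisk, following the SDP, sends RTP somewhere it cannot reach."""
    return [n for n, a in extract_addresses(message).items() if is_rfc1918(a)]
```

Run it over the INVITE, 200 OK and ACK from a failing call; a private address in sdp_c on either side is the media stalemate described above, while private Via/Contact values point at the signalling side also lacking NAT handling.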
I'm using a STUN server on both the server and the phone. NAT is enabled on both ends and symmetric RTP is enabled on the phone. RTP traffic continues to be routed to the private IP address of the phone. I'm using the public Google STUN server.
Actually it is best if you provide the complete INVITE, 200 OK and ACK message, as you may be getting away with private addresses for more than just the media. You can replace the addresses with public-phone-ip, private-phone-ip, public-asterisk-ip, and private-asterisk-ip.
As @david55 said. Until you can upgrade to at least Asterisk 16, I don't recommend switching to pjsip, unless we discover a specific problem where it might help.
Please confirm that in Asterisk SIP Settings (General tab), External Address and Local Networks are correctly set. Media Transport Settings should all be blank. On the chan_sip tab, you should have NAT set to yes, IP Configuration set to Static IP, Override External IP left blank. If you change any of these, after Submit and Apply Config you must restart Asterisk.
In the router on the server side, forward UDP ports 10000-20000 to the LAN address of the PBX.
If no luck, at the Asterisk command prompt, type sip set debug on, make a failing test call, paste the Asterisk log for the call at pastebin.freepbx.org and post the link here. If you are too new to post links, just post the last eight hex characters of the URL.
Actually, I'm only halfway there. I was able to dial into voicemail, which I couldn't do before, but trying to call an outside line, I still couldn't hear audio either way. Still troubleshooting.
I set everything up as you suggested. I haven't looked at the RTP debug info since the phones started working between extensions and to voicemail. Here's my SIP log.
The remote extension is 102. I dumped everything to a file during the test so there's other activity in the log.
Ok. So, either no one knows what's going on with my routing issue or I said something to make everyone think I fixed it... Not sure which, but I can see this is a dead thread.
As I continue to update this job, I have updated my FreePBX server to 16:
PBX Version:16.0.19
PBX Distro:12.7.8-2204-1.sng7
Asterisk Version:13.38.3
With no change in operation. I converted my one extension to PJSIP. I even deleted the extension and re-added it, which required the newly generated password to be saved in the phone, and the phone connects. I can call voicemail and I can call other extensions in the office, but I can't get any audio when I'm making calls to public numbers. No inbound audio and no outbound audio, but the phone I'm dialing does ring.
The only thing I thought was odd, but I don't know what's going on anyway, is when the phone I'm calling answers (I'm letting it go to voicemail so I can see if there is any outbound audio), the FreePBX server takes over the line and creates a bridge?? from the phone number on the FreePBX server to the number I called. I assume that's normal, but this is what I get using sngrep,
Those IP addresses aren't associated with my phone or with FreePBX at all. I don't know where they came from. They aren't my private IP address and they aren't my public addresses on the server or my phone.
I figured it out. My router in DMZ mode was not properly NAT'ing traffic. When I turned off DMZ and used port forwarding, the phones worked to make calls to outside numbers and inside numbers.
My intent was to make the server available to phones on the public internet. I've been using this system for about 6 years, but all the phones were on the local network with the server. I didn't want to expose 5060 to the outside world because of hackers, but now I needed to.
So, that port forwarding worked for the phones on the inside, but, following recommendations in FreePBX's firewall instructions, I put the server in the DMZ thinking all the forwarding would be taken care of. That isn't what happened. All of this would have been avoided if I had just added 5060 to port forwarding.
I'm not sure how this will affect other things I set up. For example, I'm pretty sure my Let's Encrypt updates will fail because port 80 is not exposed, and of course I can no longer administer the server from outside because 443 isn't exposed, and provisioning won't work now either (even though the phone never provisioned from the server from the outside). Since I have the phone with me, I was able to provision it manually, which isn't always an easy task.
I hope that answers your question.
On second reading, I see that you recommended that. I didn't do that because my server was on a DMZ; what purpose would port forwarding serve? Does port forwarding work even if the server is on the DMZ? I never thought of that.
99.9% of all "hacks" are directed at UDP/5060. There are 100 reasons NOT to use that for registrations and invites and pretty well 0 FOR using it.
Using HTTP-01 as the protocol for LE requires exposure, but only for a few seconds every 60 days, and that to a relatively easily protected URL. Switching to DNS-01, if feasible, requires no exposure of port 80 ever.
Given a proper certificate, port 443 is relatively protected, but a few firewall rules can protect it further.
Given that certificate, switching to TLS/5061 is recommended for your external endpoints; failing that, using TCP/(random unused port in the high thousands) will further limit access.