PBXinaFlash on eth0 w/ 172.24.10.0/23 (255.255.254.0) ==> NET1
Endpoint/Phones on 172.30.50.0/22 (255.255.252.0) ==> NET2
PROBLEM SUMMARY:
Unable to Connect to PBX when Endpoint/phone is on a separate subnet.
PROBLEM:
If the endpoint/phone is on the same subnet as the PBX itself, I can
successfully connect; however, if the endpoint is on a separate subnet,
the connection attempt fails (X-Lite error log included below).
Verified:
- Endpoint/PCs on NET2 can successfully ping, traceroute, access FreePBX
- For troubleshooting purposes, the IPTABLES/firewall was disabled
- Under FreePBX Web => Extensions =>
* deny field set to the default: 0.0.0.0/0.0.0.0
* allow field set to the default 172.24.10.0/255.255.255.0
I had also tried several permutations for the value of the above two
fields, e.g.:
* deny=, allow=0.0.0.0/0.0.0.0
* deny=0.0.0.0/0.0.0.0 allow=172.30.50.0/255.255.252.0
* deny=0.0.0.0/0.0.0.0 allow=172.30.50.0/255.255.255.0
- The User account/credentials are verified/correct by looking at the
password/secret for the given extension.
ERROR LOG (X-LITE V4):
=> "SIP registration failed; reason: 'SipError'; SIP error-code: 403; error-phrase: 'Forbidden (Bad auth)'"|psi::AccountImpl::OnRegistrationStatusChanged
Any help/guidance would be greatly appreciated.
- The externhost is verified & correct. That is, the FQDN specified in the
Externhost field resolves to the correct IP.
- There is no ALG between the two subnets.
- A Layer-3 switch exists between the two subnets for inter VLAN routing.
- No Firewall exists (at present) between the two subnets (other than the one
installed on the PinaF itself during installation). For testing purposes,
I had even disabled iptables on the PBX server. But no go.
How can I enable detailed debugging logs to see what’s happening (something more than the SIP 403)?
Note, if I put a laptop w/ X-Lite on the same subnet as the PBX – I can successfully login & make/receive calls. In this scenario, I do not get any auth/403 errors. It’s only when I move the sipclient/laptop to another subnet I get auth errors.
This is caused by NAT between the subnets. If you have an externip defined, make sure you create another localnet statement for the adjacent private network.
As per suggestion, I added the localnets information from FreePBX GUI (Submitted & Applied Changes). However, still no go. That is, I am not able to connect to the PBX across subnet.
One interesting observation was that even though I made changes through the FreePBX->Tools->Asterisk SIP Settings, it doesn’t look like the underlying file: /etc/asterisk/sip.conf got changed with the localnet entries. I’m guessing that localnet entries are saved some place else as the FreePBX GUI does show the added localnets; it’s just the sip.conf file that doesn’t have the localnet entries.
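An added example, not part of the thread: a small Python check of which of the deny/allow pairs listed in the first post would admit a phone by source address, so the extension ACL can be ruled in or out separately from the NAT/localnet question. It assumes the two fields are applied as ordered rules (deny, then allow) with the last matching rule deciding; the two phone addresses are constructed samples.

```python
import ipaddress

def parse_rule(value):
    """Parse an 'addr/mask' field value; an empty field means no rule."""
    value = value.strip()
    if not value:
        return None
    # strict=False masks off host bits (172.30.50.0/255.255.252.0 -> 172.30.48.0/22)
    return ipaddress.ip_network(value, strict=False)

def acl_allows(addr, deny, allow):
    """Assumed model: deny is applied first, then allow; the last rule that
    matches decides, and an address that matches no rule is allowed."""
    ip = ipaddress.ip_address(addr)
    allowed = True
    for sense, value in ((False, deny), (True, allow)):
        net = parse_rule(value)
        if net is not None and ip in net:
            allowed = sense
    return allowed

# Constructed sample phone addresses, one in each subnet from the post.
NET1_PHONE = "172.24.10.25"
NET2_PHONE = "172.30.50.25"

# (deny, allow) pairs as listed in the post: the default, then the three tried.
SETTINGS = [
    ("0.0.0.0/0.0.0.0", "172.24.10.0/255.255.255.0"),
    ("", "0.0.0.0/0.0.0.0"),
    ("0.0.0.0/0.0.0.0", "172.30.50.0/255.255.252.0"),
    ("0.0.0.0/0.0.0.0", "172.30.50.0/255.255.255.0"),
]

def report():
    """Return (deny, allow, NET1 admitted?, NET2 admitted?) for each pair."""
    return [(d, a, acl_allows(NET1_PHONE, d, a), acl_allows(NET2_PHONE, d, a))
            for d, a in SETTINGS]

if __name__ == "__main__":
    for deny, allow, net1_ok, net2_ok in report():
        print(f"deny={deny or '-':<17} allow={allow:<27} NET1={net1_ok} NET2={net2_ok}")
```

Under this model, the default pair is the only one of the four that refuses the NET2 sample address.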