OPNsense Forum
Archive => 21.7 Legacy Series => Topic started by: bringha on October 28, 2021, 10:21:09 am
-
Hi,
I am going to rebuild my OPNsense installation using
Draytek 167<-->Opnsense 21.7.4<-->(LAN) Gigaset GO Box 100; Provider is Telekom
No Fritz!Box, no sipproxd, the GO Box is directly connected to LAN. Everything is running so far, I implemented the outbound NAT rules (yes static ports is set ;), Portforwardings (UDP) SIP and (UDP) RTP, WAN and LAN Firewall rules.
When you configure the GO Box, you have to do this with the config wizard, select the Telekom profile and the Box is then configured. After that, the box registers and I can make calls, voice path OK. So far so good.
The problem is now that after some time (between 10 and 60 min.), the box loses registration and can be brought back to re-register only by deleting the complete connection setup and restarting the config wizard. Then the device works for 10-60 min again.
Searching through different forum contribs, I have optimized:
- setting firewall optimization to conservative (ie NAT refresh) and set it on the Box to 10 sec
- setting SIP refresh from the suggested Telekom value of 600 to 300 sec
- exactly use the configured SIP port range from the Telekom profile also in NAT/FW rules (5060-5076)
- Reset all states when IP address changes is set
Does someone perhaps have advice for me on what else to check?
Looking forward to any suggestions
Br br
-
I had this running for 2 years until we moved 2 days ago:
Draytek 130<-->Opnsense various releases<-->(LAN) Gigaset GO Box 100; Provider is Easybell
Worked out of the box, I did not set up special firewall rules or port forward.
-
I have similar setup, same GIGASET set and so forth but it is connected into a switch with Auto VOIP configured (VOIP VLAN & Native but shouldn't make any difference).
However, I remember a few initial problems with using the GIGASET wizard and ended up going to my VOIP provider (SIPGATE) and setting up with their recommended settings and NO STUN set. Give that a go, because I think the wizard doesn't complete the job properly.
-
Thanks for your reply
@pugs Did you also have NO FW rules/Nat set on Opnsense for your setup?
Br br
-
Thanks for your reply
@pugs Did you also have NO FW rules/Nat set on Opnsense for your setup?
Br br
Hi, nope, not until the other day, because sometimes a call would drop out. I now have an outbound NAT rule WAN\VOIP but am not convinced it is needed. I also changed some of the settings, as you rightly pointed out in your first post, in case it was timing out.
I do have VOIP on its own VLAN and nothing fancy in its FW rule set (allow ping\dns to lan, allow everything = !RFC1918 out)
-
So ....
Still no solution in sight >:( ::) ::) ::) Meanwhile I managed to expand the stable registration time to up to 4h; I managed to convince the bloody GO Box to
- register with enabled DNS SRV
- I put protocol hard to TCP
- I reduced the refresh rate for SIP to 18 sec
- I activated Auto-VOIP for the Phone port on my switch
- (... and many combinations ...)
No success; btw. could someone tell me what NAT refresh rate (in sec) results from setting firewall optimisation to conservative? Any further ideas?
Br br
-
The problem is now that after some time (between 10 and 60 min.), the box loses registration
did you manage to figure out why registration is lost at the beginning?
-
Nope - the box is not providing any speaking logs…
And capturing THE SIP packet which signs accountable with opnsense internal Traffic capturing I could not manage so far :'(
As ALL functions work properly during registration and the time until loss of registration varies widely (between 10 min. and 4h), I assume a timing issue with some random coincidence (NAT refresh, SIP refresh, ….) …. But in fact: no clue how and what…..
Br br
-
sorry, imho before trying to find ways to solve the problem, you need to find out what exactly the problem is (first registration loss).
Box starts sending requests to another server? Server is closing the connection? something else?
I don't know the intricacies of Telekom's work, I just heard that they may have specific requirements for DNS resolution and advise using only their DNS servers in the settings and the equipment should be able to work with DNS SRV records (I think that a gigaset shouldn't have any problems with the latter if it officially supports Telekom)
-
Sure -
so: I finally wiresharked now the SIP traffic between my most beloved Supplier Telekom and the device.
192.168.1.20 is my GO Box in the LAN. The 217.0. ... is the Telekom Server, the 148.251.... Server is the SIP server from the Gigaset.net service. The DNS-SRV requests all work fine and are properly answered from my configured DNS server. There are rather some peculiarities in the SIP conversation between the GO Box and Telekom SIP server:
After a one hr period of nice SIP REGISTER requests to the Telekom SIP server and related answers from there with Status 200 OK, all of a sudden I then get a fragmented UDP packet from the SIP server. The Box is then trying to do something with that, somehow reports status ringing but nothing rang; 140 sec later, the box sends a regular SIP REGISTER, followed by a SIP SUBSCRIBE which is answered with a 489 BAD EVENT. (As many of these subscribe requests before).
There are many of these 4 bytes data packets sent from the box to both SIP SP (Telekom and Gigaset); however, 330 sec after the last SIP register, the Box stops sending the 4 bytes packets to Telekom and only proceeds sending them to Gigaset, and shows on the display of the mobiles 'Anmeldung beim provider nicht möglich'. As these 330 sec are close to the SIP refresh interval of 300 sec, I assume that the Box, for whatever reason (fragmented UDP packet ?!), stops sending the Register requests ....
[EDIT]
:) A step further .... :)
I deactivated the Gigaset connection and now have only my main Telekom connection profile active. Longest stable registration connection since then (5h) ... Let's hope that this is the right step to the RC. To the Wireshark log: I have continued the packet capture and now it behaves like clockwork. Every 300 sec a new SIP register, every 20 sec the 4 bytes data packets which obviously serve as NAT refresh. Only the SIP SUBSCRIBE still gets a 489 consistently (however I have also not booked any network services ...)
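The timing check described in the post above, as an added example that is not part of the original thread: it takes a packet summary exported from a capture and reports, per SIP peer, which REGISTER or keepalive flows from the GO Box have gone silent. The rows are constructed to mirror the reported pattern, and the two peer addresses are placeholders because the real ones are elided in the post.

```python
from collections import defaultdict

GO_BOX = "192.168.1.20"                            # GO Box address from the post
TELEKOM, GIGASET = "192.0.2.10", "198.51.100.20"   # placeholders, real IPs are elided
EXPECTED = {"REGISTER": 300, "KEEPALIVE": 20}      # intervals reported in the post (sec)

def build_capture():
    """Constructed packet summary rows (time_s, src, dst, kind); not real capture data."""
    rows = [(t, GO_BOX, TELEKOM, "REGISTER") for t in range(0, 3601, 300)]
    rows += [(t, GO_BOX, TELEKOM, "KEEPALIVE") for t in range(10, 3931, 20)]
    rows += [(t, GO_BOX, GIGASET, "REGISTER") for t in range(0, 4801, 300)]
    rows += [(t, GO_BOX, GIGASET, "KEEPALIVE") for t in range(10, 4991, 20)]
    return sorted(rows)

def flow_report(rows, slack=30):
    """Per (destination, kind): last packet time, largest gap, silence at capture end."""
    times = defaultdict(list)
    for t, src, dst, kind in rows:
        if src == GO_BOX and kind in EXPECTED:
            times[(dst, kind)].append(t)
    capture_end = max(t for t, *_ in rows)
    report = {}
    for flow, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        silent = capture_end - ts[-1]
        report[flow] = {
            "last": ts[-1],
            "max_gap": max(gaps, default=0),
            "silent_for": silent,
            # stalled: nothing seen for longer than one interval plus slack
            "stalled": silent > EXPECTED[flow[1]] + slack,
        }
    return report

def stalled_flows(report):
    """Flows that stopped before the capture ended, sorted by peer and kind."""
    return sorted(flow for flow, r in report.items() if r["stalled"])

if __name__ == "__main__":
    rep = flow_report(build_capture())
    for flow in stalled_flows(rep):
        print(flow, rep[flow])
```

A stalled flow to one peer while the same kind of flow to the other peer continues points at the device or that provider's profile rather than at firewall state handling, which would affect both.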
-
A step further ....
it's funny ) please write whether stable work will continue
-
Hi there,
After about 7hr of stable connection to SIP I set this to solved.
Nevertheless I assume there might be a bug on the GO Box to be followed up with the supplier. According to the manual, there is no hint that such a parallel set of active connections should not be possible.
Even the fragmented UDP packet I mentioned above turned out to be normal, this is the format how information about an incoming call is signalled to the SIP port (from whom, branch id, tag of the caller is in the payload ...).
Family SLA has now a chance to recover ... (if it stays stable - fingers crossed ;D)
Thanks for all reading and comments to the issue, was not with Opnsense ...
BR br