OPNsense Forum

Hello all,

I'm having a devil of the time trying to get my PBX to talk through the router. My belief is that the root cause is my lack of understanding NAT. Any help would be appreciated.

* PBX (10.10.20.20/24) is on the LAN network
* phone (10.10.20.30/24) is on the LAN network
* external/Internet SIP service provider (SIPstation) appears to see/talk to the PBX
* calls ring from my cell (outside network) to PBX phone (inside network)
* calls ring from PBX phone (inside network) to cell (outside network)
* no audio either way
* I've added NAT port forward; in this 11.22.33.44 is my WAN address
Interface  Proto    Address    Ports    Address             Ports             IP                     Ports    Description    
LAN    TCP    *             *            LAN address    80, 443              *                   *             Anti-Lockout Rule    
WAN    UDP    *             *           11.22.33.44    5060 - 5061       10.10.20.20      5060 - 5061    IncredPBX
WAN    UDP    *             *           11.22.33.44    10000 - 20000   10.10.20.20  10000 - 20000  IncredPBX


* doing that auto-added the Firewall Rules
Protocol    Source    Port    Destination    Port    Gateway    Schedule    Description    
IPv4 UDP    *    *    10.10.20.20    5060 - 5061       *         *    IncredPBX 1.1    
IPv4 UDP    *    *    10.10.20.200    10000 - 20000    *         *    IncredPBX 1.2


* I've read some that suggest set NAT Outbound to Hybrid then build a manual rule; I built this but I'm not sure it's valid
- Destination = SIPstation which is an alias to trunk.freepbx.com + trunk1.freepbx.com + trunk2.freepbx.com
- Destination Port = SIPports which is an alias to UDP 5060:5061 + UDP 10000:20000
Interface   Source    Source Port  Destination  Destination Port       NAT Address  NAT Port  Static Port  Description    
WAN     LAN net    udp/ *    SIPstation     udp/ SIPports    Interface address    *      NO        IncredPBX

I've tried a number of variations - FreePBX vs Incredible PBX and pfSense vs OPNsense. Since the end result is always the same (calls ring+pick but no audio), I figure it has to be me.

I also found these instructions in pfSense docs


Manual Outbound NAT

For Manual Outbound NAT, navigate to Firewall > NAT, Outbound tab, switch from Automatic Outbound NAT to Manual Outbound NAT and press Save. Then at the top of the list, create a rule that looks like so:

*    Interface: WAN
*    Protocol: UDP
*    Source: Network, PBX
*    Source Port: [blank]
*    Destination: Network, SIP_Trunks – Or Any for the type if the SIP trunk IP addresses are not known
*    Destination Port: PBX_Ports (or leave blank)
*    Translation: Interface address if using the WAN IP address, or the external VIP for the PBX
*    Port: [blank]
*    Static Port: CHECKED

Which I interpreted this way

Interface   Source    Source Port   Destination   Destination Port   NAT Address   NAT Port   Static Port  Description    
WAN     10.10.20.20/24  udp/ *    *               udp/ *                   11.22.33.44    *              YES    IncredPBX 1.4 

And I've set

Firewall> Settings> Advanced> Firewall Optimization to Conservative

What router do you have in front of your Opnsense?

Thanks, but no other router. My OPNsense connects to my cable modem.

Here's my working setup...

* I'm running Incredible PBX on a Raspberry Pi4
* I use SIPstation as my SIP provider
* I have an OPNsense router
* I have a static WAN (public) IP
* these are the settings for OPNsense and Incredible PBX

In OPNsense
NAT> Port Forward
* this auto-creates the Firewall> Rules entries
* IncredPBX is an OPNsense Alias pointing to my PBX which uses a static LAN IP

                                Source    Destination                  NAT    
Interface   Proto    Address    Ports    Address          Ports          IP                 Ports             Description    
LAN    TCP    *            *        LAN address     80, 443          *                 *                Anti-Lockout Rule    
WAN    UDP    *            *        WAN address    5060 - 5061     IncredPBX     5060 - 5061   IncredPBX 1.1    
WAN    UDP    *            *       WAN address    10000 - 20000  IncredPBX     10000 - 20000    IncredPBX 1.2


NAT> Outbound
* set to Hybrid then add the following rule
* the rule could probably be tightened up a bit

                                Source                       Destination      NAT                 NAT      Static       
Interface  Source     Port      Destination      Port              Address            Port      Port       Description    
WAN    LAN net      *                *                    *              WAN address     *         YES       IncredPBX 1.4



In Incredible PBX
Settings> Asterisk SIP Settings> Nat Settings
* make sure your External Address is accurate
* make sure your Local Networks is accurate

Connectivity> SIPstation
* obviously only if your are using SIPstation
* make sure your Primary SIPstation Server is talking, at times you may need to refresh
* make sure your Secondary SIPstation Server
* test External Connectivity
** the Firewall Status will Fail; lots of reason for this - you are not using FreePBX's firewall/you're using OPNsense/your PBX is not directly on the Internet>>> don't worry about it
** External IP should be accurate



The fix was one of those FM (fricking magic) fixes. It just started working. The real fix was one or more of these...
* I was making changes one at at time but not resetting my States
* my Outbound Static Port = Yes was one of my last changes
* Asterisk SIP Settings> NAT was not accurate there although the SIPstation said things were good