OPNsense Forum
English Forums => General Discussion => Topic started by: enrico.cicconi@netgen.it on September 18, 2023, 05:34:12 pm
-
Hi to everibody and thanks to have accepted me.
I'm Enrico and after years with pfSense I've started to use OPNsense since last year, til now succesfully, I'm not a rookie but surely I'm even not an expert cause there are always something to learn.
This is the question, I've configured an OPNsense 23.7.1_3 with a failover dual wan and all goes correctly, if the primary gateway goes down the system switch on the secondary and all the client behind the FW can continue to works. The only problem is the one for which I'm writing here, I explain.
I've a Freepbx in the LAN of the firewall with a SIP trunk connected to our cloud platform, when the primary goes down, from it I can continue to ping outside, make updates and so on, the only things that doesn't go is the SIP Trunk so I've made some checks and with a packet capture I noted that the request to register that the PBX sends to its gateway (the OPNsense above) are still managed by the primary gateway WAN even if it is down and not by the one 'active' like the other traffic.
Which may be the problem ? I really don't understand why only the SIP packets follow this flow while the other not.
Thanks for your support
Enrico
-
Hi there,
Is the LAN of the PBX the same network as the lcientes network?
Rgds
-
Thanks for your reply,
I don't understand what you mean with lcientes network, could you please explain ??
-
If I understand you correctly:
SIP Trunk VLAN, say 101 uses 192.168.168.0/24 GW 192.168.168.1.
If that's the case then all should work with one question is that does the SIP trunk on the Internet know about the other ISP WAN IP?
-
Yes is correct,
the PBX is in the 192.168.68.0/24 Lan with is gateway (OPNsense dual wan with failover).
Why the trunk must know the second ISP Wan IP ?!? If you mean the provider server with which the trunk is connected it has no problem to accept us, otherwwise I can't understand.
Anyway I've made a test, same PBX, same LAN, same wan connection using a simple Mikrotik routerboard and all gone fine after a 5-6 step of configuration. When the primary wan fail the traffic (and the trunk too) route to the secondary and when it returns available all the traffic re route on it.
But I'd like to do it with OPNsense if possible.
Thanks
Enrico
-
Then this could be related to the firewall rules that is configured only for the WAN1 and not WAN2.
-
Thanks for your reply.
Could you please show me where I'm wrong making a misconfiguration of the firewall ? I ask only because only the SIP doesn't route to wan 2 til I restart the trunk and not return on wan 1 til I restart the trunk if the interface return functional. All the other kind of traffic route between the wan without problem.
In any case the trunk is managed by the PBX that knows only the internal IP of the gateway to which it sends the packets, the PBX not control which interface the Firewall uses to route the traffic to the endpoint.
Thanks again
Enrico
-
Let's try to work this out.
1st -- Are there any PC's on the same network/VLAN as the PBX. If yes, do they have any issues to get to the internet.
2nd -- Are the Firewall Rules for WAN interface exact as the WAN2 interface? (they should be for PBX at least)
3rd -- Are there any Port Forwarding for WAN and WAN2?
-
Hi, thanks again,
1. there are other system behind the OPN and none of them has problems.
2. yes, same rules for both the wan
3. yes, same rules for both the wan
-
can you put together a simple diagram about your OPNsense firewall for the network. you can use draw.io for that if you'd like
https://app.diagrams.net/
-
Here to you the diagram, hoping all will be simplified.
Thanks
Enrico
-
Thanks. Oh so after seeing the diagram and rereading the thread, it looks like the SIP trunk is a one time auth deal. which is why it does not work unless you restart the trunk. you can do a couple of things.
- you can set yout trunk to re-login every few seconds/minues
- use monit plugin and configure it so that once WAN1 fails, it would restart the SIP Trunk. ( this would require the SIP interface be connected to the OPNsense...)
you know this does not work if WAN2 was primary and if it failed, SIP would stop working on WAN1 with the same cause.
-
Thanks a lot for your time, I'll do tests next week !!!
Anyway it seems a workaround, better would be to understand why with OPNsense there's this kind of problem and with a simple Mikrotik routerboard not.
-
Mikrotik is a router. OPNsense has a stateful firewall and your SIP trunk state change will not allow to be processed unless you reregister.