OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: cwynd on April 24, 2017, 06:13:19 pm

Title: Difficulty getting VoIP - asterisk IAX2 working (17.1 production)
Post by: cwynd on April 24, 2017, 06:13:19 pm
Hi All, we cut over to OPNsense a few days ago, and everything is fine now, with one exception - asterisk IAX2.

Brief background: we have two asterisk servers, one inside OPNsense (LAN) and one outside, and we have full control of both ends. There is (should be) an IAX trunk between them, which was working fine for several years with the old pfSense box.

For starters I copied over the pfSense rules that were working, which were only:
NAT Port Forward
Interface: WAN
Proto: TCP/UDP
Source: outside-asterisk:4569
Dest: WAN-address:4569
NAT IP: inside-asterisk:4569

-with an autogenerated firewall inbound pass rule to match.

I have tried tweaking / adding to this rule many different ways with no progress. Here's the current 'state of play':

* Outbound calls work fine (inside ~> outside)
* Inbound calls ring until timeout on outside-asterisk with no evidence of any hit on inside-asterisk
* Inside-asterisk shows as registered with outside asterisk but with a high port #, not 4569
* Outside-asterisk shows inside-asterisk registered on same high port#

I am thinking that what is happening is that when a call comes in, outside-asterisk tries to contact inside on that same high port #, and is getting blocked at the firewall, since there is no NAT state (UDP) for it to key into. I don't have the old firewall still in the loop, but if I remember correctly the IAX2 traffic was not getting NATed on the way out, so it was all 4569 end-to-end.

Would really appreciate any hints or advice - or even ideas on what to try next. Thanks!!

Title: Re: Difficulty getting VoIP - asterisk IAX2 working (17.1 production)
Post by: bartjsmit on April 24, 2017, 06:15:59 pm
Have you tried a one-to-one NAT? Perhaps the source/destination IP change is confusing the external Asterisk.

Bart...

Title: Re: Difficulty getting VoIP - asterisk IAX2 working (17.1 production)
Post by: cwynd on April 24, 2017, 06:28:16 pm
Thanks for quick reply. I just tried that, and restarted asterisk at both ends. I am still seeing inside registered to outside on a high port # (which seems odd to me). So unfortunately it did not work. Both ends are static IPs btw.

cw

Title: Re: Difficulty getting VoIP - asterisk IAX2 working (17.1 production)
Post by: bartjsmit on April 24, 2017, 09:34:42 pm
Can you try editing your outbound NAT (needs to be set to manual) and tick 'static port'?

Bart...

Title: Re: Difficulty getting VoIP - asterisk IAX2 working (17.1 production)
Post by: cwynd on April 24, 2017, 11:25:02 pm
Thanks for responding, Bart. I'm afraid I ran out of time for working on this (after a couple more hours of trying numerous NAT settings including no NAT and static port). As well, this firewall is now running in production (maybe prematurely on my part!) so I cannot kill all the states, and try different things too much.

So I have dropped in a point-to-point tunnel (vtun) which solved my immediate problem right away. I was unable to get a NAT-based solution to work. Honestly I was surprised the pfSense config worked when I looked at it, but it did, so I did not explore why, obviously. I seem to remember seeing "somewhere on the internet" that pfSense had included some code tweaks to make VoIP work...

I know this is not an ideal solution, and when I have time I will try to investigate some more, but for now I've "fixed the problem" (to quote Office Space). Thanks again for your help.

As well, if there are any OPNsense users out there with VoIP running (either SIP or preferably IAX2) I would love to learn about working configs.

cw