Messages

1

24.7 Production Series / Re: VOIP on Fritzbox behind OPNSense not working

« on: September 08, 2024, 06:48:51 pm »

I understand.

Did you try to add another Internet telephone number with the tel.voip.inexio.net SIP address? That's what I recommend. It seems, that the sip.inexio.net is no longer working.

2

24.7 Production Series / Re: VOIP on Fritzbox behind OPNSense not working

« on: September 08, 2024, 06:20:15 pm »

@all. It's working again. 

I set up two new telefone numbers in the Fritzbox and it was crucial, that the options "use phone number for login" was activated and that the "Transport protocol" was set to Automatic and not to TCP.

@Peter68: Since the SIP address sip.inexio.net is no longer valid, I recommend you to do the same. You can check the settings I mentioned above and for everything else it should be straight forward. If you have questions feel free to ask.

Don't forget to check your "telephones" concerning incoming and outgoing telephone number.

3

24.7 Production Series / Re: VOIP on Fritzbox behind OPNSense not working

« on: September 08, 2024, 01:30:39 pm »

Yes I have that option activated.

I changed the option "Transport Protocol" from TCP to automatic and now the fritzbox can successfully register the numbers with the tel.voip.inexio.net sip.

Since all my people at home are sleeping at the moment, I will try later and report back.

4

24.7 Production Series / Re: VOIP on Fritzbox behind OPNSense not working

« on: September 08, 2024, 01:02:34 pm »

Yes, I'm aware of that how GeoIP works.

Where would you recommend to look at SIP registrations?

I have interesting news:

I made tests with the software PhonerLite. I setup two profiles, one with sip.inexio.net as registrar and one with tel.voip.inexio.net as registrat. The first one was used from the ISP to first setup the fritzbox we got from them and the second one I got from Inexio some days ago.

Interestingly, for the profile with tel.voip.inexio.net, both calls work fine, incoming and outgoing calls.

But for sip.inexio.net only outgoing calls work.
In the annex you can find parts of the debug log of PhonerLite. Can you tell something about them?

5

24.7 Production Series / Re: VOIP on Fritzbox behind OPNSense not working

« on: September 08, 2024, 12:27:00 pm »

I tried the existing rules with the "Pass" option but that did not solve the problem, unfortunately.

The Outbound NAT rule I have.

Geoblocking is no issue, since the SIP Server is located in Germany and in OPNSense I block traffic from outside Germany. So that should not be an issue.

6

24.7 Production Series / Re: VOIP on Fritzbox behind OPNSense not working

« on: September 08, 2024, 12:01:35 am »

I assumed, that the OPNSense causes the problems.

Thank you for the screenshots.
Can you also make a screenshot of what you have under "advanced settings"? Its at the lower end of your settings. Thank you.

7

24.7 Production Series / Re: VOIP on Fritzbox behind OPNSense not working

« on: September 06, 2024, 04:58:05 pm »

@Peter68: Can you post a screenshot of your settings of your telephone number? If you go into the WebGUI of the Fritzbox to "Telephone", "Own Numbers" and click on the pen beside your telephone number. That would be interesting. I can't register our numbers with the new sip address, so your settings would be interesting.

8

24.7 Production Series / Re: VOIP on Fritzbox behind OPNSense not working

« on: September 03, 2024, 09:51:38 pm »

@Peter68 Thank you for your reply and thank god, that I'm not the only one with this issue.

I was told by a Inexio technician, that the Registrar address changed to tel.voip.inexio.net.

Here's the most interesting part of the last answer from Inexio:

"Die automatische Rufnummer Konfiguration der FRITZ!Box erfolgte durch unser System. Diese Rufnummern können Sie anschließend auch nicht löschen.

Um alle Rufnummern zu bereinigen ist ein Laden der Werkseinstellungen nötig.

Anschließend können Sie die Internet und Telefonie Zugangsdaten manuell einrichten.

In der Regel wird die Telefonie auf dem ersten Router eingerichtet und dann an das Endgerät, an dem die Telefoniegeräte angemeldet sind weitergeleitet.

Bei der Einrichtung von Ihrem Kundeneigenen Router kann ich Sie leider nicht unterstützen. Wenden Sie sich für diese Art der Hausverkabelung bitte an den Hersteller oder an Fachpersonal vor Ort."

Not really helpful.

I try to solve this with IT guys that know OPNSense better than me and I will post the solution here, if I got it working.

Greetings

9

24.7 Production Series / VOIP on Fritzbox behind OPNSense not working

« on: August 21, 2024, 07:59:46 pm »

Hi guys,

I have question concerning VOIP on a Fritzbox (FritzOS 7.5) behind my OPNSense (24.7.1).
What I observe is, that VOIP doesn't work and our telephone is not reachable. When I dial our number, I get the message "The number you have called is temporarily not available".

In the Fritzbox, everything looks good, our telephone numbers are available and the Fritzbox shows no errors in the log.
In the OPNSense, I have Zenarmor on the LAN and Suricata on the WAN net. Both systems show no blocked queries. In the Zenarmor log I can see A, AAAA, SRV and UNKNOWN queries from the Fritzbox (10.20.1.2) to the sip provider (see screenshot Sensei log). Query type A is answered with an IPv4 address, query type AAAA is answered with NXDOMAIN and SRV and UNKNWN query gets no answer.

Could this be the problem, why our VOIP is not working?

To give you some background:
At first, this fritzbox was our internet facing router and VOIP was successfully set up. I then switched to a Sophos UTM Firewall and before the switch, I took a screenshot of the required ports for VOIP (see screenshot "Required ports for VOIP"). I forwarded neccessary ports to the fritzbox and everything worked fine.
Now I switched from the Sophos to OPNSense and I tried to "copy" the NAT and firewall rules from the Sophos to the OPNSense. Unfortunately, VOIP doesn't work as described above.
I attached a screenshot of the Firewall and NAT rules. Are they correct? Since Zenarmor gives NXDOMAIN for the AAAA query, I'm not sure, if IPv6 is configured correctly.

From a Facebook group, I got the hint to set up an outbound NAT rule with the following settings:
Interface: WAN
TCP/IP Version: IPv4
Protocol: TCP/UDP
Source address: IP_of_Fritzbox
Source port: any
Destination address: any
Destination port: any
Translation / target: WAN address
Static port: checked

Can you guys help me getting VOIP? If you need more information, I can give you what you need.

Thank you very much for your help!

Maginos

10

General Discussion / Re: OPNSense setup in rented apartment

« on: August 18, 2022, 09:12:34 am »

Thank you for the tip, I have enabled the two options.

11

General Discussion / Re: OPNSense setup in rented apartment

« on: August 17, 2022, 06:29:54 pm »

Got it.
Enable "Services --> Unbound DNS --> Query Forwarding --> Use System Nameservers"

12

General Discussion / Re: OPNSense setup in rented apartment

« on: August 17, 2022, 05:49:17 pm »

Enable logging for the default "allow all" rule and see the firewall logs in real time as you ping from a client machine on LAN.

There were no entries, where traffic was blocked.

I kind of solved it. If I disable unbound dns and switch to DNSmasq DNS, DNS works as expected and I can browse the web regularly. If I switch then back to unbound, DNS no longer works.
Seems to be a problem for the experts.

13

General Discussion / Re: OPNSense setup in rented apartment

« on: August 17, 2022, 08:39:32 am »

I will check when I’m back from work.

14

General Discussion / Re: OPNSense setup in rented apartment

« on: August 17, 2022, 08:19:25 am »

I think, I already have such a rule, as you can see from the picture of my last post. Unfortunately, the "Default allow LAN to any" rule doesn't seem to be the problem.

15

General Discussion / Re: OPNSense setup in rented apartment

« on: August 17, 2022, 07:47:46 am »

Since all the tenets in your building are on the same subnet your situation is like logging into a hotel WiFi where all of your traffic is visible to anyone else staying in the hotel. No need to panic but just be more vigilant when you see anything odd in the logs or IDS services.

At the very least, disable OPNSense GUI from WAN, disable root login into OPNSense and disable HTTP redirect for GUI (under System ==> Settings).

As for the problem you posted, did you create any firewall rules for LAN? The default is "block all" and that is what seems to be happening in your case.

The IP I get from my landlord is 10.46.number_of_my_flat.129. I hope that every flat has its own subnet and there's no routing between the subnets.

If I am able to get the sense working, I will disable OPNSense GUI from WAN, the root login and the HTTP redirect for the GUI. Thanks for the tips.

Please find my firewall rules in the picture. Looks fine to me.