Messages - kevinm207

#1
@trumee and @sja1440 thank you so much for your replies and help.  For reference, I've attached a screenshot of the SIP trunk settings in FreePBX.  I'm pretty sure these are the defaults, and they have not been changed.

I may fiddle around with them some as time permits, but at least I have the customer back up and working for now with the NAT rule.

#2
23.7 Legacy Series / Inbound SIP Traffic Suddenly Blocked
November 24, 2023, 07:55:32 PM
I deployed FreePBX on-premise for a customer a few months ago.  Everything had been working fine until a few days ago.  Because the SIP trunk provider uses "Outbound" for Authentication, and "Send" for Registration, I never had to create any inbound NAT rules for the SIP traffic to pass without issue.  I just figured since the session was already established outbound, that inbound traffic would flow, and that had been my experience until a few days ago.

Now, when I look at the firewall logs in OPNSense, I'm seeing the "Default Deny / State Validation Rule" for inbound traffic from the SIP trunk provider's IP on SIP port 5060.

I tried a lot of things to resolve the issue...
1) I upgraded OPNSense: I was previously on the 22.7.x release, so, I upgraded all the way to 23.7.9 to see if it would fix the issue.  It did not.
2) After doing some research, under Firewall > Settings > Advanced, I changed Firewall Optimization to "Conservative."  That also did not fix the issue.
3) After continuing my research, I ran across people talking about disabling "source port rewriting."  Since the PBX is not hosted in the cloud with a bunch of phones behind the OPNSense firewall, but rather FreePBX is hosted on-premise, I decided there would be no harm in disabling it.  I couldn't find the exact wording, but on my primary Outbound NAT rule, I found "Static-Port," and I checked it to enable it.  That also did not fix the issue.
4) Continuing my research, some people said they had issues after their public WAN IP changed.  The business has a GPON fiber connection using PPPoE for authentication.  The public IP had changed recently.  Some referenced a deprecated setting: "Dynamic State Reset."  I could not find that setting, but I did run the command "pfctl -s state -vv | grep <ip of the FreePBX server> | grep :5060" from the shell and the public IP that came back was correct.  So, that was also not helpful.

So, finally I created an inbound NAT rule to send all UDP port 5060 traffic from the public IP of the trunk provider to the internal IP of the FreePBX server.  That resolved the issue.  But, I'm not satisfied with that, because it should work without an inbound NAT rule because the SIP trunk is Authenticated outbound with Send registration, so there should already be an outbound session to match the inbound traffic.  I use several Ubiquiti EdgeRouter 4s for other businesses, and I do not have to create any inbound NAT rules for their FreePBX to work great using the same SIP trunk provider.

Any help would be greatly appreciated to better understand what broke or changed to suddenly cause this issue.

Thanks,

Kevin
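The manual "pfctl -s state -vv | grep" check in step 4 above can be scripted so that, after a PPPoE address change, any SIP state still carrying the old translated WAN address is flagged automatically. This is an added example, not code from the post or from OPNsense; the state lines, the PBX address 192.168.1.10 and the WAN addresses 203.0.113.x are constructed, and the parser assumes the usual pf state header layout of translated address first and the pre-NAT address in parentheses.

```python
import re
from typing import NamedTuple

# Constructed sample of `pfctl -s state -vv` output, not captured from the poster's system.
# Only the unindented header line carries addresses; the -vv detail lines are indented.
SAMPLE_STATES = """\
pppoe0 udp 203.0.113.5:5060 (192.168.1.10:5060) -> 198.51.100.20:5060       MULTIPLE:MULTIPLE
   age 00:10:23, expires in 00:00:59, 1200:1180 pkts, 480000:470000 bytes, rule 85
   id: 0000000065611a23000001aa creatorid: 2ad3f5c1
pppoe0 udp 203.0.113.9:5060 (192.168.1.10:5060) -> 198.51.100.20:5060       MULTIPLE:MULTIPLE
   age 03:12:05, expires in 00:00:30, 9000:8800 pkts, 3600000:3500000 bytes, rule 85
   id: 0000000065611a23000001ab creatorid: 2ad3f5c1
pppoe0 tcp 203.0.113.5:51002 (192.168.1.10:51002) -> 198.51.100.20:443       ESTABLISHED:ESTABLISHED
"""

# Header line: <iface> <proto> <src>:<port> [(<pre-NAT src>:<port>)] -> <dst>:<port> <state>
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?:\((?P<orig>[\d.]+):(?P<oport>\d+)\)\s+)?->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<state>\S+)"
)

class State(NamedTuple):
    iface: str
    proto: str
    src: str      # address as seen on the wire (the translated WAN address for outbound NAT)
    sport: int
    orig: str     # pre-NAT internal address; equals src when no translation applied
    oport: int
    dst: str
    dport: int
    state: str

def parse_states(text: str) -> list[State]:
    """Parse state header lines; indented -vv detail lines and unknown formats are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        orig, oport = m["orig"] or m["src"], int(m["oport"] or m["sport"])
        states.append(State(m["iface"], m["proto"], m["src"], int(m["sport"]),
                            orig, oport, m["dst"], int(m["dport"]), m["state"]))
    return states

def stale_sip_states(states, pbx_ip: str, wan_ip: str, sip_port: int = 5060) -> list[State]:
    """Return the PBX's UDP SIP states whose translated source is not the current WAN address."""
    return [s for s in states
            if s.proto == "udp" and s.orig == pbx_ip and s.dport == sip_port and s.src != wan_ip]

if __name__ == "__main__":
    for s in stale_sip_states(parse_states(SAMPLE_STATES), "192.168.1.10", "203.0.113.5"):
        print(f"stale: {s.src}:{s.sport} -> {s.dst}:{s.dport} ({s.state})")
```

On a live box, replace SAMPLE_STATES with the captured output of the pfctl command and pass the address currently shown on the PPPoE interface as wan_ip; a non-empty result means the trunk is still registering through a state built on the old address.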