Topic: Question: WAN failover losing SIP trunk registration (Read 1998 times)
int_ar
Newbie
Posts: 2
Karma: 0
« on: August 30, 2023, 07:25:46 am »
Good morning,
Actually, I can't get my head around this problem. I am aware that this might also be a provider issue, but I'd like to solve this "the OPNsense way".
Basics:
I have an OPNsense 23.7.1-amd64 on bare metal with 5 NICs: 2x WAN, 1x LAN, 1x DMZ and 1x guest network.
The WAN sides are 2x fiber with a /29 and a /28 IPv4 network and a /64 and a /48 IPv6 network.
I have a 2nd, virtualized OPNsense (23.7.2-amd64) with the same NICs (just virtualized) on Hyper-V (if that matters).
The whole configuration is an HA cluster with CARP addresses. This works so far, even with outgoing NAT, so that my external IP is always the CARP address of one of the WAN connections (depending on which one is active), and also with incoming services that are on the CARP addresses. So far so good.
There is a PBX in the network that connects to a SIP trunk, using a single CARP IP from the /28 IPv4 network for incoming and outgoing traffic. No other services are incoming and/or outgoing on this IP, but only the NAT ports forwarded that are necessary according to the manufacturer are incoming (i.e. no 1:1 NAT).
This works very well, BUT
Basically, the system works as long as the primary firewall is active. If the secondary (i.e. the virtualized one) takes over, the telephone system loses connectivity. It has internet access and all, but it takes about 20-25 min before it can log on to the SIP trunk again. I assume this is intended by the SIP trunk provider (Vodafone, if that matters; both fiber optic connections are also Vodafone), since the MAC address changes on the WAN connection. I had a similar issue on another site where I changed the firewall from Sophos to OPNsense (and back to Sophos for other reasons): after each change the SIP trunk registration was unavailable for 20 to 25 minutes.
How to deal with this? Just for fun, I set the MAC address of the failover WAN interface to the MAC of the WAN interface of the primary firewall with the result that nothing worked at all on the failover, I assume because both firewalls connect to the same modem.
Does anyone have an idea? Or am I on the wrong track?
I am aware that connections might drop in case of a failover, but not the whole registration. I mean, providing (internet) telephony was kind of a target of making the internet highly available.
Greetings from Germany
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1601
Karma: 176
« Reply #1 on: August 30, 2023, 04:05:41 pm »
Maybe you are wrong with the MAC address being the culprit.
Each time a packet is processed by a router (Layer 3), the MAC addresses change, because the router strips the Ethernet header (Layer 2).
Your provider shouldn't be able to base the SIP Registration on the MAC address of your physical WAN NIC.
https://learningnetwork.cisco.com/s/question/0D53i00000Kt3VcCAJ/what-is-frame-rewrite
« Last Edit: August 30, 2023, 04:07:27 pm by Monviech »
Hardware: DEC740
i.schmidt
Newbie
Posts: 15
Karma: 0
« Reply #2 on: September 07, 2023, 10:07:30 am »
True, but only if the dialup connection is handled by another router instead of the OPNsense firewall.
If OPNsense does the dialup, the provider will see the MAC of that interface on their endpoint.