troubleshooting assistance with fresh install and Motorola RF repeaters

Started by Dillio, December 08, 2023, 03:14:19 AM

Setup: Protectli 4 port unit with 23.7 installed on it fresh.  Only setup done is LAN side address and DHCP scope.  All to all rule from LAN to WAN.  Internet and everything else, SIP phones, etc. work fine.

I'm an RF engineer, and I'm working on a Motorola DMR IP Site Connect setup.  It uses a master repeater in a colocation facility with a remote firewall with UDP ports 50000-50015 port forwarded to it from the internet.  There are 4 other remote sites currently connected to it, and working great.

I'm trying to set up a 5th site at my home using the Protectli.  My home Motorola repeater refuses to connect to the master site despite my best efforts when using OPNsense.  I put the home unit directly onto the internet, and it connects and works fine.  I have one of those GL Inet Opal travel routers that I use when I'm on the road, so I installed that instead, and it actually worked using this!

This got my brain going a little bit, so I tried Untangle on the Protectli, which I really don't like, but it worked, too.  So, I wiped the unit and tried pfSense.  This did NOT work.

I'm looking for some thoughts on next troubleshooting steps.  This one has me stymied.  Thanks for any thoughts or direction, I'm at a loss.

Those ports mentioned, "50000-500015", are you sure about that? Because we only have 65535.
Shouldn't it be 50000-50015?

When you had OPNsense installed, did you use any self-configured rules or NAT configuration?
Did only SIP not work, or were you not able to reach the internet at all?
Did you try checking the live sessions tab on OPN to see what OPN is doing when a packet is hitting the INGRESS and EGRESS interface?

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Quote from: Seimus on December 08, 2023, 09:53:15 AM
Those ports mentioned, "50000-500015", are you sure about that? Because we only have 65535.
Shouldn't it be 50000-50015?

When you had OPNsense installed, did you use any self-configured rules or NAT configuration?
Did only SIP not work, or were you not able to reach the internet at all?
Did you try checking the live sessions tab on OPN to see what OPN is doing when a packet is hitting the INGRESS and EGRESS interface?

Regards,
S.

Definite fat finger on the port range.  I fixed that.

Everything worked except the repeater.  I was able to use my SIP phone and the internet with no problem.  It is using the NAT rules that were set up by default when the installation was done.

I will take a look at that live sessions tab and update.


Okay, I didn't have Zenarmor installed so I had to go through the process to do so.  All that I see in there from the IP of the repeater is a DHCP request to the firewall.  Nothing else is showing at all, which doesn't make much sense.

You don't explicitly need Zenarmor in order to use OPN. Zenarmor is an L7 FW, whereas core OPN is an L4 packet FW. They work independently from each other depending on the direction:

Ingress: 1st ZEN match then OPN match
Egress: 1st OPN match then ZEN match

So, as you are looking at Ingress, ZEN should be inspected first to see what is hitting, then you need to inspect OPN.

But you say when you check ZEN you don't see any traffic/packets on INGRESS for SIP?
What about OPN INGRESS?
What about classic HTTP/HTTPS traffic when you try to access the internet using the phone?

I was asking you to check Ingress due to the fact that you should see at least 2 hits from the pure OPN perspective:
Ingress: in LAN >
Egress: out WAN > with NAT

As mentioned, as you use ZEN, there should be 4 hits: 2 for OPN, 2 for ZEN.

Regards,
S.