NAT and RTP stream not working

Started by _seb_, August 08, 2025, 09:41:58 AM

Hello,

I'm having trouble getting voice communication (nothing in either direction) to work with an IP PBX (Asterisk) using OPNsense 25.7.1_1-amd64.

I have the following rule in WAN: IPv4 UDP * * WAN address 10000 - 20000 * *
Same thing when modifying the WAN rule: IPv4 UDP * * VOIP_SVR 10000 - 20000 * *
I have the following rule in NAT: WAN UDP * * WAN address 10000 - 20000 VOIP_SVR 10000 - 20000

I can register a phone using port 5060 without any problems.
WAN rule: IPv4 TCP/UDP * * VOIP_SVR 5060 (SIP) * *
NAT rule: WAN TCP/UDP * * * 5060 (SIP) VOIP_SVR 5060 (SIP)

Thank you for your help


August 08, 2025, 10:45:38 AM #1 Last Edit: August 08, 2025, 10:55:17 AM by hharry
Your SIP/RTP application will need its own NAT helper to translate the internal private IP to the discovered public IP in the SIP header RTP SDP (Session Description Protocol) handshake.

AFAIK, OPNsense doesn't have an out-of-the-box SIP/RTP NAT helper....

There's plenty of STUN/ICE ALG helper discussion over at the Asterisk forum....

Another possible solution is to establish a VPN to the SIP G/W / SBC and route your SIP + RTP traffic over the tunnel; no NATing required.
OPNsense 25.7.1_1-amd64 running on ESXi 6.7 U2 VM, 4Gbytes RAM, 2 x vCPU
frr, IDS, AdGuard Home, sftp-backup plugins
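As an added diagnostic example (not from this thread, nor from Asterisk or OPNsense), here is a small Python checker that reads an SDP body and flags the two things the reply above describes: a private (RFC 1918) address in the c= line, which the far end cannot route RTP to unless a NAT helper rewrites it, and an RTP port outside the forwarded range (10000-20000 from the original post). The sample SDP, addresses and ports are constructed.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample SDP (hypothetical addresses): a PBX behind NAT that
# still advertises its private LAN address in the session-level c= line.
SAMPLE_SDP = """v=0
o=- 1754640000 1754640000 IN IP4 192.168.10.20
s=Asterisk
c=IN IP4 192.168.10.20
t=0 0
m=audio 10012 RTP/AVP 0 8 101
a=sendrecv
"""

Stream = Tuple[str, int, Optional[str]]  # (media type, RTP port, connection address)


def analyse_sdp(sdp: str, rtp_range: Tuple[int, int] = (10000, 20000)) -> Dict[str, list]:
    """Return the streams an SDP body describes and the NAT problems they imply."""
    streams: List[Stream] = []
    problems: List[str] = []
    lo, hi = rtp_range
    session_addr: Optional[str] = None
    current: Optional[Stream] = None  # the m= section currently being read
    def close(stream: Stream) -> None:
        media, port, addr = stream
        streams.append(stream)
        if addr is None:
            problems.append(f"{media}: no c= line, RTP destination unknown")
        elif any(ipaddress.ip_address(addr) in net for net in RFC1918):
            problems.append(f"{media}: c= advertises private address {addr}; "
                            "the far end will send RTP to an unroutable IP")
        if not lo <= port <= hi:
            problems.append(f"{media}: port {port} is outside the forwarded range {lo}-{hi}")

    # A session-level c= applies to every m= unless a media-level c= overrides it (RFC 4566)
    for line in sdp.splitlines():
        m_media = re.match(r"m=(\w+) (\d+)(?:/\d+)? ", line)
        m_conn = re.match(r"c=IN IP4 (\S+)", line)
        if m_media:
            if current:
                close(current)
            current = (m_media.group(1), int(m_media.group(2)), session_addr)
        elif m_conn and current:  # media-level c= overrides the session-level one
            current = (current[0], current[1], m_conn.group(1))
        elif m_conn:
            session_addr = m_conn.group(1)
    if current:
        close(current)
    return {"streams": streams, "problems": problems}
```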

On Asterisk I configured the WAN IP address of the OPNsense precisely to avoid having a problem. This does not work either...

I'm surprised it doesn't work normally with OPNsense because I don't use STUN/ICE. I've had no problem making VoIP work with other commercial FWs.

August 08, 2025, 11:02:17 AM #3 Last Edit: August 08, 2025, 11:55:05 AM by hharry
You'll likely need a hybrid NAT, with manual NAT entry(s) added to the OPNsense NAT F/W policy, with static-port, to avoid PAT (Port Address Translation), particularly for the RTP traffic. Without a SIP/RTP NAT ALG helper, you MUST ensure SIP/RTP traffic is not subjected to PAT... if traffic is subjected to PAT, that breaks the RTP session that was determined from the SIP SDP handshake etc...

Obviously your LAN F/W policy, also needs to allow the PBX(LAN) -> WAN SIP trunk / SBC traffic as well.

Outbound NAT options are all explained here -> https://docs.opnsense.org/manual/nat.html#outbound

To summarize:

Outbound NAT Configuration:

  Mode:
    Set the outbound NAT mode to "Hybrid outbound NAT rule generation" in Firewall > NAT > Outbound.

  Static Port:
    Create a new outbound NAT rule for your VoIP device (PBX or IP Phone).
    Interface: WAN
    TCP/IP Version: IPv4
    Source address: IP address of your internal VoIP device.
    Source port: any or udp/*
    Destination address: any or the specific IP address/alias of your SIP provider.
    Destination port: any or the specific SIP/RTP ports used by your provider.
    Translation/target: Interface address (WAN IP) or a specific Virtual IP (VIP) if you are using one for your PBX.
    Static Port: CHECK THIS BOX. This is crucial for SIP/RTP, as it prevents OPNsense from changing the source port of outbound RTP packets, which is expected by the SIP provider.

Or configure a 1-to-1 NAT setup.... you'll need a dedicated WAN public IP address for it, however....

Yes, I tried this configuration but it does not work:

Firewall > NAT > Outbound :

Hybrid outbound NAT rule generation is checked
https://ibb.co/m5Mh3J1b

Firewall > Rules > WAN :
https://ibb.co/zV79gnVD



August 08, 2025, 12:15:03 PM #5 Last Edit: August 08, 2025, 12:41:05 PM by hharry
Is your LAN F/W policy allowing the outbound LAN -> WAN traffic?

You can use

1. Firewall: Diagnostics: Sessions

To view the sessions (if they have been allowed by your LAN F/W policy); it will also show the SNAT entry, so you can determine that PAT is indeed disabled. Enter your LAN-side IP PBX | IP phone in the search box... if you have a decent number of sessions, it takes forever to load; it's a recent 25.7 regression...

2. Inspect the Firewall: Log Files: Live View to see if the packets are being dropped. Make sure you have the 'Log packets matched from the default block rules' option enabled in Firewall: Settings: Advanced.

Better still, if you have your OPNsense filterlog logs exported to a syslogd server, you can just tail the log file and use egrep etc. to filter on whatever you want...

3. If your Asterisk is configured with directrtpsetup=yes, then you'll also need to include the IP phone's IP or prefix in the VOIP_SVR alias.


Yes, the policy is allowing the outbound LAN traffic.

Firewall > Rules > LANSERVERS :
https://ibb.co/RpngVLVV

I think I understand the problem but I don't know how to solve it...

Log Files: in the destination I see the local IP address of my phone and not the public IP of the internet connection where the phone is located...

August 08, 2025, 12:49:14 PM #7 Last Edit: August 08, 2025, 12:51:33 PM by hharry
Quote from: _seb_ on August 08, 2025, 12:36:55 PM
Yes, the policy is allowing the outbound LAN traffic.

Firewall > Rules > LANSERVERS :
https://ibb.co/RpngVLVV

I think I understand the problem but I don't know how to solve it...

Log Files: in the destination I see the local IP address of my phone and not the public IP of the internet connection where the phone is located...

It sounds like it might be a LAN-side (or floating) F/W rule. Which interface is listed in the packet drop, LAN or WAN? And in Live View it will also give the specific policy rule (LABEL) dropping the packets.


Hello,

I've tried several configurations and it doesn't work (hybrid mode, creating manual rules for RTP). I'm really stuck...

Any ideas?

Thanks