Topic: NAT issue with VoIP/SIP/RTP (Read 2105 times)
xerse
March 22, 2023, 11:15:28 am
Hello, I really hope someone can help with something I am struggling with:
Unfortunately I had to reinstall some VMs. I moved from an old ESXi 6.5 to ESXi 7u2 and installed a new OPNsense VM from scratch, as my old v22 VM was damaged and I don't have a backup.
So OK, there are many things that I could have missed or configured wrong, but something works really strangely.
In brief, I have a SIP server on an OPT network. I configured two port forward rules from one Virtual IP to the server IP (one for SIP port 5060, the other for the voice RTP range 10000:65535).
They look like:
WAN TCP/UDP VoIP_Auth * pub.pub.pub.181 5060 (SIP) opt.opt.opt.181 5060 (SIP)
WAN UDP VoIP_Auth * pub.pub.pub.181 Ports_RTP opt.opt.opt.181 Ports_RTP
At the same time I have an Outbound NAT rule, to be sure that my server communicates through the public IP I use for incoming:
Interface Source Src Port Dest Dst Port NAT Address NAT Port Static Port
WAN opt.opt.opt.181/32 * * * pub.pub.pub.181 * NO
I'm pretty sure this setup worked on version 22, but I have been experiencing a lot of problems with RTP audio since I started using the new v23 installation.
After spending a lot of time and a lot of nights on this issue, it seems related to something wrong in the NAT operations.
First, from packet captures made on both WAN and OPT interfaces, I could decode audio streams and confirm that two-way audio is present.
Just to make everything more complex, sometimes (rarely) audio seems to work (i.e. 1 test call out of 50 calls).
Anyway, after many other tests and nights I found that as soon as I create a 1:1 NAT rule like the following, voice passes correctly.
Interface External IP Internal IP Destination IP
WAN pub.pub.pub.181/32 opt.opt.opt.181 *
My problem is that I'm not able to understand why NAT forward + NAT outbound does not work. It makes no sense. It also makes no sense because nothing strange appears when analyzing packets.
And, of course, using a 1:1 NAT introduces potential security risks.
In brief, even if the SIP signaling works correctly, the voice sent from my internal server to the outside does not arrive if I do not introduce the 1:1 NAT rule.
Please help me.
Thanks
Last Edit: March 23, 2023, 12:01:24 am by xerse
meyergru
Re: NAT issue with VoIP/SIP/RTP
Reply #1 on: March 22, 2023, 10:27:49 pm
Try enabling the outbound NAT rule 'static-port' setting. Also, the voice RTP port range seems excessively large to me. Are you sure these are correct?
And should the NAT address of the outbound NAT rule not match the pub.pub.pub.181 address that is in the incoming rules? Or the other way around, if pub.pub.pub.178 is your VIP.
Last Edit: March 22, 2023, 10:35:06 pm by meyergru
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up, Bufferbloat A+
xerse
Re: NAT issue with VoIP/SIP/RTP
Reply #2 on: March 23, 2023, 12:09:39 am
Hi Meyergru,
The RTP port range is a bit larger than configured but yes it's correct.
I miswrote the outbound rule (I have now corrected it); it's not .178 but .181.
I'll try the static port suggestion, but anyway on the previous v22 I'm sure I never used it, as I'm pretty sure I never used the 1:1 NAT.
To describe it better: when voice leaves my server and reaches the provider, something goes wrong. While I'm able to capture voice packets on the WAN interface, my provider seems not to receive them.
This makes sense if something in NAT does not work as expected and packets look bad from the provider's firewall point of view.
But understanding what is wrong is hard.
Suggestions or opinions from others may help.
Monviech (Cedrik)
Re: NAT issue with VoIP/SIP/RTP
Reply #3 on: March 23, 2023, 02:25:41 pm
Here is my working configuration with DNAT/SNAT for the PBX I use.
The things that make it work are "static port" on the SNAT side, as well as a Firewall rule with a Gateway set for the WAN IP Address the PBX should use.
I've provided screenshots.
Hardware:
DEC740
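A check for the effect the "static port" suggestions in this thread target, added here as an example (not code from any poster or from OPNsense): without static port, outbound NAT may rewrite the UDP source port, so this compares the audio address and port a PBX advertises in SDP with the source of its RTP packets as captured on WAN. The SDP body, addresses and packet tuples are constructed, and it assumes the PBX sends RTP from the port it advertises and that the far end expects that port.

```python
# Added example; all data below is constructed (RFC 5737 documentation addresses).
SDP = """\
v=0
o=pbx 1 1 IN IP4 203.0.113.181
s=call
c=IN IP4 203.0.113.181
t=0 0
m=audio 14562 RTP/AVP 8 101
"""
# (source IP, source port) of the PBX's RTP packets as seen on WAN, after NAT.
WAN_WITHOUT_STATIC_PORT = [("203.0.113.181", 51344)] * 3
WAN_WITH_STATIC_PORT = [("203.0.113.181", 14562)] * 3

def parse_sdp_audio(sdp):
    """Return (ip, port) advertised for the first audio stream in an SDP body."""
    session_ip = media_ip = port = None
    section = "session"
    for line in (raw.strip() for raw in sdp.splitlines()):
        if line.startswith("m="):
            fields = line[2:].split()
            first_audio = fields[0] == "audio" and port is None
            section = "audio" if first_audio else "other"
            if first_audio:
                port = int(fields[1].split("/")[0])  # "port/count" form is allowed
        elif line.startswith("c="):
            addr = line.split()[-1].split("/")[0]  # c=IN IP4 <addr>[/ttl]
            if section == "session":
                session_ip = addr
            elif section == "audio":
                media_ip = addr  # media-level c= overrides the session-level one
    if port is None:
        raise ValueError("SDP has no audio m= line")
    return media_ip or session_ip, port

def check_nat(sdp, wan_packets):
    """List mismatches between the SDP offer and what actually left the WAN."""
    ip, port = parse_sdp_audio(sdp)
    findings = []
    for src_ip, src_port in sorted(set(wan_packets)):
        if src_ip != ip:
            findings.append(f"source IP {src_ip} differs from SDP address {ip}")
        if src_port != port:
            findings.append(f"source port {src_port} differs from SDP port {port}")
    return findings

if __name__ == "__main__":
    print(check_nat(SDP, WAN_WITHOUT_STATIC_PORT))
    print(check_nat(SDP, WAN_WITH_STATIC_PORT))
```

An empty result means the WAN-side packets match the SDP offer; any finding points at the outbound NAT rule rather than at the PBX.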