SIP NAT Issue?

Started by shtech, April 15, 2020, 05:16:40 AM

Two opnsense firewalls. Both on latest update. One at Home and one at the office

SIP Client can register just fine using cellular data.

On wifi at my house, it will not.

Office has a NAT port forward. The IPs listed are fake.
Protocol   Source   Port   Address   Ports         Destination    Ports
TCP/UDP    *        *      5.5.5.5   5060-5090     192.168.1.10   5060-5090
UDP        *        *      5.5.5.5   16384-32768   192.168.1.10   16384-32768

I can see the traffic getting to the server behind the office firewall. I can see traffic coming back... it just doesn't connect. Unless I use Verizon's data signal. So it's something in the NAT between the firewalls, I just can't figure out what.

This has been a problem for a while, I've just ignored it until this covid stuff. Am I forgetting something? I have to be. The 16-hour days are getting to me, very tired.

Sorry, I cannot help, I'm just seeing a similar problem here.

In the office I'm running a conference server (audio, video, whiteboard, chat and so on) behind an OPNsense firewall.
I can connect to the system itself just fine (well at least I could until I ran into the problems mentioned here yesterday).
No matter what connection path login works and whiteboard can be used. Chat system works.
But audio (SIP/RTP) and video (WebRTC) do not work when I try to connect from my home office where I am behind an AVM DSL router (Fritzbox).
Neither PC, iPad nor iPhone can use audio/video when connected to the Fritzbox WiFi.
That same iPhone works fine when I shut down WiFi and connect via LTE.
And the iPad works fine as soon as I use the iPhone as a mobile hotspot.
The PC can connect from my home office WiFi if I connect to the company network via OpenVPN (OPNsense road warrior setup).

In short everything using TCP works. UDP is the problem.
The problem looks very similar to yours. The difference is that my home office is just behind an AVM Fritzbox instead of a second OPNsense.

Just my 2 cents.

Stay safe everyone
Stefan

Do you have a STUN server configured?

Bart...

Bart,
don't know if your question goes in my direction but anyways, here I go:
According to the documentation of my conference system (BigBlueButton) I do not need a STUN server if the firewall's WAN interface has a fixed IP. In that case I can hardcode that IP in one of the configuration files instead of STUN server address and port. That's what I have done. Maybe that is not enough if clients are behind a router.

Stefan

Quote from: StP on April 15, 2020, 11:56:48 AM
Bart,
don't know if your question goes in my direction but anyways, here I go:
According to the documentation of my conference system (BigBlueButton) I do not need a STUN server if the firewall's WAN interface has a fixed IP. In that case I can hardcode that IP in one of the configuration files instead of STUN server address and port. That's what I have done. Maybe that is not enough if clients are behind a router.

Stefan

The only time I have this problem is when I'm home. It also works behind other firewalls. If I join my neighbor's wireless, it works just fine as well. I've never had to use a STUN server.

Hi Stefan,

Best way to determine that is to run a packet trace on the WAN interface limited to the public IP range of your conference system provider.

If you see a lot of RTP addressed to the internal address, you'll need STUN.

A trace will help regardless - Wireshark is your friend ;-)

Bart...

Bart,
maybe I did not express myself as clearly as I should have...
We host the conference system ourselves, on company premises on our own hardware behind OPNsense.
Right now I can't do any further tests because of this:
https://forum.opnsense.org/index.php?topic=16764.0

Thanks for your help
  Stefan

Sorry Stefan, I did misread your post.

Probably best to work with Deciso under your support arrangement with them, although I would still run packet traces to get a better handle myself.

Bart...

Quote from: bartjsmit on April 15, 2020, 01:48:54 PM
Sorry Stefan, I did misread your post.

Probably best to work with Deciso under your support arrangement with them, although I would still run packet traces to get a better handle myself.

Bart...

Unfortunately, that is where SIP ALG would probably help. We typically disable it on any firewalls we manage and use to pass VoIP traffic, but we've had rare occurrences where it works. Unfortunately OPNsense doesn't have it as an option to test with at least. It overwrites the SIP header, which I think is my problem.
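Bart's advice above (trace on the WAN interface and look for private addresses in the SIP/RTP traffic) and shtech's remark about the SIP header being what gets rewritten point at the same check. The following is an added example, not code from the thread, from OPNsense or from BigBlueButton: a small Python checker that takes one SIP message as captured on the WAN side and reports whether RFC 1918 addresses survive in Via/Contact or in the SDP, which is exactly the condition where STUN, a SIP proxy or an ALG has to rewrite them. The INVITE it inspects is constructed, the addresses in it are made up, and the default media port range is the one from shtech's port forward.

```python
import ipaddress
import re

# RFC 1918 ranges plus the RFC 6598 shared address range (CGNAT). A SIP
# message that leaves the WAN interface still carrying one of these in
# Via/Contact or in the SDP cannot be answered by the far end: signalling
# may still complete, but media (RTP) will be sent to an unreachable host.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Dotted-quad IPv4 literal not embedded in a longer number or a version string.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Long and compact (single-letter) forms of the two headers that carry the
# address the far end will try to reach.
HEADER_LABELS = {"via": "Via", "v": "Via", "contact": "Contact", "m": "Contact"}

# Constructed sample (all addresses made up): an INVITE as a softphone behind
# a home router would send it when nothing rewrote its headers.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:1001@5.5.5.5 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.178.20:5060;branch=z9hG4bK776asdhds;rport",
    "From: <sip:2001@5.5.5.5>;tag=1928301774",
    "To: <sip:1001@5.5.5.5>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 314159 INVITE",
    "Contact: <sip:2001@192.168.178.20:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 0 0 IN IP4 192.168.178.20",
    "s=-",
    "c=IN IP4 192.168.178.20",
    "t=0 0",
    "m=audio 16400 RTP/AVP 0 8",
    "",
])

# The same message after STUN or a proxy replaced the private address with the
# client's public one (203.0.113.7 is a documentation address, also made up).
FIXED_INVITE = SAMPLE_INVITE.replace("192.168.178.20", "203.0.113.7")


def is_private(addr):
    """True if addr is an RFC 1918 or RFC 6598 address; False for garbage."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def split_message(msg):
    """SIP separates headers from the body with one empty line."""
    head, _, body = msg.partition("\r\n\r\n")
    return head.split("\r\n"), body.split("\r\n")


def find_private_addresses(msg):
    """Return (where, address) pairs for private addresses the far end would use."""
    findings = []
    headers, body = split_message(msg)
    for line in headers[1:]:  # skip the request/status line
        name, _, value = line.partition(":")
        label = HEADER_LABELS.get(name.strip().lower())
        if label:
            findings += [(label, ip) for ip in IPV4_RE.findall(value) if is_private(ip)]
    for line in body:
        # o= carries the originator, c= the connection address RTP is sent to
        if line.startswith(("o=", "c=")):
            findings += [("SDP " + line[:2], ip) for ip in IPV4_RE.findall(line)
                         if is_private(ip)]
    return findings


def sdp_media_ports(msg):
    """Ports announced in m= lines; these must fall inside the forwarded range."""
    _, body = split_message(msg)
    return [int(line.split()[1]) for line in body if line.startswith("m=")]


def diagnose(msg, port_lo=16384, port_hi=32768):
    """One-line verdict; default range is the RTP forward from the thread."""
    leaks = find_private_addresses(msg)
    if leaks:
        return "private address leaked: " + ", ".join(f"{w} {ip}" for w, ip in leaks)
    bad_ports = [p for p in sdp_media_ports(msg) if not port_lo <= p <= port_hi]
    if bad_ports:
        return "media port outside forwarded range: " + ", ".join(map(str, bad_ports))
    return "ok"


if __name__ == "__main__":
    print(diagnose(SAMPLE_INVITE))
    print(diagnose(FIXED_INVITE))
```

Feed it the payload of each outbound INVITE and REGISTER from the WAN trace: a message that still reports "private address leaked" on the WAN side is one the far end cannot answer, whatever the port forwards look like, and that is the case where a STUN server, siproxd or an ALG has to intervene. A message that passes but whose m= port falls outside the forwarded range points at the firewall rule rather than at NAT traversal.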

Did you try the os-siproxd plugin?

Quote from: StP on April 15, 2020, 11:56:48 AM
Bart,
don't know if your question goes in my direction but anyways, here I go:
According to the documentation of my conference system (BigBlueButton) I do not need a STUN server if the firewall's WAN interface has a fixed IP. In that case I can hardcode that IP in one of the configuration files instead of STUN server address and port. That's what I have done. Maybe that is not enough if clients are behind a router.

Stefan

Just getting back to this. I tried several stun servers (which we've used for clients in the past) and it didn't help.