How to enable SIP Inspection?

Started by sjjh, November 19, 2020, 03:00:44 PM

Hi! I couldn't find any information in the docs on how to activate SIP inspection on OPNsense. Can anybody help me out? :)

Background (as far as I understood it): We're using an internal PBX via a SIP trunk. Normal calls work fine. But a call forwarding, if an external party calls in and is then forwarded out again to an external extension, initially has no audio, because apparently OPNsense doesn't inspect the SIP INVITE and thus doesn't open the dynamic port. Thus the RTP stream does not work. It takes 15 seconds until the keep-alive packet from the PBX kicks in and opens the desired ports. Obviously not a good solution if the caller and called person have to wait 15 seconds before hearing each other. ;)

Thanks in advance!
Simon

There is none from PBX to trunk.
There is siproxd but this is for multiple internal clients to one provider.

Maybe you can statically define RTP ports and just allow them?

Thanks for your fast reply!

Quote from: mimugmail on November 19, 2020, 03:49:30 PM
There is none from PBX to trunk.
Oh, I didn't expect that. I cannot believe that we're the only setup that uses OPNsense and a PBX...?
Shall I file a GitHub issue as a feature request?

Quote from: mimugmail on November 19, 2020, 03:49:30 PM
Maybe you can statically define RTP ports and just allow them?
I would need to double check for this specific setup, but normally RTP uses, afaik, some random UDP port in the range between 10,000 and 20,000. I'm not a real network expert, but it feels a little "wrong" to just open 10,000 ports permanently on the firewall. This cannot be best practice, can it?

Simon

Usually there is no helper needed.
At our office we also have an OPNsense behind a VoIP server with a SIP trunk. No problems ...

You have to check which packets are blocked; for me it seems the external one is also only a fixed IP.

for me it seems the external one is also only a fixed IP

Indeed, this is how I've managed PBX behind OPN. Whitelisting many thousands of ports to a single internal host is less of an issue when the external trunk originates from a specific range of addresses.

Thanks for your feedback. So if I understood you two correctly, you both just open the needed port range statically, limiting it to the internal PBX IP address and the external SIP trunk provider addresses. If that's the only way to go currently, I'll try it.
And I posted additionally a feature request at github: https://github.com/opnsense/core/issues/4477
Simon
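The following is an added illustration, not code from any poster in this thread nor from OPNsense itself. It models the static approach the two replies above describe (UDP port forwards for SIP and the PBX's RTP range, matched on the provider's source addresses only, with a single internal PBX as target) and, next to it, the one thing a SIP helper would otherwise do for you: read the media port out of the SDP body of the INVITE so that a pinhole can be opened per call. The WAN address, PBX LAN address and provider range are constructed placeholders from the RFC 5737 documentation blocks, not sipgate's real ranges; substitute your provider's published ranges. Treating the rules as UDP-only is also an assumption of this model.

```python
import ipaddress
import re

# Constructed placeholders (RFC 5737 documentation addresses): replace with
# the firewall's WAN address, the PBX's LAN address and the provider's
# published signalling/media source ranges.
WAN_IP = ipaddress.ip_address("192.0.2.10")
PBX_LAN_IP = ipaddress.ip_address("192.168.10.5")
TRUNK_PROVIDER_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# The two inbound port forwards from the thread: SIP signalling plus the
# static RTP range the PBX is configured to use (inclusive on both ends).
SIP_PORTS = {5060}
RTP_FIRST, RTP_LAST = 10000, 20000


def forward_target(src_ip, dst_ip, dst_port, proto="udp"):
    """Evaluate an inbound WAN packet against the static rules.

    Returns (lan_ip, port) the packet is forwarded to, or None when no rule
    matches and the default deny applies.  Only the source *address* is
    checked; the source port is deliberately ignored, because SIP and RTP
    senders use arbitrary ports (the advice given in the thread).
    """
    src = ipaddress.ip_address(src_ip)
    if proto != "udp" or ipaddress.ip_address(dst_ip) != WAN_IP:
        return None
    if not any(src in net for net in TRUNK_PROVIDER_NETS):
        return None
    if dst_port in SIP_PORTS or RTP_FIRST <= dst_port <= RTP_LAST:
        return PBX_LAN_IP, dst_port
    return None


_SDP_CONN = re.compile(r"^c=IN IP4 (\S+)", re.M)
_SDP_AUDIO = re.compile(r"^m=audio (\d+) RTP/AVP", re.M)


def rtp_endpoint_from_sdp(sdp):
    """Pull the advertised media address and port out of an SDP body.

    This is the lookup a SIP-aware firewall helper performs on each INVITE
    (or its 200 OK) to open a pinhole for that call.  Without a helper the
    firewall never learns this port, which is why a static range is needed.
    """
    conn = _SDP_CONN.search(sdp)
    audio = _SDP_AUDIO.search(sdp)
    if conn is None or audio is None:
        raise ValueError("SDP has no audio media description")
    return conn.group(1), int(audio.group(1))


def rtp_reachable(sdp, src_ip):
    """Can the provider reach the media stream this SDP advertises through
    the static rules alone?  RTCP conventionally uses port+1, so both ports
    must be forwarded; a PBX range ending exactly at RTP_LAST leaves the
    final RTCP port outside the forward."""
    ip, port = rtp_endpoint_from_sdp(sdp)
    return (forward_target(src_ip, ip, port) is not None
            and forward_target(src_ip, ip, port + 1) is not None)


def _sdp(port):
    # Constructed minimal SDP as a NAT-aware PBX would put in an INVITE,
    # advertising the firewall's WAN address as the media address.
    return ("v=0\r\n"
            "o=pbx 1 1 IN IP4 192.0.2.10\r\n"
            "s=-\r\n"
            "c=IN IP4 192.0.2.10\r\n"
            "t=0 0\r\n"
            f"m=audio {port} RTP/AVP 0 8 101\r\n"
            "a=rtpmap:0 PCMU/8000\r\n")


SDP_IN_RANGE = _sdp(10004)
SDP_OUT_OF_RANGE = _sdp(30000)  # PBX configured outside the forwarded range


if __name__ == "__main__":
    print(rtp_endpoint_from_sdp(SDP_IN_RANGE))
    print(rtp_reachable(SDP_IN_RANGE, "198.51.100.20"))   # provider source
    print(rtp_reachable(SDP_IN_RANGE, "203.0.113.7"))     # anyone else
    print(rtp_reachable(SDP_OUT_OF_RANGE, "198.51.100.20"))
```

The point of the model is the one raised in the thread: the 10,000-port forward is only reachable from the provider's address range and only lands on the PBX, so the exposure is the PBX's RTP stack towards the trunk, not an open range for the whole Internet. The SDP parser shows why the range must cover every port the PBX can pick: a call whose INVITE advertises a port outside it, or whose RTCP port falls one past the end, silently has no audio, exactly the symptom the first post describes.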

@mimugmail or @firewall, could you please show me an example of your configuration? I added a rule in the NAT settings, but I must have done something wrong as it doesn't work...  :-\
Thanks in advance!
Simon

No, you should show your screenshots of the port forward and outbound NAT rules.

November 24, 2020, 09:35:49 PM #8 Last Edit: November 24, 2020, 10:53:13 PM by sjjh
Quote from: mimugmail on November 24, 2020, 08:24:30 PM
No, you should show your screenshots of the port forward and outbound NAT rules.

Sure, here you go:

Don't use multiple interfaces in forwards and don't use source ports :)

November 24, 2020, 10:52:09 PM #10 Last Edit: November 25, 2020, 08:01:44 PM by sjjh
Quote from: mimugmail on November 24, 2020, 10:02:17 PM
Don't use multiple interfaces in forwards and don't use source ports :)
I changed it accordingly, but I must have missed something as it still does not work... :-/

The port forward target should be the Gateway2 address. And besides the RTP ports, don't forget SIP itself.

So I changed the gateway to Gateway2 (WAN) and also added an extra rule for the SIP ports (although I thought that they were already working, as the call is started, just the audio is missing). Unfortunately it's still not working. :-/ Any idea what else I missed?

I used the IP addresses and ports as mentioned in the help of our SIP provider for the sipgate trunk: https://teamhelp.sipgate.de/hc/de/articles/203571242-IP-und-Port-Bereiche-von-sipgate