Intersite routing issue - driving me mad!

[g33kphr33k]

Hey folks

I have just replaced a router at a site that I believed to be configured okay, and it turns out it isn't working as intended. I've attached the diagram of the network and connections.

The OPN router has a WAN and 1Gb Dark Fibre to another site, so copying the previous config (which worked fine!) I have set the WAN to default GW and weighted it. IGB2 is Intersite and has 10.1.50.2 with a Gateway of 10.1.50.1 which is a pfSense at HQ. There are no issues getting from the site to the public internet via the WAN.

Here is where it gets weird. I've added the static routes for the other sites and allowed IPv4 any/any across the Intersite. I can ping everything at HQ and HQ can ping everything at the London/OPNSense site, it looks okay. Remote Desktop works, as do file shares. However, UDP from the Phone System SIP trunk hosted at HQ is filtered out for calls; we can hear the other person, but they cannot hear us. It is like the outbound is filtered out, but the inbound works. This is backed up with the fact that I cannot ping anything in the USA sites from OPNSense, but the USA sites CAN ping and see things at the London/OPNSense site.

Any ideas? I've been at this since 4am this morning, it's now almost 10pm at night. It has to be something to do with firewall rules. I know it's not the other routers as the Draytek that was removed worked fine.

I have bought a DEC3840 so I will contact Sales for support in this matter if you guys cannot shed any light on where I am going wrong.

[bartjsmit]

SIP often breaks firewall state. Any mileage in running a separate PBX on each site and running something like AIX between them for trunk calls? https://en.wikipedia.org/wiki/Inter-Asterisk_eXchange

Bart...

[g33kphr33k]

Thank you for the reply, but that won't work.

The outbound is broken using Intersite. It just will NOT route correctly. It should be able to use the Intersite as a secondary WAN as well as route between my sites. It cannot PING or connect to anything past the first hop to HQ, but everything further out such as the USA can ping and connect back.

It's definitely something routing or firewall related.

[MoonbeamFrame]

If you are getting call establishment then the SIP part of the process is working as expected.

The audio path would be carried over the ports configured for RTP.

[lilsense]

It may QoS related. Do you have any QoS set up or when you are testing across the WAN how much data is on?

[g33kphr33k]

It's 100% a routing issue.

Everything to WAN works fine. Trying to route out via IGB2 (Intersite) for defined routes means that it will send traffic only as far as HQ, then drop. Phone system is at HQ, so it hits it and the system makes the outbound call. Any traffic thereafter should flow in and out but IN works, OUT halts at HQ.

It's NOT the HQ router. With the old router in place, it works fine.