NAT issue with VoIP/SIP/RTP

Started by xerse, March 22, 2023, 11:15:28 AM

March 22, 2023, 11:15:28 AM Last Edit: March 23, 2023, 12:01:24 AM by xerse
Hello, I really hope someone may help with something that is troubling me:

Unfortunately I had to reinstall some VMs. I moved from an old ESXi 6.5 to ESXi 7u2 and I installed a new OPNsense VM from scratch, as my old v22 VM was damaged and I had no backup.

OK, there are many things that I could have missed or configured wrong, but something works really strangely.

In brief, I have a SIP server on an OPT network. I configured two port forward rules from one Virtual IP to the server IP (one for SIP port 5060, the other for the voice RTP range 10000:65535).

They look like:

Interface   Proto     Source      Src Port   Destination         Dst Port      NAT IP              NAT Port
WAN         TCP/UDP   VoIP_Auth   *          pub.pub.pub.181     5060 (SIP)    opt.opt.opt.181     5060 (SIP)
WAN         UDP       VoIP_Auth   *          pub.pub.pub.181     Ports_RTP     opt.opt.opt.181     Ports_RTP


At the same time I have an outbound NAT rule, to be sure that my server communicates through the public IP I use for incoming:

Interface   Source                Src Port   Dest   Dst Port   NAT Address         NAT Port   Static Port
WAN         opt.opt.opt.181/32    *          *      *          pub.pub.pub.181     *          NO


I'm pretty sure this setup worked on version 22, but I'm experiencing a lot of problems with RTP audio since I've been using the new installation, v23.

After spending a lot of time and a lot of nights on this issue, it seems related to something wrong in NAT operations.

First, from packet captures made on both WAN and OPT interfaces, I could decode audio streams and confirm that two-way audio is present.

Just to make everything more complex, sometimes (rarely) audio works (i.e. 1 test call out of 50).


Anyway, after many other tests and nights I found that as soon as I create a 1:1 NAT rule like the following, voice passes correctly.

Interface   External IP            Internal IP         Destination IP
WAN         pub.pub.pub.181/32     opt.opt.opt.181     *


My problem is that I'm not able to understand why NAT forward + NAT outbound does not work. It makes no sense. It also makes no sense because nothing strange appears when analyzing the packets.
And, of course, using 1:1 NAT introduces potential security risks.

In brief, even though the SIP signaling works correctly, the voice sent from my internal server to the outside does not arrive if I do not add the 1:1 NAT rule.

Please help me.
Thanks

March 22, 2023, 10:27:49 PM #1 Last Edit: March 22, 2023, 10:35:06 PM by meyergru
Try enabling the outbound NAT rule 'static-port' setting. Also, the voice RTP port range seems excessively large to me. Are you sure these are correct?

And should the NAT address of the outbound NAT rule not match the pub.pub.pub.181 address that is in the incoming rules? Or the other way around, if pub.pub.pub.178 is your VIP.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+

Hi Meyergru,

The RTP port range is a bit larger than configured but yes it's correct.
I miswrote the outbound rule (I have corrected it now); it's not .178 but .181.

I'll try the static port suggestion, but anyway on the previous v22 I'm sure I never used it, as I'm pretty sure I never used the 1:1 NAT.

To describe it better: when voice leaves my server and reaches the provider, something goes wrong. While I'm able to capture voice packets on the WAN interface, my provider seems not to receive them.
This makes sense if something in NAT does not work as expected and the packets look bad from the provider's firewall point of view.

But understanding what is wrong is hard.
Suggestions or opinions from others may help.

Here is my working configuration with DNAT/SNAT for the PBX I use.

The things that make it work are "static port" on the SNAT side, as well as a firewall rule with a gateway set for the WAN IP address the PBX should use.

I've provided screenshots.
Hardware:
DEC740
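The following Python model is an added example, not code from this thread or from OPNsense. It shows the NAT behaviour the two replies above point at: the PBX advertises an RTP port in the SDP of its INVITE, a non-static-port outbound NAT rewrites the source port of the outgoing RTP as it leaves WAN, and a provider that only accepts media from the advertised address:port discards it, while "static port" keeps the two in agreement (1:1 NAT likewise preserves ports, which is why the poster's binat workaround also works). It also includes a small checker for a WAN-side capture that flags outbound RTP whose source port differs from the SDP m=audio port. Everything concrete in it is a constructed assumption: 203.0.113.181 stands in for pub.pub.pub.181, 10.10.10.181 for opt.opt.opt.181, 198.51.100.10 for the provider, the SIP INVITE is hand-written, and 57123 is just an illustrative port a non-static translation would pick.

```python
"""Why port-forward + outbound NAT breaks RTP without 'static port'.

Added example for this forum thread; not code from the posters or from OPNsense.
All addresses, ports and the SIP INVITE below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.181"     # assumed public VIP (pub.pub.pub.181 in the thread)
INTERNAL_IP = "10.10.10.181"    # assumed PBX address on OPT (opt.opt.opt.181)
PROVIDER_IP = "198.51.100.10"   # assumed SIP trunk media address
PROVIDER_RTP_PORT = 20000       # assumed port from the provider's SDP answer
NAT_POOL_PORT = 57123           # illustrative port a non-static outbound NAT picks

# Constructed INVITE from the PBX. The PBX is assumed to be configured with its
# external address, so the SDP advertises the public IP and RTP port 10020.
SDP_BODY = (
    "v=0\r\n"
    f"o=pbx 1 1 IN IP4 {PUBLIC_IP}\r\n"
    "s=call\r\n"
    f"c=IN IP4 {PUBLIC_IP}\r\n"
    "t=0 0\r\n"
    "m=audio 10020 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "a=rtpmap:8 PCMA/8000\r\n"
)
SIP_INVITE = (
    "INVITE sip:+15551234567@sip.example.net SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP {PUBLIC_IP}:5060;branch=z9hG4bK-1\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)


@dataclass(frozen=True)
class Packet:
    """UDP 4-tuple of one RTP datagram as seen on an interface."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_sdp_media(sip_msg: str) -> tuple[str, int]:
    """Return (connection IP, audio port) advertised in the SDP body."""
    body = sip_msg.split("\r\n\r\n", 1)[1]
    c = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    m = re.search(r"^m=audio (\d+) ", body, re.M)
    if not (c and m):
        raise ValueError("SDP without c= or m=audio line")
    return c.group(1), int(m.group(1))


def outbound_nat(pkt: Packet, static_port: bool) -> Packet:
    """Model of the thread's outbound rule: source opt.181/32 -> pub.181.

    With static_port the source port is kept; without it the firewall picks a
    translated port from its own pool (fixed to NAT_POOL_PORT here for clarity).
    """
    if pkt.src_ip != INTERNAL_IP:
        return pkt
    new_port = pkt.src_port if static_port else NAT_POOL_PORT
    return replace(pkt, src_ip=PUBLIC_IP, src_port=new_port)


def provider_accepts_rtp(pkt: Packet, sdp_ip: str, sdp_port: int) -> bool:
    """Strict provider: media must come from the address:port in the SDP offer.

    Trunks that enforce this silently drop RTP from any other source, which
    matches 'captured on WAN but the provider never receives it'.
    """
    return (pkt.src_ip, pkt.src_port) == (sdp_ip, sdp_port)


def simulate_call(static_port: bool) -> dict:
    """Send one RTP packet PBX -> provider through outbound NAT and report."""
    sdp_ip, sdp_port = parse_sdp_media(SIP_INVITE)
    inside = Packet(INTERNAL_IP, sdp_port, PROVIDER_IP, PROVIDER_RTP_PORT)
    on_wan = outbound_nat(inside, static_port)
    return {
        "advertised": (sdp_ip, sdp_port),
        "seen_on_wan": (on_wan.src_ip, on_wan.src_port),
        "provider_accepts": provider_accepts_rtp(on_wan, sdp_ip, sdp_port),
    }


def audit_wan_capture(sip_msg: str, wan_packets: list[Packet]) -> list[str]:
    """Compare WAN-side RTP (e.g. from tcpdump on the WAN interface) with the SDP.

    Outbound RTP whose source port differs from the m=audio port is direct
    evidence that outbound NAT rewrote it.
    """
    sdp_ip, sdp_port = parse_sdp_media(sip_msg)
    findings = []
    for p in wan_packets:
        if p.src_ip == sdp_ip and p.src_port != sdp_port:
            findings.append(
                f"RTP leaves WAN from {p.src_ip}:{p.src_port} but SDP advertised port {sdp_port}"
            )
    return findings


if __name__ == "__main__":
    for mode in (False, True):
        r = simulate_call(static_port=mode)
        print(f"static port={mode}: advertised {r['advertised']}, "
              f"on WAN {r['seen_on_wan']}, provider accepts={r['provider_accepts']}")
```

On a real box the same check is a WAN capture of the RTP range compared against the m=audio line in the captured INVITE; a source port that does not match the SDP is the rewrite that "static port" on the outbound rule removes. The model assumes the PBX puts the public address in its SDP (its external-address or NAT setting); if the SDP still carries the OPT address, the provider's view is wrong for a different reason and static port alone will not fix it.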