VOIP on Fritzbox behind OPNSense not working

[Maginos]

Hi guys,

I have question concerning VOIP on a Fritzbox (FritzOS 7.5) behind my OPNSense (24.7.1).
What I observe is, that VOIP doesn't work and our telephone is not reachable. When I dial our number, I get the message "The number you have called is temporarily not available".

In the Fritzbox, everything looks good, our telephone numbers are available and the Fritzbox shows no errors in the log.
In the OPNSense, I have Zenarmor on the LAN and Suricata on the WAN net. Both systems show no blocked queries. In the Zenarmor log I can see A, AAAA, SRV and UNKNOWN queries from the Fritzbox (10.20.1.2) to the sip provider (see screenshot Sensei log). Query type A is answered with an IPv4 address, query type AAAA is answered with NXDOMAIN and SRV and UNKNWN query gets no answer.

Could this be the problem, why our VOIP is not working?

To give you some background:
At first, this fritzbox was our internet facing router and VOIP was successfully set up. I then switched to a Sophos UTM Firewall and before the switch, I took a screenshot of the required ports for VOIP (see screenshot "Required ports for VOIP"). I forwarded neccessary ports to the fritzbox and everything worked fine.
Now I switched from the Sophos to OPNSense and I tried to "copy" the NAT and firewall rules from the Sophos to the OPNSense. Unfortunately, VOIP doesn't work as described above.
I attached a screenshot of the Firewall and NAT rules. Are they correct? Since Zenarmor gives NXDOMAIN for the AAAA query, I'm not sure, if IPv6 is configured correctly.

From a Facebook group, I got the hint to set up an outbound NAT rule with the following settings:
Interface: WAN
TCP/IP Version: IPv4
Protocol: TCP/UDP
Source address: IP_of_Fritzbox
Source port: any
Destination address: any
Destination port: any
Translation / target: WAN address
Static port: checked

Can you guys help me getting VOIP? If you need more information, I can give you what you need.

Thank you very much for your help!

Maginos

[Peter68]

Habe seit ein paar Tagen das gleiche Problem, Nummer ist nicht erreichbar. Nach draußen Telefonieren geht, es kommen aber keine Anrufe an (Rufnummer derzeit nicht erreichbar). Die Fritz!Box lief 1 Jahr Problemlos hinter opnsense. Diese Regeln haben die ganze Zeit gereicht. Inexio ist mein Anbieter, OPNsense 24.7.3_1

[Maginos]

@Peter68 Thank you for your reply and thank god, that I'm not the only one with this issue.

I was told by a Inexio technician, that the Registrar address changed to tel.voip.inexio.net.

Here's the most interesting part of the last answer from Inexio:

"Die automatische Rufnummer Konfiguration der FRITZ!Box erfolgte durch unser System. Diese Rufnummern können Sie anschließend auch nicht löschen.

Um alle Rufnummern zu bereinigen ist ein Laden der Werkseinstellungen nötig.

Anschließend können Sie die Internet und Telefonie Zugangsdaten manuell einrichten.

In der Regel wird die Telefonie auf dem ersten Router eingerichtet und dann an das Endgerät, an dem die Telefoniegeräte angemeldet sind weitergeleitet.

Bei der Einrichtung von Ihrem Kundeneigenen Router kann ich Sie leider nicht unterstützen. Wenden Sie sich für diese Art der Hausverkabelung bitte an den Hersteller oder an Fachpersonal vor Ort."

Not really helpful.

I try to solve this with IT guys that know OPNSense better than me and I will post the solution here, if I got it working.

Greetings

[Peter68]

Meine 3 Rufnummern sind grün also Verbunden und wenn ich es auf tel.voip.inexio.net umstelle, bekomme ich leider keine Verbindung. Werkseinstellung habe ich schon 2 mal geladen 

Sollte sich was bei mir ändern, werde ich mich auch melden

Gruß

[Maginos]

@Peter68: Can you post a screenshot of your settings of your telephone number? If you go into the WebGUI of the Fritzbox to "Telephone", "Own Numbers" and click on the pen beside your telephone number. That would be interesting. I can't register our numbers with the new sip address, so your settings would be interesting.

[Peter68]

Ich hatte heute die FritzBox direkt angeschlossen um zu sehen ob es an Inexio oder der opnsense liegt. Telefonieren ging dann sofort raus und rein. Hab dann die Fritz wieder hinter die opnsense angeschlossen und wieder das gleiche, raus telefonieren ja, rein nein.

Da mein System 1 Jahr funktioniert hat, muss sich etwas bei einem der letzten Update der opnsense verändert haben. Es handelt sich um eine eigene FritzBox 7490. Es läuft auch nur mit dem Registrar sip.inexio.net

[Maginos]

I assumed, that the OPNSense causes the problems.

Thank you for the screenshots.
Can you also make a screenshot of what you have under "advanced settings"? Its at the lower end of your settings. Thank you.

[meyergru]

Obviously, Inexio does not use IPv6 (as seen by the negative DNS replies). Thus, IPv6 rules would never apply but you need DNAT rules.

I do not know if this is the problem, but I just use a "pass" setting in the DNAT rules themselves and (if needed) create separate firewall rules for IPv6 only.

So, for SIP to work, I have:

Port forwards:

Port 5060 TCP/UDP NAT inbound for WAN -> IPv4 of Fritzbox with "Pass" filter rule.
Ports 7078-7109 UDP NAT inbound for WAN -> IPV4 of Fritzbox with "Pass filter rule.

Outbound (with Hybrid rules):

WAN from IPv4 of Fritzbox tcp/udp/* with static port = YES

Rules (not needed for IPv4 only):

Inbound TCP/UDP for dynamic IPv6 of Fritzbox on destination port 5060 pass
Inbound UDP for dynamic IPv6 of Fritzbox on destination port 7078-7109 pass

Of course, there must be no rules that could block that traffic before these rules (I saw some geoblocking). You can enable logging and look at the traffic when a call comes in.

[Maginos]

I tried the existing rules with the "Pass" option but that did not solve the problem, unfortunately.

The Outbound NAT rule I have.

Geoblocking is no issue, since the SIP Server is located in Germany and in OPNSense I block traffic from outside Germany. So that should not be an issue.

[meyergru]

You know how geoblocking works? There are lists of IP ranges that are thought to be associated to a country. Given the scarcity of IPv4 these days, sometimes, IP blocks are being sold and change location while the databases still lag behind. I admit that this is unlikely, however.

The safe way to see what is going on is to actually look at what is going on. That is why there are means to debug these things on OpnSense. You can look at the SIP registrations, because they are unencrypted and you can take a look at incoming SIP packets (RTP is not interesting if your phone does not ring in the first place).


Apart from that, there are a few other possibilities: SIP messages actually can get too long - they must fit into the MSS/MTU, otherwise they will be dropped. Depending on your WAN setup, you should checkt that your WAN MTU actually gets through via tools like this: https://www.baeldung.com/linux/maximum-transmission-unit-mtu-ip

Also, you can look at the outgoing SIP calls via tcpdump - there just was an incident where the VOIP client had too many codecs configured such that the SIP message was too long.

[Maginos]

Yes, I'm aware of that how GeoIP works.

Where would you recommend to look at SIP registrations?

I have interesting news:

I made tests with the software PhonerLite. I setup two profiles, one with sip.inexio.net as registrar and one with tel.voip.inexio.net as registrat. The first one was used from the ISP to first setup the fritzbox we got from them and the second one I got from Inexio some days ago.

Interestingly, for the profile with tel.voip.inexio.net, both calls work fine, incoming and outgoing calls.

But for sip.inexio.net only outgoing calls work.
In the annex you can find parts of the debug log of PhonerLite. Can you tell something about them?

[meyergru]

Obviously, sip.inexio.net is outdated. Also, their Interface Description shows tel.voip.inexio.net as registrar. And now you tried with another client and see the same.

So, something in your Fritzbox seems off (at least the registrar). Did you set "Portweiterleitung des Internet-Routers für Telefonie aktiv halten"?

From the Inexio documents, one can directly tell that they use "Deutsche Glasfaser" as underlying service provider. You should try to set that ISP in the list for your calling numbers in the Fritzbox. More often than not, Fritzbox uses tweaked settings for different providers. (cannot do that, because they have different registrars)

[Maginos]

Yes I have that option activated.

I changed the option "Transport Protocol" from TCP to automatic and now the fritzbox can successfully register the numbers with the tel.voip.inexio.net sip.

Since all my people at home are sleeping at the moment, I will try later and report back.

[Maginos]

@all. It's working again. 

I set up two new telefone numbers in the Fritzbox and it was crucial, that the options "use phone number for login" was activated and that the "Transport protocol" was set to Automatic and not to TCP.

@Peter68: Since the SIP address sip.inexio.net is no longer valid, I recommend you to do the same. You can check the settings I mentioned above and for everything else it should be straight forward. If you have questions feel free to ask.

Don't forget to check your "telephones" concerning incoming and outgoing telephone number.

[Peter68]

Freut mich das es bei dir jetzt geht 

Wenn ich die Fritz direkt an mein Modem anschließe geht telefonieren wunderbar und auch nur mit sip.inexio.net

Hängt die Fritz wieder hinter der OPNsense geht nur der Ruf raus aber nicht rein. Ports habe ich alles nach Anleitung freigegeben. Das komische ist ja, dass es 1 Jahr lang funktioniert hat, auch ohne Port forwards.

Gruß