| Interface | Proto | Source Address | Source Ports | Destination Address | Destination Ports | NAT IP | NAT Ports | Description |
|---|---|---|---|---|---|---|---|---|
| LAN | TCP | * | * | LAN address | 22, 80, 443 | * | * | Anti-Lockout Rule |
| WAN | UDP | SIP_IPv4 | 5060 (SIP) | 123.45.6.789 | * | 192.168.20.21 | 5062 | SIP IPv4 redirect |
| WAN | UDP | SIP_IPv4 | 5060 (SIP) | 123.45.6.789 | * | 192.168.20.22 | 5064 | SIP IPv4 redirect |
| WAN | UDP | RTP_IPv4 | * | 123.45.6.789 | 49252 - 49262 | 192.168.20.21 | 49252 - 49262 | RTP IPv4 Redirect |
| WAN | UDP | RTP_IPv4 | * | 123.45.6.789 | 49272 - 49282 | 192.168.20.22 | 49272 - 49282 | RTP IPv4 Redirect |
~ # pfctl -s nat
[snip ...]
rdr on pppoe0 inet proto udp from <SIP_IPv4> port = sip to 123.45.6.789 -> 192.168.20.21 port 5062
rdr on pppoe0 inet proto udp from <RTP_IPv4> to 123.45.6.789 port 49252:49262 -> 192.168.20.21 port 49252:49262
rdr on pppoe0 inet proto udp from <RTP_IPv4> to 123.45.6.789 port 49272:49282 -> 192.168.20.22 port 49272:49282
I think that you must not have port translation. For the RTP ports, this is mandatory, since the SIP signalling done by the phones tells the registrar on which ports the RTP connection must be done. If the firewall interferes with that via port translation, it would not work.
So, just like with the RTP ports, you would have to use ports 5062 and 5064 on the WAN interface as well.
rdr on pppoe0 inet proto udp from <SIP_IPv4> port = sip to 123.45.6.789 port = 5062 -> 192.168.20.21 port 5062
rdr on pppoe0 inet proto udp from <SIP_IPv4> port = sip to 123.45.6.789 port = 5064 -> 192.168.20.22 port 5064
rdr on pppoe0 inet proto udp from <RTP_IPv4> to 123.45.6.789 port 49252:49262 -> 192.168.20.21 port 49252:49262
rdr on pppoe0 inet proto udp from <RTP_IPv4> to 123.45.6.789 port 49272:49282 -> 192.168.20.22 port 49272:49282
Also, I would not limit the rule to some known IPs of the SIP registrar, as they could change in the future. If you want to secure the ports, use the ASN of the registrar.
You did use "static port" for the connections?
I've had a similar issue with Verizon and outgoing calls over "wifi calling." I have yet to find any setting I can change to make it work, but this has persisted for a very long time and isn't new in 24.7 for me.
Quote from: meyergru on September 01, 2024, 11:35:56 pm
You did use "static port" for the connections?

Sorry, I am not familiar with many OPNsense configuration options - are you referring to the Outbound NAT option to enable a "static port"? I have not changed the Outbound NAT from 'auto'. I only have one IPv4 public address at this moment.

Also, the SIP registrar responds to the correct ports for each phone, each phone registers successfully and incoming calls can be answered. It is the outgoing calls which fail.
nat on pppoe0 inet proto udp from 192.168.20.21 to <SIP_IPv4> -> (pppoe0:0) static-port
nat on pppoe0 inet proto udp from 192.168.20.22 to <SIP_IPv4> -> (pppoe0:0) static-port
[snip ...]
rdr on pppoe0 inet proto udp from <SIP_IPv4> port = sip to 123.45.6.789 port = 5062 -> 192.168.20.21 port 5062
rdr on pppoe0 inet proto udp from <SIP_IPv4> port = sip to 123.45.6.789 port = 5064 -> 192.168.20.22 port 5064
rdr on pppoe0 inet proto udp from <RTP_IPv4> to 123.45.6.789 port 49252:49262 -> 192.168.20.21 port 49252:49262
rdr on pppoe0 inet proto udp from <RTP_IPv4> to 123.45.6.789 port 49272:49282 -> 192.168.20.22 port 49272:49282
| Interface | Proto | Source Address | Source Ports | Destination Address | Destination Ports | NAT IP | NAT Ports | Description |
|---|---|---|---|---|---|---|---|---|
| WAN | UDP | SIP_IPv4 | 5060 (SIP) | 123.45.6.789 | * | 192.168.20.21 | 5062 | SIP IPv4 redirect |
| WAN | UDP | SIP_IPv4 | 5060 (SIP) | 123.45.6.789 | * | 192.168.20.22 | 5064 | SIP IPv4 redirect |

| Interface | Proto | Source Address | Source Ports | Destination Address | Destination Ports | NAT IP | NAT Ports | Description |
|---|---|---|---|---|---|---|---|---|
| WAN | UDP | SIP_IPv4 | * | 123.45.6.789 | 5062 (SIP) | 192.168.20.21 | 5062 | SIP IPv4 redirect |
| WAN | UDP | SIP_IPv4 | * | 123.45.6.789 | 5064 (SIP) | 192.168.20.22 | 5064 | SIP IPv4 redirect |

| Interface | Proto | Source Address | Source Ports | Destination Address | Destination Ports | NAT IP | NAT Ports | Description |
|---|---|---|---|---|---|---|---|---|
| WAN | UDP | SIP_IPv4 | 5060 (SIP) | 123.45.6.789 | 5062 | 192.168.20.21 | 5062 | SIP IPv4 redirect |
| WAN | UDP | SIP_IPv4 | 5060 (SIP) | 123.45.6.789 | 5064 | 192.168.20.22 | 5064 | SIP IPv4 redirect |

| Interface | Proto | Source Address | Source Ports | Destination Address | Destination Ports | NAT IP | NAT Ports | Description |
|---|---|---|---|---|---|---|---|---|
| WAN | UDP | SIP_IPv4 | * | 123.45.6.789 | 5062 | 192.168.20.21 | 5062 | SIP IPv4 redirect |
| WAN | UDP | SIP_IPv4 | * | 123.45.6.789 | 5064 | 192.168.20.22 | 5064 | SIP IPv4 redirect |
Thanks meyergru,

I added two Outbound rules, one for each phone. I now have:

nat on pppoe0 inet proto udp from 192.168.20.21 to <SIP_IPv4> -> (pppoe0:0) static-port
nat on pppoe0 inet proto udp from 192.168.20.22 to <SIP_IPv4> -> (pppoe0:0) static-port
Normally, it shouldn't be necessary to create manual NAT rules for SIP Phones. They should register with SIP, which also creates a dynamic NAT translation and Firewall Pinhole (if not restricted). In an INVITE, there would also be signalling information about what ports and IPs are to be used for RTP (the actual Audio) and those should also be the real IP addresses. The best suggestion I have is to leave that process to be handled automatically.

I, as a VoIP engineer, find OPNsense and pfSense most excellent Edge Firewalls straight out the box.
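
The two checks raised earlier in this thread (no port translation on the SIP/RTP redirects, and static-port on the phones' outbound NAT) can be run against `pfctl -s nat` output. This is an added example, not part of any poster's message; the sample rules are constructed from the thread's placeholder addresses, and `audit` is a hypothetical helper name.

```python
import re

# Constructed sample in the format `pfctl -s nat` prints, using the thread's
# placeholder addresses. The first rdr rule translates the port; the second
# nat rule lacks static-port.
SAMPLE = """\
nat on pppoe0 inet proto udp from 192.168.20.21 to <SIP_IPv4> -> (pppoe0:0) static-port
nat on pppoe0 inet proto udp from 192.168.20.22 to <SIP_IPv4> -> (pppoe0:0)
rdr on pppoe0 inet proto udp from <SIP_IPv4> port = sip to 123.45.6.789 -> 192.168.20.21 port 5062
rdr on pppoe0 inet proto udp from <SIP_IPv4> port = sip to 123.45.6.789 port = 5064 -> 192.168.20.22 port 5064
rdr on pppoe0 inet proto udp from <RTP_IPv4> to 123.45.6.789 port 49252:49262 -> 192.168.20.21 port 49252:49262
"""

# rdr: optional WAN-side destination port, then redirect target host and port.
RDR = re.compile(r"^rdr on \S+ .* to \S+(?: port (?:= )?(\S+))? -> (\S+) port (\S+)$")
# nat: source host, then whatever options follow the translation address.
NAT = re.compile(r"^nat on \S+ .* from (\S+) to \S+ -> \S+(.*)$")


def audit(pf_nat_output):
    """Return findings for rules that rewrite ports the phones announce in SIP."""
    findings, phones, nats = [], set(), []
    for line in pf_nat_output.splitlines():
        line = line.strip()
        if m := RDR.match(line):
            ext_port, host, int_port = m.groups()
            phones.add(host)
            # No destination port on the WAN side means "any port", which the
            # rule then rewrites to int_port: that is port translation.
            if ext_port != int_port:
                findings.append(("rdr-port-translation", host, ext_port or "any", int_port))
        elif m := NAT.match(line):
            nats.append((m.group(1), "static-port" in m.group(2).split()))
    for src, static in nats:
        # Without static-port, pf may rewrite the source port of outbound packets.
        if src in phones and not static:
            findings.append(("nat-no-static-port", src))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```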