Netgate Discussion Forum

    VoIP (SIP) through a VPN tunnel has WAN source address

    • Webcrusader

      OK, I've been beating my head against the desk for a few days on this one...

      I have two pfSense boxes with an OpenVPN tunnel between them. At the 'far' (server) end there is a FreePBX VoIP server and at the 'near' end is an IP phone. The IP phone is configured to retrieve its provisioning info. from the PBX server via FTP and communicate via SIP over UDP for VoIP service.

      The phone boots and pulls the config. data from the PBX server fine, but then refuses to connect (SIP REGISTER) with the VoIP server. According to pkt captures the traffic is flowing over the tunnel just fine - but here comes the really weird bit - when the SIP requests go over the tunnel the IP source address switches to the WAN address of the near end pfSense box. And it gets better... When I capture the traffic on the LAN where the phone lives the IP source address of the connection packets correctly shows the phone LAN IP.

      Somewhere within the giant brain that is pfSense, it is replacing the source IP of the phone with the WAN address of the pfSense box and then routing it over the OpenVPN tunnel to the far end. It never makes it to the PBX server as I believe the far end pfSense box is, reasonably, throwing the packet on the floor. Upon further inspection it is also replacing the source port (5060) with a randomized high port.

      And just because it wasn't yet weird enough, I have a softphone on my PC, on the same LAN as the phone, that connects just fine with the PBX server. Pkt. captures of its traffic show no source IP replacement on that traffic. I can access all other devices on the remote network just fine; SSH, FTP, NFS, HTTP(s), etc. from any device on my local LAN.

      Far End: Netgate appliance running v22.01, FreePBX on Linux host
      Local End: pfSense v2.3.6 (yeah, I know), Polycom IP 335, no VLAN

      I'm going to upgrade the near end to the current rev. of pfSense with fingers crossed but I know it's rather a long shot.

      After that I'm going to have a dozen adult beverages, and curl up into a fetal position for a bit. ANY insights/brainstorms/magic beans are welcome!

      • Webcrusader

        UPDATE: IT WORKS!
        I did a clean install of v2.6 and selectively imported sections from the prior config.; specifically the OpenVPN, System, FW aliases (NOT rules), DHCP and DNS forwarder services. I did add an 'allow any-any' rule to the OpenVPN interface, but the WAN and LAN interfaces were left at default (basically empty).

        I did add DHCP options 066 and 160 to specify a provisioning server rather than manually entering it on the phone. A factory reset of the phone did the expected; downloaded a config. and registered with the PBX at the remote site. It can make and receive calls normally.

        I can't honestly say what the root cause was so it will just have to remain a mystery.
