Asterisk/SIP behind NAT
-
Hi all,
I seem to have an issue with incoming calls to my PBX behind NAT
pfsense has a static IP and NAT is set to Hybrid with a rule just for the PBX with static ports on top
Port forwarding is also set up for all ports, and as far as I can tell (tested netcat listening on a random forwarded port and some port test website) it is working correctly.
Outbound calls are working without issue, but inbound calls have no Sound in either direction.
I did a packet capture on the WAN interface and on a monitoring port on the LAN side at the same time with an inbound call.
I can see an outbound RTP stream, same originating ports on both sides of the FW (so I assume static port is working) and I also can see RTCP receiver reports coming back, also same port on both sides of the Firewall. So I'd expect at least outbound audio, but no luck.
The provider of the sip peer point at the firewall, but I can't really see what I can change. Port Forwarding seems to be working correctly, the PBX is configured for NAT (it also works with a different sip provider) including the static IP as external IP, and I can see at least the outbound rtp stream going out seemingly correctly. The peer is also not blocked by snort.
I'm kinda running out of ideas on what to try next.The Flow in Wireshark looks like this:
|Time | 85.25.203.230 | 192.168.1.3 | | | | xx.xxx.xxx.xxx | |9.819592 | INVITE SDP (g711A g7 | |SIP INVITE From: <sip:+<callerid>@sip.voip2gsm.de To:<sip:+<did>@xx.xxx.xxx.xxx:5060 Call-ID:1505320316@sip.voip2gsm.de CSeq:2119745 | |(5060) ------------------> (5060) | | |9.824128 | 100 Trying| | |SIP Status 100 Trying | |(5060) <------------------ (5060) | | |9.913198 | 200 OK SDP (g711U g7 | |SIP Status 200 OK | |(5060) <------------------ (5060) | | |9.931079 | ACK | | |SIP Request INVITE ACK 200 CSeq:2119745 | |(5060) ------------------> (5060) | | |10.434927| RTP (g711U) | |RTP, 50 packets. Duration: 4294956.862s SSRC: 0x6591D615 | |(17698) <------------------ (28208) | | |11.491686| RTP (g711A) | |RTP, 505 packets. Duration: 4294955.805s SSRC: 0x6591D615 | |(17698) <------------------ (28208) | | |21.597939| INVITE SDP (g711A g711U GSM telephone-ev |SIP INVITE From: <sip:+<callerid>@sip.voip2gsm.de To:<sip:+<did>@xx.xxx.xxx.xxx:5060 Call-ID:1505320316@sip.voip2gsm.de CSeq:2119745 | |(5060) --------------------------------------> (5060) | |21.602215| 100 Trying| | |SIP Status 100 Trying | |(5060) <-------------------------------------- (5060) | |21.603498| RTP (g711A) | |RTP, 31 packets. Duration: 4294945.693s SSRC: 0x6591D615 | |(17698) <------------------ (28208) | | |21.691227| 200 OK SDP (g711U g711A GSM telephone-ev |SIP Status 200 OK | |(5060) <-------------------------------------- (5060) | |21.709359| ACK | | |SIP Request INVITE ACK 200 CSeq:2119745 | |(5060) --------------------------------------> (5060) | |22.212878| RTP (g711U) | |RTP, 1 packets. Duration: 4294945.084s SSRC: 0x6591D615 | |(17698) <-------------------------------------- (28208) | |22.223466| RTP (g711A) | |RTP, 1 packets. Duration: 4294945.073s SSRC: 0x6591D615 | |(17698) <------------------ (28208) | | [...] | |(17698) <-------------------------------------- (28208) | |23.183392| RTP (g711A) | |RTP, 1 packets. Duration: 4294944.113s SSRC: 0x6591D615 | |(17698) <------------------ (28208) | | |23.192735| RTP (g711U) | |RTP, 1 packets. Duration: 4294944.104s SSRC: 0x6591D615 | |(17698) <-------------------------------------- (28208) | |23.203363| RTP (g711A) | |RTP, 605 packets. Duration: 4294944.093s SSRC: 0x6591D615 | |(17698) <------------------ (28208) | | |23.401373| BYE | | |SIP Request BYE CSeq:2119747 | |(5060) ------------------> (5060) | | |23.402732| 200 OK | | |SIP Status 200 OK | |(5060) <------------------ (5060) | | |35.179363| BYE | | |SIP Request BYE CSeq:2119747 | |(5060) --------------------------------------> (5060) | |35.180573| 200 OK | | |SIP Status 200 OK | |(5060) <-------------------------------------- (5060) |</sip:+<did></sip:+<callerid></sip:+<did></sip:+<callerid>