Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    [SOLVED] HTTPs response from VoIP to LAN subnet is rejected or dropped

    Firewalling
    2
    7
    655
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      regexaurus
      last edited by regexaurus

      I have a fairly basic config with several subnets including one for VoIP and one for default LAN. Ping is successful from PC on LAN to phone on VoIP. Phones have built-in network diagnostic features, including ping. Ping from phone on VoIP subnet to PC on LAN subnet is also successful. Attempts to access phone web (https) interface from PC on LAN fails/times out. From a couple packet captures, I see that https requests reach phone and phone responds, but from capture on LAN side, https responses do not reach PC. From a VM connected to VoIP subnet for testing purposes, I can access phone web interface with no problem. I tried accessing a phone web interface from a different device on LAN subnet, just in case, but the trouble persists. Firewall rules appear in order (allow all from VoIP net on LAN...). I don't have ICMP/ping-specific rules for VoIP net <-> LAN. Any suggestions for further troubleshooting?

      Thank you!

      R 1 Reply Last reply Reply Quote 0
      • R
        rcoleman-netgate Netgate @regexaurus
        last edited by

        @regexaurus Anything in the System->Status Log->Firewall for this?

        Ryan
        Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
        Requesting firmware for your Netgate device? https://go.netgate.com
        Switching: Mikrotik, Netgear, Extreme
        Wireless: Aruba, Ubiquiti

        R 1 Reply Last reply Reply Quote 0
        • R
          regexaurus @rcoleman-netgate
          last edited by

          @rcoleman-netgate I monitored System Logs > Firewall > Dynamic View while attempting to access a phone web interface from PC on LAN, but I see no related entries...

          R 1 Reply Last reply Reply Quote 0
          • R
            rcoleman-netgate Netgate @regexaurus
            last edited by

            @regexaurus OK.

            Can you ping the interface?
            Where are you doing the captures from?

            When troubleshooting routing issues do PCAPs on the interfaces (all of them) in order of the path from Source to Destination. Filter for ports/protocols and one of the IPs related to the search.

            I have found often times that if traffic isn't hitting the last interface it's likely due to a blown route (maybe a dormant VPN connection as was the case with my Wireguard issue last week) or if it hits that last interface and doesn't come back then it's the destination system simply ignoring the request because it's not in its approved network range.

            Ryan
            Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
            Requesting firmware for your Netgate device? https://go.netgate.com
            Switching: Mikrotik, Netgear, Extreme
            Wireless: Aruba, Ubiquiti

            R 1 Reply Last reply Reply Quote 0
            • R
              regexaurus @rcoleman-netgate
              last edited by regexaurus

              @rcoleman-netgate
              From phones on VoIP subnet, I can ping:

              • VoIP net interface IP (pfSense)
              • LAN net interface IP (pfSense)
              • PC IP on LAN net

              From PC on LAN subnet, I can ping

              • LAN net interface IP
              • Phone IP on VoIP net

              but attempt to ping VoIP net interface IP times out... 🤔

              Ping from pfSense (source: VoIP net interface IP) to PC on LAN net is successful tho. 🤨

              I did promiscuous PCAPs from pfSense, on the VoIP and LAN interfaces, filtering on phone IP, while attempting to access phone web interface. This is how I determined https requests from PC on LAN are reaching phone, and responses are reaching VoIP net interface on pfSense, but responses are not arriving back at PC...

              I was wondering about routes too, but haven't found anything out of order yet.

              R 1 Reply Last reply Reply Quote 0
              • R
                rcoleman-netgate Netgate @regexaurus
                last edited by

                @regexaurus said in HTTPs response from VoIP to LAN subnet is rejected or dropped:

                I did promiscuous PCAPs from pfSense, on the VoIP and LAN interfaces, filtering on phone IP, while attempting to access phone web interface. This is how I determined https requests from PC on LAN are reaching phone, and responses are reaching VoIP net interface on pfSense, but responses are not arriving back at PC...

                This suggests the devices you're trying to ping are actively ignoring the requests.

                Ryan
                Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                Requesting firmware for your Netgate device? https://go.netgate.com
                Switching: Mikrotik, Netgear, Extreme
                Wireless: Aruba, Ubiquiti

                1 Reply Last reply Reply Quote 0
                • R
                  regexaurus
                  last edited by

                  Turned out I had a forgotten legacy (no longer relevant) DHCP-assigned static route. No more trouble after this was removed from DHCP and DHCP release renewed...

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.