Upgrade CE 2.6 to CE 2.7 breaks VOIP
-
@brianjmc1 What PBX? We have several clients for which we host 3CX servers and have no issues, on various recent Plus versions. Though, the standard with 3CX is to use an SBC for phones to connect out to a hosted server.
Did you find https://docs.netgate.com/pfsense/en/latest/recipes/nat-voip-phones.html ?
-
@SteveITS
Freepbx in the cloud. Again, I can confirm, ce2.6 no problem, just did another clean install of ce2.7 and phones will not register. Then did clean install of ce2.6 on same hardware and all is fine. So there has to be some difference between 2.6 and 2.7. I can ping pbx in cloud fine.... Thanks,
Brian
-
What states do you see opened when the phones try to register?
-
@stephenw10
What do you mean by "states"??
-
Go to Diag > States and filter by the IP address of the phone.
When the phone tries to connect out the traffic creates firewall states on the internal interface and firewall states with NAT on the WAN.
If something is not behaving as expected you may see it there. For example a missing state or incorrect NAT.
-
Not using CE in prod but I can validate that I've never had VOIP issues at all during any of the more recent updates, I would definitely check the states etc.... to see what's going on.
Additionally, if you run 2.6 and register a phone, and then swap to 2.7 does the phone still work or does it un-register so to speak?
-
Re: Upgrade CE 2.6 to CE 2.7 breaks VOIP
Sorry for not replying back, between work travel and sick kids it's been a rough 4 weeks...
Went to friend's office and swapped out router (same settings except current v2.6, new v2.7), outgoing calling does not work, busy signal. Swap LAN\WAN cables without rebooting modem, routers or phones, calling works fine (also rebooted everything with same outcome, v2.6 works fine, v2.7 no outgoing).
Office has static IP. Took v2.7 back to my office, changed static IP (to one of mine) and gateway (and whitelisted my static IP), outgoing works fine...
aghhhhhhhhh
Will do more testing and check states next time I'm in friend's office...
-
@brianjmc1 Yeah if it's working on 2.7 back at your office, then sounds like it's maybe not a pfSense specific issue, definitely odd though....
-
OK, I am actually onsite and found what's breaking VOIP traffic. I have three IPSEC VPNs set up. If I boot 2.7 router with them disabled, calls work fine. The minute I enable on ANY IPSEC VPN, calls fail outgoing.
Any idea? Same setup with 2.6 and VPNs on, calls still work fine....
So it's something different with 2.7.
Thanks for any help!
-
The VoIP doesn't actually go over the VPNs? Or shouldn't presumably but maybe some of it does?
What do you have set in System > Advanced > Firewall in the VPN Processing section? Some of that applies on to the subnets defined in the IPSec config when it's enabled. Specifically MSS clamping.
-
@stephenw10 Nothing. Again, exact same setup on two routers, 2.6 and 2.7. 2.6 with IPSEC VPNs enabled, no problem...
2.7, no IPSEC enabled, no problem; the minute I enable on any IPSEC VPN, no outbound calls. Also, the only way I can get phones to work after that is a reboot, so turning off IPSEC VPN on 2.7 still won't let calls out. Only a reboot will work...
-
@brianjmc1 So 2.6 setup, with VPNs enabled works
2.7 with VPNs disabled works, minute they are turned on, outgoing calls fail. Only way to get working again on 2.7 is reboot...
-
OK, back in my office. I have 5 Static IP's to play with.
Reconfigured 2.7 router to VPN to my main static IP. As long as the IPSEC VPN is off, outgoing calls work. The minute I enable the IPSEC VPN, outgoing fails....
Again, and I know I am repeating myself, same setup does work on 2.6
-
And none of the IPSec P2 policies conflict with the VoIP traffic?
-
@stephenw10 negative. I copied the EXACT same settings from 2.6 to 2.7....
-
Ok, so reviewing the thread, are phones still failing to register when using 2.7 with IPSec enabled? Or is it just that calls fail?
Either way look at the SIP traffic from a phone. Check the states and/or run packet captures. Where does it appear? Where doesn't it appear? Is it somehow going over the VPN?
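
The state check suggested in this thread (a phone's SIP traffic should create a state on the internal interface and a NATed state on WAN, and should not appear on the IPsec interface), as an added example that is not part of any poster's reply. The interface names, addresses and sample lines are constructed, and both the `pfctl -ss`-style line format and `enc0` as the IPsec interface are assumptions.

```python
# Added example: constructed sample lines in an assumed `pfctl -ss`-style format.
SAMPLE_OK = """\
igb1 udp 198.51.100.20:5060 <- 192.168.1.50:5060       MULTIPLE:MULTIPLE
igb0 udp 203.0.113.2:41822 (192.168.1.50:5060) -> 198.51.100.20:5060       MULTIPLE:MULTIPLE
"""
SAMPLE_VPN = """\
igb1 udp 198.51.100.20:5060 <- 192.168.1.50:5060       MULTIPLE:MULTIPLE
enc0 udp 192.168.1.50:5060 -> 198.51.100.20:5060       SINGLE:NO_TRAFFIC
"""
ARROWS = {"->", "<-"}

def parse_states(text):
    """Turn state lines into dicts: interface, hosts seen, NAT flag, state."""
    states = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not ARROWS & set(parts):
            continue  # header, blank or unrelated line
        addrs = [p for p in parts[2:-1] if p not in ARROWS]
        states.append({
            "iface": parts[0],
            # "(a.b.c.d:port)" is the pre-NAT address; drop the port to compare hosts
            "hosts": [a.strip("()").rsplit(":", 1)[0] for a in addrs],
            "nat": any(a.startswith("(") for a in addrs),
            "state": parts[-1],
        })
    return states

def check_phone(text, phone_ip, lan_if, wan_if, ipsec_if="enc0"):
    """Return finding codes for one phone; [] means LAN state plus NATed WAN state."""
    mine = [s for s in parse_states(text) if phone_ip in s["hosts"]]
    on = lambda name: [s for s in mine if s["iface"] == name]
    findings = []
    if not on(lan_if):
        findings.append("NO_LAN_STATE")   # phone traffic never reached the firewall
    if not on(wan_if):
        findings.append("NO_WAN_STATE")   # passed in on LAN but never left via WAN
    elif not all(s["nat"] for s in on(wan_if)):
        findings.append("WAN_NO_NAT")     # left WAN with the private source address
    if on(ipsec_if):
        findings.append("ON_IPSEC")       # SIP is matching an IPsec policy
    return findings

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("vpn", SAMPLE_VPN)):
        print(name, check_phone(sample, "192.168.1.50", "igb1", "igb0"))
```

Comparing the findings for the same phone with the tunnels disabled and then enabled shows whether the SIP traffic moves from WAN to the IPsec interface.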