VOIP: pfsense drops ACK package send from trunk provider.

Xanacas

Hi there,

I've got a problem with the combination of an unregistered trunk (IPDirections) and my PBX (SwyxWare).
Outgoing calls work fine, incoming calls just for 30 sec.

I figured out, that my PBX confirms the invite with "ringing" and finally with "ok" once the call is accepted. However the "ACK" which is then send to the PBX seems to be dropped without any notice by the PFsense.
I can see (using packet capture) the incoming ACK package on my WAN interface, but it does not appear on my LAN interface.
The package looks on the WAN interface like this:
128.140.150.200:5060 -> 62.154.242.220:65002
which seems to be correct as my PBX acts for external SIP connections on port 65002.
If got a NAT rule with an associated Firewall rule to forward all packages for 62.154.242.220:65002 to my internal PBX: 192.168.100.18:65002

However the ACK package is neither forwarded to my internal IP nor it is listet in the firewall logs as blocked traffic.

Swyxware                    IPDirections
            <<<<invite <<<<<br="">            >>>>Ringing >>>>
            >>>> OK >>>>
            <<< <ack <<<< =""  ="" <-="" lost!?<br="">I've read this post, which explains almost exactly my problem:
https://forum.pfsense.org/index.php?topic=45255.0

• however I've one additional port forwarding and the solutions mentioned in this thread do not work for me.
  As you can see on my screenshot, IPDirections sends the INVITE to port 5060 which is then forwarded by my NAT to 65002. The ACK is send directly to 65002. However as I have two NAT rules, one for 5060 -> 65002 and one for 65002 -> 65002 I think that should be an issue.

Does anyone has an idea on how to solve this issue?

many thanks in advance!
Christian



</ack></invite>

Derelict

What does the filter rule look like?

How do you know the packet is not being sent? You probably want to verify that with a packet capture on the inside interface going to the PBX.

You can have multiple outside ports forwarded to the same inside port.

Xanacas

@Derelict:

What does the filter rule look like?

Please have a look to the attached screenshot
@Derelict:

How do you know the packet is not being sent? You probably want to verify that with a packet capture on the inside interface going to the PBX.

thats what I did and how I figured out, that the packet seems to disappear at the firewall.
I can see the INVITE, the TRYING, the RINGING and the OK but the ACK packet is not included in the packet capture of my LAN interface.

Xanacas

Hi there,
it seems that this error is caused because the same source (128.140.150.200:5060) is sending packets to two different ports.

I've asked IPDirections to start the communication directly on 65002, which means all communication from port 128.140.150.200:5060 is send to 65002. That did the trick, now all packets gets through to my PBX.
For me this issue is solved with a workaround, however I still believe  this is an pfsense/FreeBSD issue.

Many thanks for assistance!

Chris