SOLVED: Having a maddening time getting a SIP Codec to work correctly.
-
Thanks for the reply.
Here are the port forwards, which include 5060, 6014, and 6015 - what their SIP compatibility requires be forwarded to the Comrex unit.
Also, the WAN rules that were created automatically when the port forwards were made.
Finally, the LAN rules that I made to avoid load balancing for the Comrex unit.
Thanks for helping this non-IT-pro.
-
Your NATs look OK unless I've missed something. I would temporarily disable pfBlocker and test again.
-
I'll try that, but pfBlocker was installed after this problem started. I just happened to discover that package as I was trying to figure all this out.
Just tried disabling it, but no change.
The radio station unit is no longer available for testing, so I'm using a program called Linphone (it's an Android SIP client) to connect to the Comrex. As before, it connects, but no data is transmitted or received by the Comrex.
I know the Linphone is set up correctly because the Comrex company has one of their units on the public internet that I can connect to with Linphone. Linphone is on 4G, so not the same network as the Comrex, which is on my Time Warner WAN.
I'm attaching two screenshots of the states that are active for the IP of my cell phone while I connect to the Comrex through PFSense router via Linphone. I connect successfully, but no audio data is transferred, and after 30 seconds or so, Linphone crashes.
When I capture packets associated with the Cell Phone IP it shows packets leaving my WAN IP from port 6014 and going to the Cell Phone IP port 7076.
When I use my Comrex to connect to Comrex's test unit via SIP, it works fine. Packet capture shows packets leaving and coming, and states show multiple states on ports 6014 and 6015, whereas, as you can see, when I dial into my Comrex from Linphone those ports show single/no traffic.
I'm so confused. Thanks for any insights and suggestions you might have!
-
Anything related in the firewall log being blocked on WAN?
I use Polycom VoIP phones here and they just work without any voodoo. No port forwards required. They reach out and keep the states open for inbound signalling and data.
-
No entries for the Cell Phone IP in the firewall logs when I connect via Linphone.
If I turn off the port forwards, firewall blocks to the Cell Phone IP show up on port 5060, as they should.
-
It's probably an advanced network option like strict NAT or static source ports or something like that. Search these forums for keywords like SIP, VoIP, no audio as I've seen these types of cases before but I haven't paid them much attention.
-
Destination on your WAN firewall rules should be the IP address of the Comrex box.. or the IP subnet that covers multiple boxes.
Get rid of any port forwarding and see how that works out for you.
Broadcast stuff we use is all T-1 so this is out of the knowledge base. But ROIP and VOIP is usually visited once a week or so.
-
It is. "Comrex_Access_Rack" is an alias for the LAN IP for the Comrex box.
-
Again, no concrete help but some reading that may point the way.
https://doc.pfsense.org/index.php/VoIP_Configuration
https://doc.pfsense.org/index.php/Static_Port
https://forum.pfsense.org/index.php?topic=63424.0
-
Destination on your WAN firewall rules should be the IP address of the Comrex box.. or the IP subnet that covers multiple boxes.
Get rid of any port forwarding and see how that works out for you.
Getting rid of the port forward doesn't make sense, and doesn't work - that just makes Linphone not connect at all.
-
Getting rid of the port forward doesn't make sense, and doesn't work - that just makes Linphone not connect at all.
Just a test.
In the SIP world it does make sense because the client SIP device reports in its header its NAT address.
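To illustrate the point in the reply above that a SIP device reports addresses inside its own messages, here is an added example (not part of any post in this thread, and not Comrex, Linphone or pfSense code). It pulls the Contact and SDP audio endpoints out of a constructed message and lists those that are RFC 1918 addresses differing from the source the packet actually arrived from; the sample addresses are made up, and only port 6014 is taken from the thread.

```python
import ipaddress
import re

# RFC 1918 ranges: addresses a peer on the public internet cannot send to.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a 200 OK with SDP from a device on a LAN.
# Addresses are made up; port 6014 is the audio port named in the thread.
SAMPLE_MESSAGE = (
    "SIP/2.0 200 OK\r\n"
    "Contact: <sip:codec@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.1.50\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "t=0 0\r\n"
    "m=audio 6014 RTP/AVP 9\r\n"
)

def advertised_endpoints(message):
    """Return (field, ip, port) for each place the message says 'send here'."""
    head, _, body = message.partition("\r\n\r\n")
    found = []
    for line in head.split("\r\n")[1:]:          # skip the status/request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "contact":
            # Only IPv4 literals are handled; hostnames are ignored.
            m = re.search(r"sips?:(?:[^@>;]+@)?([0-9.]+)(?::(\d+))?", value)
            if m:
                found.append(("Contact", m.group(1), int(m.group(2) or 5060)))
    conn_ip = None
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):         # where media should be sent
            conn_ip = line.split()[2]
        elif line.startswith("m=audio ") and conn_ip:
            found.append(("SDP audio", conn_ip, int(line.split()[1])))
    return found

def unreachable_endpoints(message, observed_source_ip):
    """Endpoints that are private and differ from the packet's real source."""
    return [(field, ip, port)
            for field, ip, port in advertised_endpoints(message)
            if ip != observed_source_ip
            and any(ipaddress.ip_address(ip) in net for net in RFC1918)]
```

Feeding it the text of a SIP message from a packet capture, together with the source IP shown for that packet, shows whether the addresses inside the message match what the far end actually sees.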
-
I did get rid of the 6014 and 6015 port forwards and that made no difference. It still connects, but no data is transferred.
I've tried all the troubleshooting links I can find. There must be something that will work, but I'm baffled as to what it is. Having spent nearly two weeks on this, I'm getting close to contacting support.
-
Have any documentation from Comrex describing exactly what they need from a firewall - NAT in particular?
-
They say to forward ports 5060, 6014, and 6015 UDP to the unit and it needs a static IP. I've since assigned the unit to avoid load balancing as I'm on a dual-WAN, but that didn't solve the problem.
Here's their guide to connect Linphone SIP client with the Comrex:
http://www.comrex.com/wp-content/uploads/2016/01/Linphone-technote-for-ACCESS-and-BRIC-Link.pdf
Works fine when I connect to their test, works fine when I plug the Comrex directly into my cable modem, so it's definitely not a problem with Linphone or the Comrex - seems like something in PFsense is getting in the way.
-
That's great but there is nothing to get in the way there.
I see no mention of outbound connections from the codec so delete any static port outbound NAT you have created. It won't help and might break something else.
What are the contents of all your aliases?
I see no mention of TCP in that document. Why is your SIP forward TCP/UDP?
You do not need to worry about Multi-WAN on inbound connections from clients. pf reply-to handles that and is automatic as long as that connection is set up as a WAN (Has a gateway set on the interface). That is unless the default gateway on the codec is not set to pfSense LAN in which case you'll have all sorts of asymmetric routing issues.
-
This right?
http://www.comrex.com/wp-content/uploads/2016/02/ACCESS-Rack-Manual.pdf
Are you running v3.0 firmware? If not then you need to be forwarding different ports.
In the case of SIP, this must be three discrete ports (For Comrex codecs these are UDP 5060, 5014 and 5015)
<6014 and 6015 with 3.0 firmware>
Do you see any blocked traffic in the firewall log from the client IP you are trying to connect from?
Steve
-
Derelict:
I've tried static port on and off and neither worked, so it's off at this time.
I was forwarding TCP so a port checker would be able to verify the forwards. It's not necessary for the Comrex. Only UDP.
Do you want the full contents of my aliases on ports, or just those related to the Comrex?
-
This right?
http://www.comrex.com/wp-content/uploads/2016/02/ACCESS-Rack-Manual.pdf
Are you running v3.0 firmware? If not then you need to be forwarding different ports.
In the case of SIP, this must be three discrete ports (For Comrex codecs these are UDP 5060, 5014 and 5015)
<6014 and 6015 with 3.0 firmware>
Do you see any blocked traffic in the firewall log from the client IP you are trying to connect from?
Steve
I'm running Comrex 4.0-p9 - the latest firmware. Ports 5060 and 6014 and 6015 are the proper ports, per the advanced settings in the unit.
I've checked the firewall, and no, I don't see any blocked traffic from the IP in question.
-
As you can see in the pic I posted in this post: https://forum.pfsense.org/index.php?topic=121139.msg671629#msg671629
There are states between my cell phone IP and all three ports in question. But no meaningful amount of audio data (like a 64kbps audio stream) is being transmitted.
-
(Going on the radio for a few hours - will check back later. Thanks for the help, all.)