PfSense IPsec FreePBX no audio times out after 30 seconds



  • Everyone has seen that title before and as much as I search I keep not finding an answer. Perhaps my setup is unique in some fashion so, here I go.

    I have a FreePBX box behind a pfSense (version 2.3) box. I'll call this one "location A". Connected via an IPsec tunnel is "location B", where I have three extensions connected to the FreePBX at "location A". For several months everything worked fine, until yesterday.

    Last week I discovered that I was being probed by many blacklisted VoIP IP address sites searching for a connection. This caused me to review my initial setup and change the "source address" from 'any' to the IP address for my SIP provider, thereby ending the blacklist IP attack.

    However, I have now lost audio (both inbound and outbound) on all calls placed from the "location B" extensions, and any calls to or from "location B" time out after 30 seconds. Calls from the extensions connect, as do calls to the extensions; there is just no audio, and calls time out after 30 seconds. (This is NOT a one-way audio loss situation.)

    I have read and re-read many postings, searched the forums, searched (insert your favorite search engine name here) and still cannot get audio to connect. I will add here that until I replaced the 'any' source, everything worked fine.

    Packet captures reveal an "unknown@[ip address]" and this is where I think I am losing RTP. But I am not sure what I am looking for in the packet capture.

    What am I overlooking? Suggestions?



  • I'm really not a VoIP guru, but whenever I have this behavior (calls dropped after a time-out), it is when there is a wrong NAT behavior somewhere. The PBX side would be receiving packets where the source IP at the network & transport layer doesn't match the IP declared at the SIP application layer.
    Could it be that it was working before because your PBX setting was "easy" and therefore you were not noticing this NAT issue?
    Can you check on the PBX to see the source IPs of the stations registering, and check the tables for the registered extensions, and see if there is a match?
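
The comparison suggested in the reply above (packet source IP versus the addresses declared inside the SIP message), as an added example that is not part of the original thread. The trimmed INVITE, every address and the function names are constructed for illustration.

```python
import re

# Constructed, trimmed sample: an INVITE as the PBX might receive it, plus the
# source IP seen at the network layer. Every address here is made up.
SAMPLE_SRC_IP = "10.20.0.1"
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:100@192.168.10.5 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.20.31:5060;branch=z9hG4bK-constructed;rport",
    "Call-ID: constructed-call-1@192.168.20.31",
    "CSeq: 1 INVITE",
    "Contact: <sip:201@192.168.20.31:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "c=IN IP4 192.168.20.31",
    "m=audio 16384 RTP/AVP 0",
    "",
])

# Where a SIP message declares its own addresses (headers) and RTP target (SDP).
HEADER_FIELDS = {
    "Via sent-by": re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^\s:;,]+)", re.I | re.M),
    "Contact host": re.compile(r"^Contact:.*?sips?:(?:[^@>\s]+@)?([^\s:;>]+)", re.I | re.M),
}
SDP_CONNECTION = re.compile(r"^c=IN IP4 (\S+)", re.M)


def declared_addresses(sip_message):
    """Extract the addresses the endpoint announces at the SIP/SDP layer."""
    head, _, body = sip_message.partition("\r\n\r\n")
    found = {}
    for name, pattern in HEADER_FIELDS.items():
        match = pattern.search(head)
        if match:
            found[name] = match.group(1)
    match = SDP_CONNECTION.search(body)
    if match:
        found["SDP c= (RTP target)"] = match.group(1)
    return found


def nat_mismatches(src_ip, sip_message):
    """Return the declared addresses that differ from the packet's source IP."""
    declared = declared_addresses(sip_message)
    return {name: addr for name, addr in declared.items() if addr != src_ip}


if __name__ == "__main__":
    for name, addr in nat_mismatches(SAMPLE_SRC_IP, SAMPLE_INVITE).items():
        print(f"{name}: declares {addr}, packet came from {SAMPLE_SRC_IP}")
```

An empty result means the signaling and network layers agree; a mismatch on the SDP `c=` line is the one that decides where the PBX sends RTP.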