SIP issue - NAT or Siproxd ?

corotte · Jan 21, 2018, 2:34 PM

Hi,

we are currently trying to change the router of one of our customer for a PfSense but get faced with an issue with the two ATA Bridge (Cisco SPA122). The customer also change his ISP at the same time.

The router to be replaced is an Asus RT-N12 with uPnP and SIP ALG active.

PfSense is at 2.4.1_1 version

The two ATA are configure as the following :
1rst ATA : both line (account 550 and 551) connected to a freepbx server
2nd ATA : 1rst line (552) to the freepbx and 2nd line to a FAX SIP Provider

Te FreePBX is hosted by a 3rd party.

All work flawleslsy with the RT-N12

However, PfSense get various issue depending of what we try to do.

1rst, it is not related to the ISP since we test the new ISP with the RT-N12 and it work.

2nd, we put all recommended settings (disable scrubbing, set firewall to conservative mode, enable siproxd)
all line register, the fax line and 550 work flwaleslly.
However, the 551 and 552 can receive call but cannot make outgoing call.
They receive a 403 forbiden message.
On the freepbx, the log show
[2018-01-18 11:44:29] WARNING[2659][C-0000c74b]: chan_sip.c:16376 check_auth: username mismatch, have <550>, digest has <552>
[2018-01-18 11:44:29] NOTICE[2659][C-0000c74b]: chan_sip.c:25534 handle_request_invite: Failed to authenticate device Anonymous sip:anonymous@localhost;tag=b6bd46f6765e83f4o0

siproxd settings
SIP port 5060
RTP enable with the port range

3rd, disabling siproxd and go with static port
only 550 register for a few second then go failed
all the other never register

static port setting
all TCP/UDP for 5060 and RTP Range

4th, the 3rd party change the extension type from FRIEND to PEER without success with both 2nd and 3rd setup.

The 3rd party already configured other customer PfSense for the same setup but this one is reluctant.

Any idea ??</sip:anonymous@localhost>

chpalmer · Jan 22, 2018, 2:36 AM

From scratch:

Do not do anything with NAT.

Simply make a firewall rule on your WAN with your PBX as the source and your ATA devices as the destination.

You can do it with two rules to single destination (one for each ATA) or one rule with your devices within the same range.

corotte · Mar 5, 2018, 6:05 PM

Hi.

sorry for late reply.

We did a temporary fix since we need phones working quite fast.

The temporary fix was keeping the old asus router and put the PfSense box rigth after with all the port redirected to the PfSense box.

This worked for quite a time but now we had to remove the Asus router due to other problems (IPSec related).

I tryed your suggestion to no avail.
A Strange thing is that when i removed the Asus router, all was working perfectly for a few minutes before the issue came back.

Settings are has follow (and where at that when it worked for a few minutes):

firewall set to conservative
scrubbing disabled
Outbound NAT in automatic
Sipproxd ON with
– SIP port 5060
-- RTP enable with the port range

Any other suggestion ?

Derelict · Mar 5, 2018, 6:43 PM

2nd, we put all recommended settings (disable scrubbing, set firewall to conservative mode, enable siproxd)

Where did you see such recommendations?

siproxd is almost never the right answer. Just delete that package unless you KNOW you need it and can enumerate exactly what it does and why.

I would also reenable scrubbing and undo any other changes you have made and start over.

Most SIP issues are solved by:

Specific outbound ports being set to static in outbound NAT. VoIP providers SUCK at telling you what THEIR SERVICE requires in this regard.

The correct inbound SIP/RTP ports being forwarded to the PBX. They SUCK at documenting this, too. With multiple ATAs whis should not be required. The SIP registration should be outbound and the PBX/Provider should tell the device where to connect for RTP.

It sounds like your scenario is ATAs making outbound connections to remote providers. That should "just work." The ATAs might need to be programmed to use the WAN IP address inside the SIP protocol if the PBX and FAX provider are too stupid to figure out what address the connections are coming from on their own.

corotte · Mar 5, 2018, 8:01 PM

Thanks Derelict for your answer.

i entirely agree with your statement : VoIP providers SUCK at telling you what THEIR SERVICE requires

following my post, i decided to disable siproxd and, while talking to the 3rd party, we decided to change the listening port of each ATAs port and each associated extensions in FreePBX (that's the PBX they use).

killed the state of each ATAs AND BAM !!! it work now.

current setting :

firewall set to conservative
scrubbing disabled
Outbound NAT in automatic
Sipproxd OFF (will never use that again!!)
set each ATAs port to a different listening port
NOTE: each ATAs connect to the 5060 of the PBX BUT they listen on a different port AND it need to be set in the extension settings of the PBX.

Thanks Derelict, you where right !!

AndrewZ · Mar 5, 2018, 8:08 PM

@Derelict:

2nd, we put all recommended settings (disable scrubbing, set firewall to conservative mode, enable siproxd)

Where did you see such recommendations?

They take it from here

Derelict · Mar 5, 2018, 8:45 PM

Right. And that page specifically states to use them only if you know what you are doing and know why they are needed. They are not the "recommended settings."

I would still re-enable scrubbing and set the firewall mode from conservative back to normal. Both of those are rarely necessary as well.