Netgate Discussion Forum

pfSense and Skype for Business SIP issue with Private IP

NAT
  • A
    andrew.frowen
    last edited by May 1, 2019, 5:16 PM

    I hope someone can help with this. The issue is, we are about to migrate from Cisco ASA to pfSense, however we are unable to get the pfSense to handle SIP properly. Our upstream SIP trunk provider (GAMMA) is dropping the session as our Skype Media server private IP 192.168.30.x (sat in DMZ) is in the SIP packet and not the public IP as it should be. The IP headers are correct for the public IP and we are using 1:1 NAT so this works OK. We have seen some recommendations for SIPROXD but that does not seem to handle the specific issue and is more related to multiple VOIP endpoints.

    FROM: sip:XXXXXX38654@XX.XX.63.169;user=phone;tag=3765703331-138638
    TO: sip:XXXXXX7787@XX.XX.63.169:5060;user=phone;tag=55dcbe161;epid=2221FEC018
    CSEQ: 1 INVITE
    CALL-ID: 64865922-3765703331-138631@MSX49.gammatelecom.com
    VIA: SIP/2.0/TCP XX.XX.63.169:5060;branch=z9hG4bKa053eddb21f3351cc594c33abf577d37
    CONTACT: sip:XX.intaforensics.com:5060;transport=Tcp;maddr=**192.168.30.XX**
    CONTENT-LENGTH: 280
    SUPPORTED: timer
    SUPPORTED: 100rel
    CONTENT-TYPE: application/sdp
    ALLOW: ACK
    SERVER: RTCC/6.0.0.0 MediationServer
    Allow: CANCEL,BYE,INVITE,PRACK,UPDATE
    Session-Expires: 1800;refresher=uac
    Min-SE: 600
    v=0
    o=- 9 1 IN IP4 192.168.30.XX
    s=session
    c=IN IP4 192.168.30.XX
    b=CT:1000
    t=0 0
    m=audio 56342 RTP/AVP 101 8 13
    c=IN IP4 192.168.30.XX
    a=rtcp:56343
    a=label:Audio
    a=sendrecv
    a=rtpmap:101 telephone-event/8000
    a=fmtp:101 0-16
    a=rtpmap:8 PCMA/8000
    a=rtpmap:13 CN/8000

    Does anyone have any suggestions?

    • C
      chpalmer
      last edited by chpalmer May 1, 2019, 5:51 PM May 1, 2019, 5:51 PM

      Do you have any WAN pass rules in place?

      Triggering snowflakes one by one..
      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

      • A
        andrew.frowen
        last edited by andrew.frowen May 1, 2019, 6:24 PM May 1, 2019, 6:22 PM

        Hi. Yes, we have 1:1 NAT and firewall WAN pass rules; these are standard with no advanced config, in addition to a DMZ rule. However, we are new to this system, so any guidance would be appreciated. Is there a rule that can inspect SIP packets like the Cisco ASA?

        • C
          chpalmer
          last edited by May 1, 2019, 6:26 PM

          What do your WAN rules look like?

          They should have a destination of your intended LAN address. In your case 192.168.30.x

          If you use SIProxd then you would not use 1:1 NAT and you would point the WAN rules' destination to your "WAN Address".

          Triggering snowflakes one by one..
          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

          • A
            andrew.frowen
            last edited by May 1, 2019, 6:28 PM

            Yes, the rule is to the internal IP in the DMZ of the Skype mediation server.

            • A
              andrew.frowen
              last edited by May 1, 2019, 6:30 PM

              The issue is traffic flows with the correct NAT translation to the SIP trunk in both directions and reaches the provider; however, the SIP packet has the private IP, and this is what we are trying to resolve. The trunk provider drops this, obviously.

              • C
                chpalmer
                last edited by May 1, 2019, 6:33 PM

                While I have a lot of experience with SIP client devices my only Skype experience is customers that use a Skype client on their desktops which they do quite successfully..

                pfSense does not "inspect" the packets to see what's in them.. But passes them when told to do so.

                Can you see any connections from Gamma to your Skype server in your State Table?

                Triggering snowflakes one by one..
                Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                • C
                  chpalmer @andrew.frowen
                  last edited by May 1, 2019, 6:37 PM

                  @andrew-frowen said in pfSense and Skype for Business SIP issue with Private IP:

                  The trunk provider drops this obviously.

                  I'm not sure why they would want to drop this if your device is on that address.. They have to find you some way.

                  I never use any kind of port forwarding or 1:1 when it comes to SIP with my providers.. Just WAN rules as the fact that the LAN address is in the SIP header is how "they" reach my clients.

                  Triggering snowflakes one by one..
                  Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                  • A
                    andrew.frowen
                    last edited by May 1, 2019, 6:38 PM

                    Hi, Thanks for your help. We have the box offline at the minute but yes we had some states when it was under test earlier. We have considered changing the private IP on the media server to public IP and bypassing NAT altogether.

                    • A
                      andrew.frowen
                      last edited by May 1, 2019, 6:41 PM

                      The trunk provider has provided some packet traces, and these show that on our original Cisco the IP in the SIP packet refers to the public IP, but when we put this through the pfSense it does not change the private to public, only for the IP header.

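A check for the symptom described in this thread, as an added example that is not part of any post: it scans a SIP message for RFC 1918 addresses left in routing headers and in the SDP `o=`/`c=` lines, which a NAT that rewrites only the IP header leaves untouched. The sample message is constructed, with 203.0.113.10 and 192.168.30.10 as stand-ins for the redacted addresses; `find_leaks` and `private_addrs` are hypothetical names.

```python
import ipaddress
import re

# Constructed sample modelled on the trace in the first post. 203.0.113.10
# and 192.168.30.10 are stand-ins for the redacted addresses.
SAMPLE = "\r\n".join([
    "INVITE sip:15550100@203.0.113.10:5060;user=phone SIP/2.0",
    "VIA: SIP/2.0/TCP 203.0.113.10:5060;branch=z9hG4bKconstructed",
    "CONTACT: <sip:sfb.example.com:5060;transport=Tcp;maddr=192.168.30.10>",
    "CONTENT-TYPE: application/sdp",
    "",
    "v=0",
    "o=- 9 1 IN IP4 192.168.30.10",
    "c=IN IP4 192.168.30.10",
    "m=audio 56342 RTP/AVP 101 8 13",
])

# Explicit RFC 1918 list: ipaddress.is_private also flags documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
# SIP headers (with compact forms) that the far end uses to route replies.
SIP_FIELDS = {"via", "v", "contact", "m", "route", "record-route"}

def private_addrs(text):
    """Yield each RFC 1918 IPv4 address that appears in text."""
    for match in IPV4.finditer(text):
        try:
            ip = ipaddress.IPv4Address(match.group())
        except ValueError:          # e.g. 999.1.1.1 is not an address
            continue
        if any(ip in net for net in RFC1918):
            yield str(ip)

def find_leaks(message):
    """Return (layer, field, address) for private IPs a NAT left in the payload."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    leaks = []
    for line in head.split("\n"):
        name, sep, value = line.partition(":")
        field = name.strip().lower()
        if sep and field in SIP_FIELDS:
            leaks += [("sip", field, ip) for ip in private_addrs(value)]
    for line in body.split("\n"):
        if line[:2] in ("o=", "c="):   # SDP origin and connection (RTP target)
            leaks += [("sdp", line[0], ip) for ip in private_addrs(line[2:])]
    return leaks

if __name__ == "__main__":
    print(find_leaks(SAMPLE))
```

Run it over a message exported from a capture taken on the WAN side; an `sdp`/`c` hit is the address the far end is being told to send RTP to.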
                      • C
                        chpalmer
                        last edited by May 1, 2019, 6:52 PM

                        SIP was not originally designed with NAT in mind.. It was added later as an afterthought when services like Vonage came around and started marketing to residential services.. So the way certain services implement their service can be different from provider to provider.. Vonage got sued for patent infringement which caused all the other services to do things a little different. Now they all have their own flavors of service.

                        There are a couple of things I would try..

                        Turn off the 1:1 NAT. Leave the WAN rules in place. Does this set up require RTP? If so rules?

                        Try static port on your outbound NAT tab. Set the source as your LAN device.

                        UDP or TCP?? How exactly are your WAN rules set up?

                        Good luck!

                        Triggering snowflakes one by one..
                        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                        • A
                          andrew.frowen
                          last edited by May 1, 2019, 6:54 PM

                          Thanks, I will give those suggestions a try and see how it goes!

                          • A
                            andrew.frowen
                            last edited by May 1, 2019, 6:56 PM

                            Just to confirm, our Skype for Business end users can call and the endpoint rings, but no media flows when the call is answered. This is the same for inbound calls.

                            • C
                              chpalmer @andrew.frowen
                              last edited by May 2, 2019, 4:16 AM

                              @andrew-frowen said in pfSense and Skype for Business SIP issue with Private IP:

                              Just to confirm, our Skype for Business end users can call and the endpoint rings, but no media flows when the call is answered. This is the same for inbound calls.

                              Normal SIP phones also need RTP. I'd be watching firewall logs for blocked traffic while trying to make a call and add firewall rules accordingly.

                              Triggering snowflakes one by one..
                              Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.
