[SOLVED] HTTPs response from VoIP to LAN subnet is rejected or dropped
-
I have a fairly basic config with several subnets including one for VoIP and one for default LAN. Ping is successful from PC on LAN to phone on VoIP. Phones have built-in network diagnostic features, including ping. Ping from phone on VoIP subnet to PC on LAN subnet is also successful. Attempts to access phone web (https) interface from PC on LAN fail/time out. From a couple of packet captures, I see that https requests reach phone and phone responds, but from capture on LAN side, https responses do not reach PC. From a VM connected to VoIP subnet for testing purposes, I can access phone web interface with no problem. I tried accessing a phone web interface from a different device on LAN subnet, just in case, but the trouble persists. Firewall rules appear in order (allow all from VoIP net on LAN...). I don't have ICMP/ping-specific rules for VoIP net <-> LAN. Any suggestions for further troubleshooting?
Thank you!
-
@regexaurus Anything in the System->Status Log->Firewall for this?
-
@rcoleman-netgate I monitored System Logs > Firewall > Dynamic View while attempting to access a phone web interface from PC on LAN, but I see no related entries...
-
@regexaurus OK.
Can you ping the interface?
Where are you doing the captures from?
When troubleshooting routing issues, do PCAPs on the interfaces (all of them) in order of the path from Source to Destination. Filter for ports/protocols and one of the IPs related to the search.
I have found oftentimes that if traffic isn't hitting the last interface it's likely due to a blown route (maybe a dormant VPN connection, as was the case with my Wireguard issue last week), or if it hits that last interface and doesn't come back then it's the destination system simply ignoring the request because it's not in its approved network range.
-
@rcoleman-netgate
From phones on VoIP subnet, I can ping:
- VoIP net interface IP (pfSense)
- LAN net interface IP (pfSense)
- PC IP on LAN net
From PC on LAN subnet, I can ping:
- LAN net interface IP
- Phone IP on VoIP net
but attempt to ping VoIP net interface IP times out...
Ping from pfSense (source: VoIP net interface IP) to PC on LAN net is successful tho. 🤨
I did promiscuous PCAPs from pfSense, on the VoIP and LAN interfaces, filtering on phone IP, while attempting to access phone web interface. This is how I determined https requests from PC on LAN are reaching phone, and responses are reaching VoIP net interface on pfSense, but responses are not arriving back at PC...
I was wondering about routes too, but haven't found anything out of order yet.
-
@regexaurus said in HTTPs response from VoIP to LAN subnet is rejected or dropped:
I did promiscuous PCAPs from pfSense, on the VoIP and LAN interfaces, filtering on phone IP, while attempting to access phone web interface. This is how I determined https requests from PC on LAN are reaching phone, and responses are reaching VoIP net interface on pfSense, but responses are not arriving back at PC...
This suggests the devices you're trying to ping are actively ignoring the requests.
-
Turned out I had a forgotten legacy (no longer relevant) DHCP-assigned static route. No more trouble after this was removed from DHCP and DHCP release renewed...
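
A way to spot the kind of leftover route described in the last post, as an added example that is not part of the thread: it does longest-prefix matching over a host's route table and reports when a destination is reached through a next hop other than the default gateway. The route table, the addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: a LAN host's routes as (destination, gateway) pairs.
# 192.168.1.1 stands in for the firewall's LAN address; 192.168.1.254 is a
# hypothetical old router still named by a DHCP-assigned static route.
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "192.168.1.1"),
    ("192.168.1.0/24", None),               # on-link, no gateway
    ("192.168.20.0/24", "192.168.1.254"),   # leftover static route
]

def parse_routes(routes):
    """Convert string pairs into (ip_network, ip_address or None) tuples."""
    return [(ipaddress.ip_network(dst),
             ipaddress.ip_address(gw) if gw else None)
            for dst, gw in routes]

def default_gateway(routes):
    """Return the gateway of the first default route, or None."""
    for net, gw in parse_routes(routes):
        if net.prefixlen == 0:
            return gw
    return None

def best_route(routes, dest):
    """Longest-prefix match: the most specific route containing dest."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, gw) for net, gw in parse_routes(routes) if addr in net]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def check_path(routes, dest):
    """Classify how the host reaches dest: (status, network, gateway)."""
    route = best_route(routes, dest)
    if route is None:
        return ("unreachable", None, None)
    net, gw = route
    if gw is None:
        return ("on-link", str(net), None)
    if gw == default_gateway(routes):
        return ("via-default-gateway", str(net), str(gw))
    # A more specific route sends this traffic somewhere other than the
    # firewall, so the firewall may only see one direction of the flow.
    return ("bypasses-default-gateway", str(net), str(gw))

if __name__ == "__main__":
    for target in ("192.168.20.50", "192.168.1.10", "8.8.8.8"):
        print(target, check_path(SAMPLE_ROUTES, target))
```

Feed it the routes the client actually holds (for example, transcribed from the host's routing table after a DHCP renew) rather than the sample list.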