Accessing Sip server over OpenVPN
-
Scenario
Site A : Pfsense 2.5.2 : Asterisk server
Site B : Pfsense 2.6 : x-lite client
Site A n Site B connected via OpenVPNRequirement:
Use xlite softphone to access Asterisk ServerConnectivity between Site A n Site B established. Can rdp to server in Site A.
Using packet capture at Site B, observed Xlite client sending packets for registeration to Site B Pfsense at udp 5060.
I want pfsense to reroute the packets received on port 5060 to firewall at site A which further route to Asterisk Server.
How do I go about this ?
Regards,
Ashima -
Since you have a site to site vpn established, x-lite clinet should be able to reach asterisk server directly with its ip
-
Yes you are right on that @netblues .
I remember trying it earlier, but it was not connecting.
But after getting reply from you, I realized that it's workingZapped myself.
Anyway thanks a ton. May be your reply gave me confidence and it started working.
-
Facing another issue.
The connection from xlite to asterisk server is established but the calls drop after 6 sec. Not experiencing any call drops when xlite is access Asterisk locally.
Checking the forum suggests NATing issue.
Need to clarify another point :
At Site A : Main Pfsense Box (A1) with multiple ISps : Another Pfsense box (A2) : Asterisk Server
Site B : Pfsense Box (B) : Xlite ClientSite 2 Site connection is made between Box A1 of site A and Box B for Site B.
Port forward of tcp/udp 5060 and 3478 done on Box A2 of site AIs this due to Port forward I am facing this issue.
Any Pointers, -
@ashima A network diagram would help
I guess you are firewalling asterisk and port forward internal traffic to it.
SO how about rdp port ranges? typical 10.000 to 20.000 udp?
-
Here is a rough diagram
(172.16.9.3) Pfsense Box A1 --- Pfsense Box A2 ----- Asterisk Server | | OpenVPN Connect | Pfsense Box B --- Xlite Client (192.168.7.5)
Yes Asterisk is behind firewall Box A2. I am port forwarding port (tcp/udp) 5060 n 3478
-
@ashima No rdp??
-
@netblues Yes I do rdp on port 3389 on Win server behind Box A2.
I have port forwarded 3389 on Box A2 to Win server
That is working fine. I am to able to rdp from site B to WIn Server at Site A
-
Here is a screenshot of Packet capture running on Pfsense box B
17:27:05.729114 IP 192.168.7.5.8400 > 172.16.9.3.3478: UDP, length 20 17:27:05.729167 IP 192.168.7.5.8401 > 172.16.9.3.3478: UDP, length 20 17:27:05.770056 IP 172.16.9.3 > 192.168.7.5: ICMP 172.16.9.3 udp port 3478 unreachable, length 56 17:27:05.770109 IP 172.16.9.3 > 192.168.7.5: ICMP 172.16.9.3 udp port 3478 unreachable, length 56 17:27:05.969331 IP 192.168.7.5.8400 > 172.16.9.3.3478: UDP, length 20 17:27:05.969359 IP 192.168.7.5.8401 > 172.16.9.3.3478: UDP, length 20 17:27:06.010368 IP 172.16.9.3 > 192.168.7.5: ICMP 172.16.9.3 udp port 3478 unreachable, length 56 17:27:06.010385 IP 172.16.9.3 > 192.168.7.5: ICMP 172.16.9.3 udp port 3478 unreachable, length 56 17:27:06.469273 IP 192.168.7.5.8400 > 172.16.9.3.3478: UDP, length 20 17:27:06.469303 IP 192.168.7.5.8401 > 172.16.9.3.3478: UDP, length 20 17:27:06.510091 IP 172.16.9.3 > 192.168.7.5: ICMP 172.16.9.3 udp port 3478 unreachable, length 56 17:27:06.510111 IP 172.16.9.3 > 192.168.7.5: ICMP 172.16.9.3 udp port 3478 unreachable, length 56 17:27:07.473528 IP 192.168.7.5.8400 > 172.16.9.3.3478: UDP, length 20 17:27:07.473562 IP 192.168.7.5.8401 > 172.16.9.3.3478: UDP, length 20 17:27:07.514075 IP 172.16.9.3 > 192.168.7.5: ICMP 172.16.9.3 udp port 3478 unreachable, length 56 17:27:08.473665 IP 192.168.7.5.8400 > 172.16.9.3.3478: UDP, length 20 17:27:08.473701 IP 192.168.7.5.8401 > 172.16.9.3.3478: UDP, length 20 17:27:08.514468 IP 172.16.9.3 > 192.168.7.5: ICMP 172.16.9.3 udp port 3478 unreachable, length 56 17:27:09.643209 IP 192.168.7.5.13124 > 172.16.9.3.5060: UDP, length 993 17:27:09.684850 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 553 17:27:09.685543 IP 192.168.7.5.13124 > 172.16.9.3.5060: UDP, length 319 17:27:09.788606 IP 192.168.7.5.13124 > 172.16.9.3.5060: UDP, length 1153 17:27:09.899588 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 504 17:27:10.377102 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 830 17:27:18.814965 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 602 17:27:18.919547 IP 192.168.7.5.13124 > 172.16.9.3.5060: UDP, length 546 17:27:18.919561 IP 192.168.7.5.13124 > 172.16.9.3.5060: UDP, length 4 17:27:22.514306 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 816 17:27:22.613545 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 816 17:27:22.813835 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 816 17:27:23.214383 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 816 17:27:24.013785 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 816 17:27:25.614259 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 816 17:27:28.813743 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 816 17:27:28.933847 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 577 17:27:29.033666 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 577 17:27:29.036021 IP 192.168.7.5.13124 > 172.16.9.3.5060: UDP, length 387 17:27:29.036053 IP 192.168.7.5.13124 > 172.16.9.3.5060: UDP, length 387
-
When you test 'locally' is the test client also behind firewall A2?
SIP hates NAT but it should be configurable to work. The most common problem is the PBX handing out it's local IP to external clients to connect back to that they cannot reach.
It would be much better to remove NAT here and make it all routed if you can.
And/or have the remote client connect to an OpenVPN server on A2 directly.
Steve
-
@netblues Sorry I guess you mean rtp ports
Yes I have forwarded rtp ports : 10000:20000
-
Thank you @stephenw10 for replying.
Yes, the test was done locally behind the firewall A2.
I made the VPN connection to Firewall A2 from Firewall B and things started working.
I wish I could make it working using VPN firewall A1 as I have all my branches getting connected to firewall A1 for other services.
What settings do I need to do in Firewall A2 n B to make it work. I was reading following :
https://docs.netgate.com/pfsense/en/latest/recipes/nat-voip-phones.html
https://docs.netgate.com/pfsense/en/latest/recipes/nat-voip-pbx.htmlAlso bit confuse about settings in asterisk server. Adding another local network in sip.conf. (Not sure how to do that)
Any pointers on this.
-
I would convert Firewall A2 to be routed only (no NAT) if you can.
Does the call initially connect with audio both ways?
-
@stephenw10 As suggested I am connecting to A2 (No NAt).
Audio both ways ... I didn't really understand that.
We need to do make outbound calls and receive inbound calls. Need to do only call recordings.
-
You have converted Firewall A2 to route only? Or you switched the VPN to connect to A2?
So you are able to make and receive calls and you get audio in both directions but the calls are dropped after a few seconds? In both directions?
That does sound like route asymmetry but it's hard to see where that could be happening.
Try running a packet capture for the SIP traffic and see if one end is disconnecting the call intentionally.
Steve
-
Yes I have connected the vpn to A2. Every thing is working fine. No call drops. Audio is working in either direction.
Thank you for all the support.
-
Ok, well you likely could also correct it by converting A2 to routing only and leaving the VPN on A1 which might be easier for you with all the other clients.