Netgate Discussion Forum

Accessing Sip server over OpenVPN

General pfSense Questions
17 Posts 3 Posters 1.4k Views
  • A
    ashima LAYER 8
    last edited by Jun 25, 2023, 4:10 PM

    Scenario
    Site A : Pfsense 2.5.2 : Asterisk server
    Site B : Pfsense 2.6 : x-lite client
    Site A and Site B connected via OpenVPN

    Requirement:
    Use xlite softphone to access Asterisk Server

    Connectivity between Site A and Site B established. Can rdp to server in Site A.

    Using packet capture at Site B, observed Xlite client sending packets for registration to Site B Pfsense at udp 5060.

    I want pfsense to reroute the packets received on port 5060 to firewall at site A which further route to Asterisk Server.

    How do I go about this?

    Regards,
    Ashima

    N 1 Reply Last reply Jun 25, 2023, 4:19 PM Reply Quote 0
    • N
      netblues @ashima
      last edited by Jun 25, 2023, 4:19 PM

      @ashima

      Since you have a site to site vpn established, x-lite client should be able to reach asterisk server directly with its ip.

      1 Reply Last reply Reply Quote 0
      • A
        ashima LAYER 8
        last edited by Jun 25, 2023, 5:23 PM

        Yes you are right on that @netblues.

        I remember trying it earlier, but it was not connecting.
        But after getting reply from you, I realized that it's working.

        Zapped myself.

        Anyway thanks a ton. Maybe your reply gave me confidence and it started working.

        1 Reply Last reply Reply Quote 2
        • A
          ashima LAYER 8
          last edited by ashima Jun 26, 2023, 11:36 AM Jun 26, 2023, 11:34 AM

          Facing another issue.

          The connection from xlite to asterisk server is established but the calls drop after 6 sec. Not experiencing any call drops when xlite is accessing Asterisk locally.

          Checking the forum suggests NATing issue.

          Need to clarify another point:

          At Site A : Main Pfsense Box (A1) with multiple ISPs : Another Pfsense box (A2) : Asterisk Server
          Site B : Pfsense Box (B) : Xlite Client

          Site 2 Site connection is made between Box A1 of site A and Box B for Site B.
          Port forward of tcp/udp 5060 and 3478 done on Box A2 of site A

          Is this due to Port forward I am facing this issue?
          Any pointers?

          N 1 Reply Last reply Jun 26, 2023, 11:39 AM Reply Quote 0
          • N
            netblues @ashima
            last edited by Jun 26, 2023, 11:39 AM

            @ashima A network diagram would help

            I guess you are firewalling asterisk and port forward internal traffic to it.

            So how about rdp port ranges? typical 10.000 to 20.000 udp?

            A 1 Reply Last reply Jun 26, 2023, 12:31 PM Reply Quote 0
            • A
              ashima LAYER 8
              last edited by Jun 26, 2023, 11:42 AM

              @netblues

              Here is a rough diagram

                                    (172.16.9.3)    
                Pfsense Box A1  --- Pfsense Box A2 ----- Asterisk Server
                   |
                   |  OpenVPN Connect
                   |
                Pfsense Box B  --- Xlite Client (192.168.7.5)
              

              Yes Asterisk is behind firewall Box A2. I am port forwarding port (tcp/udp) 5060 and 3478

              N 1 Reply Last reply Jun 26, 2023, 11:45 AM Reply Quote 0
              • N
                netblues @ashima
                last edited by Jun 26, 2023, 11:45 AM

                @ashima No rdp??

                A 1 Reply Last reply Jun 26, 2023, 11:49 AM Reply Quote 0
                • A
                  ashima LAYER 8 @netblues
                  last edited by Jun 26, 2023, 11:49 AM

                  @netblues Yes I do rdp on port 3389 on Win server behind Box A2.

                  I have port forwarded 3389 on Box A2 to Win server

                  That is working fine. I am able to rdp from site B to Win Server at Site A

                  1 Reply Last reply Reply Quote 0
                  • A
                    ashima LAYER 8
                    last edited by Jun 26, 2023, 11:58 AM

                    Here is a screenshot of Packet capture running on Pfsense box B

                    17:27:05.729114 IP 192.168.7.5.8400 > 172.16.9.3.3478: UDP, length 20
                    17:27:05.729167 IP 192.168.7.5.8401 > 172.16.9.3.3478: UDP, length 20
                    17:27:05.770056 IP 172.16.9.3 > 192.168.7.5: ICMP 172.16.9.3 udp port 3478 unreachable, length 56
                    17:27:05.770109 IP 172.16.9.3 > 192.168.7.5: ICMP 172.16.9.3 udp port 3478 unreachable, length 56
                    17:27:05.969331 IP 192.168.7.5.8400 > 172.16.9.3.3478: UDP, length 20
                    17:27:05.969359 IP 192.168.7.5.8401 > 172.16.9.3.3478: UDP, length 20
                    17:27:06.010368 IP 172.16.9.3 > 192.168.7.5: ICMP 172.16.9.3 udp port 3478 unreachable, length 56
                    17:27:06.010385 IP 172.16.9.3 > 192.168.7.5: ICMP 172.16.9.3 udp port 3478 unreachable, length 56
                    17:27:06.469273 IP 192.168.7.5.8400 > 172.16.9.3.3478: UDP, length 20
                    17:27:06.469303 IP 192.168.7.5.8401 > 172.16.9.3.3478: UDP, length 20
                    17:27:06.510091 IP 172.16.9.3 > 192.168.7.5: ICMP 172.16.9.3 udp port 3478 unreachable, length 56
                    17:27:06.510111 IP 172.16.9.3 > 192.168.7.5: ICMP 172.16.9.3 udp port 3478 unreachable, length 56
                    17:27:07.473528 IP 192.168.7.5.8400 > 172.16.9.3.3478: UDP, length 20
                    17:27:07.473562 IP 192.168.7.5.8401 > 172.16.9.3.3478: UDP, length 20
                    17:27:07.514075 IP 172.16.9.3 > 192.168.7.5: ICMP 172.16.9.3 udp port 3478 unreachable, length 56
                    17:27:08.473665 IP 192.168.7.5.8400 > 172.16.9.3.3478: UDP, length 20
                    17:27:08.473701 IP 192.168.7.5.8401 > 172.16.9.3.3478: UDP, length 20
                    17:27:08.514468 IP 172.16.9.3 > 192.168.7.5: ICMP 172.16.9.3 udp port 3478 unreachable, length 56
                    17:27:09.643209 IP 192.168.7.5.13124 > 172.16.9.3.5060: UDP, length 993
                    17:27:09.684850 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 553
                    17:27:09.685543 IP 192.168.7.5.13124 > 172.16.9.3.5060: UDP, length 319
                    17:27:09.788606 IP 192.168.7.5.13124 > 172.16.9.3.5060: UDP, length 1153
                    17:27:09.899588 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 504
                    17:27:10.377102 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 830
                    17:27:18.814965 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 602
                    17:27:18.919547 IP 192.168.7.5.13124 > 172.16.9.3.5060: UDP, length 546
                    17:27:18.919561 IP 192.168.7.5.13124 > 172.16.9.3.5060: UDP, length 4
                    17:27:22.514306 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 816
                    17:27:22.613545 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 816
                    17:27:22.813835 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 816
                    17:27:23.214383 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 816
                    17:27:24.013785 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 816
                    17:27:25.614259 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 816
                    17:27:28.813743 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 816
                    17:27:28.933847 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 577
                    17:27:29.033666 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 577
                    17:27:29.036021 IP 192.168.7.5.13124 > 172.16.9.3.5060: UDP, length 387
                    17:27:29.036053 IP 192.168.7.5.13124 > 172.16.9.3.5060: UDP, length 387
                    
                    
                    1 Reply Last reply Reply Quote 0
                    • S
                      stephenw10 Netgate Administrator
                      last edited by Jun 26, 2023, 12:28 PM

                      When you test 'locally' is the test client also behind firewall A2?

                      SIP hates NAT but it should be configurable to work. The most common problem is the PBX handing out its local IP to external clients to connect back to that they cannot reach.

                      It would be much better to remove NAT here and make it all routed if you can.

                      And/or have the remote client connect to an OpenVPN server on A2 directly.

                      Steve

                      1 Reply Last reply Reply Quote 0
                      • A
                        ashima LAYER 8 @netblues
                        last edited by Jun 26, 2023, 12:31 PM

                        @netblues Sorry I guess you mean rtp ports

                        Yes I have forwarded rtp ports : 10000:20000

                        1 Reply Last reply Reply Quote 0
                        • A
                          ashima LAYER 8
                          last edited by Jun 26, 2023, 4:53 PM

                          Thank you @stephenw10 for replying.

                          Yes, the test was done locally behind the firewall A2.

                          I made the VPN connection to Firewall A2 from Firewall B and things started working.

                          I wish I could make it work using VPN firewall A1 as I have all my branches getting connected to firewall A1 for other services.

                          What settings do I need to do in Firewall A2 and B to make it work? I was reading following:

                          https://docs.netgate.com/pfsense/en/latest/recipes/nat-voip-phones.html
                          https://docs.netgate.com/pfsense/en/latest/recipes/nat-voip-pbx.html

                          Also a bit confused about settings in asterisk server. Adding another local network in sip.conf. (Not sure how to do that)

                          Any pointers on this?

                          1 Reply Last reply Reply Quote 0
                          • S
                            stephenw10 Netgate Administrator
                            last edited by Jun 26, 2023, 6:05 PM

                            I would convert Firewall A2 to be routed only (no NAT) if you can.

                            Does the call initially connect with audio both ways?

                            1 Reply Last reply Reply Quote 0
                            • A
                              ashima LAYER 8
                              last edited by Jun 27, 2023, 5:02 AM

                              @stephenw10 As suggested I am connecting to A2 (No NAT).

                              Audio both ways ... I didn't really understand that.

                              We need to make outbound calls and receive inbound calls. Need to do only call recordings.

                              1 Reply Last reply Reply Quote 0
                              • S
                                stephenw10 Netgate Administrator
                                last edited by Jun 27, 2023, 11:29 AM

                                You have converted Firewall A2 to route only? Or you switched the VPN to connect to A2?

                                So you are able to make and receive calls and you get audio in both directions but the calls are dropped after a few seconds? In both directions?

                                That does sound like route asymmetry but it's hard to see where that could be happening.

                                Try running a packet capture for the SIP traffic and see if one end is disconnecting the call intentionally.

                                Steve

                                1 Reply Last reply Reply Quote 0
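
One way to triage a tcpdump text capture like the one posted earlier in this thread, written as an added example (not code from any poster): it counts ICMP port-unreachable replies per port and flags runs of identical-size datagrams sent at growing intervals, the usual signature of a SIP message being retransmitted because no reply arrived. The function name, the consecutive-run simplification and the 1.5x spacing threshold are assumptions; the sample lines are a subset of the capture posted above.

```python
import re
from collections import defaultdict

# Subset of the tcpdump lines posted earlier in this thread (capture on Box B).
CAPTURE = """\
17:27:05.729114 IP 192.168.7.5.8400 > 172.16.9.3.3478: UDP, length 20
17:27:05.770056 IP 172.16.9.3 > 192.168.7.5: ICMP 172.16.9.3 udp port 3478 unreachable, length 56
17:27:05.969331 IP 192.168.7.5.8400 > 172.16.9.3.3478: UDP, length 20
17:27:06.010368 IP 172.16.9.3 > 192.168.7.5: ICMP 172.16.9.3 udp port 3478 unreachable, length 56
17:27:18.919547 IP 192.168.7.5.13124 > 172.16.9.3.5060: UDP, length 546
17:27:22.514306 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 816
17:27:22.613545 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 816
17:27:22.813835 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 816
17:27:23.214383 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 816
17:27:24.013785 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 816
17:27:25.614259 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 816
17:27:28.813743 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 816
17:27:28.933847 IP 172.16.9.3.5060 > 192.168.7.5.13124: UDP, length 577
"""

UDP = re.compile(r"^(\d+):(\d+):([\d.]+) IP (\S+) > (\S+): UDP, length (\d+)")
ICMP = re.compile(r"ICMP (\S+) udp port (\d+) unreachable")

def analyze(text, min_repeats=4):
    """Return (ICMP port-unreachable counts, retransmission bursts)."""
    unreachable, runs = defaultdict(int), []
    for line in text.splitlines():
        if m := ICMP.search(line):
            unreachable[(m.group(1), int(m.group(2)))] += 1
        elif m := UDP.match(line):
            h, mi, s, src, dst, size = m.groups()
            ts, key = int(h) * 3600 + int(mi) * 60 + float(s), (src, dst, int(size))
            if runs and runs[-1][0] == key:
                runs[-1][1].append(ts)      # same flow and size as previous datagram
            else:
                runs.append((key, [ts]))
    bursts = []
    for key, times in runs:
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Heuristic (assumption): identical-size datagrams whose spacing keeps
        # growing by >= 1.5x look like retransmissions of an unanswered message.
        if len(times) >= min_repeats and all(y >= 1.5 * x for x, y in zip(gaps, gaps[1:])):
            bursts.append((key, len(times), round(times[-1] - times[0], 1)))
    return dict(unreachable), bursts

if __name__ == "__main__":
    print(analyze(CAPTURE))
```

On the posted lines this reports the 816-byte datagrams from 172.16.9.3.5060 as a seven-packet burst spanning about 6.3 seconds, plus the port-unreachable replies for UDP 3478.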
                                • A
                                  ashima LAYER 8
                                  last edited by Jun 28, 2023, 11:00 AM

                                  @stephenw10

                                  Yes I have connected the vpn to A2. Everything is working fine. No call drops. Audio is working in either direction.

                                  Thank you for all the support.

                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    stephenw10 Netgate Administrator
                                    last edited by Jun 28, 2023, 11:53 AM

                                    Ok, well you likely could also correct it by converting A2 to routing only and leaving the VPN on A1 which might be easier for you with all the other clients.

                                    1 Reply Last reply Reply Quote 0
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.