Port forward issue to PBX
-
Hello, everyone!
Port forward fails to communicate with internal PBX Server. No response from the server.
Twilio, a cloud SIP provider, initiates the call and communication with my on-prem PBX server. The PBX fails to communicate back. The state shows CLOSED:SYNC_SENT CLOSED:SYNC_SENT
PORT FORWARD RULE
I've made an alias with all of Twilio's SIP and RTP IP addresses, created a port forward rule to allow ANY protocol coming from Twilio's alias, from ANY source port to my WAN address destination ANY ports and redirect to my PBX local IP address on ANY ports. NAT Reflection "Use system default".
Hybrid Outbound NAT
Interface WAN, Source PBX local IP, Source Port ANY, Destination Twilio Alias, Destination port ANY, NAT Address WAN address, NAT port ANY, Static port YES.
Firewall rule in WAN
The firewall rule in WAN gets created automatically. I initiate a call to the Twilio number, which in response tries to communicate with my PBX. I am able to see two logs for each failed call under the WAN firewall rule: both are in state CLOSED:SYNC_SENT CLOSED:SYNC_SENT
Any idea what is going on here? I'm not sure if I've made an error configuring the NAT rules. Thank you for your help in advance!
-
Did you exactly follow this config? https://docs.netgate.com/pfsense/en/latest/recipes/nat-voip-pbx.html
-Rico
-
Furthermore: pfSense version?
Use the packet capture (look into the diagnostics menu)
First test: scan on the LAN, enter the IP of the PBX.
You'll see all traffic going to and coming from the IP == PBX. You will also see that when traffic was initiated somewhere on the Internet, the "Twilio's SIP and RTP IP addresses" reach the LAN, thus reaching your PBX IP. Did it answer?
Does your PBX accept requests from non-LAN or non-RFC1918? You can repeat the test on the WAN interface. Use as a test IP all the IPs from "Twilio's SIP and RTP IP addresses": does their request reach your WAN? Does the answer from the PBX reach the WAN through pfSense, thus "Twilio's SIP and RTP IP addresses"?
@emc said in Port forward issue to PBX:
rule to allow ANY protocol
As soon as possible: make that TCP or UDP or whatever your VoIP solution is using.
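The state pairs quoted in the opening post and the capture tests suggested above can be read mechanically. As an added example (not code from any poster or from pfSense), the script below parses `pfctl -ss`-style state lines and reports, per forwarded internal host, whether the redirected inbound connection was ever answered; it assumes that output layout, that inbound states display as internal-side:remote-side (as in CLOSED:SYN_SENT), and all addresses are constructed.

```python
"""Classify pf state lines for a port-forwarded host (added example, constructed data).
Assumes the `pfctl -ss` layout, e.g.
  all tcp 10.10.10.20:5061 (203.0.113.5:5061) <- 198.51.100.10:38112   CLOSED:SYN_SENT
where inbound (rdr) states show the internal side first, then the remote side."""
import re
from collections import defaultdict

# "<-" marks a state created by inbound traffic; the parenthesised address is
# the original WAN destination before the port forward rewrote it.
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>tcp|udp)\s+"
    r"(?P<int_ip>[\d.]+):(?P<int_port>\d+)\s+"
    r"\((?P<wan_ip>[\d.]+):(?P<wan_port>\d+)\)\s+<-\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+(?P<state>\S+)$"
)

def classify(state):
    """Turn the internal:remote state pair into a diagnosis string."""
    if state == "CLOSED:SYN_SENT":
        # The SYN was redirected to the internal host but no SYN/ACK came back:
        # host firewall, wrong internal IP/port, or nothing listening there.
        return "tcp-no-reply-from-internal-host"
    if state.startswith("ESTABLISHED"):
        return "tcp-handshake-completed"
    if state == "NO_TRAFFIC:SINGLE":
        return "udp-no-reply-from-internal-host"   # one-way UDP, same symptom
    if state in ("SINGLE:MULTIPLE", "MULTIPLE:MULTIPLE"):
        return "udp-bidirectional"
    return "other"

def diagnose_states(lines):
    """Return {"int_ip:port/proto": {diagnosis: count}} for inbound states only."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = STATE_RE.match(line.strip())
        if m:  # outbound ("->") and unparseable lines are skipped
            key = f"{m['int_ip']}:{m['int_port']}/{m['proto']}"
            summary[key][classify(m["state"])] += 1
    return {k: dict(v) for k, v in summary.items()}

# Constructed sample: two unanswered SIP/TLS attempts, working SIP/UDP, and one
# outbound registration from the PBX (ignored, it is not a forwarded state).
SAMPLE_STATES = """\
all tcp 10.10.10.20:5061 (203.0.113.5:5061) <- 198.51.100.10:38112   CLOSED:SYN_SENT
all tcp 10.10.10.20:5061 (203.0.113.5:5061) <- 198.51.100.10:38113   CLOSED:SYN_SENT
all udp 10.10.10.20:5060 (203.0.113.5:5060) <- 198.51.100.11:5060    MULTIPLE:MULTIPLE
all tcp 203.0.113.5:41234 (10.10.10.20:41234) -> 198.51.100.10:5061  ESTABLISHED:ESTABLISHED
""".splitlines()
```

Feed `diagnose_states` the output of `pfctl -ss` (or the constructed SAMPLE_STATES); a host that only ever shows the no-reply diagnoses is where to look next, which in this thread turned out to be the PBX's own host firewall rather than the pfSense rules.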
-
@Rico said in Port forward issue to PBX:
https://docs.netgate.com/pfsense/en/latest/recipes/nat-voip-pbx.html
Yes, I did. Outbound calls work, but incoming calls do not.
-
It's pfSense 23.05 release.
And as @Rico mentioned, I followed the Netgate doc to set up the port forward and Outbound NAT. [Red is Private PBX IP, Green is Public IP]
I used the packet capture as you recommended. The "Twilio SIP and RTP IP addresses" reach the PBX's IP in the LAN, but the PBX does not respond. After two tries from Twilio, the call disconnects. After it disconnects, the PBX reaches out to other servers for some reason; I'm not sure why that is or what it is.
I am able to see the SIP connections from my PBX to Twilio, which are established.
EDIT: I also changed the protocol to ANY as suggested. The issue persists; there is no answer from the PBX.
-
@emc Is your pfSense WAN a public IP? If not the ISP router will need to forward the ports to pfSense. Also note some ISPs (Starlink) use CGNAT which cannot have inbound connections.
-
No, my Comcast WAN interface IP is a private IP given by the Comcast router.
I have a Comcast router with my static public IP.
The firewall on the Comcast router is set to minimum security, which means it forwards all traffic to my pfSense, which has a static private IP on the Comcast side.
Comcast (public IP) -> pfSense (private IP WAN interface, 10.10.10.9 for example) -> PBX
-
@emc I don't think "minimum security" adds port forwarding but I'm not looking at one. In a normal setup with PCs connected directly to it, it wouldn't know where to send the traffic. Does it have a setting for "DMZ" where you can use that to point traffic to your pfSense IP?
-
The DMZ zone points out to pfSense.
Communication between the Twilio provider and the PBX works when using only UDP. For TLS enabled, only outbound calls work.
-
This issue has been fixed. NAT is working. It was a firewall issue in the PBX. I've whitelisted the IPs on the PBX's firewall and it works. Thank you everyone for your help.