VOIP-Grandstream HT802 connect out to Allworx
-
Hi,
I am pretty new to pfSense, so I am probably missing something simple.
I have a netgate 1100 behind a Starlink in bridge mode or whatever they call that. The netgate has a very basic setup. I updated it to latest when I installed it a year or so ago and once since then, ran through a check list I found at the time of "good things to do on a new setup."
The only thing that might be a little out of the ordinary is that I originally had a cellular service as backup and I set that up as a failover. That seemed to work as expected. The cellular service is no longer connected, but the configuration for failover remains in the Netgate.
Recently I connected a Grandstream HT802 ATA to be able to connect a POTS phone. Note that this is the only VOIP device on the network. The goal is to have this connect to an Allworx phone system at a remote location.
When I connect behind the Netgate it does not seem to work. The Grandstream says registered. The phone system sees it is registered. But when I make a phone call out or in that should ring the phone neither works.
If I take the HT802 to my home and connect it to my Comcast gateway it connects, registers, and seems to work fine. Inbound and outbound calls go through.
I have searched and found a few threads and this support page:
https://docs.netgate.com/pfsense/en/latest/recipes/nat-voip-phones.html
Most of the info is talking about setups that stop working after some period of time. In my case it seems to not work at all for any period of time.
The web page linked above makes it seem like it should "just work." But of course I am never that lucky. I tried to follow the direction to "disable source port rewriting" from that document and the page it links to. I am not sure I have done that correctly, but so far no change in behavior.
Not knowing much about pfSense, I do not know what to look at to monitor, test, or adjust to make this work. I could try putting starlink back to its normal mode, and connect the HT802 outside the pfSense. But I was less than impressed with that router and would prefer to keep it in bridge mode . . .
Suggestions welcome!
Bob
-
Does the 1100 have a public IP on its WAN? AFAIK Starlink is CGN NAT only so it probably doesn't.
VoIP hates NAT and there you are probably behind two layers of NAT.
If the phone appears to register correctly but SIP ring requests never arrive it's probably registering the wrong public IP somehow.
Do you have access to the PBX to see what's happening?
-
Thanks for replying.
The WAN interface of the Netgate does have a public IP address. Starlink is in what they call "Bypass Mode" which is similar to what many ISP devices call "Bridge Mode" where the vendor equipment is truly a bridge, converting the public side media (satellite in this case) to internal side media (Ethernet in this case). So it is not doing NAT or any other data manipulation as far as I know. It is DHCP, it does not have a permanent/static IP, but it seems to change infrequently enough.
Yes, I can access the PBX, but not sure I know what I am looking at there. I have someone that can help on that front. But since it works from a "dumb" home internet behind a Frontier fiber internet router in that case, with no issue, I am pretty confident the PBX side is set up correctly. Possibly we can see something about what is happening when the PBX tries to connect. But also the POTS phone can not dial a call out when behind the pfSense.
Bob
-
The Starlink device can be in "bridge mode" and you will still have a "CGNAT" address..
What are the first two octets of your Pfsense WAN address?
When VOIP was originally designed they did not include any support for NAT whatsoever.. It was later hacked in and did not work very well at first... it many times depending on the company implementing it is not better now.. and add double NAT and you have double the troubles..
Try static ports for your VOIP device and put some WAN firewall rules allowing your SIP and RTP ports to the device. Don't bother with port forwards as that would not be needed.
How many IP addresses will Starlink give you? If all else fails throw in a dumb switch in between your Starlink and your Pfsense and just plug in your VOIP device ahead of your firewall..
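
Added example, not part of the thread: a Python check for the two questions raised in the replies above, namely which range the WAN address falls in (the first-two-octets question) and whether what the device registers matches what the PBX observes. The REGISTER text, all addresses and the finding names are constructed for illustration.

```python
import ipaddress
import re

# Address blocks that are never reachable from the internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT space

def classify(addr):
    """Return 'cgnat', 'private' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    return "private" if any(ip in net for net in RFC1918) else "public"

def nat_findings(register, wan_ip, seen_ip, seen_port):
    """Compare what the ATA advertises with what the PBX observed.

    register: raw SIP REGISTER text as sent by the device
    wan_ip:   address on the firewall's WAN interface
    seen_ip, seen_port: packet source as logged by the PBX
    """
    via = re.search(r"^Via:\s*SIP/2\.0/UDP\s+([\d.]+):(\d+)", register, re.M | re.I)
    contact = re.search(r"^Contact:.*?sip:[^@>\s]*@([\d.]+)", register, re.M | re.I)
    if not via or not contact:
        raise ValueError("REGISTER lacks a parsable Via or Contact header")
    findings = []
    # Calls go to the Contact address unless the PBX substitutes the observed one.
    if classify(contact.group(1)) != "public":
        findings.append("contact-not-routable")
    # WAN address is not what the PBX saw: another NAT layer sits upstream.
    if classify(wan_ip) != "public" or wan_ip != seen_ip:
        findings.append("upstream-nat")
    # Source port changed in transit: some NAT on the path rewrote it
    # (static port outbound NAT only fixes the local layer).
    if int(via.group(2)) != seen_port:
        findings.append("port-rewritten")
    return findings

# Constructed sample; 203.0.113.9 is a documentation address standing in for a public IP.
SAMPLE_REGISTER = """\
REGISTER sip:pbx.example.com SIP/2.0
Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bKconstructed
Call-ID: constructed-1@192.168.1.50
CSeq: 1 REGISTER
Contact: <sip:101@192.168.1.50:5060>
Content-Length: 0
"""

if __name__ == "__main__":
    print(nat_findings(SAMPLE_REGISTER, "100.64.12.7", "203.0.113.9", 31422))
    print(nat_findings(SAMPLE_REGISTER, "203.0.113.9", "203.0.113.9", 5060))
```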
-
Yup I would try static port outbound NAT but if it's behind CGN that probably won't help.
A phone connecting to an external PBX really shouldn't require anything special though.
-
@stephenw10 said in VOIP-Grandstream HT802 connect out to Allworx:
but if it's behind CGN that probably won't help.
A phone connecting to an external PBX really shouldn't require anything special though.
If it is behind CGNAT adding static port will take out one of the obstacles that the "hacked" part of SIP has to deal with in some cases. I actually might recommend the SIProxd package in this case.. Can't hurt to try..
After the Vonage lawsuit that they lost, many providers are still gun shy and try to build their own version to avoid getting sued themselves.. there is no guarantee that one provider will work like another does.
I have successfully used double NAT with my provider.. Voipo with some issues intermittently but with SIProxd here I have no issues when I have to use my Verizon Cell modem during outages..
We use Zoom for our phones at work which seem to work behind double NAT just fine. (Verizon cell router in my truck when I set phones up for various sites)
There really is no "cut and dry" when it comes to SIP.. Though it is much better than it used to be.
I have no working knowledge at all about Allworx so YMMV..
-
Hi everyone, thanks so much for all the thinking and suggestions. I am not sure why, but reading this triggered my brain to say "I have control of both networks, why not just set up a VPN and see what happens?"
One IPsec VPN tunnel later and all is well in VOIP land here. I don't know what the problem was, but the issue is resolved. It has only been an hour, but so far working reliably.
To answer questions: the Netgate WAN IPv4 address starts: 98.97..
I am pretty sure it is publicly routable. No trouble setting up the VPN or other inbound connections, though other than this all inbound is just testing/incidental. I may switch the tunnel to not rely on the IP if it changes a lot. Time will tell.
I did not want to put the device outside the Netgate; I could be wrong but I think to do that I would have to take Starlink out of Bypass and end up with a NAT address on the WAN of the pfSense. And I did not see much good in the Starlink router. I am not a huge fan in general for speed, cost or reliability reasons, but any sort of cable/fiber connection due to location is over 100K installation. So . . .
Again, thanks for the help. I still feel like it should have "just worked" out of the box, but all's well that ends well.
Bob