Upgrade 2.6 -> 2.7.2 now can’t make outgoing VOIP/SIP calls
-
I am at my wits' end and hope someone here knows something or can point me in the right direction. After upgrading from 2.6 CE to 2.7.2 CE everything works perfectly except my home PBX (Freeswitch on a Mac mini) can no longer make outgoing calls.
Edit: I installed 2.7.2 on an extra Msata using the last 2.6 config on a USB stick, then swapped the 2.6 msata with 2.7.2 in the Protectli FW6A and it booted fine. So it was a clean install+previous config. No other problems so far.
Here are details:
Real phones and iPads register with PBX fine.
Incoming calls work fine.
Outgoing just dies, PBX shows a couple of lines to ITSP (Callcentric) and NO errors, phone just waits then times out. No log errors!
There are NO firewall block lines showing up. I checked all logs, nothing shows up!
I have restarted pfsense, switch, Mac mini and no luck.
Obviously I searched the web, and did not find a solution but others have had VOIP/SIP issues going to pfsense 2.7.x.
If I can’t fix this I have to go back to 2.6, but am really worried 2.8 may have the same issue.
-
UPDATE: I found https://www.voip-info.org/forum/threads/pfsense-2-6-2-7-breaks-outgoing-calls.27528/
Sure enough, if I deactivate the one and only VPN IPSEC tunnel, I CAN make outbound calls. Not a solution though. What could cause this and could it be a 2.7.2 bug?
Please note that the VOIP connection has nothing to do with VPN, the IPSEC VPN is only used for iPhones to connect remotely. Strange the IPSEC VPN would break SIP/VOIP.
I checked all logs, nothing abnormal shows up. There are NO firewall block lines in log.
I compared the PBX failing log with the previous working calls log and I found outgoing calls connect to Callcentric and connection starts but stops before "entering state [calling][0]" message should occur. Nothing else helpful.
Only packages are: mailreport, ntopng, and pfBlockerNG-devel.
-
How is the IPSec configured? Is it tunnel or VTI mode? Is it grabbing the VoIP traffic incorrectly? Check a pcap on the VPN.
-
Thanks so much for your help. Some info:
Just want to make sure this is understood: the SIP/VOIP phone traffic does not go through VPN. It goes from the Mac host straight to the ITSP. Another item: If I turn on the tunnel the problem starts immediately, I must deactivate the tunnel and reboot to remove the problem, simply turning the tunnel off does not reverse the issue.
I have been reading how to PCAP. Since this is new to me it may take a while but working on it since I really want to stay on 2.7.2. Had planned to jump to 2.8 but have a problem on 2.6 (routing stops and no GUI after power failure) since updating modem from Arris S33 to S34 which triggered this conversion.
I think it's tunnel because I set it up years ago. Have no idea what VTI is but think it's new. The VPN settings are (any IPs changed for security):
-
Is there a way to change the post title to:
Upgrade 2.6 -> 2.7.2 now can’t make outgoing VOIP/SIP calls if a VPN tunnel is active
-
Ok the problem is almost certainly that the address pool you're using for mobile clients is 1.2.10.1/6.
That's all addresses from 0.0.0.0 to 3.255.255.254 and those are public IPs. Since the local side is set to 0.0.0.0/0 (any address) it means that the tunnel will match any traffic trying to reach any public IP in that range. So I suspect a lot would be broken but you have just now noticed it because the VoIP server is probably in that range?
Unclear why 2.6 would not be affected but probably more luck than anything. It likely should have been and only isn't because of a bug which is fixed in 2.7.2.
So set the pool to some much smaller and private subnet like 10.2.10.1/24. Assuming that doesn't conflict with any local subnet you have already.
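The check described in the reply above, as an added example that is not part of the original post: it expands a mobile-client pool entered as address/prefix and reports which destinations an IPsec selector of local 0.0.0.0/0 to that pool would capture. The function name `audit_pool` and the two destination addresses are constructed for illustration; the pool values are the ones quoted in the thread.

```python
import ipaddress

# RFC 1918 private ranges: a mobile-client pool should sit inside one of these.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_pool(pool, destinations=()):
    """Expand a pool entered as address/prefix and report what it covers.

    With the tunnel's local side set to 0.0.0.0/0, any outbound packet whose
    destination falls inside the pool matches the tunnel instead of the WAN.
    """
    # strict=False accepts a host address with a mask, as typed in the GUI.
    net = ipaddress.ip_network(pool, strict=False)
    return {
        "network": str(net),
        "first": str(net[0]),
        "last": str(net[-1]),
        "addresses": net.num_addresses,
        "inside_rfc1918": any(net.subnet_of(p) for p in RFC1918),
        "captured": [d for d in destinations
                     if ipaddress.ip_address(d) in net],
    }


if __name__ == "__main__":
    # Constructed sample destinations (not the ITSP's real addresses).
    sample_destinations = ["3.0.0.10", "203.0.113.10"]
    for pool in ("1.2.10.1/6", "10.2.10.1/24"):
        report = audit_pool(pool, sample_destinations)
        verdict = "ok" if report["inside_rfc1918"] else "OVERLAPS PUBLIC SPACE"
        print(f"{pool}: {report['first']} - {report['last']} "
              f"({report['addresses']} addresses) {verdict}; "
              f"captured destinations: {report['captured']}")
```
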
-
Holy mackerel you nailed it! When I set it up years ago I thought the 6 was the number of clients (no mask title), that's why I made it 6. I changed it to 24 and bingo all was well again! Also, the real pool address is different, I changed the post to 1.2.10... for privacy. It's actually 10.246...., no matter since changing the mask to 24 fixed it. I guess it probably was a 2.6 bug as you said.
Different issue but mentioning it again in case someone else has this happen:
The recent S33 modem failure and change to S34 caused pfsense 2.6 not to come back up after a power failure (3 this month so far!). I hope pfsense 2.7.2 can recover from a power failure like 2.6 did with the old modem. Fingers crossed!
stephenw10, I cannot thank you enough for this! This stressed wife and I a lot. We depend on emergency and medical calls/communications which is why I deferred 2.7.2.
-
I can't believe I had pfsense since 2.4.2 and this major misconfiguration error didn't cause other problems! I was lucky I guess. Wife says thank you again! She is not techie at all, just watches me stress over stuff like this.
-
Cool. Good result!
-
@MarioG said in Upgrade 2.6 -> 2.7.2 now can’t make outgoing VOIP/SIP calls:
I hope pfsense 2.7.2 can recover from a power failure
If you installed 2.7.x new it will use ZFS by default which should be much better in this case. Otherwise most writeable file systems might (or might not) have problems/corruption due to partially-written files. Option 2 is using a UPS...
-
@SteveITS I have had ZFS since it was available for that reason, and I always reformat the SSD so pfsense install does ZFS from scratch. Yes, I have a very large UPS for many years, small car battery size. The problem is it lasts for a couple of hours since it handles the modem, router, HP 24 port switch, Mac Mini phone system, etc., whereas our power failures average 3 to 8 hours. Sometimes multiple days, one time almost a week! 2.6 always recovered until the modem change, strange but true. Trying to login to pfsense 2.6 only returned the dreaded "502 Bad Gateway Nginx error". Had to power off/on. Waiting to see what happens to 2.7.2. I'm thinking possible ethernet driver issue with a different chip in the S34 than the S33, which may be fixed in 2.7.2. The next power failure will be the test.
My plan is after Pfsense 2.8 is released I will buy a new box for it with 2.5G ethernet to the modem which hopefully will be fine.
Thanks for the comments.