VoIP: Only one-way speech is working between 2 sites!



  • Hello,

    I have 3 sites connected with OpenVPN using pfSense Server:
    Site A : 172.16.1.0
    Site B : 172.16.2.0
    Site C : 172.16.3.0

    The problem is that when we installed and configured the VoIP in the 3 sites, only one-way speech is working between Site A and Site B, and also between Site A and Site C!

    for info :

    Gateways :
    172.16.1.254
    172.16.2.254
    172.16.3.254

    PBX addresses:

    172.16.1.200
    172.16.2.200
    172.16.3.200

    –-------------------------
    In the rules (LAN) of the 3 pfSenses, I authorised the communication between the autocoms and I opened all ports!

    Do you have any idea about this problem ????

    thanks in advance ;)



  • You might have a split route. Check to make sure that the servers can ping each other through the VPN. Also make sure that your rules also include UDP, which they probably are, but it might be allowed on one side and the default of TCP only is on the other.



  • You might have a split route. Check to make sure that the servers can ping each other through the VPN. Also make sure that your rules also include UDP, which they probably are, but it might be allowed on one side and the default of TCP only is on the other.

    Hi,
    The servers can ping each other through the LAN interface and the VPN, and the transfer of data is good in 3 directions!
    In the rules I tried to authorise the IP addresses of the 3 autocoms on the 3 servers using protocol TCP/UDP, but I have the same problem!
    From Site A I can hear the user in Site B, but he can't hear anything!!

    Thanks for your answer ;).



  • What ports have you authorized?



  • At first I authorised ports 32000 to 32512 in UDP (I found those ports in the Alcatel documentation guide). Sorry for my English :-[
    I also tried the same ports for TCP and TCP/UDP,
    but no result ???



  • I would switch that to allow all tcp and udp ports through. Watch your state tables and you can adjust your FW rules based on the connection(s).


  • Do some packet capture with Wireshark, then check the RTP streams to see if they go to the right place.



  • What did you mean by state tables and where can I find them?
    thanks very much!



  • @fifinon:

    What did you mean by state tables and where can I find them?
    thanks very much!

    It is under Diag -> States.



  • It is under Diag -> States.

    OK, this is a capture of the table:
    http://imageshack.us/photo/my-images/580/voip.png/

    For info:
    our goal is to use simple telephones (analog & digital) between sites and remove the IP telephones.



  • Can you explain this:

    State table:

    udp 172.16.1.200:2910 -> 172.16.11.200:24124 -> 172.16.2.200:1719 MULTIPLE:SINGLE 
    udp 172.16.1.200:1719 -> 172.16.11.200:10490 -> 172.16.2.200:1028 SINGLE:NO_TRAFFIC

    172.16.11.200 = RLAN antenna



  • Check if there is some NAT configuration for SIP on your VoIP servers and also reduce the RTP port range for easier rule creation.

    In Asterisk it's very easy to set up.

    I just don't understand why you are giving up IP phones?
    But it's a firewall forum, not a VoIP one, so check these configs and see if it works.



  • Check if there is some NAT configuration for SIP on your VoIP servers and also reduce the RTP port range for easier rule creation.

    The protocol used for my VoIP configuration is H323!

    Can you please explain this to me (reduce the RTP port range for easier rule creation)?



  • @fifinon:

    The protocol used for my VoIP configuration is H323!

    Can you please explain this to me (reduce the RTP port range for easier rule creation)?

    I do not have experience with H323 but 'google'  ;) told me that both (SIP and H323) signaling protocols use RTP for media transport; in this case audio is the media.

    Every time you get no audio or one-way audio, it means you are having RTP issues.

    In Asterisk, the default RTP range is from 10000 to 20000. I have no idea how H323 handles this.

    Returning to the firewall...
    RTP packets send 'in-packet' information telling the other party how (and to whom) to return the packet. When you have NAT, or the server thinks it is behind NAT, the information inside the packet will tell the other side to return the packet to a wrong or unreachable destination.



  • @marcelloc:

    @fifinon:

    The protocol used for my VoIP configuration is H323!

    Can you please explain this to me (reduce the RTP port range for easier rule creation)?

    I do not have experience with H323 but 'google'  ;) told me that both (SIP and H323) signaling protocols use RTP for media transport; in this case audio is the media.

    Every time you get no audio or one-way audio, it means you are having RTP issues.

    In Asterisk, the default RTP range is from 10000 to 20000. I have no idea how H323 handles this.

    Returning to the firewall...
    RTP packets send 'in-packet' information telling the other party how (and to whom) to return the packet. When you have NAT, or the server thinks it is behind NAT, the information inside the packet will tell the other side to return the packet to a wrong or unreachable destination.

    Maybe there is a problem in NAT! I will wait for other ideas about this because I'm a newbie!
    Thanks a lot.



  • This is another capture of my state table in Site C:

    Proto    Source -> Router -> Destination    State   
    udp 172.16.3.200:1719 <- 172.16.1.200:4562 SINGLE:MULTIPLE 
    udp 172.16.1.200:4562 -> 172.16.6.200:1719 MULTIPLE:SINGLE 
    udp 172.16.3.200:48607 <- 172.16.1.200:1719 NO_TRAFFIC:SINGLE 
    udp 172.16.1.200:1719 -> 172.16.6.200:48607 SINGLE:NO_TRAFFIC 
    udp 172.16.1.200:4561 <- 172.16.6.200:48607 NO_TRAFFIC:SINGLE 
    udp 172.16.3.200:48607 -> 192.168.24.25:56773 -> 172.16.1.200:4561 SINGLE:NO_TRAFFIC


  • Diagnostics -> Packet Capture

    Do a "call capture", then open it with Wireshark (Telephony -> VoIP Calls -> Flow) and check where the RTP streams come and go; then you can figure out what is happening.



  • I created these rules but no result

    source (ports)  => destination (ports)

    PBX address Site A: 172.16.1.200 (UDP 32000-32512) => PBX address Site B: 172.16.2.200 (UDP 32000-32512)



  • Create one with serverA => serverB and serverB => serverA.

    Free all traffic between voip servers.



  • @marcelloc:

    Create one with serverA => serverB and serverB => serverA.

    Free all traffic between voip servers.

    I did it!! No result >:(



  • I think the problem is in the NAT!! Because when I turn off the NAT filter in the advanced setup the VoIP works very well, but Internet browsing doesn't work (no Internet access), so I don't know how to give access to the Internet!!! Do you have any idea ????



  • The server is on the same subnet as machines?

    If so, disable automatic nat and create your own nat out rules.

    Ps.
    It sounds strange to me that some services will need nat and some don't.



  • @marcelloc:

    The server is on the same subnet as machines?

    If so, disable automatic nat and create your own nat out rules.

    Ps.
    It sounds strange to me that some services will need nat and some don't.

    Yes, the server is on the same subnet as the machines!



  • I really don't understand this problem!!!
    I tried everything to resolve it but no solution until now!!

    Now I'm trying to make the VoIP work just between 2 sites, but the firewall still blocks the VoIP!

    The ping between the 2 sites A and B is good, and also the transfer of data from A => B and B => A!

    Site A :172.16.1.0
    ALCATEL PBX A : 172.16.1.200
    Site B :172.16.2.0
    ALCATEL PBX B : 172.16.2.200

    I created these rules,

    on Server A:

    Rule 1:

    LAN interface:
    Action: Pass
    Interface: LAN
    Protocol: Any
    Source: LAN subnet
    Destination: Single host or alias (Site B)
    Gateway: default

    Rule 2:

    LAN interface:
    Action: Pass
    Interface: LAN
    Protocol: TCP/UDP
    Source: Single host or alias (172.16.1.200)
    Port: from 32000 to 32512
    Destination: Single host or alias (172.16.2.200)
    Port: from 32000 to 32512
    Gateway: default

    –-----------------------------------------------------------

    on Server B:

    Rule 1:

    LAN interface:
    Action: Pass
    Interface: LAN
    Protocol: Any
    Source: LAN subnet
    Destination: Single host or alias (172.16.1.0)
    Gateway: default

    Rule 2:

    LAN interface:
    Action: Pass
    Interface: LAN
    Protocol: TCP/UDP
    Source: Single host or alias (172.16.2.200)
    Port: from 32000 to 32512
    Destination: Single host or alias (172.16.1.200)
    Port: from 32000 to 32512
    Gateway: default

    –------------------------------------------------------------

    Alcatel support says that the VoIP needs just ports 32000 to 32512, but I also tried to authorise all ports!! But no result!

    In Diagnostics: System logs: Firewall: the firewall still blocks the VoIP!!!

    Act       Time         If            Source                Destination              Proto
    X Oct 2 15:32:01 LAN 172.16.1.200:4489 172.16.2.200:58615 UDP
    X Oct 2 15:31:59 LAN 172.16.1.200:4491 172.16.2.200:34195 UDP


    Do you have any idea? ???
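
Added example, not part of the original post: the two blocked log entries above checked against Server A's Rule 2 as posted, reporting which rule fields each packet fails. It assumes the log-line layout quoted in the post; the `Rule` class and `audit` function are hypothetical helpers.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One pass rule, reduced to the fields listed in the post."""
    src: str
    dst: str
    protos: frozenset
    sports: range
    dports: range

    def misses(self, src, sport, dst, dport, proto):
        """Return the rule fields this packet fails to satisfy."""
        checks = [
            ("protocol", proto.lower() in self.protos),
            ("source", src == self.src),
            ("source port", sport in self.sports),
            ("destination", dst == self.dst),
            ("destination port", dport in self.dports),
        ]
        return [name for name, ok in checks if not ok]

# Server A, Rule 2 as posted: TCP/UDP, both port fields 32000-32512.
PORTS = range(32000, 32513)
RULE2 = Rule("172.16.1.200", "172.16.2.200", frozenset({"tcp", "udp"}), PORTS, PORTS)

# The two blocked entries quoted in the post.
LOG = """\
X Oct 2 15:32:01 LAN 172.16.1.200:4489 172.16.2.200:58615 UDP
X Oct 2 15:31:59 LAN 172.16.1.200:4491 172.16.2.200:34195 UDP
"""

LINE = re.compile(
    r"^\S+ \w+ +\d+ [\d:]+ \S+ "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

def audit(log, rule):
    """Return (flow, failed_fields) for every parseable log line."""
    out = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            flow = f"{m['src']}:{m['sport']} -> {m['dst']}:{m['dport']}"
            out.append((flow, rule.misses(m["src"], int(m["sport"]),
                                          m["dst"], int(m["dport"]), m["proto"])))
    return out

if __name__ == "__main__":
    for flow, failed in audit(LOG, RULE2):
        print(flow, "fails:", ", ".join(failed) or "nothing (rule matches)")
```

Both logged packets fail the source-port and destination-port fields, so a rule restricted to 32000-32512 on both sides does not cover them.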



  • Have you disabled nat between sites?

    Use tcpdump at the console and watch the packets flowing.



  • I turned off the NAT in the advanced setup and it works well! But users can't browse the Internet!!

    How can I block the NAT just between the 2 sites ???



  • With manual outbound NAT, there are two ways to do it.
    Either you have rules for these networks with the check box "Do not NAT" and, after that, a rule for destination any network with normal NATing

    -or-

    almost the same, but every other destination has to have a NAT rule except these 2 sites.



  • It's probably not NATing between the sites, it wouldn't by default at least, you would have to setup manual outbound NAT for that.
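
Added example, not part of the thread: one way to verify from Diag -> States whether site-to-site traffic is being translated, using state lines quoted earlier in the thread. It assumes the middle address of a three-address line is the translated source (per the "Source -> Router -> Destination" header) and that each site LAN is a /24; `analyse` and `nat_between_sites` are hypothetical names.

```python
import ipaddress
import re

# Site LANs from the first post; the /24 mask is an assumption.
SITES = [ipaddress.ip_network(n)
         for n in ("172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24")]

# State lines quoted in the thread.
STATES = """\
udp 172.16.1.200:2910 -> 172.16.11.200:24124 -> 172.16.2.200:1719 MULTIPLE:SINGLE
udp 172.16.1.200:1719 -> 172.16.11.200:10490 -> 172.16.2.200:1028 SINGLE:NO_TRAFFIC
udp 172.16.3.200:48607 -> 192.168.24.25:56773 -> 172.16.1.200:4561 SINGLE:NO_TRAFFIC
udp 172.16.1.200:4562 -> 172.16.6.200:1719 MULTIPLE:SINGLE
"""

ENDPOINT = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+")

def in_site(ip):
    return any(ipaddress.ip_address(ip) in net for net in SITES)

def analyse(line):
    """Parse one state line; return None if it is not a state entry."""
    fields = line.split()
    hosts = ENDPOINT.findall(line)
    if len(fields) < 5 or len(hosts) not in (2, 3):
        return None
    if "<-" in fields:            # reply-direction entry: flip to source-first
        hosts.reverse()
    src, dst = hosts[0], hosts[-1]
    via = hosts[1] if len(hosts) == 3 else None   # assumed: translated source
    return {
        "src": src, "via": via, "dst": dst,
        "inter_site_nat": bool(via) and via != src and in_site(src) and in_site(dst),
        # pf UDP states: NO_TRAFFIC means that side has sent nothing yet
        "one_way": "NO_TRAFFIC" in fields[-1].split(":"),
    }

def nat_between_sites(text):
    """Return (src, via, dst, one_way) for translated site-to-site states."""
    rows = (analyse(l) for l in text.splitlines())
    return [(r["src"], r["via"], r["dst"], r["one_way"])
            for r in rows if r and r["inter_site_nat"]]

if __name__ == "__main__":
    for src, via, dst, one_way in nat_between_sites(STATES):
        print(f"{src} translated to {via} on the way to {dst}; one-way={one_way}")
```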

