Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Voip : Only one way speech is working between 2 Sites!

    Firewalling
    6
    28
    8863
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      fifinon last edited by

      Hello,

      i have 3 sites connected with openvpn using Pfsense Server:
      Site A : 172.16.1.0
      Site B : 172.16.2.0
      Site C : 172.16.3.0

      the problem is that when we installed and configured the VOIP  in the 3 sites, only one way speech is working between site A and Site B also Site A and site C !

      for info :

      Gateways :
      172.16.1.254
      172.16.2.254
      172.16.3.254

      Adresse PBX :

      172.16.1.200
      172.16.2.200
      172.16.3.200

      –-------------------------
      in the rules (lan) of the 3 pfsenses, i autorised the communication between autocoms and i open all ports!

      do you have any idea about this problème  ????

      thanks in advance ;)

      1 Reply Last reply Reply Quote 0
      • P
        podilarius last edited by

        You might have a split route. Check to make sure that the servers can ping each other through the VPN. Also make sure that your rules also include UDP, which they probably are, but it might be allowed on one side and the default of TCP only is on the other.

        1 Reply Last reply Reply Quote 0
        • F
          fifinon last edited by

          You might have a split route. Check to make sure that the servers can ping each other through the VPN. Also make sure that your rules also include UDP, which they probably are, but it might be allowed on one side and the default of TCP only is on the other.

          Hi,
          The servers can ping each other through the LAN interface and VPN, and the transfer of data is good in 3 direction!
          in the rules i tried to autorise the adresses ip of 3 autocoms! in the 3 servers using Protocol TCP/UDP, but i have the same probléme!
          from site A i can heard the user in Site B, but he can't heard anything!!

          Thanks for your answer ;).

          1 Reply Last reply Reply Quote 0
          • P
            podilarius last edited by

            What ports have you authorized?

            1 Reply Last reply Reply Quote 0
            • F
              fifinon last edited by

              In the first time i autorised from 32000 to 32512 IN UDP (i found those ports in Alcatel documentation guide)""sorry for my english :-[""
              also i tried the same ports for TCP and TCP/UDP,
              But no résult ???

              1 Reply Last reply Reply Quote 0
              • P
                podilarius last edited by

                I would switch that to allow all tcp and udp ports through. Watch your state tables and you can adjust your FW rules based on the connection(s).

                1 Reply Last reply Reply Quote 0
                • ptt
                  ptt Rebel Alliance last edited by

                  Do some packet capture, with wireshark, then check the RTPs stream to check if its go to the right place.

                  1 Reply Last reply Reply Quote 0
                  • F
                    fifinon last edited by

                    what did you mean by state tables and where can i find it?
                    thanks very much!

                    1 Reply Last reply Reply Quote 0
                    • P
                      podilarius last edited by

                      @fifinon:

                      what did you mean by state tables and where can i find it?
                      thanks very much!

                      It is under Diag -> States.

                      1 Reply Last reply Reply Quote 0
                      • F
                        fifinon last edited by

                        It is under Diag -> States.

                        OK THIS IS A CAPTURE OF TABLE :
                        http://imageshack.us/photo/my-images/580/voip.png/

                        for info :
                        our goal is to use simple telephones(analog & num) between sites and remove telephones IP.

                        1 Reply Last reply Reply Quote 0
                        • F
                          fifinon last edited by

                          can you explain this :

                          stats table :

                          udp 172.16.1.200:2910 -> 172.16.11.200:24124 -> 172.16.2.200:1719 MULTIPLE:SINGLE 
                          udp 172.16.1.200:1719 -> 172.16.11.200:10490 -> 172.16.2.200:1028 SINGLE:NO_TRAFFIC

                          172.16.11.200 = antenne RLAN

                          1 Reply Last reply Reply Quote 0
                          • marcelloc
                            marcelloc last edited by

                            Check if there is some nat configurarion for sip at your voip servers and also reduce  the RTP port range for a Easier rule creation.

                            At asterisk its very easy to setup.

                            I just don't understand why are you giving up ip phones?
                            But its a firewall forum, not a voip one, So check these configs and see if ir works.

                            Treinamentos de Elite: http://sys-squad.com

                            Help a community developer! ;D

                            1 Reply Last reply Reply Quote 0
                            • F
                              fifinon last edited by

                              Check if there is some nat configurarion for sip at your voip servers and also reduce  the RTP port range for a Easier rule creation.

                              the protocol used for my voip configuration is H323!

                              can you please explain me this ( reduce  the RTP port range for a Easier rule creation )?

                              1 Reply Last reply Reply Quote 0
                              • marcelloc
                                marcelloc last edited by

                                @fifinon:

                                the protocol used for my voip configuration is H323!

                                can you please explain me this ( reduce  the RTP port range for a Easier rule creation )?

                                I do not have experience with h323 but 'google'  ;) told me that both(sip and h323) signaling protocols uses RTP for media transport, in this case audio is the media.

                                Every time you get no audio or one way audio, it means you are having RTP issues.

                                At asterisk, default RTP range is from 10000 to 20000. I have no idea how h323 handles this.

                                Returning to firewall….
                                RTP packages sents 'inpackage' information telling other part how(and for who) he will return the package. When you have NAT, or server thinks he is behind NAT, the information inside the package will tell the other side to return the package to a wrong or unreachable destination.

                                Treinamentos de Elite: http://sys-squad.com

                                Help a community developer! ;D

                                1 Reply Last reply Reply Quote 0
                                • F
                                  fifinon last edited by

                                  @marcelloc:

                                  @fifinon:

                                  the protocol used for my voip configuration is H323!

                                  can you please explain me this ( reduce  the RTP port range for a Easier rule creation )?

                                  I do not have experience with h323 but 'google'  ;) told me that both(sip and h323) signaling protocols uses RTP for media transport, in this case audio is the media.

                                  Every time you get no audio or one way audio, it means you are having RTP issues.

                                  At asterisk, default RTP range is from 10000 to 20000. I have no idea how h323 handles this.

                                  Returning to firewall….
                                  RTP packages sents 'inpackage' information telling other part how(and for who) he will return the package. When you have NAT, or server thinks he is behind NAT, the information inside the package will tell the other side to return the package to a wrong or unreachable destination.

                                  maybe there is a problem in NAT ! i will wait for other idea about this because i'm newbie !
                                  thanks alot.

                                  1 Reply Last reply Reply Quote 0
                                  • F
                                    fifinon last edited by

                                    this is another captur of my state table in site C :

                                    Proto    Source -> Router -> Destination    State   
                                    udp 172.16.3.200:1719 <- 172.16.1.200:4562 SINGLE:MULTIPLE 
                                    udp 172.16.1.200:4562 -> 172.16.6.200:1719 MULTIPLE:SINGLE 
                                    udp 172.16.3.200:48607 <- 172.16.1.200:1719 NO_TRAFFIC:SINGLE 
                                    udp 172.16.1.200:1719 -> 172.16.6.200:48607 SINGLE:NO_TRAFFIC 
                                    udp 172.16.1.200:4561 <- 172.16.6.200:48607 NO_TRAFFIC:SINGLE 
                                    udp 172.16.3.200:48607 -> 192.168.24.25:56773 -> 172.16.1.200:4561 SINGLE:NO_TRAFFIC

                                    1 Reply Last reply Reply Quote 0
                                    • ptt
                                      ptt Rebel Alliance last edited by

                                      Diagnostics –> Packet Capture

                                      Do a "call capture" then open with Wireshark ( Telephony -> VoIP Calls -> Flow ) and check where the RTPs Come & Go, then you can figure what is happening.

                                      1 Reply Last reply Reply Quote 0
                                      • F
                                        fifinon last edited by

                                        i created  this rules but no résult

                                        source (ports)  => destination (ports)

                                        adresse PBX site A : 172.16.1.200 (UDP 32000-32512 ) => adresse PBX Site B 172.16.2.200 (UDP 32000-32512)

                                        1 Reply Last reply Reply Quote 0
                                        • marcelloc
                                          marcelloc last edited by

                                          Create one with serverA => serverB and serverB => serverA.

                                          Free all traffic between voip servers.

                                          Treinamentos de Elite: http://sys-squad.com

                                          Help a community developer! ;D

                                          1 Reply Last reply Reply Quote 0
                                          • F
                                            fifinon last edited by

                                            @marcelloc:

                                            Create one with serverA => serverB and serverB => serverA.

                                            Free all traffic between voip servers.

                                            i did it !! no résult >:(

                                            1 Reply Last reply Reply Quote 0
                                            • F
                                              fifinon last edited by

                                              I think the problème is in the NAT !! because when i turn off NAT filtre in advance setup the voip work very good, but the navigation in internet don't work (no internet acces) so i don't know how to give acces to internet !!! do you have any idea ????

                                              1 Reply Last reply Reply Quote 0
                                              • marcelloc
                                                marcelloc last edited by

                                                The server is on the same subnet as machines?

                                                If so, disable automatic nat and create your own nat out rules.

                                                Ps.
                                                It sounds strange to me that some services will need nat and some don't.

                                                Treinamentos de Elite: http://sys-squad.com

                                                Help a community developer! ;D

                                                1 Reply Last reply Reply Quote 0
                                                • F
                                                  fifinon last edited by

                                                  @marcelloc:

                                                  The server is on the same subnet as machines?

                                                  If so, disable automatic nat and create your own nat out rules.

                                                  Ps.
                                                  It sounds strange to me that some services will need nat and some don't.

                                                  Yes the server is on the same subnet as machnies !

                                                  1 Reply Last reply Reply Quote 0
                                                  • F
                                                    fifinon last edited by

                                                    I really don't understand this problème!!!
                                                    i tired every thing to resolve it but no solution until now!!

                                                    now i'm trying to make the VOIP work just between 2 sites but the firewall still block the voip!

                                                    the ping between 2 sites A and B is good also the transfer of DATA from A => B and B => A!

                                                    Site A :172.16.1.0
                                                    ALCATEL PBX A : 172.16.1.200
                                                    Site B :172.16.2.0
                                                    ALCATEL PBX B : 172.16.2.200

                                                    i created those rules,

                                                    in Server A :

                                                    Rule 1 :

                                                    Lan Interface :

                                                    Action : Pass

                                                    Interface : LAN

                                                    Protocol : Any

                                                    Source  : Lan subnet

                                                    Destination : Single Hoste Or Aliace (Site B)

                                                    Geteway : default

                                                    Rule 2 :

                                                    Lan Interface :

                                                    Action : Pass

                                                    Interface : LAN

                                                    Protocol : TCP/UDP

                                                    Source  : Single Hoste Or Aliace (172.16.1.200)

                                                    Port : from 32000 to 32512

                                                    Destination : Single Hoste Or Aliace (172.16.2.200)

                                                    Port : from 32000 to 32512

                                                    Geteway : default

                                                    –-----------------------------------------------------------

                                                    in Server B :

                                                    Rule 1 :

                                                    Lan Interface :

                                                    Action : Pass

                                                    Interface : LAN

                                                    Protocol : Any

                                                    Source  : Lan subnet

                                                    Destination : Single Hoste Or Aliace (172.16.1.0)

                                                    Geteway : default

                                                    Rule 2 :

                                                    Lan Interface :

                                                    Action : Pass

                                                    Interface : LAN

                                                    Protocol : TCP/UDP

                                                    Source  : Single Hoste Or Aliace (172.16.2.200)

                                                    Port : from 32000 to 32512

                                                    Destination : Single Hoste Or Aliace (172.16.1.200)

                                                    Port : from 32000 to 32512

                                                    Geteway : default

                                                    –------------------------------------------------------------

                                                    Alcatel support say that the VOIP need just port from 32000 to 32512 but i also tried to autorise all port!! but no résult!

                                                    in Diagnostics: System logs: Firewall : the firewall still block the voip !!!

                                                    Act       Time         If            Source                Destination              Proto
                                                    X Oct 2 15:32:01 LAN 172.16.1.200:4489 172.16.2.200:58615 UDP
                                                    X Oct 2 15:31:59 LAN 172.16.1.200:4491 172.16.2.200:34195 UDP


                                                    Do you have any idea? ???

                                                    1 Reply Last reply Reply Quote 0
                                                    • marcelloc
                                                      marcelloc last edited by

                                                      Have you disabled nat between sites?

                                                      Use tcpdump at console and see packages flowing

                                                      Treinamentos de Elite: http://sys-squad.com

                                                      Help a community developer! ;D

                                                      1 Reply Last reply Reply Quote 0
                                                      • F
                                                        fifinon last edited by

                                                        I turned off the NAT in advance setup, it work good ! but users can't have the internet navigation!!

                                                        how can i block the nat just between the 2 sites ???

                                                        1 Reply Last reply Reply Quote 0
                                                        • M
                                                          Metu69salemi last edited by

                                                          With manual outbound nat, there is two ways to do it.
                                                          either you have rules to these networks with a check box: DO NOt NAT and after that destination any network with normal natting

                                                          -or-

                                                          almost similar, but any other destinations has to have nat rule except these 2sites.

                                                          1 Reply Last reply Reply Quote 0
                                                          • C
                                                            cmb last edited by

                                                            It's probably not NATing between the sites, it wouldn't by default at least, you would have to setup manual outbound NAT for that.

                                                            1 Reply Last reply Reply Quote 0
                                                            • First post
                                                              Last post