Netgate Discussion Forum

    Issues with inbound SIP on 5080

    15 Posts 4 Posters 4.3k Views
      mhotel

      NAT configured in pfSense 1.2.3 on an Alix 2d3, along with AON/manual.

      WAN    UDP    5080    192.168.X.24 (ext.: 70.57.X.Y)    5080    SIP

      When other end sends invites, pfSense logs appear to indicate forwarding those packets to the LAN host on X.24:

      Last 50 firewall log entries
      Act Time If Source Destination Proto
      Sep 20 16:03:39 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP
      Sep 20 16:03:37 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP
      Sep 20 16:03:36 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP
      Sep 20 16:03:35 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP
      Sep 20 16:00:10 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP
      Sep 20 16:00:08 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP
      Sep 20 16:00:07 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP
      Sep 20 16:00:06 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP

      Packet capture on pfSense targeting remote IP shows packets coming in on WAN but only outbound keepalives on LAN:

      PC WAN:
      16:00:04.937940 IP 70.57.247.39.57891 > 66.241.X.Y.5060: UDP, length 4
      16:00:05.743872 IP 66.241.X.Y.5060 > 70.57.247.39.5080: UDP, length 901
      16:00:06.744333 IP 66.241.X.Y.5060 > 70.57.247.39.5080: UDP, length 901
      16:00:07.744914 IP 66.241.X.Y.5060 > 70.57.247.39.5080: UDP, length 901
      16:00:09.745756 IP 66.241.X.Y.5060 > 70.57.247.39.5080: UDP, length 901

      PC LAN:
      16:03:45.012120 IP 192.168.X.24.5080 > 66.241.X.Y.5060: UDP, length 4
      16:04:05.019382 IP 192.168.X.24.5080 > 66.241.X.Y.5060: UDP, length 4

      The sipx box on X.24 does not receive the packets (at all.)  Both tcpdump and application logging show no packets coming from the ITSP gateway address (tcpdump does show keepalives we are sending to them every 20 seconds.)  I can ping the sipx box from pfsense, and I can send UDP/5080 packets with netcat which get picked up by the sipx logs and by tcpdump.

      I've restarted pfSense and the sipx server, deleted and re-created both the NAT mapping and the firewall rules more than once.

      Running tcpdump on both the NAT target and on pfSense looking for the remote host IP shows the internal host sending keepalives to the ITSP, but nothing coming from them.  pfSense firewall rule logs packets that tcpdump does not report on either host:

      pfsense:~#  tcpdump host 66.241.X.Y
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on vr0, link-type EN10MB (Ethernet), capture size 96 bytes
      16:00:04.937904 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
      16:00:24.945250 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
      16:00:X.951511 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
      16:01:04.958807 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
      16:01:24.965093 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
      16:01:X.972356 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
      16:02:04.978729 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
      16:02:24.986003 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
      16:02:X.992371 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
      16:03:04.999559 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
      16:03:25.005844 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
      16:03:45.012120 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4

      [root@sipx ~]# tcpdump host 66.241.X.Y
      tcpdump: WARNING: arptype 65535 not supported by libpcap - falling back to cooked socket
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
      16:00:05.228464 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
      16:00:25.229026 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
      16:00:45.228519 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
      16:01:05.229038 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
      16:01:25.228569 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
      16:01:45.229074 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
      16:02:05.228691 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
      16:02:25.229212 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
      16:02:45.228824 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
      16:03:05.229273 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
      16:03:25.228818 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
      16:03:45.228354 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4

      Updated topic title for the continuing saga of http://forum.pfsense.org/index.php/topic,51615.msg278760.html

      thanks~

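The WAN-versus-LAN capture comparison described in the post above can be scripted. This is an added example, not part of the original post: the addresses are constructed documentation-range stand-ins for the redacted ones, the sample lines are modelled on the captures shown, and the function names are hypothetical.

```python
import re

# One tcpdump text record: "HH:MM:SS.us IP src.sport > dst.dport: UDP, length N"
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)

# Constructed sample captures (stand-in addresses, same shape as the post's output).
WAN_CAPTURE = """
16:00:04.937940 IP 203.0.113.10.57891 > 198.51.100.7.5060: UDP, length 4
16:00:05.743872 IP 198.51.100.7.5060 > 203.0.113.10.5080: UDP, length 901
16:00:06.744333 IP 198.51.100.7.5060 > 203.0.113.10.5080: UDP, length 901
16:00:07.744914 IP 198.51.100.7.5060 > 203.0.113.10.5080: UDP, length 901
16:00:09.745756 IP 198.51.100.7.5060 > 203.0.113.10.5080: UDP, length 901
"""
LAN_CAPTURE = """
16:00:04.937904 IP 192.168.1.24.5080 > 198.51.100.7.5060: UDP, length 4
16:00:24.945250 IP 192.168.1.24.5080 > 198.51.100.7.5060: UDP, length 4
"""

def parse(capture):
    """Return packet dicts; lines that are not UDP records are skipped."""
    pkts = []
    for line in capture.strip().splitlines():
        m = LINE.match(line.strip())
        if m:
            d = m.groupdict()
            pkts.append({**d, "sport": int(d["sport"]),
                         "dport": int(d["dport"]), "len": int(d["len"])})
    return pkts

def compare(wan, lan, wan_ip, lan_host, port):
    """Correlate WAN-side and LAN-side captures around one port forward."""
    wan_pkts, lan_pkts = parse(wan), parse(lan)
    # Source ports the LAN host used, and the ports actually seen leaving the WAN.
    lan_sports = {p["sport"] for p in lan_pkts if p["src"] == lan_host}
    wan_sports = {p["sport"] for p in wan_pkts if p["src"] == wan_ip}
    return {
        "inbound_on_wan": sum(p["dst"] == wan_ip and p["dport"] == port for p in wan_pkts),
        "forwarded_to_lan": sum(p["dst"] == lan_host and p["dport"] == port for p in lan_pkts),
        "lan_source_ports": sorted(lan_sports),
        "wan_source_ports": sorted(wan_sports),
        "source_port_rewritten": bool(wan_sports) and not wan_sports <= lan_sports,
    }

if __name__ == "__main__":
    print(compare(WAN_CAPTURE, LAN_CAPTURE, "203.0.113.10", "192.168.1.24", 5080))
```

On this sample it reports four inbound packets on WAN, none forwarded to the LAN host, and a keepalive that left the LAN host from port 5080 but left the WAN from port 57891.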
        chpalmer

        What kind of switch do you utilize and have you rebooted it?

        Triggering snowflakes one by one..
        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

          podilarius

          Can you post screen shots of the NAT configuration? If you are using AON, please post that also.

            mhotel

            @chpalmer:

            What kind of switch do you utilize and have you rebooted it?

            Switch is a Cisco SG300-20 with no VLANs yet defined, and yes it has been rebooted.  Straight cable between the Alix and the DSL modem.

            I'll grab screenshots when I'm down there this afternoon.

            thanks~

              mhotel

              Screenshots

              ![NAT page.png](/public/imported_attachments/1/NAT page.png)
              ![Outbound NAT.png](/public/imported_attachments/1/Outbound NAT.png)

                podilarius

                Can you edit the rule and post those screen shots? To be honest, I don't have a 1.2.3 installed any longer. Would it be possible to upgrade that to 2.0?

                  Supermule

                  Your int. port range is wrong. It should say 5060 instead of 5080.

                  Delete the rule and create again.

                  BUT…..I would use 5060 ext. range since this is the default SIP.

                    mhotel

                    Internal and external are both on 5080 by design.  Not my preference, but sipXbridge currently requires it.

                      mhotel

                      @podilarius:

                      Can you edit the rule and post those screen shots?

                      edit-rule.png

                        chpalmer

                        Try filling in the "to" with 5080.

                        Triggering snowflakes one by one..
                        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                          podilarius

                          On your advanced outbound, create a new rule above your default. Have it set so that it looks like:

                          Source:192.168.44.24
                          SPort: any
                          Destination: 66.241.X.Y
                          DPort: 5060
                          Translation: Interface Address
                          Static Port: yes

                            mhotel

                            Just tried that, no change in packet behavior.

                            Note that the outbound keepalives are making it through pfSense and back to the ITSP.  It's the inbound 5080 that gets dropped.

                              podilarius

                              Is that traffic in response to the keep alives or are they calls or alerts from the ISP? Are you able to make calls? Do you have one way audio? Do you have keep states set on the default rule or the rule governing the traffic?
                              Does a traceroute complete from either location?

                              Do you have a range of IP addresses from your provider?

                              Also, do you have a spare machine you can load pfsense on for a quick load of your rules to see if that would work?

                                mhotel

                                Outbound calls go to a different proxy and are working fine.

                                The packets we are sending to 5060 are intended to keep a generic firewall open to inbound SIP invites on 5080.

                                Only one static IP from this provider, and the ITSP is sending to that address.

                                I'll look for another machine to try 2.01 on.  The strange thing is that this was working when we first set it up, and stopped a couple of days later with no changes to pfSense.

                                  podilarius

                                  Could be hardware related or someone made an accidental change in the config.
