Issues with inbound SIP on 5080



  • NAT configured in pfSense 1.2.3 on an Alix 2d3, along with AON/manual.

    WAN    UDP    5080    192.168.X.24 (ext.: 70.57.X.Y)    5080    SIP

    When other end sends invites, pfSense logs appear to indicate forwarding those packets to the LAN host on X.24:

    Last 50 firewall log entries
    Act Time If Source Destination Proto
    Sep 20 16:03:39 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP
    Sep 20 16:03:37 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP
    Sep 20 16:03:36 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP
    Sep 20 16:03:35 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP
    Sep 20 16:00:10 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP
    Sep 20 16:00:08 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP
    Sep 20 16:00:07 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP
    Sep 20 16:00:06 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP

    Packet capture on pfSense targeting remote IP shows packets coming in on WAN but only outbound keepalives on LAN:

    PC WAN:
    16:00:04.937940 IP 70.57.247.39.57891 > 66.241.X.Y.5060: UDP, length 4
    16:00:05.743872 IP 66.241.X.Y.5060 > 70.57.247.39.5080: UDP, length 901
    16:00:06.744333 IP 66.241.X.Y.5060 > 70.57.247.39.5080: UDP, length 901
    16:00:07.744914 IP 66.241.X.Y.5060 > 70.57.247.39.5080: UDP, length 901
    16:00:09.745756 IP 66.241.X.Y.5060 > 70.57.247.39.5080: UDP, length 901

    PC LAN:
    16:03:45.012120 IP 192.168.X.24.5080 > 66.241.X.Y.5060: UDP, length 4
    16:04:05.019382 IP 192.168.X.24.5080 > 66.241.X.Y.5060: UDP, length 4

    The sipx box on X.24 does not receive the packets (at all.)  Both tcpdump and application logging show no packets coming from the ITSP gateway address (tcpdump does show keepalives we are sending to them every 20 seconds.)  I can ping the sipx box from pfsense, and I can send UDP/5080 packets with netcat which get picked up by the sipx logs and by tcpdump.

    I've restarted pfSense and the sipx server, deleted and re-created both the NAT mapping and the firewall rules more than once.

    Running tcpdump on both the NAT target and on pfSense looking for the remote host IP shows the internal host sending keepalives to the ITSP, but nothing coming from them.  pfSense firewall rule logs packets that tcpdump does not report on either host:

    pfsense:~#  tcpdump host 66.241.X.Y
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on vr0, link-type EN10MB (Ethernet), capture size 96 bytes
    16:00:04.937904 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
    16:00:24.945250 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
    16:00:X.951511 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
    16:01:04.958807 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
    16:01:24.965093 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
    16:01:X.972356 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
    16:02:04.978729 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
    16:02:24.986003 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
    16:02:X.992371 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
    16:03:04.999559 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
    16:03:25.005844 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
    16:03:45.012120 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4

    [root@sipx ~]# tcpdump host 66.241.X.Y
    tcpdump: WARNING: arptype 65535 not supported by libpcap - falling back to cooked socket
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
    16:00:05.228464 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
    16:00:25.229026 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
    16:00:45.228519 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
    16:01:05.229038 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
    16:01:25.228569 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
    16:01:45.229074 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
    16:02:05.228691 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
    16:02:25.229212 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
    16:02:45.228824 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
    16:03:05.229273 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
    16:03:25.228818 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
    16:03:45.228354 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4

    Updated topic title for the continuing saga of http://forum.pfsense.org/index.php/topic,51615.msg278760.html

    thanks~
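
    Added example, not part of the original post: the WAN-versus-LAN capture comparison described above, automated so that every datagram that reaches the port forward but never appears translated on the LAN side is listed. It assumes `tcpdump -n` text output taken on both pfSense interfaces; the addresses, sample lines and the helper names `parse` and `undelivered` are constructed for illustration.

```python
import re

# One line of `tcpdump -n` text output, e.g.
# "16:00:05.743872 IP 198.51.100.7.5060 > 203.0.113.10.5080: UDP, length 901"
LINE = re.compile(r"(\d\d):(\d\d):(\d\d)\.\d+ IP (\S+)\.(\d+) > (\S+)\.(\d+): "
                  r"\w+, length:? (\d+)")

def parse(capture):
    """Return (second_of_day, src, sport, dst, dport, length) per UDP line."""
    out = []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m:
            h, mi, s, src, sp, dst, dp, n = m.groups()
            out.append((int(h) * 3600 + int(mi) * 60 + int(s),
                        src, int(sp), dst, int(dp), int(n)))
    return out

def undelivered(wan_capture, lan_capture, forward, window=1):
    """WAN packets that hit the port forward but have no translated LAN copy.

    forward = (wan_ip, wan_port, lan_ip, lan_port); a LAN packet counts as the
    same datagram if source, length and timestamp (+/- window s) agree.
    """
    wan_ip, wan_port, lan_ip, lan_port = forward
    lan = [p for p in parse(lan_capture) if p[3:5] == (lan_ip, lan_port)]
    missing = []
    for t, src, sp, dst, dp, n in parse(wan_capture):
        if (dst, dp) != (wan_ip, wan_port):
            continue  # outbound keepalive or unrelated traffic
        hit = next((p for p in lan if p[1:3] == (src, sp) and p[5] == n
                    and abs(p[0] - t) <= window), None)
        if hit:
            lan.remove(hit)  # each LAN packet accounts for one WAN packet
        else:
            missing.append((t, src, sp, n))
    return missing

# Constructed sample captures (documentation addresses, not the thread's).
FORWARD = ("203.0.113.10", 5080, "192.168.1.24", 5080)
WAN = """\
16:00:04.937940 IP 203.0.113.10.57891 > 198.51.100.7.5060: UDP, length 4
16:00:05.743872 IP 198.51.100.7.5060 > 203.0.113.10.5080: UDP, length 901
16:00:06.744333 IP 198.51.100.7.5060 > 203.0.113.10.5080: UDP, length 901
"""
LAN = """\
16:00:04.937904 IP 192.168.1.24.5080 > 198.51.100.7.5060: UDP, length 4
"""

if __name__ == "__main__":
    for t, src, sp, n in undelivered(WAN, LAN, FORWARD):
        print(f"{t}s: {n} bytes from {src}:{sp} seen on WAN, never on LAN")
```

    An empty result means every forwarded datagram left the LAN interface, which moves the search to the switch or the target host; a non-empty one points at the firewall itself (rule, state or NAT handling).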



  • What kind of switch do you utilize and have you rebooted it?



  • Can you post screen shots of the NAT configuration? If you are using AON, please post that also.



  • @chpalmer:

    What kind of switch do you utilize and have you rebooted it?

    Switch is a Cisco SG300-20 with no VLANs yet defined, and yes it has been rebooted.  Straight cable between the Alix and the DSL modem.

    I'll grab screenshots when I'm down there this afternoon.

    thanks~



  • Screenshots

    ![NAT page.png](/public/imported_attachments/1/NAT page.png)
    ![Outbound NAT.png](/public/imported_attachments/1/Outbound NAT.png)



  • Can you edit the rule and post those screen shots? To be honest, I don't have a 1.2.3 installed any longer. Would it be possible to upgrade that to 2.0?


  • Your int. port range is wrong. It should say 5060 instead of 5080.

    Delete the rule and create again.

    BUT…..I would use 5060 ext. range since this is the default SIP.



  • Internal and external are both on 5080 by design.  Not my preference, but sipXbridge currently requires it.



  • @podilarius:

    Can you edit the rule and post those screen shots?




  • Try filling in the "to" with 5080.



  • On your advanced outbound, create a new rule above your default. Have it set so that it looks like:

    Source:192.168.44.24
    SPort: any
    Destination: 66.241.X.Y
    DPort: 5060
    Translation: Interface Address
    Static Port: yes



  • Just tried that, no change in packet behavior.

    Note that the outbound keepalives are making it through pfSense and back to the ITSP.  It's the inbound 5080 that gets dropped.



  • Is that traffic in response to the keep alives or are they calls or alerts from the ISP? Are you able to make calls? Do you have one way audio? Do you have keep states set on the default rule or the rule governing the traffic?
    Does a traceroute complete from either location?

    Do you have a range of IP addresses from your provider?

    Also, do you have a spare machine you can load pfsense on for a quick load of your rules to see if that would work?



  • Outbound calls go to a different proxy and are working fine.

    The packets we are sending to 5060 are intended to keep a generic firewall open to inbound SIP invites on 5080.

    Only one static IP from this provider, and the ITSP is sending to that address.

    I'll look for another machine to try 2.01 on.  The strange thing is that this was working when we first set it up, and stopped a couple of days later with no changes to pfSense.



  • Could be hardware related or someone made an accidental change in the config.

