Asterisk SIP - CARP IP with 1 to 1 NAT presenting internal 10.0.0.x IP to carrie

  • I have been on this for a while without success. I did searches and found no help for someone in a similar configuration.

    We have a multi WAN setup with two blocks of IPs.
    Each pfsense firewall has an IP in each block to allow CARP of both blocks between them
    pfsense-a handles one block of ips, pfsense-b handles the other. ( I dind't set this, it just seemed to split it up for me)

    When only have 1 way audio and no DTFM when calling out to our SIP provider. I have called the SIP provider and they claim the IP they receive is 10.0.0.x, which they can't route back to us. How is it possible that the internal IP of my asterisk server is routed out the WAN to the SIP carrier as the proper return path?

    Any help offered is appreciated. I don't want to run siproxd, direct 1 to 1 nat to the asterisk server is preferred.

  • Rebel Alliance Developer Netgate

    They probably mean that your PBX is sending the 10.x.x.x IP in its VIA headers in the SIP packets. The firewall doesn't touch those, they're set by your PBX. Setup your NAT settings + local net definitions in your PBX and it will probably work.

  • I have reconfigured the Asterisk server to include both "externip" and "fromdomain" values, this did not make a difference.

    I think the issue is with pfsense and how it's handling the 1:1 NAT. In the states table I see the following.

    SIPProviderIPAddress:5060 <- InternalIPAddress:5060
    InternalIPAddress:5060 -> CARPIPAddress:5060 -> SIPProviderIPAddress:5060

    I suspect that the CARP not being seen in the state for both directions of traffic is the issue here. Is there a way to force all traffic using the CARP IP to use that IP in both directions and have it shows in the states?

    The other item that may be an issue is the Single:Multple and Multple:Single under the "state" column. If I can sort out how pfsense is delivering a class C IP to the SIP provider and get it to send the CARP IP I want to use I believe this SIP / Asterisk setup will work without siproxyd.