FreePBX inbound call issue
-
@samsmart84 said in FreePBX inbound call issue:
@jaredbusch said in FreePBX inbound call issue:
@samsmart84 said in FreePBX inbound call issue:
@jaredbusch said in FreePBX inbound call issue:
@samsmart84 okay, so this confirms shit is just fucked up.
Ok. The hard part here is making sure you have no outbound calls.
Then when you make an inbound call monitor the CLI
asterisk -rvvvvvAnd then call in.
I get nothing in the CLI for inbound calling when it fails. When I call out first then call in, stuff shows up obviously but not seeing anything that would indicate an issue (as far as I can tell)
What version of FreePBX?
Old. 2.8.1.5
umm, ok.. /me racks brain cells
So first, shut off iptables and see if the problem goes away.
service iptables stopYour system if not direct ont he internet right? So this should be safe enough for a short term test.
-
@jaredbusch said in FreePBX inbound call issue:
@samsmart84 said in FreePBX inbound call issue:
@jaredbusch said in FreePBX inbound call issue:
@samsmart84 said in FreePBX inbound call issue:
@jaredbusch said in FreePBX inbound call issue:
@samsmart84 okay, so this confirms shit is just fucked up.
Ok. The hard part here is making sure you have no outbound calls.
Then when you make an inbound call monitor the CLI
asterisk -rvvvvvAnd then call in.
I get nothing in the CLI for inbound calling when it fails. When I call out first then call in, stuff shows up obviously but not seeing anything that would indicate an issue (as far as I can tell)
What version of FreePBX?
Old. 2.8.1.5
umm, ok.. /me racks brain cells
So first, shut off iptables and see if the problem goes away.
service iptables stopYour system if not direct ont he internet right? So this should be safe enough for a short term test.
No it is not direct so should be safe. Issue remains after shutting off iptables
-
@samsmart84 said in FreePBX inbound call issue:
@jaredbusch said in FreePBX inbound call issue:
@samsmart84 said in FreePBX inbound call issue:
@jaredbusch said in FreePBX inbound call issue:
@samsmart84 said in FreePBX inbound call issue:
@jaredbusch said in FreePBX inbound call issue:
@samsmart84 okay, so this confirms shit is just fucked up.
Ok. The hard part here is making sure you have no outbound calls.
Then when you make an inbound call monitor the CLI
asterisk -rvvvvvAnd then call in.
I get nothing in the CLI for inbound calling when it fails. When I call out first then call in, stuff shows up obviously but not seeing anything that would indicate an issue (as far as I can tell)
What version of FreePBX?
Old. 2.8.1.5
umm, ok.. /me racks brain cells
So first, shut off iptables and see if the problem goes away.
service iptables stopYour system if not direct ont he internet right? So this should be safe enough for a short term test.
No it is not direct so should be safe. Issue remains after shutting off iptables
Well that points back to your routing which is the root cause of this circle jerk.
Because in 2.8, the only firewalling was
iptables.If that is not running, but you are not seeing anything hit the PBX, then it is like the call is not making to it.
-
I am trying to think where else to look, but not getting anywhere.
-
@jaredbusch said in FreePBX inbound call issue:
I am trying to think where else to look, but not getting anywhere.
Yeah it's just so odd.. I can't wrap my head around why the SIP trunk IP changing would break inbound. On the old router config there was literally no reference to the actual SIP trunk IP or anything else I could see that would be affecting it
-
@samsmart84 Maybe this Sophos KB article will help?
-
@triple9 said in FreePBX inbound call issue:
@samsmart84 Maybe this Sophos KB article will help?
Success! So basically some trial and error with the settings.. I had to turn OFF the Sophos VOIP options as that was actually BLOCKING everything (Go figure). I had made the DNAT rule listed in that link before but didn't have any success - the auto firewall rules with it didn't work evidently. Running the DNAT mixed with creating manual firewall rules for outbound calling and it all seems to be working. I've been testing for about an hour - when I turn the DNAT off it stops working and when it's on it works just fine so I think we've got the right combo at this point.
Thanks for all your help everyone! That was a pain in the butt to track down.
-
@samsmart84 said in FreePBX inbound call issue:
@triple9 said in FreePBX inbound call issue:
@samsmart84 Maybe this Sophos KB article will help?
Success! So basically some trial and error with the settings.. I had to turn OFF the Sophos VOIP options as that was actually BLOCKING everything (Go figure).
That’s actually expected. That’s SIP-ALG. Always have to disable that. It’s basically just SIP blocking.
-
@scottalanmiller said in FreePBX inbound call issue:
@samsmart84 said in FreePBX inbound call issue:
@triple9 said in FreePBX inbound call issue:
@samsmart84 Maybe this Sophos KB article will help?
Success! So basically some trial and error with the settings.. I had to turn OFF the Sophos VOIP options as that was actually BLOCKING everything (Go figure).
That’s actually expected. That’s SIP-ALG. Always have to disable that. It’s basically just SIP blocking.
Nice of them to include that as a SIP "feature"
-
@samsmart84 said in FreePBX inbound call issue:
@scottalanmiller said in FreePBX inbound call issue:
@samsmart84 said in FreePBX inbound call issue:
@triple9 said in FreePBX inbound call issue:
@samsmart84 Maybe this Sophos KB article will help?
Success! So basically some trial and error with the settings.. I had to turn OFF the Sophos VOIP options as that was actually BLOCKING everything (Go figure).
That’s actually expected. That’s SIP-ALG. Always have to disable that. It’s basically just SIP blocking.
Nice of them to include that as a SIP "feature"
It’s so dumb. But every vendor does it. So don’t think too badly of Sophos. Only vendor I know that doesn’t do it is Ubiquiti. And they do it, it just works.
-
@scottalanmiller said in FreePBX inbound call issue:
@samsmart84 said in FreePBX inbound call issue:
@scottalanmiller said in FreePBX inbound call issue:
@samsmart84 said in FreePBX inbound call issue:
@triple9 said in FreePBX inbound call issue:
@samsmart84 Maybe this Sophos KB article will help?
Success! So basically some trial and error with the settings.. I had to turn OFF the Sophos VOIP options as that was actually BLOCKING everything (Go figure).
That’s actually expected. That’s SIP-ALG. Always have to disable that. It’s basically just SIP blocking.
Nice of them to include that as a SIP "feature"
It’s so dumb. But every vendor does it. So don’t think too badly of Sophos. Only vendor I know that doesn’t do it is Ubiquiti. And they do it, it just works.
Sorry to disappoint, but it Ubiquiti does not have it disabled by default.
You have to disable it.configure set system conntrack modules sip disable commit;save;exit -
@jaredbusch said in FreePBX inbound call issue:
@scottalanmiller said in FreePBX inbound call issue:
@samsmart84 said in FreePBX inbound call issue:
@scottalanmiller said in FreePBX inbound call issue:
@samsmart84 said in FreePBX inbound call issue:
@triple9 said in FreePBX inbound call issue:
@samsmart84 Maybe this Sophos KB article will help?
Success! So basically some trial and error with the settings.. I had to turn OFF the Sophos VOIP options as that was actually BLOCKING everything (Go figure).
That’s actually expected. That’s SIP-ALG. Always have to disable that. It’s basically just SIP blocking.
Nice of them to include that as a SIP "feature"
It’s so dumb. But every vendor does it. So don’t think too badly of Sophos. Only vendor I know that doesn’t do it is Ubiquiti. And they do it, it just works.
Sorry to disappoint, but it Ubiquiti does not have it disabled by default.
You have to disable it.configure set system conntrack modules sip disable commit;save;exitI know it is enabled, but have you ever seen it fail? It's the one SIP-ALG system that I have seen "just work" in the real world.
-
@scottalanmiller said in FreePBX inbound call issue:
@jaredbusch said in FreePBX inbound call issue:
@scottalanmiller said in FreePBX inbound call issue:
@samsmart84 said in FreePBX inbound call issue:
@scottalanmiller said in FreePBX inbound call issue:
@samsmart84 said in FreePBX inbound call issue:
@triple9 said in FreePBX inbound call issue:
@samsmart84 Maybe this Sophos KB article will help?
Success! So basically some trial and error with the settings.. I had to turn OFF the Sophos VOIP options as that was actually BLOCKING everything (Go figure).
That’s actually expected. That’s SIP-ALG. Always have to disable that. It’s basically just SIP blocking.
Nice of them to include that as a SIP "feature"
It’s so dumb. But every vendor does it. So don’t think too badly of Sophos. Only vendor I know that doesn’t do it is Ubiquiti. And they do it, it just works.
Sorry to disappoint, but it Ubiquiti does not have it disabled by default.
You have to disable it.configure set system conntrack modules sip disable commit;save;exitI know it is enabled, but have you ever seen it fail? It's the one SIP-ALG system that I have seen "just work" in the real world.
Ah, I misunderstood.
I have not because I always disable it.
-
Reviving my thread -
Weirdest thing. We had a power failure/surge over the weekend which knocked down all my servers, switching, etc.
My phones have been working FLAWLESSLY since I last posted. But now, after getting everything back up and running, the SAME issue is back.. but the rules that fixed it before are still in place! Outgoing calling works (though it seems highly delayed now.. like 5-8 seconds after dialing a number for it to start ringing) but I CANNOT call in UNLESS I call out first, which fixes it for 2-3 minutes.
Once again, it's gotta be a firewall issue. This is stupid.
-
Okay.. so now I'm more confused than I've ever been. I deleted my DNAT and my outbound rule for my SIP provider and now it works. Flawlessly. WHAT!? How do the calls know where to go!?!?! Did my Sophos UTM get superpowers after a power spike?
-
@samsmart84 said in FreePBX inbound call issue:
Okay.. so now I'm more confused than I've ever been. I deleted my DNAT and my outbound rule for my SIP provider and now it works. Flawlessly. WHAT!?
I never understood what your router was doing in the first place. So any number of things might be the issue.
-
@jaredbusch said in FreePBX inbound call issue:
@samsmart84 said in FreePBX inbound call issue:
Okay.. so now I'm more confused than I've ever been. I deleted my DNAT and my outbound rule for my SIP provider and now it works. Flawlessly. WHAT!?
I never understood what your router was doing in the first place. So any number of things might be the issue.
Well false alarm.. it's not actually working
Firewall Rule:
Internal Network > SIP > AnyIPv4DNAT:
SIP Trunk > SIP > Public IP > Internal SIP Server -
Because nothing is hitting your PBX, you need to get a packet capture from the WAN side of the router.
You may need to drop a switch with the ports configured for mirroring and such in between your ISP modem and your Sophos in order to get this. Or Sophos may have the capability.
Contact Sophos about that bit, I have no clue.
-
I have been watching the logs for the last day or so as I've been testing. I've noticed on the Sophos that when the inbound calls don't work I get a hit on the firewall logs for my DNAT rule for my VOIP Provider > External WAN on port 5060
When inbound calls DO work, I get a hit for my DNAT rule, same IPs, but the port always shows as one of the RTP ports. So either way the calls ARE hitting at least the WAN interface and I'm getting a different response on the firewall depending on whether it works or not.
-
@samsmart84 said in FreePBX inbound call issue:
I have been watching the logs for the last day or so as I've been testing. I've noticed on the Sophos that when the inbound calls don't work I get a hit on the firewall logs for my DNAT rule for my VOIP Provider > External WAN on port 5060
When inbound calls DO work, I get a hit for my DNAT rule, same IPs, but the port always shows as one of the RTP ports. So either way the calls ARE hitting at least the WAN interface and I'm getting a different response on the firewall depending on whether it works or not.
There we go! You should not be getting anything inbound on port 5060. You do not need an inbound port forwarding rule for anything if your trunk is a standard register trunk going outbound. That outbound registration will keep the NAT tunnels alive and allow everything to work with zero port forwarding rules.
