RTP traffic being sent to incorrect IP address



  • So in my adventures with tinkering in my lab, I've encountered a new issue. RTP traffic is not being sent from the SIP client to FreePBX. SIP signaling seems fine as both sides are able to initiate and answer a call; however, neither side hears audio.

    Here's the setup:

    • FreePBX is on a VM that's behind a VyOS firewall in my colo.
    • Yealink T21P phone behind an ERL at my home.
    • Cellphone used for testing is on MetroPCS
    • SIP trunking is provided by Twilio

    I have a FreePBX VM in Vultr, which I've been using for a while, and I have no problems making and receiving calls with SIP clients on my home network.

    My first thought was that there must be something screwy with NAT; however, I don't see anything wrong with my configuration. I have the source NAT rule for FreePBX before the masquerade rule, so from what I understand, no traffic from 192.168.100.5 will be masqueraded to .114. Perhaps a few FFSes will lift my blindness.

    As for how I know that RTP traffic is going to the wrong address: I collected a packet capture from both VyOS and my Yealink phone. The SIP packets are being sent to the correct IP, .116. However, once RTP traffic flows, that traffic is sent to the .114 address, which is the main address of the VyOS eth0 interface, and the address from which all other outbound traffic in my colo is masqueraded.

    I'm curious as to how the Yealink phone would know to send RTP traffic to .114 rather than .116.

    This is the interface configuration.

    interfaces {
        ethernet eth0 {
            address 208.70.XXX.114/YY
            address 208.70.XXX.115/YY
            address 208.70.XXX.116/YY
            description WAN
            duplex auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            hw-id 52:54:00:8d:d5:91
            smp_affinity auto
            speed auto
        }
        ethernet eth1 {
            address 192.168.100.1/24
            description LAN
            duplex auto
            hw-id 52:54:00:a9:66:e6
            smp_affinity auto
            speed auto
        }
        loopback lo {
        }
    }
    

    This is the firewall configuration.

        name WAN_IN {
            default-action drop
            rule 1010 {
                action accept
                state {
                    established enable
                    related enable
                }
            }
            rule 1020 {
                action accept
                description "Allow RTP to FreePBX"
                destination {
                    address 192.168.100.5
                    port 10000-20000
                }
                protocol udp
            }
            rule 1021 {
                action accept
                description "Allow SIP to FreePBX"
                destination {
                    address 192.168.100.5
                    port 5060,5061
                }
                protocol udp
            }
            rule 1030 {
                action drop
                state {
                    invalid enable
                }
            }
        }
    

    This is my NAT configuration:

    nat {
        destination {
            rule 110 {
                description "Internet to FreePBX"
                destination {
                    address 208.70.XXX.116
                }
                inbound-interface eth0
                translation {
                    address 192.168.100.5
                }
            }
        }
        source {
            rule 105 {
                description "FreePBX to Internet"
                outbound-interface eth0
                source {
                    address 192.168.100.5
                }
                translation {
                    address 208.70.XXX.116
                }
            }
            rule 110 {
                description "Masquerade to Internet"
                outbound-interface eth0
                translation {
                    address masquerade
                }
            }
        }
    }
    


  • Is FreePBX configured correctly?

    Settings -> Asterisk SIP Settings
    (screenshot: Settings -> Asterisk SIP Settings)



  • Yes. Initially no, but during my troubleshooting yesterday, the address was set to .114. I had it redetect settings, and it changed to .116, so it is now configured correctly.

    I did fail to mention that ending a SIP call also fails. The BYE request is sent to .114 from the SIP client as well. So if I hang up on the SIP phone at home, the call continues on the cellphone. Likewise if the cellphone hangs up; thus, I can see BYE from Twilio going to .116 as intended, despite RTP traffic from Twilio going to .114.
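
How the phone ends up with .114 is visible in the SIP signaling itself: the far end learns where to send RTP from the `c=` (connection address) and `m=audio` lines of the SDP carried in the answer, and learns where to send in-dialog requests such as BYE from the Contact header, and Asterisk fills both from its configured external address. The following is an added example, not code from the thread or from FreePBX. It parses a constructed 200 OK (the 203.0.113.0/24 documentation range stands in for the redacted 208.70.XXX.x block; the helper names are mine) and flags every advertised address that differs from the public IP the DNAT rule expects, which is the check to run against a capture before blaming NAT.

```python
import re
from ipaddress import ip_address

# Constructed sample (not a capture from the thread): the 200 OK an Asterisk box
# sends when its external address is still the firewall's primary address (.114)
# instead of the PBX's DNATed address (.116). 203.0.113.0/24 is the documentation
# range, standing in for the thread's 208.70.XXX.0/24.
SAMPLE_200_OK = """SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK-example
From: <sip:101@203.0.113.116>;tag=phone-1
To: <sip:5551234567@203.0.113.116>;tag=pbx-1
Call-ID: example-call@192.168.1.50
CSeq: 1 INVITE
Contact: <sip:5551234567@203.0.113.114:5060>
Content-Type: application/sdp

v=0
o=- 1 1 IN IP4 203.0.113.114
s=Asterisk
c=IN IP4 203.0.113.114
t=0 0
m=audio 14532 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
"""

# The same answer after the external address has been corrected to .116.
FIXED_200_OK = SAMPLE_200_OK.replace("203.0.113.114", "203.0.113.116")


def split_message(raw):
    """Split a SIP message into (start line, headers, body). Header names are lowercased;
    each maps to a list because headers such as Via may repeat."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def rtp_destination(sdp):
    """(ip, port) the far end will send audio to: the port comes from the first m=audio
    line, the IP from a c= line inside that media section if present, otherwise from
    the session-level c= line."""
    media = re.search(r"^m=audio (\d+) .*$", sdp, re.M)
    if not media:
        raise ValueError("SDP has no m=audio line")
    after = media.end()
    next_media = re.search(r"^m=", sdp[after:], re.M)
    section = sdp[after: after + next_media.start()] if next_media else sdp[after:]
    conn = (re.search(r"^c=IN IP4 (\S+)", section, re.M)
            or re.search(r"^c=IN IP4 (\S+)", sdp, re.M))
    if not conn:
        raise ValueError("SDP has no c= line")
    return conn.group(1), int(media.group(1))


def contact_target(headers):
    """(host, port) from the Contact header: where the peer sends BYE and other
    in-dialog requests. Port defaults to 5060 when absent."""
    contact = headers["contact"][0]
    m = re.search(r"sip:(?:[^@>]*@)?([\d.]+)(?::(\d+))?", contact)
    if not m:
        raise ValueError("Contact header has no IPv4 host")
    return m.group(1), int(m.group(2) or 5060)


def check_advertised_addresses(raw, expected_public_ip):
    """Return one problem string per advertised address that is not the public IP the
    firewall's DNAT rule forwards to the PBX. An empty list means the peer will send
    both RTP and BYE to the right place."""
    _, headers, body = split_message(raw)
    expected = ip_address(expected_public_ip)
    problems = []
    rtp_ip, rtp_port = rtp_destination(body)
    if ip_address(rtp_ip) != expected:
        problems.append(f"SDP advertises RTP at {rtp_ip}:{rtp_port}, expected {expected}")
    c_ip, c_port = contact_target(headers)
    if ip_address(c_ip) != expected:
        problems.append(f"Contact advertises {c_ip}:{c_port}, expected {expected}")
    return problems


if __name__ == "__main__":
    for label, msg in (("misconfigured", SAMPLE_200_OK), ("fixed", FIXED_200_OK)):
        print(label, check_advertised_addresses(msg, "203.0.113.116") or "ok")
```

Run it against the body of the 200 OK (or the INVITE, whichever side carries the PBX's offer or answer) pulled from the VyOS capture; if the `c=` line names .114, the phone is doing exactly what it was told and the fix is on the PBX, not in the NAT rules.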



  • WAN_IN, shouldn't the firewall rule allow based on the public IP, not the translated LAN IP?



  • @scottalanmiller said in RTP traffic being sent to incorrect IP address:

    WAN_IN, shouldn't the firewall rule allow based on the public IP, not the translated LAN IP?

    With VyOS, NAT is done before firewall rules for inbound traffic and after firewall rules for outbound traffic.



  • @eddiejennings said in RTP traffic being sent to incorrect IP address:

    @scottalanmiller said in RTP traffic being sent to incorrect IP address:

    WAN_IN, shouldn't the firewall rule allow based on the public IP, not the translated LAN IP?

    With VyOS, NAT is done before firewall rules for inbound traffic and after firewall rules for outbound traffic.

    Correct. Here are my WAN_IN and NAT rules for a site that has an EdgeRouter 4

        name WAN_IN {
            default-action drop
            description "Internet to internal networks"
            rule 10 {
                action accept
                description "Accept Established / Related"
                log disable
                state {
                    established enable
                    related enable
                }
            }
            rule 20 {
                action drop
                description "Drop Invalid"
                log disable
                state {
                    invalid enable
                }
            }
            rule 40 {
                action accept
                description "Allow Telnet from Epicor"
                destination {
                    address 10.1.1.250
                    port 23
                }
                log enable
                protocol tcp
                source {
                    group {
                        address-group EpicorIPAddr
                    }
                }
            }
            rule 41 {
                action accept
                description "Allow RDP from Epicor"
                destination {
                    address 10.1.1.12
                    port 3389
                }
                log enable
                protocol tcp
                source {
                    group {
                        address-group EpicorIPAddr
                    }
                }
            }
            rule 42 {
                action accept
                description "Allow SMTP from Google"
                destination {
                    group {
                        address-group Exchange_Servers
                        port-group SMTP_Ports
                    }
                }
                log disable
                protocol tcp
                source {
                    group {
                        network-group Google_SMTP_Networks
                    }
                }
                state {
                    established disable
                    invalid disable
                    new enable
                    related disable
                }
            }
        }
    
        nat {
            rule 1 {
                description "Forward Telnet from Epicor"
                destination {
                    group {
                        address-group ADDRv4_eth0
                    }
                    port 23
                }
                inbound-interface eth0
                inside-address {
                    address 10.1.1.250
                    port 23
                }
                log enable
                protocol tcp
                source {
                    group {
                        address-group EpicorIPAddr
                    }
                }
                type destination
            }
            rule 2 {
                description "Forward RDP from Epicor"
                destination {
                    group {
                        address-group ADDRv4_eth0
                    }
                    port 3389
                }
                inbound-interface eth0
                inside-address {
                    address 10.1.1.12
                    port 3389
                }
                log enable
                protocol tcp
                source {
                    group {
                        address-group EpicorIPAddr
                    }
                }
                type destination
            }
            rule 3 {
                description "Allow SMTP from Google"
                destination {
                    group {
                        address-group ADDRv4_eth0
                    }
                    port 25
                }
                inbound-interface eth0
                inside-address {
                    address 10.1.1.5
                    port 25
                }
                log disable
                protocol tcp
                source {
                    group {
                        network-group Google_SMTP_Networks
                    }
                }
                type destination
            }
            rule 4 {
                description "Allow SMTP from Google"
                destination {
                    group {
                        address-group ADDRv4_eth0
                    }
                    port 587
                }
                inbound-interface eth0
                inside-address {
                    address 10.1.1.5
                    port 587
                }
                log disable
                protocol tcp
                source {
                    group {
                        network-group Google_SMTP_Networks
                    }
                }
                type destination
            }
            rule 5004 {
                description "Default NAT Masquerade"
                log disable
                outbound-interface eth0
                protocol all
                type masquerade
            }
        }
    


  • Obviously, yours will have some SNAT rules that I do not as I only have a single IP here. So all the SNAT is handled by the default masquerade
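
The ordering point made in the replies above (DNAT runs before the WAN_IN filter, SNAT runs after it, and the first matching source rule wins, which is why the OP placed rule 105 ahead of the masquerade rule 110) can be checked with a small first-match model. This is an added example, not VyOS or EdgeOS code: the rule tables are transcribed from the configs posted earlier in the thread, the public addresses use the 203.0.113.0/24 documentation range in place of the redacted 208.70.XXX.x block, and the `Packet`, `process_inbound` and `apply_snat` names are mine. It also shows that RTP arriving at the .114 address never reaches WAN_IN at all, since without a DNAT hit it is traffic for the router itself.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address

# Addresses: documentation range standing in for the thread's redacted block.
WAN_PRIMARY = "203.0.113.114"   # eth0's first address, which masquerade uses
PBX_PUBLIC = "203.0.113.116"    # DNATed to the PBX
PBX_LAN = "192.168.100.5"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    iface: str           # interface the packet arrives on (inbound) or leaves by (outbound)
    state: str = "new"   # conntrack state: new, established, related or invalid


def port_in_spec(spec, port):
    """Match a VyOS-style port spec such as '5060,5061' or '10000-20000'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


# nat destination rule 110 (prerouting: evaluated before any filter chain)
DNAT_RULES = [dict(num=110, iface="eth0", dst=PBX_PUBLIC, to=PBX_LAN)]

# firewall name WAN_IN, default-action drop (forwarded traffic only)
WAN_IN = [
    dict(num=1010, action="accept", states={"established", "related"}),
    dict(num=1020, action="accept", proto="udp", dst=PBX_LAN, ports="10000-20000"),
    dict(num=1021, action="accept", proto="udp", dst=PBX_LAN, ports="5060,5061"),
    dict(num=1030, action="drop", states={"invalid"}),
]

# nat source rules (postrouting: evaluated after the filter); order matters
SNAT_RULES = [
    dict(num=105, iface="eth0", src=PBX_LAN, to=PBX_PUBLIC),
    dict(num=110, iface="eth0", src=None, to="masquerade"),   # src=None: any source
]


def apply_dnat(pkt):
    """First matching destination rule rewrites dst; returns (packet, rule number or None)."""
    for r in DNAT_RULES:
        if pkt.iface == r["iface"] and ip_address(pkt.dst) == ip_address(r["dst"]):
            return replace(pkt, dst=r["to"]), r["num"]
    return pkt, None


def wan_in_verdict(pkt):
    """Walk WAN_IN top to bottom against the already-translated packet."""
    for r in WAN_IN:
        if "states" in r:
            if pkt.state in r["states"]:
                return r["action"], r["num"]
            continue
        if (pkt.proto == r["proto"] and ip_address(pkt.dst) == ip_address(r["dst"])
                and port_in_spec(r["ports"], pkt.dport)):
            return r["action"], r["num"]
    return "drop", "default"


def process_inbound(pkt):
    """Return (final dst, chain consulted, verdict, matched rule) for a packet from WAN."""
    pkt, dnat_rule = apply_dnat(pkt)
    if dnat_rule is None:
        # Still addressed to one of eth0's own addresses: this is traffic for the
        # router itself, judged by WAN_LOCAL (not shown in the thread), never by WAN_IN.
        return pkt.dst, "WAN_LOCAL", None, None
    verdict, rule = wan_in_verdict(pkt)
    return pkt.dst, "WAN_IN", verdict, rule


def apply_snat(pkt, rules=SNAT_RULES):
    """First matching source rule wins; masquerade picks the interface's primary address."""
    for r in rules:
        if pkt.iface != r["iface"]:
            continue
        if r["src"] is None or ip_address(pkt.src) == ip_address(r["src"]):
            return (WAN_PRIMARY if r["to"] == "masquerade" else r["to"]), r["num"]
    return pkt.src, None


if __name__ == "__main__":
    peer = "198.51.100.7"   # constructed remote SIP peer
    print(process_inbound(Packet("udp", peer, PBX_PUBLIC, 5060, "eth0")))
    print(process_inbound(Packet("udp", peer, WAN_PRIMARY, 15000, "eth0")))   # RTP to the wrong IP
    out = Packet("udp", PBX_LAN, peer, 5060, "eth0")
    print(apply_snat(out))                     # rule 105 first: leaves as .116
    print(apply_snat(out, SNAT_RULES[::-1]))   # masquerade first: leaves as .114
```

The model is first-match only; it does not track conntrack state, so it cannot show that reply packets to an existing DNAT entry are reverse-translated automatically. It is enough to confirm two things that matter here: WAN_IN must match on the LAN address because it sees the packet after DNAT, and swapping the two source rules would silently move the PBX's outbound SIP and RTP to .114.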



  • What IP does your FreePBX box report? This will make sure your SNAT is working right.

    [[email protected] ~]$ curl ifconfig.co
    68.XXX.XXX.XXX
    [[email protected] ~]$ 
    
    

    Thanks @Kelly for this btw.
    https://mangolassi.it/topic/14922/neat-trick-for-routing-and-linux



  • @jaredbusch said in RTP traffic being sent to incorrect IP address:

    What IP does your FreePBX box report? This will make sure your SNAT is working right.

    [[email protected] ~]$ curl ifconfig.co
    68.XXX.XXX.XXX
    [[email protected] ~]$ 
    
    

    Thanks @Kelly for this btw.
    https://mangolassi.it/topic/14922/neat-trick-for-routing-and-linux

    The correct IP, .116. I'm about to see if I can replicate the problems from yesterday.



  • Made no configuration changes to the firewall tonight. Shut down the FreePBX VM, made a new one, and stuff seems to be working as it should. I'll do a few more tests tomorrow to make sure all is well.

    Edit: I lied. I made a new DHCP reservation for my new FreePBX server.