RTP traffic being sent to incorrect IP address
-
So in my adventures with tinkering in my lab, I've encountered a new issue. RTP traffic is not being sent from the SIP client to FreePBX. SIP signaling seems fine as both sides are able to initiate and answer a call; however, neither side hears audio.
Here's the setup:
- FreePBX is on a VM that's behind a VyOS firewall in my colo.
- Yealink T21P phone behind an ERL at my home.
- Cellphone used for testing is on MetroPCS
- SIP trunking is provided by Twilio
I have a FreePBX VM in Vultr, which I've been using for a while, and I have no problems making and receiving calls with SIP clients on my home network.
My first thought was that there must be something screwy with NAT; however, I don't see anything wrong with my configuration. I have the source NAT rule for FreePBX before the masquerade rule, so from what I understand, no traffic from 192.168.100.5 will be masqueraded to .114. Perhaps a few FFSes will lift my blindness.

As for how I know that RTP traffic is going to the wrong address: I collected a packet capture from both VyOS and my Yealink phone. The SIP packets are being sent to the correct IP, .116. However, once RTP traffic flows, that traffic is sent to the .114 address, which is the main address of the VyOS eth0 interface, and the address from which all other outbound traffic in my colo is masqueraded. I'm curious as to how the Yealink phone would know to send RTP traffic to .114 rather than .116.

This is the interface configuration.
    interfaces {
        ethernet eth0 {
            address 208.70.XXX.114/YY
            address 208.70.XXX.115/YY
            address 208.70.XXX.116/YY
            description WAN
            duplex auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            hw-id 52:54:00:8d:d5:91
            smp_affinity auto
            speed auto
        }
        ethernet eth1 {
            address 192.168.100.1/24
            description LAN
            duplex auto
            hw-id 52:54:00:a9:66:e6
            smp_affinity auto
            speed auto
        }
        loopback lo {
        }
    }
This is the firewall configuration.
    name WAN_IN {
        default-action drop
        rule 1010 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 1020 {
            action accept
            description "Allow RTP to FreePBX"
            destination {
                address 192.168.100.5
                port 10000-20000
            }
            protocol udp
        }
        rule 1021 {
            action accept
            description "Allow SIP to FreePBX"
            destination {
                address 192.168.100.5
                port 5060,5061
            }
            protocol udp
        }
        rule 1030 {
            action drop
            state {
                invalid enable
            }
        }
    }
This is my NAT configuration:
    nat {
        destination {
            rule 110 {
                description "Internet to FreePBX"
                destination {
                    address 208.70.XXX.116
                }
                inbound-interface eth0
                translation {
                    address 192.168.100.5
                }
            }
        }
        source {
            rule 105 {
                description "FreePBX to Internet"
                outbound-interface eth0
                source {
                    address 192.168.100.5
                }
                translation {
                    address 208.70.XXX.116
                }
            }
            rule 110 {
                description "Masquerade to Internet"
                outbound-interface eth0
                translation {
                    address masquerade
                }
            }
        }
    }
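A SIP phone does not guess where to send media: it sends RTP to the address and port in the `c=` and `m=` lines of the SDP body it received in the INVITE or 200 OK, and it sends in-dialog requests such as BYE to the peer's Contact header. If the PBX advertises the wrong external address in those fields, the firewall and NAT rules never get a chance to matter. The following Python check is an added example, not code from the thread or from FreePBX; it parses a constructed INVITE (documentation-range addresses stand in for the thread's .114/.116) and reports every advertised address that does not match the public IP you expect, plus any media port outside the firewall's RTP range.

```python
import re
from typing import Dict, List

# Constructed sample (not a capture from the thread): an INVITE as an Asterisk
# box might send it to a phone. 198.51.100.114 / .116 are documentation-range
# placeholders standing in for the thread's .114 / .116 addresses. The PBX here
# advertises .114 in Contact and in the SDP, which is the mismatch to detect.
SDP_BODY = (
    "v=0\r\n"
    "o=- 1 1 IN IP4 198.51.100.114\r\n"
    "s=Asterisk\r\n"
    "c=IN IP4 198.51.100.114\r\n"
    "t=0 0\r\n"
    "m=audio 12000 RTP/AVP 0 8\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:1001@203.0.113.50:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.114:5060;branch=z9hG4bK-example\r\n"
    "From: <sip:2000@198.51.100.116>;tag=abc\r\n"
    "To: <sip:1001@203.0.113.50>\r\n"
    "Call-ID: example-call-id@pbx\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:2000@198.51.100.114:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)


def parse_sip(msg: str) -> Dict[str, object]:
    """Split a SIP message into request line, lower-cased header map and body."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers, "body": body}


def contact_host(headers: Dict[str, str]):
    """Host part of the Contact URI; BYE and re-INVITE are routed here."""
    m = re.search(r"sip:(?:[^@>]*@)?([\d.]+)", headers.get("contact", ""))
    return m.group(1) if m else None


def sdp_connection_addrs(body: str) -> List[str]:
    """Every c= line in the SDP; RTP is sent to these addresses."""
    return re.findall(r"^c=IN IP4 (\S+)", body, flags=re.M)


def sdp_media_ports(body: str) -> List[int]:
    """Audio m= line ports; the peer sends RTP to these ports."""
    return [int(p) for p in re.findall(r"^m=audio (\d+)", body, flags=re.M)]


def check_signalling(msg: str, expected_public_ip: str,
                     rtp_range=(10000, 20000)) -> List[str]:
    """Return human-readable findings; an empty list means the message is consistent."""
    parsed = parse_sip(msg)
    headers = parsed["headers"]
    body = parsed["body"]
    findings = []
    c = contact_host(headers)
    if c != expected_public_ip:
        findings.append(f"Contact advertises {c}, expected {expected_public_ip}: "
                        "BYE and re-INVITE will be sent to the wrong host")
    for addr in sdp_connection_addrs(body):
        if addr != expected_public_ip:
            findings.append(f"SDP c= advertises {addr}, expected {expected_public_ip}: "
                            "RTP will be sent to the wrong host")
    lo, hi = rtp_range
    for port in sdp_media_ports(body):
        if not lo <= port <= hi:
            findings.append(f"SDP media port {port} is outside the firewall's RTP range {lo}-{hi}")
    return findings


if __name__ == "__main__":
    for finding in check_signalling(SAMPLE_INVITE, "198.51.100.116"):
        print(finding)
```

Run it against the text of an INVITE or 200 OK pulled out of the VyOS or phone capture; both symptoms from the thread (RTP and BYE both heading for .114) show up as the two findings, and the same message checked against .114 comes back clean, which is exactly what a PBX that has detected the wrong external address looks like.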
-
Is FreePBX configured correctly?
Settings -> Asterisk SIP Settings
-
Yes. Initially no, but during my troubleshooting yesterday, the address was set to .114. I had it redetect settings, and it changed to .116, so it is now configured correctly.

I did fail to mention that ending a SIP call also fails. The BYE request is sent to .114 from the SIP client as well. So if I hang up on the SIP phone at home, the call continues on the cellphone. Likewise if the cellphone hangs up; thus, I can see BYE from Twilio going to .116 as intended, despite RTP traffic from Twilio going to .114.
-
WAN_IN, shouldn't the firewall rule allow based on the public IP, not the translated LAN IP?
-
@scottalanmiller said in RTP traffic being sent to incorrect IP address:
WAN_IN, shouldn't the firewall rule allow based on the public IP, not the translated LAN IP?
With VyOS, NAT is done before firewall rules for inbound traffic and after firewall rules for outbound traffic.
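To make that ordering concrete, here is an added Python model, not VyOS code and not from the thread, that walks constructed packets through the rule sets posted at the top of the thread in the order VyOS applies them: destination NAT before the WAN_IN ruleset for traffic arriving on eth0, source NAT after the firewall for traffic leaving it. Addresses are documentation-range placeholders for the thread's .114/.116, and connection state is passed in rather than tracked. It also evaluates the source NAT section with the masquerade rule moved ahead of the PBX rule, which is the configuration mistake that would send the PBX's own traffic out as .114.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Documentation-range placeholders for the thread's 208.70.XXX.114 / .116
WAN_PRIMARY = "198.51.100.114"  # first address on eth0, which masquerade picks
WAN_PBX = "198.51.100.116"      # address mapped 1:1 to the PBX
PBX_LAN = "192.168.100.5"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    num: int
    dst_addr: str
    to_addr: str


@dataclass(frozen=True)
class SnatRule:
    num: int
    to_addr: Optional[str]          # None = masquerade to the interface address
    src_addr: Optional[str] = None  # None = any source


@dataclass(frozen=True)
class FwRule:
    num: int
    action: str
    proto: Optional[str] = None
    dst_addr: Optional[str] = None
    dports: Tuple[Tuple[int, int], ...] = ()
    state: Optional[str] = None     # "established" or "invalid"


# Rule sets transcribed from the thread's VyOS config; list order is rule order
DNAT = [DnatRule(110, WAN_PBX, PBX_LAN)]
SNAT_POSTED = [SnatRule(105, WAN_PBX, src_addr=PBX_LAN), SnatRule(110, None)]
SNAT_WRONG_ORDER = list(reversed(SNAT_POSTED))  # masquerade evaluated first
WAN_IN = [
    FwRule(1010, "accept", state="established"),
    FwRule(1020, "accept", proto="udp", dst_addr=PBX_LAN, dports=((10000, 20000),)),
    FwRule(1021, "accept", proto="udp", dst_addr=PBX_LAN, dports=((5060, 5060), (5061, 5061))),
    FwRule(1030, "drop", state="invalid"),
]


def apply_dnat(pkt: Packet, rules: List[DnatRule]):
    """First destination NAT rule whose address matches rewrites the destination."""
    for r in rules:
        if pkt.dst == r.dst_addr:
            return replace(pkt, dst=r.to_addr), r.num
    return pkt, None


def apply_snat(pkt: Packet, rules: List[SnatRule]):
    """First source NAT rule that matches wins; masquerade uses the primary address."""
    for r in rules:
        if r.src_addr is None or r.src_addr == pkt.src:
            return replace(pkt, src=r.to_addr or WAN_PRIMARY), r.num
    return pkt, None


def fw_eval(pkt: Packet, rules: List[FwRule], conn_state: str, default="drop"):
    """Evaluate a VyOS-style ruleset top to bottom; unmatched traffic hits default-action."""
    for r in rules:
        if r.state is not None:
            if r.state == conn_state:
                return r.action, r.num
            continue
        if r.proto and r.proto != pkt.proto:
            continue
        if r.dst_addr and r.dst_addr != pkt.dst:
            continue
        if r.dports and not any(lo <= pkt.dport <= hi for lo, hi in r.dports):
            continue
        return r.action, r.num
    return default, None


def inbound(pkt: Packet, conn_state: str = "new") -> Dict[str, object]:
    """Traffic arriving on eth0: DNAT runs first, so WAN_IN sees the LAN address."""
    translated, dnat_num = apply_dnat(pkt, DNAT)
    verdict, fw_num = fw_eval(translated, WAN_IN, conn_state)
    return {"dst": translated.dst, "dnat_rule": dnat_num, "verdict": verdict, "fw_rule": fw_num}


def outbound(pkt: Packet, snat_rules: Optional[List[SnatRule]] = None) -> Dict[str, object]:
    """Traffic leaving eth0: source NAT is applied after any firewall ruleset."""
    translated, num = apply_snat(pkt, snat_rules if snat_rules is not None else SNAT_POSTED)
    return {"src": translated.src, "snat_rule": num}


if __name__ == "__main__":
    peer = "203.0.113.9"  # constructed stand-in for the SIP trunk's media host
    print(inbound(Packet("udp", peer, WAN_PBX, 15000)))      # DNAT 110, accepted by 1020
    print(inbound(Packet("udp", peer, WAN_PRIMARY, 15000)))  # no DNAT, nothing matches, drop
    print(outbound(Packet("udp", PBX_LAN, peer, 20000)))     # rule 105 -> .116
    print(outbound(Packet("udp", PBX_LAN, peer, 20000), SNAT_WRONG_ORDER))  # rule 110 -> .114
```

Two things fall out of running it: the WAN_IN rules matching on 192.168.100.5 are correct precisely because DNAT has already rewritten the destination by the time the ruleset runs, and a new flow arriving at .114 on an RTP port is dropped unless a conntrack entry already exists for it, since nothing in WAN_IN or the DNAT table refers to that address.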
-
@eddiejennings said in RTP traffic being sent to incorrect IP address:
@scottalanmiller said in RTP traffic being sent to incorrect IP address:
WAN_IN, shouldn't the firewall rule allow based on the public IP, not the translated LAN IP?
With VyOS, NAT is done before firewall rules for inbound traffic and after firewall rules for outbound traffic.
Correct. Here are my WAN_IN and NAT rules for a site that has an EdgeRouter 4.

    name WAN_IN {
        default-action drop
        description "Internet to internal networks"
        rule 10 {
            action accept
            description "Accept Established / Related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop Invalid"
            log disable
            state {
                invalid enable
            }
        }
        rule 40 {
            action accept
            description "Allow Telnet from Epicor"
            destination {
                address 10.1.1.250
                port 23
            }
            log enable
            protocol tcp
            source {
                group {
                    address-group EpicorIPAddr
                }
            }
        }
        rule 41 {
            action accept
            description "Allow RDP from Epicor"
            destination {
                address 10.1.1.12
                port 3389
            }
            log enable
            protocol tcp
            source {
                group {
                    address-group EpicorIPAddr
                }
            }
        }
        rule 42 {
            action accept
            description "Allow SMTP from Google"
            destination {
                group {
                    address-group Exchange_Servers
                    port-group SMTP_Ports
                }
            }
            log disable
            protocol tcp
            source {
                group {
                    network-group Google_SMTP_Networks
                }
            }
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
    }

    nat {
        rule 1 {
            description "Forward Telnet from Epicor"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
                port 23
            }
            inbound-interface eth0
            inside-address {
                address 10.1.1.250
                port 23
            }
            log enable
            protocol tcp
            source {
                group {
                    address-group EpicorIPAddr
                }
            }
            type destination
        }
        rule 2 {
            description "Forward RDP from Epicor"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
                port 3389
            }
            inbound-interface eth0
            inside-address {
                address 10.1.1.12
                port 3389
            }
            log enable
            protocol tcp
            source {
                group {
                    address-group EpicorIPAddr
                }
            }
            type destination
        }
        rule 3 {
            description "Allow SMTP from Google"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
                port 25
            }
            inbound-interface eth0
            inside-address {
                address 10.1.1.5
                port 25
            }
            log disable
            protocol tcp
            source {
                group {
                    network-group Google_SMTP_Networks
                }
            }
            type destination
        }
        rule 4 {
            description "Allow SMTP from Google"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
                port 587
            }
            inbound-interface eth0
            inside-address {
                address 10.1.1.5
                port 587
            }
            log disable
            protocol tcp
            source {
                group {
                    network-group Google_SMTP_Networks
                }
            }
            type destination
        }
        rule 5004 {
            description "Default NAT Masquerade"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
    }
-
Obviously, yours will have some SNAT rules that I do not, as I only have a single IP here. So all the SNAT is handled by the default masquerade.
-
What IP does your FreePBX box report? This will make sure your SNAT is working right.

    [jbusch@pbx ~]$ curl ifconfig.co
    68.XXX.XXX.XXX
    [jbusch@pbx ~]$

Thanks @Kelly for this btw.
https://mangolassi.it/topic/14922/neat-trick-for-routing-and-linux
-
@jaredbusch said in RTP traffic being sent to incorrect IP address:
What IP does your FreePBX box report? This will make sure your SNAT is working right.

    [jbusch@pbx ~]$ curl ifconfig.co
    68.XXX.XXX.XXX
    [jbusch@pbx ~]$

Thanks @Kelly for this btw.
https://mangolassi.it/topic/14922/neat-trick-for-routing-and-linux

The correct IP: .116. I'm about to see if I can replicate the problems from yesterday.
-
Made no configuration changes to the firewall tonight. Shut down the FreePBX VM, made a new one, and stuff seems to be working as it should. I'll do a few more tests tomorrow to make sure all is well.
Edit: I lied. I made a new DHCP reservation for my new FreePBX server.