External VOIP Phones connecting back to Office - No Audio

Morning All!

Just installed a new Panasonic NS700 phone system at the Office. It's working perfectly here onsite but I have a handset at home that is connecting to the external IP I have set up for the PABX, downloading all its settings etc. I can log in and out (i.e. change my extension number), dial internally and externally ... but I get no audio traffic to or from the remote handset.

Now, I've set up the NAT rules for the Ports needed to be forwarded and it auto-created the Firewall Rules on my SG230. I know the remote handset is hitting the Firewall and being routed correctly to the PABX onsite because it's logging in and out of the PABX, dialling and making internal calls to extensions at the Office and external calls to mobile phones etc. and I can connect to the PABX's Web Console from any remote PC ... just no audio to or from the remote phone after a call is made!

Network is set up similar to (extremely brief description here):

SG230: 10.0.10.250 (vLAN 10)
Internet Connection is: 1x ADSL and 1x EoC that I have set up as Load Balanced on the SG230. I have a block of extra 4 IPs on each. I have allocated External IP address No 3 on the EoC connection to point to the Internal PABX

NS700 PABX: 10.0.30.250 (vLAN 30)
DSP Card 1: 10.0.30.251

DSP Card 2: 10.0.30.252

All my internal VOIP Phones are on vLAN 30 and getting an address off one of my Windows Servers (vLAN 10) DHCP Pools for vLAN 30

Dell 6248 is my 'Core Layer 3 Switch' with IP Helper and all my inter vLAN routing - all my vLANs are working fine across the network with no issues. Trunk Port on Switch to SG230 is untagged vLAN 10 and Tagged for ALL my other vLANs (including vLAN 30) to give them all a path to the SG230. I have put ALL the vLANS onto the SG230 pointing back to the Internal Interface ... all my internet traffic across all my vLANs is working fine.

The only issue I have is this damned audio to and from these new remote voip handsets!

I have two RTP NAT Rules, supplied by the PABX installer

1. Ports 16000:16511 to DSP1 (UDP)

2. Ports 16512:17023 to DSP2 (UDP)


I have defined both as Service Definitions on the SG230, ticked auto-create firewall rules and everything else I can think of - with no luck so far.


Any tips, pointers, advice or suggestions appreciated :)



  • Still awaiting Sophos Support to contact me again on this case. Just fired off another reminder after my last reminder a week ago.

    Will advise outcome

  • Well after weeks of screwing around with this my hand is getting forced to dump Sophos across the entire network :(

    We've had 2 Sophos Engineers remote in and capture live data traversing the UTM then shrug their shoulders after confirming everything I have already said to them and sent Wireshark traces and screenshots of Live Firewall logs. The phone provider has sent out 3 different network specialists, I've had a mate of mine (also a network security specialist) plus my weeks of research and testing and none of us can see why the voice traffic is not traversing correctly through the SG230. We can see all the packets hitting the PABX via the allocated external IP and different port ranges and we can see them all heading back out but they never arrive at their destination. I've tried every Multi Path rule I can think of, DNAT and SNAT rules, NAT Masquerading, breaking the Link Balancing etc. and it just will not work.

    It's a pain due to all the IPs I have, services running, RED sites connected etc. but I'm getting a shitload of pressure to get the remote phones working ASAP :(

    Cheers for the help lads.

  • Hi Dread,

    I run three different PBX systems here in my office, I work for a telecoms provider, and have no problems with the Phones on any of the systems, except when you have a router (at home) that doesn't like SIP ... for instance had a Virgin Super Hub (I had this ISP a few years back), had to disable SIP ALG on the firewall (and then they go and update the router firmware which switches SIP ALG on...).

    I have found default routers like BT super (un-helpful) hub absolutely hate SIP (strange for a huge ... pain in the harris ... telecoms company... lol), in fact a lot of ISPs do not like you using SIP based products (or even your own routers for that matter...) on their internet (go figure).

    Check your router out and look out for SIP ALG, also check on your home ISP provider's forums for SIP/VoIP based issues...

    If you have a BT Super Hub (or any BT hub/router), get another router.

    Sky Q Router - there's a problem

    TalkTalk - they do not like you using SIP through their router (but there are documented ways around this).

    I hope this helps

    Jason

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • Cheers for the reply Jason

    We've tested from about 5 different ISP connections and modem/routers now, including the Telco engineer's soft phone and 3G Dongle while he was sitting beside me here in the Office. It's definitely not the remote end that is the issue here.

    I'm pretty sure it's a NAT issue or something to do with the Multipath rules not actually working as intended.

    As an example, the original deployment of the new PABX was using our existing ISDN lines until their new SIP trunks could be provisioned on a new 2mb up/down service on a Cisco they installed into the comms room. On Monday they were unable to register the services back to their end - I could see the 15060 traffic leaving the PABX and going out to their IP but there was no evidence at all of return traffic from them. Change the gateway on the PABX to their 2mb up/down connection and it registers instantly. The ISDN service was ported to the new SIP trunks yesterday so we've left the PABX pointed like that as it just will not register/work at all if it goes through the SG230.

    I was thinking about setting up that 2mb up/down as a third Internet service/interface on the SG230 but I just have zero faith at all at this stage that it will work and I am already getting enough grief from management and remote site staff as it is. I figure it's just far easier to go with a solution that will just work out of the box - even if it means dumping the web filtering/reporting and going back to a 3rd party mail filtering service. I'll miss the RED devices I've put in remote sites but I can replicate that with IPSEC VPNs between the sites 'the old way' and once the remote phones are working they will go via the internet anyway back to the PABX.

    It just frustrated me that this is like 90% working and it's one thing blocking everything and I can't figure out what it is, nor can anyone else :(

  • Hello OP,

    And to all future people struggling with this issue...

    In SOPHOS I created a firewall rule and NAT rule... Pointing to 10.0.30.250...

    I then created another firewall rule and NAT rule (clone/copy) pointing to 10.0.30.251, and a third firewall rule/DNAT pointing to 10.0.30.252.

    I'm using 10.0.30.250-10.0.30.252 as an example, my IPs are in the 192.168 range.

    I assigned TCP/UDP to the correct device:

    250 :: TCP :: 35300, 7547, 37547

    250 :: UDP :: 2727, 9300, 9301

    251 :: UDP :: 16000-16511

    252 :: UDP :: 16512-17023

    Effectively if you do not create a new firewall rule and NAT rule for 251 and 252, you cannot forward traffic to those units and thus you have the issue with no audio on either side of the phone line.

    Once I did this, I placed a phone call from a remote phone and it worked whereas before no audio on either side of phones.
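
The port-to-device map in the last post can be checked mechanically against a list of configured forwards. The following is an added example, not part of the original thread and not Sophos or Panasonic code: the `Forward` record, the `audit` function, the first-matching-rule-wins lookup and the `ONE_TARGET` rule set are all assumptions made for illustration, using the thread's example addresses.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:
    proto: str   # "tcp" or "udp"
    first: int   # first external port
    last: int    # last external port (inclusive)
    host: str    # internal host the DNAT rule translates to

PABX, DSP1, DSP2 = "10.0.30.250", "10.0.30.251", "10.0.30.252"

# Port-to-device map as listed in the post above (thread's example addresses).
REQUIRED = (
    [Forward("tcp", p, p, PABX) for p in (35300, 7547, 37547)]
    + [Forward("udp", p, p, PABX) for p in (2727, 9300, 9301)]
    + [Forward("udp", 16000, 16511, DSP1), Forward("udp", 16512, 17023, DSP2)]
)

def lookup(rules, proto, port):
    """Internal host of the first rule matching proto/port, or None (assumed order)."""
    for r in rules:
        if r.proto == proto and r.first <= port <= r.last:
            return r.host
    return None

def audit(required, configured):
    """Return (proto, first, last, expected_host, actual_host) for each port
    span that is unforwarded (actual None) or sent to the wrong host."""
    findings = []
    for need in required:
        # Cut the required range wherever a configured rule starts or ends.
        cuts = {need.first, need.last + 1}
        for r in configured:
            if r.proto == need.proto:
                cuts.update(p for p in (r.first, r.last + 1)
                            if need.first < p <= need.last)
        edges = sorted(cuts)
        for lo, nxt in zip(edges, edges[1:]):
            actual = lookup(configured, need.proto, lo)
            if actual != need.host:
                findings.append((need.proto, lo, nxt - 1, need.host, actual))
    return findings

# Constructed rule set: signalling is right, but all RTP goes to the PABX address.
ONE_TARGET = REQUIRED[:6] + [Forward("udp", 16000, 17023, PABX)]

if __name__ == "__main__":
    for f in audit(REQUIRED, ONE_TARGET):
        print("%s %d-%d: expected %s, rule sends to %s" % f)
```

Run against `ONE_TARGET`, the audit reports both RTP ranges as delivered to 10.0.30.250 instead of the DSP cards, which is the condition the post ties to one-way or missing audio.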