Standard User deans
(newbie) Tue 11-Jul-23 15:48:48
Andrews Arnold + OPNsense + Grandstream HT801
 
Hello,

I'm new to Voip. I just signed up for an Andrews and Arnold account as it has very good feedback and reviews. Except, I'm really struggling to get it running with my router running OPNsense!

I have allowed port 5060, set up the account but no joy. I added siproxd plugin and filled in what I could but still no joy.

Has anybody got any tips on getting Voip working with an OPNsense / pfSense router? Any guidance you can provide would be greatly welcomed.
Standard User deleted
(deleted) Tue 11-Jul-23 16:08:26
Re: Andrews Arnold + OPNsense + Grandstream HT801
[re: deans]
 
I migrated my existing VOIP services from an ISP router to Opnsense without any issue, no opening any ports, no plugins like siproxd required, it was seamless.

If your ISP provided you with a router when you took the service I would suggest getting the VOIP working via that first before you try it with Opnsense as you may go down the wrong rabbit hole.

Edit: for clarity my VOIP services are not provided by my ISP as that is a totally different conversation.

Edited by deleted (Tue 11-Jul-23 16:14:36)

Standard User deans
(newbie) Tue 11-Jul-23 17:04:05
Re: Andrews Arnold + OPNsense + Grandstream HT801
[re: deleted]
 
Thank you.

Likewise - I have different providers for internet (BT) and Voip (A&A).

I had Voip working on my old Unifi USG router last week. But, I swapped that out for OPNsense as the USG could not operate with a faster broadband speed.

Andrews & Arnold use SIP - I think this is maybe the bit that is not playing well with OPNsense.

If anybody knows how to get OPNsense working with SIP I'd love to see how. I'm pulling my hair out (and maybe missing phone calls!)


Standard User deleted
(deleted) Tue 11-Jul-23 17:10:50
Re: Andrews Arnold + OPNsense + Grandstream HT801
[re: deans]
 
If it was me I would temporarily plug the BT hub back in and connect the Grandstream HT801 into the hub and see if it works. If it does, then you can focus on the Opnsense; if it doesn't, then you need to look at the Grandstream HT801.

Edit: Most VOIP services are SIP including mine, I did no special setup for it to work on either my ISP router or my Opnsense router only the ATA had to be correctly configured.

Edited by deleted (Tue 11-Jul-23 17:16:31)

Standard User candlerb
(knowledge is power) Tue 11-Jul-23 17:26:33
Re: Andrews Arnold + OPNsense + Grandstream HT801
[re: deleted]
 
It's just UDP. The firewall doesn't need any special configuration.

Have you *ever* had the HT801 working with the AAISP VOIP service? If not, then it's almost certainly your SIP configuration in the HT801 that's at fault.

If you have, then check your HT801 is getting an IP address and gateway from your OPNSense server (look at the DHCP leases)
Standard User E300
(committed) Tue 11-Jul-23 17:28:59
Re: Andrews Arnold + OPNsense + Grandstream HT801
[re: deans]
 
You don't need to open any ports, usually anyway. The ports will be opened when the device connects up to the SIP server then usually "keepalives" are pinged out from the device to keep port 5060 alive over NAT and the Firewall open in order to receive incoming calls. If the settings like account and password are correct you should at least be able to make an outgoing call.

What I would suggest is removing anything added to help with the SIP problem and get back to basics.

You can use pfTop and filter on port 5060, this will let you see if it connects and if packets pass back and forth.

What issues are you having? Or is it just failing to register full stop?

Standard User deans
(newbie) Tue 11-Jul-23 17:50:40
Re: Andrews Arnold + OPNsense + Grandstream HT801
[re: candlerb]
 
In reply to a post by candlerb:
It's just UDP. The firewall doesn't need any special configuration.

Have you *ever* had the HT801 working with the AAISP VOIP service? If not, then it's almost certainly your SIP configuration in the HT801 that's at fault.

If you have, then check your HT801 is getting an IP address and gateway from your OPNSense server (look at the DHCP leases)


Yes, the HT801 worked with my Unifi router, I could make and receive calls.

Yes the HT801 is getting an internal IP address from OPNsense.
Standard User deleted
(deleted) Tue 11-Jul-23 17:54:28
Re: Andrews Arnold + OPNsense + Grandstream HT801
[re: candlerb]
 
In reply to a post by candlerb:
It's just UDP. The firewall doesn't need any special configuration.

Have you *ever* had the HT801 working with the AAISP VOIP service? If not, then it's almost certainly your SIP configuration in the HT801 that's at fault.

If you have, then check your HT801 is getting an IP address and gateway from your OPNSense server (look at the DHCP leases)

I'm sure the OP with the issue will appreciate your comments :)
Standard User E300
(committed) Tue 11-Jul-23 18:02:47
Re: Andrews Arnold + OPNsense + Grandstream HT801
[re: deans]
 
Are you running IPv6 on opnSense and your ISP?

Also some more information here about Firewall rules. https://support.aa.net.uk/VoIP_Firewall

Edited by E300 (Tue 11-Jul-23 18:10:10)

Standard User deans
(newbie) Tue 11-Jul-23 18:19:38
Re: Andrews Arnold + OPNsense + Grandstream HT801
[re: E300]
 
In reply to a post by E300:
You don't need to open any ports, usually anyway. The ports will be opened when the device connects up to the SIP server then usually "keepalives" are pinged out from the device to keep port 5060 alive over NAT and the Firewall open in order to receive incoming calls. If the settings like account and password are correct you should at least be able to make an outgoing call.


Thank you. We can make outgoing calls. Just not receive them. When making an incoming call the line is just silent. No ring tone, nothing on the calling phone and the voip phone also does not ring. Then it goes to voicemail. I can see a record of incoming call in the call log online. But, no indication there is a call from the voip.


What I would suggest is removing anything added to help with the SIP problem and get back to basics.

You can use pfTop and filter on port 5060, this will let you see if it connects and if packets pass back and forth.


I have disabled the SIP plugin. Looking at the live view / log files, I can see the incoming call on port 5060 proto udp, but is blocked by "Default deny / state violation rule"?

What issues are you having? Or is it just failing to register full stop?


The HT801 says it is registered. And, can make outgoing calls. But, does not ring nor allow incoming calls.
Standard User Michael_Chare
(knowledge is power) Tue 11-Jul-23 19:03:26
Re: Andrews Arnold + OPNsense + Grandstream HT801
[re: deans]
 
I have the GS wave VOIP app on my android phone registered to A&A via my OPNsense router. I also have a Gigaset N300 registered to A&A

If needed I can supply details of how A&A is configured in the app.

Michael Chare
Standard User E300
(committed) Tue 11-Jul-23 19:07:04
Re: Andrews Arnold + OPNsense + Grandstream HT801
[re: deans]
 
So it's incoming that's the issue. Do you have any keep alive options on the HT801 that can be turned on?

I'm not familiar with how AA run their service, but they do have two IPv4 addresses and two IPv6 addresses for their SIP servers, so an element of load balancing might be happening.

For example, the outgoing connection on 5060 is usually kept alive by keep alive packets, this means incoming packets can find their way back across the firewall as the phone constantly pings out keeping the route open, however the firewall will only allow incoming traffic back into the open 5060 port from the server it connected with that caused it to open the ports in the first place. So if you connect to AAISP server 1, and the incoming call is sent to you from their server 2, which has a different IP address, it is blocked by the firewall and quite correctly so. You may find some incoming calls work, as the load balancing may mean sometimes calls do come through on the server you first initiated the connection with. This may be why you are seeing the denied input. Another reason may be the firewall is closing the ports because no keep alive is being sent, either way the solution usually is the same.

You would need to add NAT rules to forward all traffic arriving on port 5060 from any of AAISP's servers to forward to your HT801. Usually that automatically adds the corresponding firewall rule as well. If you are using IPv6 then you wouldn't need the NAT forward rules but still would need a firewall rule to allow any traffic from AA's SIP servers into your network.

Port 5060 is only the first problem. You may find your phone then rings for incoming calls, but you get no audio, or one way audio, so additional ports may need opening.

Hopefully that helps get some way to resolving the issue.

Standard User essex_man
(newbie) Tue 11-Jul-23 20:08:09
Re: Andrews Arnold + OPNsense + Grandstream HT801
[re: E300]
 
You may want to check the OPNsense intrusion detection logs to see whether on incoming calls a SIP Invite is logged as rejected.

I am also using AA VoIp and just checked the logs from my Fritzbox, SIP Register is sent to 81.187.30.116 and all incoming SIP Invites (for legitimate calls via AA) are from the same peer address. I don't think SIP would work if the peer address was suddenly changed.

RTP packets may come from a different peer address but that would be advertised in the SDP part of the Invite message. However, for the incoming calls that I received recently, the UDP peer address is also 81.187.30.116. If your firewall is SIP aware, then it would look at the SDP part and open ports accordingly to let RTP packets get through.

You are likely to see loads of dodgy SIP Invites from SIP scanners in your intrusion detection log as well. I hope they are all being blocked :)
Standard User deans
(newbie) Tue 11-Jul-23 20:09:17
Re: Andrews Arnold + OPNsense + Grandstream HT801
[re: E300]
 
Thank you for this. Very good explanation and very useful.

I used this and also moved my HT801 to a new DMZ vlan (that I set-up for other purposes), adding rules for 5060.

There was a switch in the HT801 FXSPort options for NAT Traversal, that I set to keep alive.

Eureka - it's taking calls. So, I know it works.

Next job is to reboot the router and phone, and check still working ok.

THANK YOU ALL.
Standard User deleted
(deleted) Tue 11-Jul-23 21:46:30
Re: Andrews Arnold + OPNsense + Grandstream HT801
[re: deans]
 
Now you've proved you can make it work you should try it with the port 5060 firewall rule disabled or at the very least limit it to the A & A IP addresses as it's a security risk otherwise.
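
Added illustration, not part of the thread and not any poster's configuration: a toy Python model of the stateful UDP behaviour E300 describes (state created by outbound traffic, kept open by keep-alives) and of the closing advice to limit the 5060 rule to the provider's addresses. The addresses and the 60-second state timeout are constructed assumptions, not A&A or OPNsense values.

```python
from dataclasses import dataclass, field

UDP_STATE_TIMEOUT = 60  # seconds; assumed value, real firewalls make this tunable

@dataclass
class StatefulUdpFirewall:
    """Toy model: default-deny inbound, state created by outbound UDP to port 5060.
    Simplification: state is keyed on the remote IP only, not the full 4-tuple."""
    allow_sources: frozenset = frozenset()  # explicit pass/forward rule; {"any"} = any source
    timeout: int = UDP_STATE_TIMEOUT
    states: dict = field(default_factory=dict)  # remote IP -> time last packet seen

    def outbound(self, remote_ip, now):
        """REGISTER, keep-alive or outgoing call: creates or refreshes the state."""
        self.states[remote_ip] = now

    def inbound(self, remote_ip, now):
        last = self.states.get(remote_ip)
        if last is not None and now - last <= self.timeout:
            self.states[remote_ip] = now
            return "pass (state)"
        if "any" in self.allow_sources or remote_ip in self.allow_sources:
            return "pass (rule)"
        return "block (default deny)"

def run_scenarios():
    # Constructed documentation addresses, not the provider's real servers.
    server_a, server_b, scanner = "192.0.2.10", "192.0.2.11", "203.0.113.99"
    out = {}
    fw = StatefulUdpFirewall()                 # no rule, no keep-alive
    fw.outbound(server_a, 0)                   # REGISTER at t=0
    out["idle_invite"] = fw.inbound(server_a, 600)
    fw = StatefulUdpFirewall()                 # no rule, keep-alive every 20 s
    for t in range(0, 600, 20):
        fw.outbound(server_a, t)
    out["keepalive_invite"] = fw.inbound(server_a, 600)
    out["keepalive_other_server"] = fw.inbound(server_b, 600)
    fw = StatefulUdpFirewall(allow_sources=frozenset({"any"}))   # 5060 open to all
    out["open_rule_scanner"] = fw.inbound(scanner, 600)
    fw = StatefulUdpFirewall(allow_sources=frozenset({server_a, server_b}))
    out["restricted_other_server"] = fw.inbound(server_b, 600)
    out["restricted_scanner"] = fw.inbound(scanner, 600)
    return out

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:26} {verdict}")
```

The idle case reproduces the "Default deny / state violation" block seen in the live log, and the last two scenarios show why a source-restricted rule admits the provider's second server while still dropping unsolicited INVITEs from scanners.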