As many people are struggling with using the Fritz!Box with Zen in IP Client mode behind another device doing NAT, after many years of absence, I have re-registered to explain what is going on for those that have failed to get it to work.
Zen's Digital Voice (VOIP) service assumes that the customer will be connecting the provided Fritz!Box router directly to DSL or FTTP. This would mean the Fritz!Box would have the public IP address on its WAN port, making it easy for it to send and receive calls using the public IP address.
If, like me, you have your own firewall (in my case OPNsense), or another router, instead of the Fritz!Box connected to the internet, some additional setup is required for successful incoming calls. In my case I have the Fritz!Box connected to my OPNsense firewall to provide VOIP telephone service and act as a DECT base station. You don't necessarily have to use the Fritz!Box; you can use other VOIP devices or a SIP PBX like Asterisk if you prefer.
The first thing, as has been mentioned a few times, is that ports must be forwarded from Zen’s VOIP servers to the IP address of the Fritz!Box, using the information provided by Zen in their help document general-sip-settings.
While this will allow the incoming call to be initiated, for some people, depending on the type of NAT you have, this may be enough. Otherwise, calls will drop out after approximately 30 seconds.
In addition to the inbound port forwarding rules, you will also need to make sure that you configure your outbound NAT so that connections from the Fritz!Box have static ports. On pfSense & OPNsense this can be done as follows...
1. First go to the Firewall -> NAT setting menu, click on outbound. Set the NAT mode to ‘Hybrid outbound NAT rule generation’.
2. Add an outgoing rule for the IP address of the Fritz!Box...
Interface: WAN
TCP/IP Version: IPv4
Source address: Fritz!box IP address
Source port: UDP/*
Destination address: any
Destination port: any
Translation/target: Interface address
Static Port: yes
Save and apply this rule.
Why this second step is important
There are different types of NAT available, but most dynamically generate new port numbers on outgoing connections, i.e. port address translation as well as address translation. While this works for many things, SIP is one of the few protocols where this is a problem. SIP expects the source port to be the same as the destination, in this example port 5060. When the outgoing port is changed from 5060 to a random port by your firewall's NAT, the connection will fail.
The failure is due to the call set-up being a 3-way process...
1. The incoming call sends an INVITE to your public IP address on the SIP port 5060, this is forwarded to your Fritz!Box according to your port forwarding rule, the phone starts ringing!
2. The Fritz!Box sends an OK response so the call can be set-up, but this needs to have a source port of 5060, not a random port.
3. For the call to be successful, the server will need to send an ACK response to the Fritz!Box, to acknowledge the OK sent. Herein lies the problem: the OK response will be sent on the same port that the OK was received. Using the common dynamic port mapping on NAT, this will be a random port. As there is no corresponding port forwarding rule matching the random port to receive this connection on, the ACK response will never be received and the call dropped.
Setting a static port on the outgoing NAT ensures that the outgoing port remains 5060. Now when Zen tries to send the ACK to your public IP address, you have a port forwarding rule that forwards requests to port 5060 to your Fritz!Box; the ACK is therefore received and the call stays up.
Hope this helps some people.
PS, my old forum username from many years ago that got deleted through non-use was 'Going_Digital'
Darren @ Tandy
Edited by Tandy (Sun 05-May-24 10:05:31)
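The three-step call set-up from the post above, walked through a small NAT model with and without the static port rule. This is an added example, not part of the original post and not OPNsense code. The addresses are constructed documentation-range values, and the model assumes, as the post describes, that the ACK is admitted only when a port forward matches its destination port (no state tracking is modelled).

```python
import random

SIP_PORT = 5060
FRITZ = "192.168.1.20"   # constructed LAN address of the Fritz!Box
WAN = "203.0.113.10"     # constructed public address of the firewall

class Nat:
    """Firewall model: inbound port forwards plus outbound source NAT."""
    def __init__(self, static_port, seed=0):
        self.static_port = static_port
        self.rng = random.Random(seed)
        self.forwards = {}  # WAN UDP port -> (LAN host, LAN port)

    def add_forward(self, wan_port, host, port):
        self.forwards[wan_port] = (host, port)

    def outbound(self, src_host, src_port):
        """Address and port the remote server sees for a LAN packet."""
        if self.static_port:
            return (WAN, src_port)                   # Static Port: yes
        return (WAN, self.rng.randint(49152, 65535))  # port rewritten by NAT

    def inbound(self, wan_port):
        """LAN target for an unsolicited inbound packet, or None if dropped."""
        return self.forwards.get(wan_port)

def incoming_call(nat):
    """Return (ack_delivered, trace) for the post's three steps."""
    trace = []
    # 1. INVITE arrives on WAN:5060 and needs the port forward.
    target = nat.inbound(SIP_PORT)
    trace.append(("INVITE forwarded to", target))
    if target is None:
        return False, trace
    # 2. The OK leaves the Fritz!Box from 5060 and crosses outbound NAT.
    seen = nat.outbound(*target)
    trace.append(("OK seen by server from", seen))
    # 3. The ACK goes to the port the OK was seen from.
    delivered = nat.inbound(seen[1])
    trace.append(("ACK forwarded to", delivered))
    return delivered == (FRITZ, SIP_PORT), trace

if __name__ == "__main__":
    for static in (False, True):
        nat = Nat(static_port=static)
        nat.add_forward(SIP_PORT, FRITZ, SIP_PORT)
        ok, trace = incoming_call(nat)
        print(f"static_port={static}: call stays up = {ok}")
        for step in trace:
            print("   ", *step)
```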