reco
Posted March 5, 2010

Hi there,

I am having big troubles with pbxnsip behind the Fortinet FortiGate running OS 3. I am running pbxnsip 3.4.0.3201 (Darwin).

This is my setup: the forwarding is done via a virtual IP on the WAN interface to forward all traffic to the pbxnsip IP.

Reading this page: https://www.pbxnsipsupport.com/index.php?_m...kbarticleid=437 I set the IP Routing List:

    10.0.24.0/255.255.255.0/10.0.24.1 0.0.0.0/0.0.0.0/11.11.11.22

My problem is that I still see pbx and sip giving out the private IP when sending SIP invites to my phone providers (icall and callcentric).

    Contact: <sip:XXXXXXX@10.0.24.2:5060;transport=udp>

I have the session helper of the Fortinet set up:

    edit 12
        set name sip
        set port 5060
        set protocol 17
    next
    edit 14
        set name sip
        set port 5080
        set protocol 17
    next
    edit 15
        set name sip
        set port 10123
        set protocol 17
    next

Any help appreciated ....

thanx

Vodia PBX
Posted March 5, 2010

I see two points here:

1. Why do you run the PBX on a private IP address? I guess the firewall supports a transparent mode when the packets are forwarded without changing the IP address (no NAT, just router mode). That is the best solution, as the PBX runs as if it would be on a routable ("public") address.

2. Most service providers today use a session border controller to deal with devices that cannot present a (useful) routable address. I know that callcentric does this; for callcentric you have to do nothing, it will "just work". Well, at least if the firewall is not SIP-aware and screws it all up...

reco (Author)
Posted March 15, 2010

> I see two points here:
>
> 1. Why do you run the PBX on a private IP address? I guess the firewall supports a transparent mode when the packets are forwarded without changing the IP address (no NAT, just router mode). That is the best solution, as the PBX runs as if it would be on a routable ("public") address.
>
> 2. Most service providers today use a session border controller to deal with devices that cannot present a (useful) routable address. I know that callcentric does this; for callcentric you have to do nothing, it will "just work". Well, at least if the firewall is not SIP-aware and screws it all up...

1. I am not running the firewall in transparent mode. The rule, though, forwarding the external IP to the pbxnsip has NAT disabled.

2. Looking into that.

reco (Author)
Posted March 16, 2010

This is driving me crazy. Does somebody have a Fortinet firewall OS 3 or 4 and external SIP clients/phones working without VPN?

thanx

Bill H
Posted March 16, 2010

> This is driving me crazy. Does somebody have a Fortinet firewall OS 3 or 4 and external SIP clients/phones working without VPN?
>
> thanx

This is how you indicated your IP Routing List is set:

    10.0.24.0/255.255.255.0/10.0.24.1 0.0.0.0/0.0.0.0/11.11.11.22

It looks like the IP address of your PBXNSIP is set wrong in the list. Here is how it should be, based on your diagram:

    10.0.24.0/255.255.255.0/10.0.24.2 0.0.0.0/0.0.0.0/11.11.11.22

Bill H

shopcomputer
Posted March 17, 2010

We use Fortinet for our clients, we don't set routing lists, it works fine.

reco (Author)
Posted March 17, 2010

Hi there,

thanx for your reply. Did you get external SIP clients to register and call successfully?

reco

shopcomputer
Posted March 17, 2010

> Hi there,
>
> thanx for your reply. Did you get external SIP clients to register and call successfully?
>
> reco

Yes, never ran into a SIP registration issue with Fortinet.

DomingoSiete
Posted May 29, 2012

Hi,

we have a SnomOne yellow PBX behind a Fortinet 110C. The PBX has an internal IP and on the Fortinet we made a port forwarding to the internal PBX IP with SIP, RTP ports. The problem is that an external extension has no audio. The Snom 821 is registered and rings but no audio.

Do you have any ideas?

Thanks for help!

Regards,
Dominik

Vodia PBX
Posted May 29, 2012

SIP works differently than HTTP. While it might be possible to forward the TCP/TLS connection like you forward that to a web server with a successful registration, this does not work with RTP any more, as this is UDP-based. The PBX needs to "advertise" its address for UDP; it probably tells the phone to send the RTP to a private IP address, which cannot be routed from the phone.

There is a lot of talk about this problem, search for SIP and NAT--you'll get the idea. My short form is: You need to be able to route packets to the PBX from anywhere where you want to use the service and the PBX host needs to be aware about this. This is a classical problem in SIP and VoIP.

There are some tips at http://wiki.snomone.com/index.php?title=Server_Behind_NAT.

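
A check for the symptom discussed in this thread, added here as an example (it is not code from any poster or from the PBX vendor): it works out which address the posted IP Routing List should present to a destination, then lists the Via, Contact and SDP fields of a SIP message that advertise something else. It assumes first-match semantics for the routing list, IPv4 only, a constructed INVITE, and 203.0.113.10 as a placeholder provider address; all function names are hypothetical.

```python
import ipaddress
import re

# IP Routing List exactly as posted in the thread: network/mask/address-to-present.
ROUTING_LIST = "10.0.24.0/255.255.255.0/10.0.24.1 0.0.0.0/0.0.0.0/11.11.11.22"

# Constructed sample INVITE (not captured traffic); 203.0.113.10 stands in for a provider.
SAMPLE_INVITE = (
    "INVITE sip:15551230000@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.24.2:5060;branch=z9hG4bK-constructed\r\n"
    "Contact: <sip:XXXXXXX@10.0.24.2:5060;transport=udp>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 10.0.24.2\r\n"
    "c=IN IP4 10.0.24.2\r\n"
    "m=audio 49152 RTP/AVP 0\r\n"
)

def parse_routing_list(text):
    """Split whitespace-separated network/mask/presented entries."""
    entries = []
    for item in text.split():
        net, mask, presented = item.split("/")
        entries.append((ipaddress.ip_network(f"{net}/{mask}"),
                        ipaddress.ip_address(presented)))
    return entries

def presented_address(entries, destination):
    """Assumption: the first entry whose network contains the destination wins."""
    dest = ipaddress.ip_address(destination)
    return next((p for net, p in entries if dest in net), None)

# Via/Contact headers and SDP o=/c= lines carry addresses the far end will send to.
ADDR_LINE = re.compile(
    r"^(Via|Contact|o|c)\s*[:=].*?(\d{1,3}(?:\.\d{1,3}){3})", re.I | re.M)

def mismatched_fields(sip_message, expected):
    """Return (field, address) pairs that advertise something other than `expected`."""
    return [(m.group(1), m.group(2)) for m in ADDR_LINE.finditer(sip_message)
            if ipaddress.ip_address(m.group(2)) != expected]

if __name__ == "__main__":
    want = presented_address(parse_routing_list(ROUTING_LIST), "203.0.113.10")
    for field, addr in mismatched_fields(SAMPLE_INVITE, want):
        print(f"{field}: advertises {addr}, expected {want}")
```
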
shopcomputer
Posted May 29, 2012

> Hi,
>
> we have a SnomOne yellow PBX behind a Fortinet 110C. The PBX has an internal IP and on the Fortinet we made a port forwarding to the internal PBX IP with SIP, RTP ports. The problem is that an external extension has no audio. The Snom 821 is registered and rings but no audio.
>
> Do you have any ideas?
>
> Thanks for help!
>
> Regards,
> Dominik

You need to turn off all SIP helpers in Fortinet.