Vodia PBX forum
reco

pbxnsip behind fortinet firewall


Hi there,

I am having big trouble with pbxnsip behind the Fortinet FortiGate running OS 3.

I am running pbxnsip 3.4.0.3201 (Darwin).

 

This is my setup:

[attached diagram: network.png]

 

The forwarding is done via a virtual IP on the WAN interface to forward all traffic to the pbxnsip IP.

 

Reading this page: https://www.pbxnsipsupport.com/index.php?_m...kbarticleid=437

I set the IP Routing List:

 

10.0.24.0/255.255.255.0/10.0.24.1 0.0.0.0/0.0.0.0/11.11.11.22

 

My problem is that I still see the PBX and SIP giving out the private IP when sending SIP INVITEs to my phone providers (icall and callcentric).

 

Contact: <sip:XXXXXXX@10.0.24.2:5060;transport=udp>

 

I have the session helper of the Fortinet set up:

 

edit 12
    set name sip
    set port 5060
    set protocol 17
next
edit 14
    set name sip
    set port 5080
    set protocol 17
next
edit 15
    set name sip
    set port 10123
    set protocol 17
next

 

Any help appreciated.

Thanks


I see two points here:

 

1. Why do you run the PBX on a private IP address? I guess the firewall supports a transparent mode when the packets are forwarded without changing the IP address (no NAT, just router mode). That is the best solution, as the PBX runs as if it would be on a routable ("public") address.

 

2. Most service providers today use a session border controller to deal with devices that cannot present a (useful) routable address. I know that callcentric does this; for callcentric you have to do nothing, it will "just work". Well, at least if the firewall is not SIP-aware and screws it all up...

> I see two points here:
>
> 1. Why do you run the PBX on a private IP address? I guess the firewall supports a transparent mode when the packets are forwarded without changing the IP address (no NAT, just router mode). That is the best solution, as the PBX runs as if it would be on a routable ("public") address.
>
> 2. Most service providers today use a session border controller to deal with devices that cannot present a (useful) routable address. I know that callcentric does this; for callcentric you have to do nothing, it will "just work". Well, at least if the firewall is not SIP-aware and screws it all up...

 

1. I am not running the firewall in transparent mode. The rule forwarding the external IP to the pbxnsip, though, has NAT disabled.

2. Looking into that.

This is driving me crazy.

Does somebody have a Fortinet firewall OS 3 or 4 and external SIP clients/phones working without VPN?

Thanks

> This is driving me crazy.
>
> Does somebody have a Fortinet firewall OS 3 or 4 and external SIP clients/phones working without VPN?
>
> Thanks

 

This is how you indicated your IP Routing List is set:

 

10.0.24.0/255.255.255.0/10.0.24.1 0.0.0.0/0.0.0.0/11.11.11.22

 

 

 

It looks like the IP address of your PBXNSIP is set wrong in the list.

Here is how it should be, based on your diagram:

10.0.24.0/255.255.255.0/10.0.24.2 0.0.0.0/0.0.0.0/11.11.11.22

Bill H

Hi there,

Thanks for your reply. Did you get external SIP clients to register and call successfully?

reco

Yes, never ran into a SIP registration issue with Fortinet.


Hi,

 

We have a SnomOne yellow PBX behind a Fortinet 110C. The PBX has an internal IP, and on the Fortinet we made a port forwarding to the internal PBX IP for the SIP and RTP ports. The problem is that an external extension has no audio. The Snom 821 is registered and rings, but there is no audio. Do you have any ideas?

 

Thanks for help!

 

Regards,

Dominik


SIP works differently from HTTP. While it might be possible to forward the TCP/TLS connection the way you forward it to a web server, and get a successful registration, this does not work for RTP any more, as RTP is UDP-based. The PBX needs to "advertise" its address for UDP; it probably tells the phone to send the RTP to a private IP address, which cannot be routed from the phone. There is a lot of talk about this problem; search for SIP and NAT and you'll get the idea. My short form is: you need to be able to route packets to the PBX from anywhere you want to use the service, and the PBX host needs to be aware of this.

 

This is a classical problem in SIP and VoIP. There are some tips at http://wiki.snomone.com/index.php?title=Server_Behind_NAT.

> Hi,
>
> We have a SnomOne yellow PBX behind a Fortinet 110C. The PBX has an internal IP, and on the Fortinet we made a port forwarding to the internal PBX IP for the SIP and RTP ports. The problem is that an external extension has no audio. The Snom 821 is registered and rings, but there is no audio. Do you have any ideas?
>
> Thanks for help!
>
> Regards,
>
> Dominik

You need to turn off all SIP helpers in Fortinet.
