  1. #1
    Newbie
    Join Date
    Jan 2020
    Posts
    5

    Untangle and Voip RTP

    Hello everyone, made a couple of searches on the forums for a few days but didn't manage to find a workaround for this problem.

    I currently have a customer with 2 sites, both with an Untangle NG Firewall, connected by an OpenVPN tunnel; everything in the tunnel is working fine. My problem is with 2 VoIP systems from Siemens, which are kinda old and use H323 to connect to one another. Call initiation works fine since it happens on TCP, but audio is giving me a headache.

    For context, this customer of mine was using 2 Ubiquiti EdgeRouters connected by IPSEC (vti) before we convinced them to upgrade to Untangle, and VoIP was working fine.

    What I've managed to find so far is that when one site calls the other, the first call works just fine with audio both ways.

    This first call is going to use ports 15000 and 15001 for RTP using UDP.

    When the call is disconnected, this UDP session stays active on Untangle until it times out, so during this time, if a second call is established, the Siemens PBX will again try to use UDP ports 15000 and 15001 since they were already released from the previous call, but Untangle will not route them since the UDP sessions from the first call did not time out yet, and thus the second call has no audio.

    Once the UDP sessions time out there will be audio again.

    example:

    udp 17 120 src=192.168.101.253 dst=192.168.102.253 sport=15000 dport=15000 packets=591 bytes=118200 src=192.168.102.253 dst=192.168.101.253 sport=15000 dport=15000 packets=591 bytes=118200 [ASSURED] mark=16841218 delta-time=72 use=1

    I see no way of manipulating UDP timeouts. I've tried using different methods for connecting both sites, such as IPSEC and GRE, but the same behaviour happens.

    I know recent systems randomize RTP ports and thus this issue would never occur, but it is what it is.

    Does anyone have any thoughts or suggestions for a workaround?

    Notes:
    I've already tried SNAT with masquerade in hopes Untangle would NAT to a different source port as it would for a WAN, but it didn't work.

    I've got bypass rules for both Siemens PBX IP addresses.

    Thank you.

  2. #2
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,001

    Have you created bypass rules on the Untangles for the PBXs? I usually recommend two, one simply destined to IP PBX, and the other sourced from IP of PBX.

    You should only need to do them for the near side PBX, as everything else goes to/from those addresses.

    Untangle bypasses SIP by default, but the RTP gets caught up in the filters, which causes all sorts of not so fun things.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Newbie
    Join Date
    Jan 2020
    Posts
    5

    Yes, I've created bypass rules on both sites with both source and destination to both PBX.

    SharedScreenshot.jpg
    Last edited by sado; 01-20-2020 at 04:03 AM.

  4. #4
    Newbie
    Join Date
    Jan 2020
    Posts
    5

    I've worked around this by re-using the Ubiquiti EdgeRouters and creating a vti inside the already existing OpenVPN tunnel, thus bypassing Untangle routing. (Basically an IPSEC tunnel inside an OpenVPN tunnel; I know this isn't ideal but I had to bypass Untangle routing somehow.)

    Comparing EdgeRouter behaviour to Untangle, they both open the session the same way. The difference is that when the second call is established, the EdgeRouter just refreshes the UDP session while Untangle will not, until the timeout happens.

    Is this intended behaviour on Untangle side?
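
The lingering session entry quoted in the first post can be picked out and timed programmatically. The following is an added example, not code from any poster or from Untangle: it parses lines in the conntrack format shown in the thread and lists the UDP entries between the two PBXs on the RTP ports, with the seconds left before each expires. The function names and the second and third sample lines are assumptions made for illustration.

```python
import re

# Constructed sample: line 1 is the entry quoted in the first post; lines 2-3 are
# made-up entries (a DNS lookup, H.323 TCP signalling) added for contrast.
SAMPLE = (
    "udp 17 120 src=192.168.101.253 dst=192.168.102.253 sport=15000 dport=15000 packets=591 bytes=118200 "
    "src=192.168.102.253 dst=192.168.101.253 sport=15000 dport=15000 packets=591 bytes=118200 "
    "[ASSURED] mark=16841218 delta-time=72 use=1\n"
    "udp 17 27 src=192.168.101.10 dst=192.168.102.20 sport=53211 dport=53 packets=1 bytes=60 [UNREPLIED] "
    "src=192.168.102.20 dst=192.168.101.10 sport=53 dport=53211 packets=0 bytes=0 mark=0 use=1\n"
    "tcp 6 431999 ESTABLISHED src=192.168.101.253 dst=192.168.102.253 sport=40112 dport=1720 packets=12 bytes=900 "
    "src=192.168.102.253 dst=192.168.101.253 sport=1720 dport=40112 packets=10 bytes=800 [ASSURED] mark=0 use=1\n"
)

TUPLE_KEY = re.compile(r"\b(src|dst|sport|dport)=(\S+)")
FLAG = re.compile(r"\[(\w+)\]")

def parse_entry(line):
    """Parse one conntrack-style line; return None if it is not an entry."""
    fields = line.split()
    if len(fields) < 3 or not fields[2].isdigit():
        return None
    entry = {"proto": fields[0], "ttl": int(fields[2]),  # seconds until expiry
             "flags": FLAG.findall(line), "orig": {}, "reply": {}}
    for key, value in TUPLE_KEY.findall(line):
        # Each key appears twice: original direction first, then reply direction.
        side = "reply" if key in entry["orig"] else "orig"
        entry[side][key] = value
    return entry

def lingering_rtp(text, pbx_ips, rtp_ports):
    """Return UDP entries between the PBXs on the RTP ports, longest-lived first."""
    hits = []
    for line in text.splitlines():
        e = parse_entry(line)
        if not e or e["proto"] != "udp" or len(e["orig"]) < 4:
            continue
        o = e["orig"]
        if {o["src"], o["dst"]} <= pbx_ips and int(o["dport"]) in rtp_ports:
            hits.append({"src": o["src"], "dst": o["dst"], "sport": int(o["sport"]),
                         "dport": int(o["dport"]), "ttl": e["ttl"],
                         "assured": "ASSURED" in e["flags"]})
    return sorted(hits, key=lambda h: h["ttl"], reverse=True)

if __name__ == "__main__":
    for h in lingering_rtp(SAMPLE, {"192.168.101.253", "192.168.102.253"}, {15000, 15001}):
        print("{src}:{sport} -> {dst}:{dport} expires in {ttl}s assured={assured}".format(**h))
```

Feeding it successive snapshots of the session table taken after a call ends shows how long the old 15000/15001 entries stay in place before a second call can reuse the ports.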
