cancel
Showing results for 
Search instead for 
Did you mean: 
1

Ask

2

Reply

3

Solution

Landline phone with own router on FTTP

bruce_miranda
4: Newbie

Just got FTTP and everything is working fine off the VF router. Phone lines are plugged into the VF router, VF router's WiFi is switched off. 3rd party Mesh has been switched to Bridge mode and plugged into the VF's ethernet port.

However I am shocked at how feature poor the VF router is. e.g. There are no Parental controls at all. I know I can get rid of the VF router and plug my own Mesh router into the Openreach ONT, but what about the Landline. 

Are there any 3rd party routers in the market that have a telephone socket at the back to allow the home phone to be plugged in? 

701 REPLIES 701

wyeview
2: Seeker
2: Seeker

Followed the great advice in this thread (thanks Bruce for starting it) to get a HT801 working through a Fritz!Box.

But since mid-December we have an intermittent problem whereby the calling party cannot hear us when we answer the phone - we can hear them okay. Reverting to the Vodafone router usually solves the problem but of course if we wanted to do that we wouldn't be following this thread in the first place. When we contacted Vodafone about this the escalated to second level support, who gave us a slick line in BS which amounted to "we have reset the Vodafone Router config".

Has anybody else had this problem, i.e. calling party can't hear us on answer?

Madmanmav
2: Seeker
2: Seeker

Has anyone got this to work with OPNsesne router ?
I bought a H812 and followed the settings in this thread , set NAT to STUN but I am struggling to get it through OPNsense's firewall.
I setup and old ASUS router and the H812 registered and I could call out and call in (though calling in the phone never rang , but picking it up I could hear my voice both ends ,, maybe a ringer setting i am missing ?)
I have tried allsorts on OPNsense to no avail.
Any advice would be appreciated.

OK so I got this working in OPNsesne with the following settings

Step1 Create an Alias for the H8xx pointing to its LAN address (i.E 192.165.1.XXX) i called mine grandstream
Step 2 Create an Alias for ports 5059 and 10000 (type ports UDP) I called mine voipports

Step 3 create inbound rule 

Interface Proto Address Ports Address Ports IP Ports Description     

WANUDP**LAN addressVoipports  Grandstream  Voipports    

Step Goto to outbound rules and select HYBRID MODE

Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description  STATIC 

  WANLAN net***Interface address*YES 


Goto to firewall > advanced and set

Network Address Translation 
 Reflection for port forwards
 Reflection for 1:1
 Automatic outbound NAT for Reflection

Also in firewall avanced set 

 Firewall Optimization
 conservative

Setup HT8XX as mentioned in this tread.

IMPORTANT reboot router to reset firewall state tables as anothe rule may have already taken these ports ad assigned the to other uses , so a reboot of router will free ports and H8XX should then be able to register fine.

Was fighting this for days and much of that time i had it right but the state tables needed resetting , so a router rest IS required , once connected and registered it should stay connected fine.
 

Hey, I'm sorry I missed your original post. I did include a section for Opnsense in my Github repo here: https://github.com/mouldybread/VodafoneUKVOIPConfig

You're 99% of the way there but your OUTBOUND nat rules need to include your alias as the source, otherwise you're effectively disabling outbound port remapping(by setting STATIC=YES) for all devices on both udp and tcp which will cause intermittent connectivity issues if more than one outbound connection from your network uses the same source port.

According to Ripshods configuration (and as I have it working) the SIP port should be 5065 instead of 5059.

RTP (which SIP uses for audio transport) usually uses a range of random udp source ports. Ripshods configuration has the local RTP port set to 10000 with a port range of 24, and random port set to yes. When I configured my phone the minimum accepted range was actually 200. I'm unclear as to if this means 10000-10200, but it should.

So your UDP port alias should actually be more like 10000-10200 if you're being conservative and we assume the device is selecting from the "Local RTP port" upwards based on the settings. If you are more concerned with making sure it works: your UDP range should be 10000-32767 which is the full range used by RTP. You can always specify !=RFC1918 if you want to descope.

Picking a random source port is especially important as we have disabled outbound remapping. If something else is (or has) been using UDP/10000, the call will fail(this is the problem that remapping aims to fix after all). So a bigger range is better and relying on a single port may cause intermittent issues.

As far as I know, the firewall settings you mentioned (Reflection for port forwards, Reflection for 1:1, Automatic outbound NAT for Reflection) should be unnecessary as they relate to port forwarding/nat reflection.

Finally to reset state tables without restarting you can go to Firewall -> States -> Actions (tab) and Reset State Table/source tracking.

I hope this helps!

Further I just noticed that your inbound WAN rule directly exposes your phone to the internet. This may pose a significant security risk, and is also not needed for your phone to function. Please disable your inbound WAN rule ASAP. Perhaps a moderator can edit the original post and remove that part?

Thanks for the tips ,
Yes you are correct the port is 5065 , that was a typo but could not see where to edit the post. 
The inbound port forward rule should be only exposing ports 5065 and 10000 to the phone , the admin interface on port 80,443,22 aren't exposed with that rule. Without the rule I could not get it to work at all.
The rule without aliases would be as follows
Scource                                                                     Destinantion
interface      protocol   address  ports                address    ports                    IP                      ports
WAN            UDP           ANY       ANY                 LAN          5065 10000        VOIP LAN IP     5065 10000
so only 5065 and 10000 should be exposed I beleive ,, i will look at the link provided thankyou.
exposing only those two ports has so far been solid ,, originally I had the rule forward 5060-5065 and 10000-20000 ,, but paired it back to just those two ports which seem to work ,, i have disabled direct IP dailing in the ATA. I agree ideally I would limit the inbound IP range to vodaphones block. thanks for the tip and resetting states ,, i will now go and read the link you provided and reply here.
Thanks once again ,, been banging my head on the wall for a while with this.

@Bigfluctuation I heave read through your wrtiup , excellent , i wish I had know about it sooner ,, not sure how I missed it as I have been back and forwards through the tread a few times reading up. I though have tried disabling the rule and can't seem to get inbound calls without it. I don't have a static IP and am using fullcone STUN as per a tip i think @Ripshod posted , could that have a bearing ? 
I will be honest I am not great in OPNsense , especially with rules as i find the nomenclature somewhat counter intuative at times. I originally thought Unbound might be a cause for the problems.
As I mentioned I tried it on a spare asus A88u I had laying around running the Merlin firmware and it just worked (after wrestling the ATA setting provided by @Ripshod et all).

I feel it would be great to get a definitive setup for each working ATA/PHONE ,as I did note when cribbing from others posted setups that a number of them disagreed on certain features.
As an aside
I wanted to confirm my settings with voda (they had already provided them but they were scribbled down and i figured I might have an I for a 1 or o for a 0 that sort of thing) ,I had got them no problem first ime round but the next guy refused to provide them or confirm the ones i had were correct , so I escalated this up to the top teir.
They were very helpfull appologised and reprovided them , they also said they do an adapter that would plug ino the network and work with third party routers and would send one free of charge. GREAT I thought Voda are providing a Voda branded ATA , I nearly posted here with this marvelous revelation.
A few days later the "device" arrived ... It was an RJ11 to BT connector wire 😂

Hi,

You can use the live view (Firewall -> Log Files -> Live View) to see exactly what's happening when you enable/disable your WAN INBOUND rule. Does it match anything? Upon re-reading your instructions it shouldn't match anyway as the packets won't have the VOIP devices LAN IP in the destination field when they hit the WAN side.

At any rate an INBOUND ALLOW rule on the WAN interface is potentially risky and isn't needed for VOIP as OPNSense stateful and tracks outbound connections. As a general principle, allowing any unsolicited traffic from the internet to reach your devices is undesirable.

In terms of OPNSense, Full Cone NAT is called Static Port Mapping and is what you have configured with your NAT Outbound Rule. Generally I think limiting the scope of this rule to devices that need static mapping is preferable as Port Remapping does serve an important purpose and any resulting problems will be transient and hard to trace. In your case this may be why the phone would only work after resetting the state tables - another connection likely used the same port.

In terms of the device I found that any setting other than 'No' for NAT Traversal resulted in the phone not working. When I'm able to find some time I may look at this further but as it is up and running for me with no issues it's not a high priority.

STUN gives the device a means by which to determine the external IP and negotiate a connection in symmetric(full cone/static NAT) environments. See RFC3489 for the full specification. It's not perfect and there are already proposals that supersede STUN. As per my instructions STUN wasn't necessary to get my phone working, though I did manually specify my external IP.

From your instructions I think you've implemented parts from the three different approaches outlined in my write up. This is understandable given the amount of confused/incomplete/outdated documentation floating around, but the steps I outlined should be enough to get your phone working without any additional steps.

FWIW I found this thread: https://community.freepbx.org/t/happiness-with-sonicwalls-it-can-happen/39463 which is full of people who also discovered that certain PBX don't work unless Static Port Mapping is enabled. This is probably because the PBX in question are doing something similar to what is described here: https://www.sonicwall.com/support/knowledge-base/troubleshooting-a-scenario-where-source-remap-is-ca... 

I agree , Ideally there would be no holes poked through, but without I simply doesnt work for me.
The forward is limited to a single IP though that of the h812 ata and only the 2 UDP ports 5065 and rtp 10000.

The hybrid rule on outbound from what I understand essentially converts opnsense to a type2 nat , I could limit the translation fron the lan net to a sigle IP i suppose , making that ip moderate and the rest type 3 and have only that IP statically mapped. I did try this but had no joy , but this may have been down to my firewall tables not being reset after that change.

I will take another look at it , I am not overly concerned about the 2 forwarded ports to a single IP , unless there is a way to hack the ATA on those 2 ports it should be ok for time being but I will relook at this and thankyou for your pointers. I will post some feedback next time i have a play. I don't actually use the landline but my folks do and they were without phone for some time , so i will let them have their fill of poinless jibber jabber for now before i potentially cut them off again :Smiling:


Ripshod
16: Advanced member
16: Advanced member

My experience agrees totally. Port forwarding is necessary. It wouldn't be necessary if the ata device is built into the router, but as these devices are seperate from the router and have their own local network IPs the traffic needs to be steered to them.