PBR SIP passthrough

Hey!
I'm trying to get SIP running on a FritzBox behind my OpenWRT Router. The OpenWRT Router routes all traffic through a WireGuard VPN.

FritzBox (ISP) -> OpenWRT -> FritzBox 7490 (the SIP client)

The SIP Setup works over the VPN, but I would like to avoid adding latency.

So I tried this:

# vpn-policy-routing policy: send SIP signaling (TCP/UDP to port 5060, any
# destination) out via the ISP uplink ('wan') instead of the WireGuard default
# route. This matches the signaling only; RTP media uses a separate port range
# (5070:5079 for this provider, as stated later in the thread) and still goes
# through the VPN. NOTE(review): with no dest_addr, *any* traffic to port 5060
# leaves the tunnel in the clear; scoping the policy to the provider's
# addresses or hostnames is tighter.
config policy
  option name 'SIP Ports'
  option interface 'wan'
  option dest_port '5060'
  option proto 'tcp udp'

But I can't receive calls, and when a call does connect, no audio is transmitted. So I would guess I'm missing some rule for the receiving side.
Which port do I have to open? What rules do I have to set? Do I need to forward something from the ISP FritzBox?

The SIP provider is 1&1:

SIP:  sip.1und1.de
STUN: stun.1und1.de
Port: 5060
/etc/config/network

# Loopback interface (standard OpenWrt entry).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fdad:fdfc:33fe::/48'

# 802.1q VLAN sub-interfaces on the bond0 trunk:
#   VID 1 = mgmt, VID 10 = wan (towards the ISP FritzBox), VID 100 = lan,
#   VID 200 = guest.
# NOTE(review): these sections name the VLAN devices mgmt/wan/lan/guest, but
# the interface sections below reference bond0.1/bond0.10/bond0.100/bond0.200
# instead — confirm which set netifd actually brings up; the named devices
# look unused as written.
config device
	option type '8021q'
	option ifname 'bond0'
	option vid '1'
	option name 'mgmt'

config device
	option type '8021q'
	option ifname 'bond0'
	option vid '10'
	option name 'wan'

config device
	option type '8021q'
	option ifname 'bond0'
	option vid '100'
	option name 'lan'

config device
	option type '8021q'
	option ifname 'bond0'
	option vid '200'
	option name 'guest'

# Upstream side: DHCP client towards the ISP FritzBox on VLAN 10.
# peerdns '0' ignores the resolvers the ISP box hands out and pins
# 192.168.1.2 (a host on the management VLAN, the PiHole per the firewall
# rule name) instead.
config interface 'wan'
	option proto 'dhcp'
	option peerdns '0'
	option device 'bond0.10'
	list dns '192.168.1.2'

# Management VLAN (192.168.1.0/24), router at .1.
config interface 'management'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option device 'bond0.1'
	option ip6assign '60'
	list ip6class 'local'

# Main LAN (192.168.100.0/24), router at .1.
config interface 'lan'
	option device 'bond0.100'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.100.1'
	option ip6assign '60'
	list ip6class 'local'

# Guest VLAN (192.168.200.0/24), router at .1. No IPv6 prefix assigned here.
config interface 'guest'
	option device 'bond0.200'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.200.1'

# WireGuard tunnel. Key material, tunnel address and endpoint are redacted in
# this paste. mtu 1380 leaves headroom for the WireGuard/UDP encapsulation.
config interface 'vpn'
	option proto 'wireguard'
	option force_link '1'
	option mtu '1380'
	option private_key 'xxxxxxxxxxx'
	option addresses 'xxxxxxxxxxxx'

# WireGuard peer. allowed_ips 0.0.0.0/0 + ::/0 together with
# route_allowed_ips '1' installs the tunnel as the default route for both
# address families, so everything not explicitly diverted by a
# vpn-policy-routing policy leaves through the VPN.
config wireguard_vpn
	option persistent_keepalive '25'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option route_allowed_ips '1'
	option description 'vpn'
	option public_key 'xxxxxxxxxxxxxx'
	option endpoint_host 'xxxxxxxxxxxxx'
/etc/config/vpn-policy-routing

# Global vpn-policy-routing settings.
config vpn-policy-routing 'config'
	option verbosity '2'
	# strict_enforcement: presumably blocks traffic matched by a policy while
	# its target interface is down instead of letting it fall back to the
	# default route (the VPN here) — confirm against the package README.
	option strict_enforcement '1'
	option src_ipset '0'
	option dest_ipset '0'
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option procd_reload_delay '1'
	option webui_enable_column '0'
	option webui_protocol_column '0'
	option webui_chain_column '0'
	option webui_show_ignore_target '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option enabled '1'
	# resolver_ipset 'dnsmasq.ipset' is what should let a policy use a
	# hostname (e.g. sip.1und1.de) as dest_addr instead of fixed IPs.
	option resolver_ipset 'dnsmasq.ipset'
	# ipv6_enabled '0': the policies presumably act on IPv4 only, while the
	# WireGuard peer also claims ::/0 — so any IPv6 traffic, SIP included,
	# stays inside the tunnel. Verify if the provider hands out AAAA records.
	option ipv6_enabled '0'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

# Everything sourced from the guest VLAN (192.168.200.0/24) bypasses the VPN
# and leaves via the ISP uplink unencrypted.
config policy
	option interface 'wan'
	option name 'Guest'
	option src_addr '192.168.200.0/24'
/etc/config/firewall

# Zone-less defaults: INPUT/OUTPUT accept, FORWARD reject. Each zone below
# overrides input/forward for its own traffic.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'management'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'management'

# NOTE(review): input 'ACCEPT' lets guest clients reach every service
# listening on the router itself, not just DHCP/DNS. A least-privilege guest
# zone uses input 'REJECT' plus explicit rules for UDP 67 (DHCP) and port 53
# — adjust before copying this elsewhere. Guest isolation from lan/management
# currently relies on there being no guest -> lan/management forwarding.
config zone 'guest'
	option name 'guest'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'guest'

# ISP-facing zone: inbound rejected, outbound masqueraded (NAT).
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

# The Allow-* rules below are the stock OpenWrt wan input rules.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock rules forwarding IPsec ESP and ISAKMP (UDP 500) from wan into lan.
# NOTE(review): harmless if no IPsec peer lives on the lan, but they can be
# dropped if unused.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'lan'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'lan'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

# Legacy hook for hand-written iptables rules; its contents are not shown
# here and could add or override anything in this file.
config include
	option path '/etc/firewall.user'

# Tunnel-facing zone: same posture as wan, masqueraded.
config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'
	list network 'vpn'

config forwarding
	option src 'lan'
	option dest 'vpn'

# Lets clients reach the PiHole (192.168.1.2:53) on the management VLAN from
# zones that have no general forwarding to 'management' (e.g. guest).
# NOTE(review): src '*' also includes wan and vpn. Packets from those zones
# are unlikely to be addressed to 192.168.1.2 without a DNAT, but restricting
# src to the zones that actually need it (lan, guest) is the least-privilege
# form. No proto given, so the rule applies to TCP and UDP.
config rule
	option name 'PiHole DNS'
	option src '*'
	option dest 'management'
	option dest_port '53'
	option target 'ACCEPT'
	list dest_ip '192.168.1.2'

config forwarding
	option src 'guest'
	option dest 'wan'

# lan may reach both the VPN and the ISP uplink; which one a flow uses is
# decided by routing (vpn-policy-routing), not by the firewall.
config forwarding
	option src 'lan'
	option dest 'wan'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

# No forwarding from guest to lan or management and nothing opens SIP/RTP
# ports from wan; the inbound call problem in this thread is a routing
# question, not a missing firewall rule.
config forwarding
	option src 'management'
	option dest 'vpn'
etc/dnsmasq.conf

This policy covers only the SIP signaling on port 5060, not the RTP media traffic, which uses a separate port range. The media is what carries the audio, so with signaling sent via WAN and media still going through the VPN you get exactly the symptom described: calls that connect without audio.

If you do not know the RTP port range your provider uses, create the policy based on the provider's destination IP addresses or hostnames instead (your config already sets `resolver_ipset 'dnsmasq.ipset'`, which is what should let hostname-based policies resolve), so that both signaling and media to those hosts bypass the VPN.

According to this thread, incoming calls from your provider originate from two different IP addresses, so you may need port-forwarding rules to avoid losing calls. If you do add forwards for 5060 or the RTP range, restrict them with `src_ip` to the provider's addresses: a SIP port open to the whole internet is scanned constantly and is a common entry point for toll fraud against the registered account.


Like this?

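# Route all traffic to the provider's SIP and STUN servers via the ISP uplink
# instead of the VPN. These are the A records of stun.1und1.de
# (212.227.67.33/.34) and sip.1und1.de (212.227.124.129/.130). dest_addr
# matches the remote destination, and no dest_port is given, so signaling on
# 5060 and RTP media to these hosts alike are diverted regardless of port.
config policy
	option interface 'wan'
	option name 'SIP1'
	option dest_addr '212.227.67.33'

config policy
	option interface 'wan'
	option name 'SIP2'
	option dest_addr '212.227.67.34'

config policy
	option interface 'wan'
	option name 'SIP3'
	option dest_addr '212.227.124.129'

config policy
	option interface 'wan'
	option name 'SIP4'
	option dest_addr '212.227.124.130'

# The former SIP5-SIP8 policies put these same provider IPs into src_addr.
# src_addr matches the local (LAN-side) source address of the traffic, not the
# remote peer, so those policies could never match anything and have been
# removed. NOTE(review): the provider's addresses come from DNS and may change;
# a hostname-based dest_addr (resolver_ipset is enabled in the global config)
# would track that automatically.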
$ nslookup stun.1und1.de
Server:		192.168.1.2
Address:	192.168.1.2#53

Non-authoritative answer:
Name:	stun.1und1.de
Address: 212.227.67.33
Name:	stun.1und1.de
Address: 212.227.67.34

$ nslookup sip.1und1.de
Server:		192.168.1.2
Address:	192.168.1.2#53

Non-authoritative answer:
Name:	sip.1und1.de
Address: 212.227.124.130
Name:	sip.1und1.de
Address: 212.227.124.129

This doesn't work either.
The RTP port range is 5070:5079.

The src_addr option matches the local (LAN-side) source address of the traffic, not the remote peer, so SIP5–SIP8 never match anything.
Remove the SIP[5-8] policies.

Could you be a little more specific?
Is the SIP registration successful?
Can you at least make outgoing calls?
One-way-audio, no-audio?

If registration succeeds and outgoing calls work, that means SIP NAT traversal is functioning, and what remains is purely a routing issue (which flows go via WAN versus the VPN), not a firewall one.