Port Forwarding, VLANs, SIP Server and DMZ (Open NAT)

Hello everyone!

I'm having 2 big issues in setup since I started using VLANs:

  1. Can't get my FreePBX (VLAN 30) to connect to a SIP server on port 5060 UDP (even though this port is forwarded in OpenWrt "correctly"). If I remove this server from this VLAN and use a standard approach, I get it to connect to this external SIP server. Even my Windows machine (that is not in a VLAN) can connect using the same credentials, so it's not a banned IP issue.

  2. A PlayStation 5 in a different VLAN (VLAN 20), which I designated as DMZ, can't get Open NAT, and even though it's NAT 2, I'm having issues in "Apex Legends" lobbies where I sometimes can't connect to a game server with my party. If I press ready, my group needs to wait a couple of seconds (like 30+ seconds) until they see my character ready on their screen, otherwise they start the game without me. But I have forwarded both TCP and UDP for the port range 1-65535 to this specific client in this VLAN 20. No luck so far. Would I be able to get an OPEN NAT? I have a valid fixed IP from my ISP, so I suppose I could? I just don't know how. I would love to have OPEN NAT in a separate VLAN, so I don't have to worry about this device, since it would be isolated in its own VLAN.

So on my FreePBX server (VLAN 30) I have a random port forwarded to it to allow a secure connection between my FreePBX server and my remote clients (via TCP TLS). This port is forwarded and it's working great. Even on a mobile connection I can connect to my FreePBX server and make local calls. So I suppose I have created the VLAN correctly and have done the port forwarding the right way, but at the same time, why is my server not receiving a response from the SIP server?

tcpdump -i br-lan.30 host app.nvoip.com.br and port 5060

root@roteador:~# tcpdump -i br-lan.30 host app.nvoip.com.br and port 5060
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br-lan.30, link-type EN10MB (Ethernet), snapshot length 262144 bytes
19:00:27.856346 IP freepbx.home.myhome.com.5060 > ec2-54-233-253-44.sa-east-1.compute.amazonaws.com.5060: SIP: REGISTER sip:app.nvoip.com.br:5060 SIP/2.0
19:00:27.870637 IP ec2-54-233-253-44.sa-east-1.compute.amazonaws.com.5060 > freepbx.home.myhome.com.5060: SIP: SIP/2.0 401 Unauthorized
19:00:27.887427 IP ec2-54-233-253-44.sa-east-1.compute.amazonaws.com.5060 > freepbx.home.myhome.com.5060: SIP: SIP/2.0 401 Unauthorized
19:00:50.742122 IP ec2-54-233-253-44.sa-east-1.compute.amazonaws.com.5060 > freepbx.home.myhome.com.5060: SIP: SIP/2.0 200 I am alive
19:00:57.904264 IP ec2-54-233-253-44.sa-east-1.compute.amazonaws.com.5060 > freepbx.home.myhome.com.5060: SIP: SIP/2.0 401 Unauthorized
19:00:57.921359 IP ec2-54-233-253-44.sa-east-1.compute.amazonaws.com.5060 > freepbx.home.myhome.com.5060: SIP: SIP/2.0 401 Unauthorized
19:01:27.939682 IP ec2-54-233-253-44.sa-east-1.compute.amazonaws.com.5060 > freepbx.home.myhome.com.5060: SIP: SIP/2.0 401 Unauthorized
19:01:27.956519 IP ec2-54-233-253-44.sa-east-1.compute.amazonaws.com.5060 > freepbx.home.myhome.com.5060: SIP: SIP/2.0 401 Unauthorized
19:01:50.741661 IP ec2-54-233-253-44.sa-east-1.compute.amazonaws.com.5060 > freepbx.home.myhome.com.5060: SIP: SIP/2.0 200 I am alive
19:01:57.973184 IP ec2-54-233-253-44.sa-east-1.compute.amazonaws.com.5060 > freepbx.home.myhome.com.5060: SIP: SIP/2.0 401 Unauthorized
19:01:57.989403 IP ec2-54-233-253-44.sa-east-1.compute.amazonaws.com.5060 > freepbx.home.myhome.com.5060: SIP: SIP/2.0 401 Unauthorized

While in FreePBX this is what I get:

[2025-01-17 22:00:27] WARNING[141106] res_pjsip_outbound_registration.c: Temporal response '401' received from 'sip:app.nvoip.com.br:5060' on registration attempt to 'sip:12345678@app.nvoip.com.br:5060', retrying in '30'
[2025-01-17 22:00:50] VERBOSE[141106] res_pjsip/pjsip_configuration.c: Endpoint NVOIP is now Reachable
[2025-01-17 22:00:50] VERBOSE[141106] res_pjsip/pjsip_options.c: Contact NVOIP/sip:12345678@app.nvoip.com.br:5060 is now Reachable. RTT: 15.623 msec
[2025-01-17 22:00:57] WARNING[141106] res_pjsip_outbound_registration.c: Temporal response '401' received from 'sip:app.nvoip.com.br:5060' on registration attempt to 'sip:12345678@app.nvoip.com.br:5060', retrying in '30'
[2025-01-17 22:01:28] WARNING[141106] res_pjsip_outbound_registration.c: Temporal response '401' received from 'sip:app.nvoip.com.br:5060' on registration attempt to 'sip:12345678@app.nvoip.com.br:5060', retrying in '30'
[2025-01-17 22:01:58] WARNING[141106] res_pjsip_outbound_registration.c: Temporal response '401' received from 'sip:app.nvoip.com.br:5060' on registration attempt to 'sip:12345678@app.nvoip.com.br:5060', retrying in '30'
[2025-01-17 22:02:28] WARNING[141106] res_pjsip_outbound_registration.c: Temporal response '401' received from 'sip:app.nvoip.com.br:5060' on registration attempt to 'sip:12345678@app.nvoip.com.br:5060', retrying in '30'
[2025-01-17 22:02:58] WARNING[141106] res_pjsip_outbound_registration.c: Temporal response '401' received from 'sip:app.nvoip.com.br:5060' on registration attempt to 'sip:12345678@app.nvoip.com.br:5060', retrying in '30'
[2025-01-17 22:03:28] WARNING[141106] res_pjsip_outbound_registration.c: Temporal response '401' received from 'sip:app.nvoip.com.br:5060' on registration attempt to 'sip:12345678@app.nvoip.com.br:5060', retrying in '30'

As I said, if I remove this FreePBX server from the VLAN, it can connect to the SIP server even without any port forwarding. I have tried to change the zone settings to ACCEPT, ACCEPT, ACCEPT, but it didn't help either. I've also tried to disable "Automatic helper assignment" for each firewall zone, because I heard of some issues with the SIP ALG, but that didn't help either.

Below are my OpenWrt config files (I have replaced some sensitive info and deleted some other unrelated port forwards so it doesn't get too big):

dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/home.myhome.com/'
	option domain 'home.myhome.com'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list rebind_domain 'home.myhome.com'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list dhcp_option '6,192.168.1.220,192.168.1.1'
	list dhcp_option '42,192.168.1.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'lan2'
	option interface 'lan2'
	option ignore '1'

config dhcp 'guest'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'guest'

config dhcp 'DMZ'
	option interface 'DMZ'
	option start '10'
	option limit '90'
	option leasetime '12h'

config dhcp 'PUBLICO_ISOLADO'
	option interface 'PUBLICO_ISOLADO'
	option start '10'
	option limit '90'
	option leasetime '12h'

config host
	option name 'freepbx'
	list mac '11:22:33:44:55:66'
	option ip '192.168.30.10'
	option leasetime 'infinite'
	option hostid '0030'

config host
	option name 'ps5'
	list mac 'AA:BB:CC:DD:EE:FF'
	option ip '192.168.20.50'
	option leasetime 'infinite'

firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'
	list network 'rooter'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'AndroidAP'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config zone
	option forward 'REJECT'
	option name 'guest'
	option output 'ACCEPT'
	option input 'REJECT'
	list network 'guest'

config forwarding
	option dest 'wan'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option src 'guest'
	option name 'Guest DNS'
	option dest_port '53'

config rule
	option dest_port '67'
	option src 'guest'
	option name 'Guests DHCP'
	option target 'ACCEPT'
	list proto 'udp'

config rule 'wg'
	option name 'Allow-WireGuard'
	option dest_port '9999'
	option proto 'udp'
	option target 'ACCEPT'
	option src '*'

config redirect
	option dest 'PUBLICO_ISO'
	option target 'DNAT'
	option name 'FreePBX TLS'
	list proto 'tcp'
	option src 'wan'
	option src_dport '20000'
	option dest_ip '192.168.30.10'
	option dest_port '20000'

config zone
	option name 'DMZ'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'DMZ'
	option log '1'

config forwarding
	option src 'lan'
	option dest 'DMZ'

config zone
	option name 'PUBLICO_ISO'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'PUBLICO_ISOLADO'

config forwarding
	option src 'lan'
	option dest 'PUBLICO_ISO'

config rule
	option name 'Allow-DNS-DHCP-DMZ-NTP'
	list proto 'udp'
	option src 'DMZ'
	option dest_port '53 67 123'
	option target 'ACCEPT'

config forwarding
	option src 'DMZ'
	option dest 'wan'

config forwarding
	option src 'PUBLICO_ISO'
	option dest 'wan'

config rule
	option name 'Allow-DNS-DHCP-NTP-PUBLICO-ISOLADO'
	option src 'PUBLICO_ISO'
	option dest_port '53 67 123'
	option target 'ACCEPT'
	list proto 'udp'

config redirect
	option name 'FreePBX SIP'
	option src 'wan'
	option src_dport '5060'
	option dest 'PUBLICO_ISO'
	option dest_ip '192.168.30.10'
	option dest_port '5060'
	option target 'DNAT'
	list proto 'udp'

config redirect
	option name 'FreePBX RTP'
	option src 'wan'
	option src_dport '10000-20000'
	option dest 'PUBLICO_ISO'
	option dest_ip '192.168.30.10'
	option dest_port '10000-20000'
	option target 'DNAT'
	list proto 'udp'

config redirect
	option dest 'DMZ'
	option target 'DNAT'
	option name 'Playstation 5'
	option src 'wan'
	option dest_ip '192.168.20.50'
	list proto 'tcp'
	list proto 'udp'
	option src_dport '1-65535'
	option dest_port '1-65535'

network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'XXXXXXXXXXXXXXXXXX::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan.99'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config device
	option name 'wan'
	option macaddr 'XXXXXXXXXXXXXXXXXXX'

config interface 'wan'
XXXXXXXXXXXXXXXXXXXXX

config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.100.1'

config interface 'vpn'
XXXXXXXXXXXXXXXXXXXXX

config interface 'rooter'
XXXXXXXXXXXXXXXXXXXXX

config interface 'AndroidAP'
	option proto 'dhcp'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

config interface 'DMZ'
	option proto 'static'
	option device 'br-lan.20'
	option ipaddr '192.168.20.4'
	option netmask '255.255.255.0'

config interface 'PUBLICO_ISOLADO'
	option proto 'static'
	option device 'br-lan.30'
	option ipaddr '192.168.30.4'
	option netmask '255.255.255.0'

edit: *fixed network tagging

Last 2 rules make no sense, disable them right away. For SIP you need SIP ALG aka "nat helper", and for the PlayStation likely sysctl net.netfilter.nf_conntrack_udp_timeout=300 | tee -a /etc/sysctl.conf

These two sections make the lan2 / lan3 configs non-deterministic

Which one?

Do you mean this?

EDIT: Nevermind, it's a package kmod-nf-nathelper

OK!

I was trying to have VLAN20 and VLAN30 available on LAN4, but also have untagged packets on this port, since I have a Proxmox server on this LAN4, and FreePBX is a VM running there, and the PlayStation is on one of the ports of the physical Proxmox host that I have bridged to the physical port, but I also have other servers running there that I want to be available to the other LANs. So what am I supposed to have here?

Tags - no idea, one of the 2 will be active at random times.

It looks like it's right, but I also had Untagged for VLAN20 and VLAN30, so I fixed this part.

At least that's what I understood from some VLAN videos and tutorials I read online and from what ChatGPT said as well:

So basically it's now fixed based on what you said:

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

But FreePBX still doesn't work.
PS5 I haven't tried yet.

EDIT:
FreePBX is working now.

config rule
	option name 'Allow-SIP-Outbound'
	option src 'PUBLICO_ISO'
	option proto 'udp'
	option dest_port '5060'
	option ipset 'NVOIP'
	option target 'ACCEPT'

config rule
	option name 'Allow-RTP-Outbound'
	option src 'PUBLICO_ISO'
	option proto 'udp'
	option dest_port '10000-20000'
	option ipset 'NVOIP'
	option target 'ACCEPT'

I also had to change the password again in the SIP server. For some reason, a special character was not being accepted.

Likely another bug, needing b64 encoding special chars somewhere.
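The reply above says the last two redirects "make no sense", and the thread's PS5 rule is the textbook case: a DNAT of 1-65535 to one host is a full exposure of that host to the internet, not a port forward. The following is an added example, not code from the thread or from OpenWrt: a small lint that parses UCI `firewall` and `network` text, flags DNAT redirects that expose a blanket port range, and flags redirects whose `dest` zone does not actually contain `dest_ip` (the zone's subnets are derived from the interfaces listed under it). The parser, the checks and the `max_ports` threshold are my own; the sample configs are constructed from fragments of the posted config, with one deliberately wrong rule ("Bad zone (constructed)") added to exercise the second check.

```python
"""Added example, not from the thread: lint OpenWrt UCI firewall/network config for
blanket DNAT port ranges (like the '1-65535' PS5 rule) and dest-zone mismatches."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample, cut down from the posted config, plus one deliberately wrong rule.
FIREWALL = """
config zone
 option name 'wan'
 list network 'wan'
config zone
 option name 'DMZ'
 list network 'DMZ'
config zone
 option name 'PUBLICO_ISO'
 list network 'PUBLICO_ISOLADO'
config redirect
 option name 'FreePBX SIP'
 option src_dport '5060'
 option dest 'PUBLICO_ISO'
 option dest_ip '192.168.30.10'
 option target 'DNAT'
config redirect
 option name 'Playstation 5'
 option src_dport '1-65535'
 option dest 'DMZ'
 option dest_ip '192.168.20.50'
 option target 'DNAT'
config redirect
 option name 'Bad zone (constructed)'
 option src_dport '22'
 option dest 'DMZ'
 option dest_ip '192.168.30.11'
 option target 'DNAT'
"""
NETWORK = """
config interface 'DMZ'
 option ipaddr '192.168.20.4'
 option netmask '255.255.255.0'
config interface 'PUBLICO_ISOLADO'
 option ipaddr '192.168.30.4'
 option netmask '255.255.255.0'
"""
SECTION = re.compile(r"config\s+(\S+)(?:\s+'?([^']*)'?)?$")
KEYVAL = re.compile(r"(option|list)\s+(\S+)\s+'(.*)'$")

def parse_uci(text):
    """Parse UCI text into sections: {type, name, options{}, lists{}}."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION.match(line):
            cur = {"type": m[1], "name": m[2] or "", "options": {}, "lists": defaultdict(list)}
            sections.append(cur)
        elif (m := KEYVAL.match(line)) and cur is not None:
            kind, key, val = m.groups()
            if kind == "option":
                cur["options"][key] = val
            else:
                cur["lists"][key].append(val)
    return sections

def port_span(spec):
    """'5060' -> (5060, 5060); '10000-20000' -> (10000, 20000)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def zone_subnets(fw, net):
    """Map firewall zone name -> IPv4 subnets of the interfaces it lists."""
    iface = {s["name"]: ipaddress.ip_network(
                 f"{s['options']['ipaddr']}/{s['options'].get('netmask', '32')}", strict=False)
             for s in net if s["type"] == "interface" and "ipaddr" in s["options"]}
    return {s["options"].get("name", s["name"]):
            [iface[n] for n in s["lists"]["network"] if n in iface]
            for s in fw if s["type"] == "zone"}

def lint_redirects(fw_text, net_text, max_ports=1000):
    """Return [(rule name, problem)] for risky or inconsistent DNAT redirects."""
    fw, net = parse_uci(fw_text), parse_uci(net_text)
    zones, findings = zone_subnets(fw, net), []
    for s in fw:
        o = s["options"]
        if s["type"] != "redirect" or o.get("target") != "DNAT":
            continue
        name = o.get("name", "<unnamed>")
        lo, hi = port_span(o.get("src_dport", "1-65535"))  # no src_dport = every port
        if hi - lo + 1 > max_ports:
            findings.append((name, f"DNATs {hi - lo + 1} ports to {o.get('dest_ip')}; "
                             "a blanket forward leaves that host effectively unfirewalled"))
        dest, ip = o.get("dest"), o.get("dest_ip")
        if dest and ip and not any(ipaddress.ip_address(ip) in n for n in zones.get(dest, [])):
            findings.append((name, f"dest_ip {ip} is not in any subnet of zone '{dest}'; "
                             "fw4 will attach its auto-generated accept to the wrong zone"))
    return findings

if __name__ == "__main__":
    for rule, problem in lint_redirects(FIREWALL, NETWORK):
        print(f"[{rule}] {problem}")
```

Run it against the real files with `lint_redirects(open('/etc/config/firewall').read(), open('/etc/config/network').read())`; on the sample it reports the PS5 rule for its 65535-port range and the constructed rule for its zone mismatch, and stays silent on the FreePBX SIP forward. The 1000-port threshold is arbitrary: the RTP range 10000-20000 on the page would trip it too, which is intentional, since a 10k-port forward deserves a second look even when it is legitimate.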