VoIP TLS/SRTP behind an OpenWrt NAT router

Hello, I am configuring VoIP.ms service for use and discovered that inbound VoIP TLS / SRTP calls are not possible, but unencrypted inbound calls are working without trouble. I installed conntrack in OpenWRT to look into traffic from the Linphone app running on an Android phone and a hardware Grandstream VoIP phone; there are ports 5061, 7078, and 7079 active from these applications. Adding these as masquerade "Firewall - NAT Rules" allows incoming calls:
SRTP-SIP-5061 Forwarded IPv4, protocol TCP From "any zone", port 5061 To "wan"
SRTP-SIP-7078-7079 Forwarded IPv4, protocol TCP,UDP From "any zone", port 7078-7079 To "wan"

However I don't understand why this works, but I am happy that it does. Should this be changed in OpenWRT for easier use? I was reading conflicting reports that iptables-mod-conntrack-extra is involved, but that would have been for iptables (deprecated) not nftables. I also read that kmod-ipt-conntrack-extra kmod-ipt-nat-extra kmod-nf-nathelper-extra packages may be related but for my situation it does not seem to have any effect.

I do notice yet that the hardware phone seems to forget what it is doing, if after some time I try to place an outbound call it will fail like it has gone to sleep and forgotten its registration (but the VoIP.ms account webpage shows there is an active registration); when it is like this inbound calls do not ring through either. Something else is needing to be done for SRTP / TLS VoIP and OpenWRT, but what?

I have no solution for your problem, but a hint: do you know sngrep? This software helps analyzing the VoIP data flow. You'll find it in the openwrt repository.

Good luck.

Thank you Barney, I will look for sngrep and drill down into this problem. Attached are images representing the config that has been allowing incoming voice calls, and my hardware phone is working as expected (does not time out or forget what it is doing) for the past week. The port numbers are from the VoIP provider VoIP.ms documentation: https://wiki.voip.ms/article/Firewall. Hopeful that some expert can chime in and tell me if all of these things I have set are appropriate. This is via Starlink ISP IPv4 behind their CGNAT. I would like to test with IPv6 but VoIP.ms is not capable, so that will be another future adventure.

I have hit some image limit with new users on this forum

new user limited to one image per post

last image of three

Install the connection tracking helpers and enable it globally.

You need to allow incoming for the RTP ports.

I used to run a Freepbx server behind my Openwrt about a decade ago, with a combination of Aastra phones and some softphones. I went to inspect a backup of my Openwrt configuration (I still have it yes!).

I used 3 different providers and the config is the same for all of them.

Looking at the config, I see I was required to do the following - I allow all traffic out by default, so I didn't have specific rules for outgoing traffic, only for incoming:

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'udp'
    option src_port '5060:5080'
    option src_dport '5060'
    option dest_ip '<IP of internal pbx / softphone / hard phone>'
    option dest_port '5060'
    option name 'voipms-sip'
    option src_ip '<VOIP.ms server>'
    option extra '-m state --state NEW'
    option reflection '0'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'udp'
    option src_port '5004:5005'
    option src_dport '10001-20000'
    option dest_ip '<IP of internal pbx / softphone / hard phone>'
    option dest_port '10001-20000'
    option name 'voipms-rtp'
    option src_ip '<VOIP.ms server>'
    option extra '-m state --state NEW'
    option reflection '0'

Looking at the firewall page of the VOIP.ms wiki, this corresponds to what they're recommending.

You'll need another rule for SIP-TLS in addition to the two rules above:

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option src_port '5061:5081'
    option src_dport '5061'
    option dest_ip '<IP of internal pbx / softphone / hard phone>'
    option dest_port '5061'
    option name 'voipms-siptls'
    option src_ip '<VOIP.ms server>'
    option extra '-m state --state NEW'
    option reflection '0'

I'd recommend you put in some explicit source address restrictions for the incoming traffic, since SIP ports are a frequent target of machines that scan your firewall.

There's a list of server IPs used by VOIP.ms here: https://wiki.voip.ms/article/Choosing_Server#IPs
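As an added example (not from this thread or from OpenWrt), a small POSIX shell script that generates the three redirect sections above once per provider server address, so that every SIP, SIP-TLS and RTP rule carries an explicit `src_ip` restriction. The phone address and the provider addresses are placeholders to be replaced with the real ones from the provider's IP list; the generated text is meant to be appended to /etc/config/firewall and reviewed before reloading the firewall.

```shell
#!/bin/sh
# emit_redirect: print one OpenWrt UCI 'config redirect' section (DNAT from
# wan to lan) restricted to a single provider source address.
# args: name proto wan_port lan_port dest_ip src_ip
emit_redirect() {
    name=$1 proto=$2 wan_port=$3 lan_port=$4 dest_ip=$5 src_ip=$6
    cat <<EOF
config redirect
    option name '$name'
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto '$proto'
    option src_ip '$src_ip'
    option src_dport '$wan_port'
    option dest_ip '$dest_ip'
    option dest_port '$lan_port'
    option reflection '0'

EOF
}

# gen_voip_redirects: print SIP (udp/5060), SIP-TLS (tcp/5061) and RTP/SRTP
# (udp/10001-20000) redirects for each provider address given, so nothing
# but the provider's servers can reach the phone's signalling and media ports.
# usage: gen_voip_redirects <phone_lan_ip> <provider_ip> [<provider_ip> ...]
gen_voip_redirects() {
    phone=$1; shift
    [ $# -gt 0 ] || { echo "no provider addresses given, refusing to emit open rules" >&2; return 1; }
    for srv in "$@"; do
        tag=$(printf '%s' "$srv" | tr '.' '_')   # make the IP usable in a rule name
        emit_redirect "voip-sip-$tag"    udp 5060 5060 "$phone" "$srv"
        emit_redirect "voip-siptls-$tag" tcp 5061 5061 "$phone" "$srv"
        # Adjust the RTP range to what the phone is actually configured to use.
        emit_redirect "voip-rtp-$tag"    udp 10001-20000 10001-20000 "$phone" "$srv"
    done
}

# Placeholder addresses (documentation ranges), not VoIP.ms' real servers:
# gen_voip_redirects 192.168.1.50 203.0.113.10 203.0.113.11 >> /etc/config/firewall
```

After appending, `uci show firewall | grep voip-` lets you check the sections before running `/etc/init.d/firewall reload`.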

@eshattow
