Hi all!
This is my first question to this board. Please let me know if I am breaking any taboos or form.
I have an installation of Freeswitch/FusionPBX. The wrinkle which makes this a bit of a bear is that the install is running inside of a Podman Container. The installation runs behind at least two routers, so there is a lot of NATing going on. However, I have successfully gotten the following patterns to work:
Same Subnet Internal SIP Phone <-> Freeswitch (inside of Linux box running Podman running rootless) <-> Internal SIP Phone
Subnet A SIP Phone <-> Same FS as above <-> Router <-> Subnet B SIP Phone
Subnet A SIP Phone <-> Same FS as above <-> Router <-> Router <-> Externally Registered phone (via Internal Profile)
All of the permutations of internal extensions seem to work reliably. The internal profile reliably NATs and we have signaling and media flowing.
The next task was to connect the FS instance to a backend SIP trunk. The backend provider does not authenticate, so all of the access control is done with an ACL or via firewall ACL. The outgoing calls work perfectly. The signaling works and media flows normally.
The failure occurs with inbound calls. The calls come in using the external profile, the backend provider is authenticated. The internal extension rings (it doesn't seem to matter if the internal extension is on the same subnet or another one), but the ACK and SDP OK 200 message seem to be lost. The backend provider keeps ringing and fails over and tries the call from their backup signalling IP and then quits.
I think I see the problem, but I have no idea how to fix it. In the Podman Rootless Container, the internal networking assigns a non-routable IP address to itself (10.0.2.100). I notice that the client being called (it is Linphone) tries responding, but the Contact: info only has this non-routable address:
SIP/2.0 200 Ok
Via: SIP/2.0/TCP PUBLICIP:6060;received=10.0.0.3;rport;branch=z9hG4bKepSH5Ba076K6j
From: "EXTERNALDID" <sip:EXTERNALDID@EXTERNALDNSNAME>;tag=K4DDD651a5S9e
To: <sip:1000@10.0.2.100:35096;transport=tcp;received=10.0.2.100:35096>;tag=SPSSu3s
Call-ID: d6b5d43e-5870-123f-89b6-021e7527f955
CSeq: 108573071 INVITE
User-Agent: Linphone-Desktop/5.3.0 (LAPTOP-LQKE7QRM) windows/10 Qt/5.15.2 LinphoneSDK/5.4.38
Supported: replaces, outbound, gruu, record-aware
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO, PRACK, UPDATE
Contact: <sip:1000@10.0.2.100:35096;received=10.0.2.100:35096;transport=tcp>;expires=600;+org.linphone.specs="conference/2.0,ephemeral/1.1,groupchat/1.2,lime"
Content-Type: application/sdp
Content-Length: 191
v=0
o=1000 2046 1799 IN IP4 10.0.0.9
s=Talk
c=IN IP4 10.0.0.9
t=0 0
m=audio 64690 RTP/AVP 0 9 8 3 102 101
a=rtpmap:102 speex/8000
a=fmtp:102 vbr=on
a=rtpmap:101 telephone-event/8000
I have tried nat-acl with just the container IP. I have tried every permutation of the ACL approach. I did notice that the phone would not ring unless the container IP (10.0.2.100) was whitelisted. This doesn't make sense to me as the bridging of the calls occurs inside of the container.
I am posting redacted SIP traces. For example:
From: "EXTERNALDID" <sip:EXTERNALDID@EXTERNALDNSNAME>;tag=K4DDD651a5S9e
I have no doubt this is some simple flag I have missed, but I am at my wits' end. Any help would be appreciated.
Thank you,
-Greg
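A small diagnostic one could run over a trace like the one above, added here as an example and not part of the original post or of FreeSWITCH/FusionPBX: it parses a SIP response and flags RFC 1918 / non-global addresses in the Contact, Via and SDP c= lines, the places where a NATed client leaks addresses the far side cannot route to. The sample message is constructed, modelled on the redacted 200 OK in the post (Content-Length omitted).

```python
import ipaddress
import re

# Constructed sample, modelled on the redacted 200 OK in the post (not the author's trace).
SAMPLE_200_OK = """SIP/2.0 200 Ok
Via: SIP/2.0/TCP PUBLICIP:6060;received=10.0.0.3;rport;branch=z9hG4bKepSH5Ba076K6j
From: "EXTERNALDID" <sip:EXTERNALDID@EXTERNALDNSNAME>;tag=K4DDD651a5S9e
To: <sip:1000@10.0.2.100:35096;transport=tcp>;tag=SPSSu3s
Contact: <sip:1000@10.0.2.100:35096;received=10.0.2.100:35096;transport=tcp>;expires=600
Content-Type: application/sdp

v=0
o=1000 2046 1799 IN IP4 10.0.0.9
c=IN IP4 10.0.0.9
m=audio 64690 RTP/AVP 0 8 101
"""

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def split_message(raw):
    """Split a SIP message into a list of (lower-cased header name, value) and the body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = []
    for line in head.split("\n")[1:]:          # skip the status/request line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def is_unroutable(ip):
    """True for RFC 1918 and other non-global IPv4 literals; False for malformed ones."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def find_private_addresses(raw):
    """Return (location, address) pairs for unroutable addresses in Contact, Via and SDP c=."""
    headers, body = split_message(raw)
    hits = []
    for name, value in headers:
        if name in ("contact", "via"):
            for ip in dict.fromkeys(IPV4_RE.findall(value)):   # de-duplicate, keep order
                if is_unroutable(ip):
                    hits.append((name, ip))
    for line in body.split("\n"):
        if line.startswith("c=IN IP4 ") and is_unroutable(line.split()[-1]):
            hits.append(("sdp c=", line.split()[-1]))
    return hits


if __name__ == "__main__":
    for location, ip in find_private_addresses(SAMPLE_200_OK):
        print(f"unroutable address in {location}: {ip}")
```

Run against a real capture, a Contact or c= hit on a message leaving the external profile means the provider is being handed an address it can never reach, which is exactly where the ACK and the media would go missing.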