I just read this column and would like to suggest a simpler solution. I have a couple of similar setups with multiple LAN segments, sometimes with VLANs. They basically share the PBX and the usual groupware stuff like calendars.
I know that OPNsense does exist, but I have never used it. My stuff works with pfSense, where it is now pretty easy to install packages from other repositories. Of course, one needs to be careful when updating the system to keep all packages in sync when the upstream repositories change.
Having said that, why not install Asterisk in the router/firewall right away? No NAT issues, multiple LAN segments as easy as pie, perfect control of packages.
Maybe OPNsense allows something similar.
Your setup is not common and Asterisk can’t know any better; it doesn’t know how routing will end up with the setup you have done. I can only provide information on what exists now; I can’t provide information on how to make it work with your specific setup because no one has ever done so.
Like most internet software, Asterisk was designed to work on THE Internet, not on multiple, disjoint internets.
Given that the Internet’s origins are in battle damage tolerant military systems, there are ways of redundantly connecting to multiple providers, but they require sophisticated providers, offering business services, and significant knowledge on the part of the customer. They are not going to be available on consumer services, or on small business services.
When done, this will be done outside the Asterisk box and would be invisible to it.
Yes, OPNsense allows that, but… it doesn’t really fix the problem, because behind the VPN I have other routers that do NAT too, and the problems start again, now from the OPNsense WAN network…
If your setup is that general and convoluted, another approach could be to use OpenVPN, either as site-to-site tunnels between routers, or as client-to-site tunnels between phones and the PBX, regardless of how many NAT hurdles are in between (provided basic routing works).
Some SIP phones have OpenVPN already on board, some newer Android-based ones might need third-party libs. My experience with Yealink T4x-Series phones was excellent. Your mileage may vary.
I don’t think that you will ever get clean solutions with NAT on both sides with possibly more NAT firewalls in between. You have to worry not only about the routing and the ports, but also about the timing behavior of the NAT devices. After all, it’s UDP. I may be wrong, but SIP itself does not have the mechanisms that VPN solutions have on board to keep everything alive and to reconnect, if necessary.
There might be other reasons to use OpenVPN, as some mobile nets block SIP traffic. Blocking VPN tunnels might not be so easy, but in some countries they are forbidden.
Then you say that, using OpenVPN in the firewalls and not using a proxy, and only one user, the Asterisk users can be in whatever place of the NAT and that works??? Of course, if there is not a second NAT behind that OpenVPN gg