FortiWiFi 60E
v. 7.2.4
3CX PBX
External SIP trunk
RTP and SIP port forwarding (VIP)
RTP UDP 9000-10999
SIP TCP/UDP 5060
Traffic Shaping Policy:
When I check
diagnose netlink interface list wan1
I see that the class ID 8 forwarded bytes change during the established call (external).
But when I check sessions:
# diagnose sys session filter proto 17
# diagnose sys session list
I have the following output:
session info: proto=17 proto_state=01 duration=21 expire=170 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=600/3/1 reply=114840/582/1 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=37->6/6->37 gwy=69.x.x.x/10.10.5.25
hook=post dir=org act=snat 10.10.5.25:9060->199.x.x.x:51164(69.x.x.x:9060)
hook=pre dir=reply act=dnat 199.x.x.x:51164->69.x.x.x:9060(10.10.5.25:9060)
hook=post dir=reply act=noop 199.x.x.x:51164->10.10.5.25:9060(0.0.0.0:0)
src_mac=12:b5:51:93:3a:0a
misc=0 policy_id=1 pol_uuid_idx=610 auth_info=0 chk_client_info=0 vd=0
serial=001aa2e9 tos=ff/ff app_list=2000 app=0 url_cat=0
rpdb_link_id=80000000 ngfwid=n/a
npu_state=0x4003408 ofld-O
npu info: flag=0x281/0x00, offload=8/0, ips_offload=0/0, epid=254/0, ipid=77/0, vlan=0x0000/0x0000
vlifid=77/0, vtag_in=0x0000/0x0000 in_npu=1/0, out_npu=1/0, fwd_en=0/0, qid=1/0
no_ofld_reason:
ofld_fail_reason(kernel, drv): none/not-established, none(0)/none(0)
npu_state_err=00/24
session info: proto=17 proto_state=01 duration=2824 expire=170 timeout=0 flags=00000000 socktype=0 sockport=5060 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=8 shaping_policy_id=9 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu nlb app_valid
statistic(bytes/packets/allow_err): org=62537/88/1 reply=40894/83/1 tuples=3
tx speed(Bps/kbps): 22/0 rx speed(Bps/kbps): 14/0
orgin->sink: org pre->post, reply pre->post dev=37->6/6->37 gwy=69.x.x.x/10.10.5.25
hook=post dir=org act=snat 10.10.5.25:5060->199.x.x.x:5060(69.x.x.x:5060)
hook=pre dir=reply act=dnat 199.x.x.x:5060->69.x.x.x:5060(10.10.5.25:5060)
hook=post dir=reply act=noop 199.x.x.x:5060->10.10.5.25:5060(0.0.0.0:0)
src_mac=12:b5:51:93:3a:0a
misc=0 policy_id=1 pol_uuid_idx=610 auth_info=0 chk_client_info=0 vd=0
serial=0019c3b6 tos=2e/2e app_list=2000 app=34640 url_cat=0
rpdb_link_id=80000000 ngfwid=n/a
npu_state=0x4003408 ofld-O
npu info: flag=0x281/0x00, offload=8/0, ips_offload=0/0, epid=254/0, ipid=77/0, vlan=0x0000/0x0000
vlifid=77/0, vtag_in=0x0000/0x0000 in_npu=1/0, out_npu=1/0, fwd_en=0/0, qid=0/0
no_ofld_reason:
ofld_fail_reason(kernel, drv): none/not-established, none(0)/none(0)
npu_state_err=00/24
SIP is processed by the Traffic Shaping Policy (ID 9), but RTP is not (port 9060 in this output).
I can't figure it out.
UPDATE:
While my post was marked as spam (?), I guess, I figured it out.
The reason for this problem was my custom RTP_3CX service.
Initially it contained only destination ports 9000-10999.
New:
I do not know if this is the right way to create a custom service, but it worked for me.
This is my final RTP_3CX (a custom service) configuration that worked for me.
config firewall service custom
edit "RTP_3CX"
set category "VoIP, Messaging & Other Applications"
set comment "Specific ports for 3CX PBX"
set color 7
set udp-portrange 49152-65535:9000-10999 9000-10999:49152-65535
next
end
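To see why the original service missed the RTP session, it helps to check a session dump against the service definition the way the firewall would: the original direction of the RTP session above is PBX 10.10.5.25:9060 to the carrier's high port 51164, so a service that only lists destination ports 9000-10999 never matches it. The following is an added example, not the poster's code or a Fortinet tool; it assumes FortiOS's documented udp-portrange syntax of dst-low-dst-high:src-low-src-high (a token without ":" matching any source port) and uses a constructed dump with documentation addresses in place of the masked ones.

```python
import re

# Constructed sample modelled on the two UDP sessions in the post (addresses are
# documentation placeholders, not the poster's). Only the lines the check reads are kept.
SESSION_DUMP = """\
session info: proto=17 proto_state=01 duration=21 expire=170 timeout=0
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
hook=post dir=org act=snat 10.10.5.25:9060->198.51.100.7:51164(203.0.113.9:9060)
session info: proto=17 proto_state=01 duration=2824 expire=170 timeout=0
class_id=8 shaping_policy_id=9 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
hook=post dir=org act=snat 10.10.5.25:5060->198.51.100.7:5060(203.0.113.9:5060)
"""

# Pre-NAT source and destination ports of the original direction (numeric IPs only).
ORG_HOOK = re.compile(r"hook=post dir=org act=\w+ [\d.]+:(\d+)->[\d.]+:(\d+)")


def parse_sessions(dump):
    """Split a 'diagnose sys session list' dump into dicts with proto, class_id,
    shaping_policy_id and the original-direction source/destination ports."""
    sessions = []
    for line in dump.splitlines():
        if line.startswith("session info:"):
            sessions.append({"proto": int(re.search(r"proto=(\d+)", line).group(1)),
                             "class_id": 0, "shaping_policy_id": None})
        elif line.startswith("class_id="):
            sessions[-1]["class_id"] = int(re.search(r"class_id=(\d+)", line).group(1))
            m = re.search(r"shaping_policy_id=(\d+)", line)
            sessions[-1]["shaping_policy_id"] = int(m.group(1)) if m else None
        elif m := ORG_HOOK.search(line):
            sessions[-1]["src_port"], sessions[-1]["dst_port"] = int(m.group(1)), int(m.group(2))
    return sessions


def parse_portrange(spec):
    """Assumed FortiOS syntax: each token is dst-low-dst-high[:src-low-src-high];
    a token without ':' matches any source port."""
    ranges = []
    for token in spec.split():
        dst, _, src = token.partition(":")
        dlo, _, dhi = dst.partition("-")
        slo, _, shi = (src or "1-65535").partition("-")
        ranges.append(((int(dlo), int(dhi or dlo)), (int(slo), int(shi or slo))))
    return ranges


def service_matches(spec, src_port, dst_port):
    return any(dlo <= dst_port <= dhi and slo <= src_port <= shi
               for (dlo, dhi), (slo, shi) in parse_portrange(spec))


def audit(dump, spec, proto=17):
    """Per session of the given protocol: (src, dst, service would match, shaper assigned)."""
    return [(s["src_port"], s["dst_port"], service_matches(spec, s["src_port"], s["dst_port"]),
             s["class_id"] != 0) for s in parse_sessions(dump) if s["proto"] == proto]
```

Running audit(SESSION_DUMP, "9000-10999") reports the RTP session as unmatched and unshaped, while the two-token service from the final configuration matches it in both directions; the SIP session shows as shaped regardless because it is matched by a separate SIP service, not RTP_3CX.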