lk777
New Contributor

VoIP Traffic Shaping Policy RTP problems

FortiWiFi 60E

v. 7.2.4

 

3CX PBX

External SIP trunk

 

RTP and SIP port forwarding (VIP)

RTP UDP 9000-10999

SIP TCP/UDP 5060

Traffic Shaping Policy:

[Screenshot: 2023-04-11 16 50 41.jpg]

When I check

diagnose netlink interface list wan1

I see that the class ID 8 forwarded bytes change during the established call (external).

 

But when I check sessions:

# diagnose sys session filter proto 17

# diagnose sys session list

I have the following output:

session info: proto=17 proto_state=01 duration=21 expire=170 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu 
statistic(bytes/packets/allow_err): org=600/3/1 reply=114840/582/1 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=37->6/6->37 gwy=69.x.x.x/10.10.5.25
hook=post dir=org act=snat 10.10.5.25:9060->199.x.x.x:51164(69.x.x.x:9060)
hook=pre dir=reply act=dnat 199.x.x.x:51164->69.x.x.x:9060(10.10.5.25:9060)
hook=post dir=reply act=noop 199.x.x.x:51164->10.10.5.25:9060(0.0.0.0:0)
src_mac=12:b5:51:93:3a:0a
misc=0 policy_id=1 pol_uuid_idx=610 auth_info=0 chk_client_info=0 vd=0
serial=001aa2e9 tos=ff/ff app_list=2000 app=0 url_cat=0
rpdb_link_id=80000000 ngfwid=n/a
npu_state=0x4003408 ofld-O
npu info: flag=0x281/0x00, offload=8/0, ips_offload=0/0, epid=254/0, ipid=77/0, vlan=0x0000/0x0000
vlifid=77/0, vtag_in=0x0000/0x0000 in_npu=1/0, out_npu=1/0, fwd_en=0/0, qid=1/0
no_ofld_reason: 
ofld_fail_reason(kernel, drv): none/not-established, none(0)/none(0)
npu_state_err=00/24



session info: proto=17 proto_state=01 duration=2824 expire=170 timeout=0 flags=00000000 socktype=0 sockport=5060 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=8 shaping_policy_id=9 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu nlb app_valid 
statistic(bytes/packets/allow_err): org=62537/88/1 reply=40894/83/1 tuples=3
tx speed(Bps/kbps): 22/0 rx speed(Bps/kbps): 14/0
orgin->sink: org pre->post, reply pre->post dev=37->6/6->37 gwy=69.x.x.x/10.10.5.25
hook=post dir=org act=snat 10.10.5.25:5060->199.x.x.x:5060(69.x.x.x:5060)
hook=pre dir=reply act=dnat 199.x.x.x:5060->69.x.x.x:5060(10.10.5.25:5060)
hook=post dir=reply act=noop 199.x.x.x:5060->10.10.5.25:5060(0.0.0.0:0)
src_mac=12:b5:51:93:3a:0a
misc=0 policy_id=1 pol_uuid_idx=610 auth_info=0 chk_client_info=0 vd=0
serial=0019c3b6 tos=2e/2e app_list=2000 app=34640 url_cat=0
rpdb_link_id=80000000 ngfwid=n/a
npu_state=0x4003408 ofld-O
npu info: flag=0x281/0x00, offload=8/0, ips_offload=0/0, epid=254/0, ipid=77/0, vlan=0x0000/0x0000
vlifid=77/0, vtag_in=0x0000/0x0000 in_npu=1/0, out_npu=1/0, fwd_en=0/0, qid=0/0
no_ofld_reason: 
ofld_fail_reason(kernel, drv): none/not-established, none(0)/none(0)
npu_state_err=00/24

SIP is processed by the Traffic Shaping Policy (ID 9), but RTP is not (in this output, port 9060).

 

I can't figure it out.

 

UPDATE:

While my post was marked as spam (?), I guess, I figured it out.

The reason for this problem was my custom RTP_3CX service.

Initially it contained only destination ports 9000-10999.

 

New:

[Screenshot: RTP.jpg]

I do not know if this is the right way to create a custom service, but it worked for me.

 

 

1 REPLY
lk777
New Contributor

This is my final RTP_3CX (a custom service) configuration that worked for me.

 

config firewall service custom
    edit "RTP_3CX"
        set category "VoIP, Messaging & Other Applications"
        set comment "Specific ports for 3CX PBX"
        set color 7
        set udp-portrange 49152-65535:9000-10999 9000-10999:49152-65535
    next
end
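
Added example (not part of the original posts and not Fortinet code): the script below parses trimmed copies of the two session records shown above and checks each session's originating-direction ports against a udp-portrange value in FortiOS dst[:src] form, showing that the destination-only 9000-10999 entry does not cover the 9060->51164 flow while the final configuration does. The function names, and treating an entry without a source part as matching any source port, are assumptions.

```python
import re

# Trimmed from the two session records in the post (addresses masked as posted).
SESSIONS = """\
session info: proto=17 proto_state=01 duration=21 expire=170
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
hook=post dir=org act=snat 10.10.5.25:9060->199.x.x.x:51164(69.x.x.x:9060)

session info: proto=17 proto_state=01 duration=2824 expire=170
class_id=8 shaping_policy_id=9 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
hook=post dir=org act=snat 10.10.5.25:5060->199.x.x.x:5060(69.x.x.x:5060)
"""

# Source and destination port of the originating direction, before NAT.
ORG = re.compile(r"dir=org act=\S+ \S+?:(\d+)->\S+?:(\d+)\(")

def parse_sessions(text):
    """Return one dict per 'session info:' record: shaping fields and org-direction ports."""
    out = []
    for rec in text.split("session info:")[1:]:
        org = ORG.search(rec)
        cls = re.search(r"\bclass_id=(\d+)", rec)
        pol = re.search(r"shaping_policy_id=(\d+)", rec)
        out.append({"class_id": int(cls.group(1)),
                    "shaping_policy_id": int(pol.group(1)) if pol else None,
                    "sport": int(org.group(1)), "dport": int(org.group(2))})
    return out

def _in(port, rng):
    lo, _, hi = rng.partition("-")
    return int(lo) <= port <= int(hi or lo)

def service_matches(portrange, sport, dport):
    """Check ports against a udp-portrange value: space-separated dst[:src] entries.
    Assumption: an entry with no source part accepts any source port."""
    for entry in portrange.split():
        dst, _, src = entry.partition(":")
        if _in(dport, dst) and (not src or _in(sport, src)):
            return True
    return False

OLD = "9000-10999"  # destination-only, as the post describes the first version
NEW = "49152-65535:9000-10999 9000-10999:49152-65535"  # final config from the post

def unshaped_rtp(sessions, lo=9000, hi=10999):
    """Sessions touching the RTP port range that carry no shaping_policy_id."""
    return [s for s in sessions if s["shaping_policy_id"] is None
            and (lo <= s["sport"] <= hi or lo <= s["dport"] <= hi)]
```

Running unshaped_rtp(parse_sessions(...)) over saved diagnose sys session list output lists the RTP flows that no shaping policy picked up, and service_matches shows whether a candidate port range would cover them.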

 
