I am having issues forwarding port 5060 in my firewall/router to a FreeSWITCH server.
Our firewall/router is a Ubiquiti Edge Router X. The server's local IP is 10.0.0.216, the router's 10.0.0.1. Moreover, we have some other PCs in the network, let's say 10.0.0.10 etc.
Our public IP address is, let's say, 1.3.1.2 for example. The hostname example.com points to 1.3.1.2.
All traffic on port 5060 using tcp disappears entirely, while udp is working:
10.0.0.216 $ sudo netcat -l 5060
...
10.0.0.10 $ netcat 10.0.0.216 5060 # same using example.com instead of IP
test # does not appear at our destination host
...
10.0.0.216 $ netcat 10.0.0.216 5060 # even on local machine
test # does not appear in the other netcat
### Same for all other devices
10.0.0.10 $ sudo netcat -l 5060 # or even on any other machine in the network
...
10.0.0.10 $ netcat 10.0.0.216 5060
test # does not appear in the other netcat
### When using any other port
10.0.0.216 $ sudo netcat -l 5061 # for any other port it's working
...
external-device $ netcat example.com 5061
test # perfectly appears on our destination host
Even more confusing: even a local netcat on port localhost 5060 does not work, independent of the host. It is neither working locally on 10.0.0.216 nor on 10.0.0.10 (or any other local device). iptables -F does not contain anything aka is disabled as is ufw...
✗ sudo iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.18.0.0/16 0.0.0.0/0
MASQUERADE all -- 10.7.7.0/24 0.0.0.0/0
MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
MASQUERADE tcp -- 172.18.0.2 172.18.0.2 tcp dpt:80
MASQUERADE tcp -- 10.7.7.10 10.7.7.10 tcp dpt:3008
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
DNAT tcp -- 0.0.0.0/0 10.7.7.1 tcp dpt:5000 to:172.18.0.2:80
DNAT tcp -- 0.0.0.0/0 127.0.0.1 tcp dpt:3008 to:10.7.7.10:3008
✗ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (3 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.18.0.2 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 10.7.7.10 tcp dpt:3008
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
✗ sudo tcpdump -iany -vvn -s0 port 5060
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
06:25:50.779745 IP (tos 0x0, ttl 64, id 16067, offset 0, flags [DF], proto TCP (6), length 60)
10.0.0.10.53806 > 10.0.0.216.5060: Flags [S], cksum 0xa89c (correct), seq 156110932, win 64240, options [mss 1460,sackOK,TS val 1675345422 ecr 0,nop,wscale 7], length 0
...
$ netcat 10.0.0.216 -v 5060
10.0.0.216 5060 (sip): Connection refused
If using any other port instead of 5060, e.g. 5061, all localhost netcat, internal network netcats and external netcats work.
How can this happen? How do I make port 5060 work in my network?