VoIP Home Lab
A complete unified communications environment built from the ground up for hands-on learning and real-world practice.
This lab bridges the gap between CCNA networking theory and real-world VoIP deployment. It demonstrates how Layer 2/3 concepts, VLANs, QoS, and NAT interact in a production telephony environment.
Physical Hardware Inventory
Arris TG3452A
ISP-provided cable modem in bridge mode
TP-Link ER605 V2
Main router handling inter-VLAN routing
Cisco Catalyst 3750-48PS-S
L3 switch with 802.1Q trunking and PoE
Yealink SIP-T21P E2
Two IP desk phones
Debian 12 Server
FreePBX host on Dell OptiPlex
Raspberry Pi 5
LibreNMS monitoring server
Logical Network Map
| VLAN | Purpose | Subnet | Gateway |
|---|---|---|---|
| VLAN 1 | Management | 192.168.0.0/24 | 192.168.0.1 |
| VLAN 10 | Data | 192.168.10.0/24 | 192.168.10.1 |
| VLAN 20 | VoIP | 192.168.20.0/24 | 192.168.20.1 |
IP Address Reference
| Device | IP Address | VLAN | Notes |
|---|---|---|---|
| TP-Link ER605 | 192.168.0.1 | Management | Router, DHCP server |
| Cisco 3750 | 192.168.0.2 | Management | Switch SVI |
| FreePBX Server | 192.168.10.100 | Data | Debian 12 + Docker |
| LibreNMS (Pi 5) | 192.168.0.101 | Management | Monitoring |
| Yealink Phone 1 | 192.168.10.101 | Data | Ext 1001 |
| Yealink Phone 2 | 192.168.10.102 | Data | Ext 1002 |
| Homer SIP Capture | 127.0.0.1:9060 | Localhost | Docker container |
Network Diagram
Visual representation of the complete VoIP lab topology, including VLAN segmentation and SIP trunk connection.
Diagramming Decisions
| Element | Representation | Rationale |
|---|---|---|
| SIP Trunk Lines | Dashed lines | Indicates logical/virtual connection, not physical cable |
| ISP Cloud | Cloud icon | Implies continuation beyond the diagram boundary |
| VLAN Boxes | Background shading | Visual grouping of devices in same broadcast domain |
| Trunk Link | 802.1Q label | Indicates tagged VLAN traffic on that port |
Port Reference: Fa1/0/48 is the trunk port connecting Cisco 3750 to TP-Link ER605. Fa1/0/25 connects to Yealink phones (when on VLAN 20), Fa1/0/13 connects to FreePBX server.
SIP Fundamentals
Understanding the Session Initiation Protocol and its role in modern VoIP communications.
SIP Protocol Deep Dive
SIP is signaling-only — it sets up, modifies, and tears down calls. It does not carry audio. SIP is a text-based protocol (similar to HTTP) that operates on UDP/TCP port 5060.
SIP (Session Initiation Protocol)
Text-based signaling protocol operating on UDP/TCP port 5060
• Sets up, modifies, and tears down sessions
• Handles registration, authentication, call routing
• Negotiates media parameters via SDP
• Routes calls to endpoints and trunks
Analogy: The postal service delivering call setup instructions
RTP (Real-time Transport Protocol)
Binary protocol carrying actual voice/video packets on dynamic UDP ports
• Transports actual voice packets directly between endpoints
• Bypasses the PBX once the call is established
• Provides sequence numbers and timestamps
• RTCP companion provides QoS feedback
Analogy: The actual phone line carrying your voice
SDP: Session Description Protocol
SDP travels inside SIP and negotiates codecs and RTP ports. When a phone sends an INVITE, it includes an SDP body describing:
- Codecs supported: G.711 μ-law, G.729, etc.
- RTP port: Where to send audio (e.g., port 10004)
- IP address: Where the media should be sent
v=0
o=- 12345 12345 IN IP4 192.168.10.101
s=Yealink call
c=IN IP4 192.168.10.101
t=0 0
m=audio 10004 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
RTCP: Real-time Transport Control Protocol
RTCP is RTP’s companion protocol that monitors stream quality. It reports on:
- Jitter: Variation in packet arrival timing
- Packet loss: Percentage of lost packets
- MOS score: Mean Opinion Score (voice quality rating)
- Round-trip time: Latency measurement
SIP handles the “business logic” of calls (who, where, when), while RTP/RTCP handle the “physics” of audio (how, what quality). This separation is why SIP phones can register through a PBX, but RTP streams flow directly between endpoints.
The B2BUA Model
FreePBX/Asterisk acts as a Back-to-Back User Agent — this is critical to understanding SIP call flows.
A B2BUA terminates and re-originates SIP sessions. For every call, there are two INVITE legs: one from caller to PBX, one from PBX to callee. This allows the PBX to manipulate headers, enforce policies, and bridge incompatible endpoints.
Typical Call Flow
Phone A (1001) FreePBX Phone B (1002)
| | |
|---- INVITE (to PBX) -------->| |
|<--- 100 Trying --------------| |
|<--- 180 Ringing -------------| |
| |---- INVITE (to 1002) --->|
| |<--- 100 Trying ----------|
| |<--- 180 Ringing ---------|
|<--- 180 Ringing (relayed) ---| |
| |<--- 200 OK --------------|
|<--- 200 OK (relayed) --------| |
|---- ACK -------------------->|---- ACK ---------------->|
|<=== RTP Media =============>|<=== RTP Media ==========>|
| | |NAT Traversal
Why Network Address Translation breaks SIP, and comprehensive solutions.
The Core Problem
When a phone behind NAT puts a private IP in the SDP body, the remote side can’t send RTP back — causing one-way audio. SIP embeds IP addresses inside message bodies (SDP), not just headers. When NAT rewrites packet headers, the body remains unchanged — causing a mismatch.
Scenario: Internal phone (192.168.10.101) sends INVITE with SDP containing its private IP. Provider receives public NAT IP in headers but private IP in SDP body. RTP returns to wrong destination.
NAT Traversal Solutions
Disable SIP ALG
First and most important step on the router
External IP in FreePBX
Configure NAT settings in Asterisk SIP Settings
STUN Server
Helps endpoints discover their public IP
RTP Port Range
Open UDP 10000–20000 on the firewall
STUN: Session Traversal Utilities for NAT
STUN allows endpoints to discover their public IP and port mappings. The phone queries a STUN server, receives its public address, and uses that in SDP.
Phone → STUN server (stun.l.google.com:19302): “What’s my public IP?”
STUN server → Phone: “Your public address is 203.0.113.45:51234”
From Domain Fix
For VoIP.ms trunk, the From Domain setting in FreePBX forces the correct public identity in SIP headers. This ensures the provider recognizes the registration and routes inbound calls correctly.
Configuration: In FreePBX PJSIP trunk settings, set “From Domain” to newyork1.voip.ms to match your POP (Point of Presence).
SIP ALG: The Silent Killer
SIP Application Layer Gateway attempts to fix NAT issues by rewriting SIP bodies. In practice, it often:
- Mangles SDP with incorrect IP addresses
- Breaks SIP message integrity
- Causes intermittent registration failures
- Corrupts packet payloads
Best Practice: Disable SIP ALG on all routers/firewalls. Use proper NAT configuration in the PBX instead.
UDP Session Timeouts
Routers maintain UDP “connections” in state tables. When idle, these entries expire. VoIP phones send periodic OPTIONS or re-REGISTER to keep sessions alive. When phones were moved to VLAN 10 (same subnet as FreePBX), session timeout issues disappeared because traffic no longer traversed the router.
QoS Theory
Voice traffic needs guaranteed low-latency forwarding to maintain call quality.
Why QoS is Essential
Voice traffic is uniquely sensitive to network conditions. Without QoS, data traffic (file transfers, streaming) can starve voice packets, causing choppy audio and dropped calls.
A large file download can saturate your bandwidth. Without prioritization, voice packets queue behind data packets, causing delay and jitter. QoS ensures voice gets priority treatment.
Layer 2: CoS (Class of Service)
CoS uses the 802.1p field in the Ethernet frame to mark priority at Layer 2.
| CoS Value | Traffic Type | Use Case |
|---|---|---|
| 5 | Voice Bearer (RTP) | Highest priority for actual voice packets |
| 3 | Voice Signaling (SIP) | Second priority for call setup/control |
| 1 | Best Effort | Standard data traffic |
| 0 | Default | Unmarked traffic |
Switch(config-if)# mls qos trust cos
Layer 3: DSCP (Differentiated Services Code Point)
DSCP uses the 6-bit field in the IP header for priority marking. It’s more granular than CoS and survives across Layer 3 boundaries.
| DSCP Value | Name | Traffic Type |
|---|---|---|
| EF (46) | Expedited Forwarding | RTP voice media |
| AF31 (26) | Assured Forwarding | SIP signaling |
| CS0 (0) | Class Selector | Best effort data |
Switch(config-if)# mls qos trust dscp
QoS Implementation Best Practices
- Trust, don’t remark: IP phones already mark correctly; just trust their markings
- Apply at the edge: Set QoS policies at access ports where phones connect
- End-to-end: QoS markings must be honored throughout the network path
- WAN links: Most critical point — prioritize before traffic leaves the building
VLAN Theory
Voice must be isolated on its own VLAN for security, QoS, and performance.
Why Voice Needs Its Own VLAN
- QoS Policies: Apply different quality-of-service rules to voice vs. data
- Reduced Broadcast Domain: Smaller broadcast domains improve performance
- Security: Isolate voice traffic from data network sniffing
- Prevent Competition: Stop data traffic from competing with voice bandwidth
switchport voice vlan
The switchport voice vlan command signals the phone via CDP/LLDP to tag its voice frames. The phone separates voice and PC traffic onto different VLANs using the same physical cable.
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport voice vlan 20
DHCP Option 66: Zero-Touch Provisioning
DHCP Option 66 enables zero-touch provisioning by pointing phones to a provisioning server (TFTP/HTTP) on boot. The phone automatically downloads its configuration.
option 66 ascii “http://192.168.10.100/provisioning”
LLDP-MED (Link Layer Discovery Protocol – Media Endpoint Discovery)
LLDP-MED is an extension of LLDP that allows network devices to advertise:
- Voice VLAN ID
- QoS configuration
- Power over Ethernet (PoE) requirements
RTP Quality Thresholds
Accepted benchmarks for acceptable voice quality.
Voice Quality Benchmarks
| Metric | Acceptable | Excellent | Notes |
|---|---|---|---|
| Jitter | < 30ms | < 10ms | Variation in packet arrival |
| Packet Loss | < 1% | < 0.1% | Causes audio gaps |
| Latency (one-way) | < 150ms | < 50ms | Round-trip < 300ms |
| MOS Score | > 3.5 | > 4.0 | Mean Opinion Score (1-5) |
MOS Score (Mean Opinion Score)
MOS is a subjective quality rating from 1 to 5, where listeners rate voice quality. It’s calculated based on network metrics:
- 5.0: Excellent — Face-to-face conversation quality
- 4.0-4.5: Good — Toll quality (PSTN standard)
- 3.5-4.0: Acceptable — Minor impairment
- 3.0-3.5: Fair — Noticeable degradation
- < 3.0: Poor — Unacceptable for business use
Factors Affecting Voice Quality
Jitter
Variation in packet arrival time
Packet Loss
Missing audio data
Latency
One-way delay
FreePBX / Asterisk Architecture
Understanding how the PBX routes and processes calls.
Core Components
Extensions (chan_pjsip)
Endpoints that register to the PBX
Trunks
Connections to the PSTN
Inbound Routes
Match incoming DIDs to destinations
Outbound Routes
Match dial patterns to trunks
Call Routing Logic
| Feature | Purpose |
|---|---|
| IVR | Interactive Voice Response — menu systems (“Press 1 for Sales”) |
| Ring Groups | Simultaneously ring multiple extensions |
| Queues | ACD (Automatic Call Distribution) with hold music |
| Time Conditions | Route calls differently based on time/date |
| Follow Me | Forward calls to external numbers |
| Voicemail | Message recording with email notification |
Call Flow Example
Incoming Call (DID 814-667-5639)
↓
Inbound Route (matches DID)
↓
Time Condition (business hours?)
↓
IVR ("Thank you for calling...")
↓
Ring Group (ext 1001, 1002)
↓
Extension rings → Answer
↓
RTP stream establishedAnalog / POTS
Understanding legacy telephony infrastructure and migration to VoIP.
FXS vs FXO Ports
| Type | Full Name | Function | Analogy |
|---|---|---|---|
| FXS | Foreign Exchange Station | Powers the phone, provides dial tone | The wall jack in your house |
| FXO | Foreign Exchange Office | Connects to the PSTN | The phone cable you plug into the wall |
Memory trick: FXS = Serves the phone (provides power and dial tone). FXO = connects to the Office (PSTN).
Wiring Infrastructure
66-Blocks
Legacy punch-down blocks
110-Blocks
Modern punch-down standard
Tone and Probe
“Fox and Hound” cable tracing
Migrating from POTS to VoIP
When migrating legacy systems:
- Identify all analog lines (fax, alarms, elevator phones)
- Plan for ATA (Analog Telephone Adapter) or gateway devices
- Test fax machines — they often have issues with VoIP
- Ensure emergency lines (elevator, alarm) remain functional
SIP Response Codes
Understanding what SIP responses mean and how to troubleshoot them.
Response Code Categories
| Range | Category | Meaning |
|---|---|---|
| 1xx | Informational | Call is progressing |
| 2xx | Success | Request succeeded |
| 3xx | Redirection | Alternative location |
| 4xx | Client Error | Something wrong with the request |
| 5xx | Server Error | Server failed to process valid request |
| 6xx | Global Failure | No server can fulfill the request |
Common Response Codes
| Code | Name | Meaning / Troubleshooting |
|---|---|---|
| 100 | Trying | Normal — server received request and is processing |
| 180 | Ringing | Normal — destination is ringing |
| 200 | OK | Success — call connected or registration accepted |
| 401 | Unauthorized | Auth challenge — credentials required (normal during registration) |
| 403 | Forbidden | Bad credentials or blocked IP — check password and ACLs |
| 404 | Not Found | Extension not found — check extension number exists |
| 408 | Request Timeout | Unreachable — network issue or phone offline |
| 486 | Busy Here | Destination busy — phone in use |
| 488 | Not Acceptable | Codec mismatch — no common codec between endpoints |
| 503 | Service Unavailable | Server unavailable — trunk down or PBX overloaded |
Troubleshooting by Code
401 Loop
Continuous 401 responses
488 Codec Mismatch
No common audio codec
Network Configuration
VLAN setup, trunking, and inter-VLAN routing configuration.
802.1Q Trunking on Cisco 3750
Port Fa1/0/48 connects to the TP-Link ER605 and carries all VLANs as a trunk.
Switch(config-if)# description “Trunk to ER605”
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 1,10,20
Switch(config-if)# no shutdown
Why Trunking is Necessary
A single physical link carries multiple logical networks. Without trunking, each VLAN would need its own cable to the router. The TP-Link ER605 subinterfaces handle routing between VLANs.
VLAN Port Assignments
| Port Range | VLAN | Purpose |
|---|---|---|
| Fa1/0/1 – 12 | 1 | Management devices |
| Fa1/0/13 – 24 | 10 | Data network |
| Fa1/0/25 – 47 | 20 | VoIP (unused – phones moved to VLAN 10) |
| Fa1/0/48 | Trunk | Uplink to router |
Inter-VLAN Routing
The TP-Link ER605 handles Layer 3 routing between VLANs:
- Router: Maintains routing table, forwards between subnets
- Switch: Pure Layer 2 switching within each VLAN
ACL Limitation: TP-Link ACLs control inter-VLAN traffic at Layer 3. They do NOT apply to same-subnet Layer 2 traffic. This is why phones on VLAN 10 can reach FreePBX directly without ACL involvement.
WireGuard VPN & DDNS
Secure remote access configuration for managing the lab from anywhere.
NO-IP DDNS Configuration
Dynamic DNS keeps a consistent hostname despite changing public IP addresses.
| Setting | Value |
|---|---|
| Hostname | charliehomelab.ddns.net |
| Provider | NO-IP (noip.com) |
| Update Interval | Every 5 minutes |
| Purpose | Consistent endpoint for VPN connections |
WireGuard VPN Setup
WireGuard provides encrypted tunnel access to the lab network from remote locations.
VPN Subnet
10.200.200.0/24
Allowed IPs
192.168.0.0/16, 10.0.0.0/8
DNS
192.168.0.1 (ER605)
Configuration Purpose
- Secure Management: Access FreePBX GUI, SSH, and switch CLI remotely
- SIP Softphone: Run softphone apps that register as internal extensions
- Packet Capture: Remote SPAN session analysis via WireGuard
WireGuard VPN & DDNS
Secure remote access configuration for managing the lab from anywhere.
NO-IP DDNS Configuration
Dynamic DNS keeps a consistent hostname despite changing public IP addresses.
| Setting | Value |
|---|---|
| Hostname | charliehomelab.ddns.net |
| Provider | NO-IP (noip.com) |
| Update Interval | Every 5 minutes |
| Purpose | Consistent endpoint for VPN connections |
WireGuard VPN Setup
WireGuard provides encrypted tunnel access to the lab network from remote locations.
VPN Subnet
10.200.200.0/24
Allowed IPs
192.168.0.0/16, 10.0.0.0/8
DNS
192.168.0.1 (ER605)
Configuration Purpose
- Secure Management: Access FreePBX GUI, SSH, and switch CLI remotely
- SIP Softphone: Run softphone apps that register as internal extensions
- Packet Capture: Remote SPAN session analysis via WireGuard
FreePBX Configuration
Core Asterisk setup, extensions, and system configuration.
Extension Setup
Two extensions configured for the Yealink phones:
| Extension | User | Phone | Secret Type |
|---|---|---|---|
| 1001 | Line 1 | Yealink T21P E2 | SIP |
| 1002 | Line 2 | Yealink T21P E2 | SIP |
Phone Registration Process
- Phone boots and requests IP via DHCP (VLAN 10)
- Phone sends REGISTER to FreePBX (192.168.10.100:5060)
- FreePBX challenges with 401 Unauthorized (digest auth)
- Phone responds with credentials
- FreePBX accepts and updates AOR (Address of Record)
The delete=yes Voicemail Bug
Voicemail.conf had delete=yes set, causing messages to be deleted immediately after recording — before email notification could be sent. Messages appeared to be silently discarded.
How it was caught: sngrep showed successful SIP INVITE/200 OK flow to voicemail, but no message was playable. Log analysis revealed the file was deleted before the email handler processed it.
The fix: Changed to delete=no in voicemail.conf, allowing the message to persist after email delivery.
VoIP.ms SIP Trunk
Connecting to the public telephone network via VoIP.ms.
VoIP.ms Account Structure
| Component | Value | Purpose |
|---|---|---|
| Main Account | charliechen | Billing and primary login |
| Sub-account | charliechen_homepbx | SIP registration endpoint |
| DID | 814-667-5639 | Public phone number |
| POP | newyork1.voip.ms | Point of Presence |
PJSIP Trunk Configuration
Username: charliechen_homepbx
Secret: [redacted]
SIP Server: newyork1.voip.ms
SIP Server Port: 5060
From Domain: newyork1.voip.ms
From User: charliechen_homepbx
Transport: 0.0.0.0-udp
Match Permit: 208.100.60.0/24
Key Settings Explained
- From Domain: Ensures provider recognizes the registration origin
- Match Permit: Restricts inbound calls to VoIP.ms IP range
- chan_pjsip: Modern SIP channel driver replacing legacy chan_sip
Firewall & fail2ban
Securing the VoIP server against attacks and unauthorized access.
FreePBX Firewall Module Disabled
The integrated firewall module was disabled due to a compatibility issue with Debian 12.
FreePBX firewall uses iptables --wait-interval which behaves differently in Debian 12’s iptables version. This caused a crash loop where the firewall would restart, fail, and restart continuously.
Solution: Manage iptables directly without the FreePBX module.
Direct iptables Management
$ iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
$ iptables -A INPUT -i lo -j ACCEPT
$ iptables -A INPUT -p udp –dport 5060 -j ACCEPT
$ iptables -A INPUT -p udp –dport 10000:20000 -j ACCEPT
$ iptables -A INPUT -p tcp –dport 80 -j ACCEPT
$ iptables -A INPUT -p tcp –dport 443 -j ACCEPT
$ iptables -A INPUT -p tcp –dport 22 -s 192.168.0.0/16 -j ACCEPT
$ iptables -P INPUT DROP
fail2ban Configuration
fail2ban monitors logs and bans IPs showing malicious patterns (brute force, scanning).
Essential jail.local Whitelist Entries
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.0.0/16 10.0.0.0/8 \
208.100.60.0/24
| Whitelisted Range | Reason |
|---|---|
| 192.168.0.0/16 | Internal networks – never ban local devices |
| 10.0.0.0/8 | VPN subnet for remote access |
| 208.100.60.0/24 | VoIP.ms servers – registration traffic |
Without VoIP.ms IPs whitelisted, legitimate registration traffic can trigger fail2ban (especially during re-registration storms). This caused Scenario 1: phones failing to register after a power cycle when fail2ban auto-banned the VoIP.ms IP.
Packet Capture & SIP Analysis
Tools and techniques for analyzing VoIP traffic.
Cisco SPAN Session
Switched Port Analyzer (SPAN) mirrors traffic from source ports to a destination for capture.
Switch(config)# monitor session 1 destination interface Fa1/0/1
Switch(config)# monitor session 1 encapsulation dot1q
| Setting | Value | Purpose |
|---|---|---|
| Source | Fa1/0/13-24 | FreePBX and phone ports |
| Destination | Fa1/0/1 | Laptop running Wireshark |
| Encapsulation | dot1q | Preserve VLAN tags in capture |
sngrep: Terminal SIP Analysis
sngrep is a terminal-based SIP flow viewer — essential for quick diagnostics without GUI tools.
# Launch interactive SIP ladder view
$ sngrep -r # Show RTP stream analysis
$ sngrep -c # Capture mode
Reading a SIP Ladder
- Horizontal flow: Time progression left-to-right
- Vertical lines: Each SIP endpoint (phones, PBX, provider)
- Arrows: SIP messages between endpoints
- Colors: Request vs. response, success vs. error
tcpdump on FreePBX
Capture directly on the FreePBX server when SPAN isn’t available:
$ tcpdump -i eth0 -w capture.pcap port 5060
# Capture RTP traffic (verbose)
$ tcpdump -i eth0 port 10000:20000 -v
Wireshark Telephony Features
Wireshark provides specialized VoIP analysis tools:
- Telephony → VoIP Calls → Flow Sequence: Shows the full call ladder diagram
- Telephony → RTP → RTP Streams: Shows jitter, loss, and MOS per call
- Statistics → Flow Graph: Visual representation of packet flow
- Telephony → SIP: Filter and analyze SIP traffic specifically
Wireshark Filters
sip # All SIP traffic
rtp || rtcp # Media streams
sip.Method == “INVITE” # Call setups only
ip.addr == 192.168.10.100 # Specific host
sip.Status-Code == 401 # Auth challenges
Homer SIP Capture
Homer provides web-based SIP capture and analysis with HEP protocol.
Deployment
Docker on FreePBX machine (x86_64)
HEP Protocol
Homer Encapsulation Protocol
Homer was originally attempted on Raspberry Pi 5 but failed because Docker images are x86_64 only. No ARM64 builds available. Moved Homer to FreePBX server (x86_64 Debian).
LibreNMS Monitoring
Network monitoring and alerting with SNMP.
LibreNMS Deployment
Running on Raspberry Pi 5, LibreNMS polls network devices every 5 minutes and tracks:
- Interface statistics: Bandwidth, errors, drops per port
- CPU and memory: Switch and router utilization
- Environmental: Temperature sensors (where available)
- Uptime: Device availability tracking
SNMP Configuration
Switch(config)# snmp-server contact “admin@charliehomelab.ddns.net”
SNMPv2c vs. SNMPv3
| Version | Authentication | When to Use |
|---|---|---|
| SNMPv2c | Community string only | Internal trusted networks, simple deployments |
| SNMPv3 | User-based auth + encryption | Multi-tenant, compliance requirements, WAN exposure |
SNMPv3 Configuration (Configured on 3750)
Switch(config)# snmp-server user labuser LABGROUP v3 auth sha Password1 priv aes 128 SecretKey
| Parameter | Value | Description |
|---|---|---|
| Group | LABGROUP | Access control group |
| User | labuser | SNMP username |
| Security Level | authPriv | Authentication + Privacy (encryption) |
| Auth Protocol | SHA | SHA-1 hashing |
| Priv Protocol | AES128 | AES 128-bit encryption |
Troubleshooting Scenarios
Real problems encountered and their resolutions, plus systematic troubleshooting patterns.
Troubleshooting Patterns
Common symptom-to-solution mappings for VoIP issues:
| Symptom | Check These | Likely Cause |
|---|---|---|
| “Not Registered” | Credentials, VLAN routing, FreePBX firewall, SIP ALG | Auth failure, network issue, or ALG mangling |
| “Choppy audio” | RTP jitter/loss in Wireshark, QoS config | Network congestion, QoS not applied |
| “One-way audio” | NAT configuration, SIP ALG, FreePBX external IP | SDP contains private IP, RTP blocked |
| “Drops at 30 min” | SIP session timer, UDP timeout | Session timer expiry, enable keepalives |
Systematic Diagnostics
Not Registered
Phone shows registration failure
2. Verify VLAN routing (can phone ping PBX?)
3. Check FreePBX firewall isn’t blocking
4. Disable SIP ALG on router
5. Verify SIP port 5060 isn’t blocked
Choppy Audio
Garbled or interrupted voice
2. Verify QoS is applied on switch ports
3. Check for bandwidth saturation
4. Look for duplex mismatches
5. Verify no packet fragmentation
One-Way Audio
One party hears, other doesn’t
2. Disable SIP ALG on router
3. Verify RTP ports open (10000-20000)
4. Check SDP for private IP addresses
5. Verify firewall isn’t blocking RTP
Call Drops at 30 Min
Consistent disconnection
2. Check UDP timeout on router
3. Reduce SIP session timer values
4. Enable RTP keepalive packets
5. Consider same-subnet placement
Scenario Library
1Phones Failing to Register After Power Cycle
▼After power outage, both Yealink phones showed “Registering…” indefinitely. Calls between extensions failed.
- Checked phone web GUI – registration failing with “408 Request Timeout”
- sngrep showed no SIP traffic from phones reaching PBX
- Verified network connectivity (ping successful)
- Checked fail2ban status:
fail2ban-client status asterisk-iptables
fail2ban had auto-banned the VoIP.ms IP range (208.100.60.x) during registration attempts. Although phones register to local PBX, the ban list blocked all SIP traffic indiscriminately.
Added 208.100.60.0/24 to ignoreip in /etc/fail2ban/jail.local, then fail2ban-client unban --all and restarted phones.
Always whitelist your VoIP provider’s IP ranges in fail2ban. Provider traffic can look suspicious during re-registration storms.
2SIP Registration Instability
▼Phones registered briefly, then dropped. Random 401 Unauthorized errors. Registration flapping every few minutes.
- sngrep showed mangled SIP headers
- Via header contained wrong public IP
- Contact header was rewritten incorrectly
SIP ALG was enabled on the TP-Link ER605. It attempted to “help” with NAT by rewriting SIP headers but corrupted them instead.
Disabled SIP ALG in router settings: Advanced → NAT → SIP ALG → Off
SIP ALG causes more problems than it solves. Disable it everywhere and handle NAT properly in the PBX.
3Calls Dropping During Idle Periods
▼Active calls dropped after 2-5 minutes of silence (on hold or muted). Shorter calls completed fine.
- Packet capture showed RTP stream stopping abruptly
- BYE came from router, not either endpoint
- UDP session table on ER605 showed timeout values
TP-Link UDP session timeout (300 seconds) was shorter than typical call duration. Silent periods allowed NAT table entries to expire.
Moved phones to VLAN 10 (same subnet as FreePBX), eliminating NAT traversal for internal calls. For external calls, enabled RTP keepalive in Asterisk.
Keep voice traffic on same subnet when possible. When NAT is required, ensure keepalive packets maintain session state.
4Voicemail Silently Discarding Messages
▼Callers could leave voicemails, but no messages appeared in inbox. No email notifications sent. No error messages.
- sngrep showed successful call to *97 voicemail
- Asterisk logs showed voicemail recording completing
- No email logged in Postfix queue
- Checked voicemail.conf for
deleteparameter
delete=yes in voicemail.conf removed message files immediately after recording, before email handler could process them.
Changed to delete=no in voicemail.conf and reloaded Asterisk.
Delete-after-email options exist for a reason. When troubleshooting voicemail, always check the file system for .wav files.
5Homer Failing on Raspberry Pi
▼Homer containers continuously restarted. Web UI returned 502 Bad Gateway. Docker logs showed architecture errors.
docker logs homer-webappshowed exec format error- Checked Docker Hub – no ARM64 tags available
- Verified Pi architecture:
uname -m→ aarch64
Homer Docker images are x86_64 only. No ARM64 builds for Raspberry Pi.
Moved Homer deployment to FreePBX server (x86_64 Dell OptiPlex). Retained Pi 5 for LibreNMS only.
Always verify container architecture before deployment. Don’t assume x86_64 images work on ARM.
6Switch Web GUI Authentication Failure
▼Switch web interface showed login prompt but rejected all credentials. CLI SSH worked fine with same credentials.
- Verified enable secret was correct via CLI
- Checked
show ip http server status - Authentication method showed “local” but wasn’t applied correctly
HTTP server authentication wasn’t explicitly set to use local database.
ip http authentication local command enabled local authentication for web interface.
IOS HTTP server has separate auth configuration from VTY lines. Don’t assume they share settings.
7FreePBX Firewall Crash Loop
▼FreePBX GUI showed “Firewall: Error” banner. System log showed firewall restarting every 30 seconds. iptables rules not being applied.
- Checked
/var/log/asterisk/fullfor firewall errors - Found iptables –wait-interval errors
- Compared iptables version with working FreePBX installs
Debian 12 iptables deprecated –wait-interval flag. FreePBX firewall module expected older iptables behavior.
Disabled FreePBX firewall module. Implemented direct iptables rules via /etc/iptables/rules.v4
OS upgrades can break application assumptions. Check compatibility matrices before upgrading.
8Dropped ACK Fault Simulation
▼In Progress
Simulate dropped SIP ACK packets to understand retransmission behavior and call setup failures.
Using iptables to drop specific SIP packets:
INVITE receives 200 OK, but ACK is dropped. Remote side retransmits 200 OK. Call may fail or experience delay.
Command Reference
Quick lookup for commonly used commands across all platforms.
Cisco IOS
show vlan briefDisplay all VLANs and port assignmentsshow interface trunkShow trunk ports and allowed VLANsshow monitorDisplay SPAN session configurationshow mac address-tableView learned MAC addressesshow cdp neighborsList directly connected Cisco devicesshow ip int briefInterface status and IP addressesshow running-configDisplay active configurationwrite memorySave configuration to NVRAMmls qosEnable QoS globallymls qos trust dscpTrust DSCP markings on interfacemonitor session X sourceConfigure SPAN source portsmonitor session X destConfigure SPAN destination portLinux / Debian
iptables -L -v -nList all firewall rules with countersiptables -FFlush all iptables rulestcpdump -i eth0 -w cap.pcapCapture packets to filetcpdump port 5060Capture SIP trafficsystemctl status fail2banCheck fail2ban statusfail2ban-client statusShow fail2ban jail statusfail2ban-client unban --allUnban all IP addressesdocker psList running containersdocker logs containerView container logsip addr showDisplay network interfacesss -tulnShow listening TCP/UDP portsjournalctl -u serviceView service logsAsterisk CLI
asterisk -rvvvConnect to Asterisk console (verbose)sip show peersList SIP endpoints and statuspjsip show endpointsList PJSIP endpointscore show channelsDisplay active call channelscore show callsShow active call countvoicemail show usersList voicemail boxescore reloadReload configurationcore restart gracefullyRestart after active calls enddialplan showDisplay dialplan contextsrtp set debug onEnable RTP debuggingSIP Tools
sngrepInteractive SIP flow viewersngrep -rShow RTP stream analysissngrep -cCapture modeheplify -hsHEP capture for HomerWireshark Filters
sipAll SIP protocol trafficrtp || rtcpMedia streams and controlsip.Method == "INVITE"Call setup messages onlysip.Status-Code == 200Successful responsesip.addr == 192.168.10.100Specific host trafficudp.port == 5060SIP on standard portframe contains "REGISTER"Search packet payloadSNMP
snmpwalk -v2c -c public IPWalk MIB tree (v2c)snmpwalk -v3 -u user -l authPrivWalk with SNMPv3show snmp communityShow SNMP communities (IOS)show snmp userShow SNMPv3 users (IOS)