The issue you're experiencing with UDP ports 5060, 5080, and 5061 not working despite being enabled in your security group and ufw settings is concerning, especially for a VoIP project using Freeswitch. Here are some potential reasons and steps to troubleshoot:
- Asymmetric routing: If your EC2 instance is in a private subnet with a NAT Gateway, there might be an asymmetric routing issue. Ensure that your EC2 instance is in a public subnet with a route to the Internet Gateway (IGW) if it needs to receive inbound traffic directly from the internet.
- Firewall configuration: Double-check your security group settings to ensure that the UDP ports are correctly configured for inbound traffic. Also, verify that the source IP range is set correctly (e.g., 0.0.0.0/0 for all incoming traffic).
- Network ACLs: Check if there are any Network ACLs (NACLs) applied to your subnet that might be blocking the UDP traffic. NACLs are stateless and need both inbound and outbound rules configured.
- Application configuration: Ensure that Freeswitch is properly configured to listen on these UDP ports and that it's bound to the correct network interface (0.0.0.0 to listen on all interfaces).
- OS-level firewall: Although you mentioned configuring ufw, double-check that the rules are active and correctly applied. You can temporarily disable ufw to test if it's causing the issue.
- Port conflicts: Use the 'netstat' command to check if any other process is already using these ports.
- VPC configuration: Verify that your VPC and subnet configurations allow the traffic you're expecting.
- Testing methodology: Ensure you're testing the UDP ports correctly. Unlike TCP, UDP doesn't establish a connection, so traditional connection tests might not work. Use appropriate tools for testing UDP connectivity.
If after checking these points the issue persists, you may need to engage AWS support or consult with a networking expert familiar with VoIP setups on AWS. Remember that VoIP applications often require specific network configurations to function properly in cloud environments.
Sources:
- VPC inbound traffic rules do not apply for UDP? Kind of BUG? | AWS re:Post
- When trying to start an application, it fails with the error "port already in use". | AWS re:Post
- Security Groups and Classic Ports | AWS re:Post
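The "testing methodology" and "port conflicts" points above are the ones people most often get wrong with UDP, so here is an added, self-contained example (not part of the answer above, and not FreeSWITCH or AWS code) that runs entirely on loopback. It shows that a UDP send succeeds even when nothing is listening, that the only real evidence of reachability is the datagram arriving at the listener, and how a bind attempt reveals a port already held by another process. Ports, payload and timeouts are constructed for the demo; run it on the server itself with the real SIP port to check the local half of the path.

```python
import socket

PAYLOAD = b"test"  # same 4-byte probe as `echo test | nc -u host 5060` (constructed)


def udp_port_in_use(port, bind_addr="127.0.0.1"):
    """True if a UDP socket cannot be bound to bind_addr:port, i.e. some other
    process (a second FreeSWITCH instance, a stale nc listener) already owns it.
    This is the programmatic form of checking `netstat -ulnp` / `ss -ulnp`."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        probe.bind((bind_addr, port))
        return False
    except OSError:  # EADDRINUSE
        return True
    finally:
        probe.close()


def udp_send_only(host, port, payload=PAYLOAD):
    """Hand one datagram to the kernel and return the byte count.
    There is no handshake: this succeeds whether or not anything is listening,
    which is why a sender-side 'it worked' proves nothing for UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
        return sender.sendto(payload, (host, port))


def udp_roundtrip(host="127.0.0.1", port=0, send_to_port=None,
                  payload=PAYLOAD, timeout=0.5):
    """Listener-side check. Binds host:port (0 = any free port), sends one
    datagram, and returns (bound_port, received). received is True only if the
    datagram arrived inside timeout; send_to_port lets you aim the probe at a
    port nobody listens on to see the silent-drop failure mode."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind((host, port))
        listener.settimeout(timeout)
        bound_port = listener.getsockname()[1]
        udp_send_only(host, send_to_port or bound_port, payload)
        try:
            data, _peer = listener.recvfrom(2048)
            return bound_port, data == payload
        except socket.timeout:
            return bound_port, False
    finally:
        listener.close()


def send_to_closed_port():
    """Show that sendto() to a port with no listener still returns the full
    payload length: the datagram is simply dropped (an ICMP port-unreachable,
    if any, is never surfaced to an unconnected sender)."""
    scratch = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    scratch.bind(("127.0.0.1", 0))
    free_port = scratch.getsockname()[1]
    scratch.close()  # nobody listens on free_port any more
    return udp_send_only("127.0.0.1", free_port)


def port_conflict_demo():
    """Bind a listener, observe the conflict, release it, observe it clear."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    holder.bind(("127.0.0.1", 0))
    port = holder.getsockname()[1]
    while_held = udp_port_in_use(port)
    holder.close()
    after_release = udp_port_in_use(port)
    return while_held, after_release


if __name__ == "__main__":
    print("roundtrip on a live listener:", udp_roundtrip())
    print("probe aimed at a dead port:", udp_roundtrip(send_to_port=9))
    print("sendto() to a closed port returned", send_to_closed_port())
    print("conflict while held / after release:", port_conflict_demo())
```

The listener-side result is the one that matters: if a probe from outside the VPC never shows up in `nc -u -l 5060` (or in this script's `recvfrom`), the drop is somewhere in the security group, NACL, ufw or the bind address, and the sender will not have told you.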
Also one thing to note: you need to check whether you are sure you need UDP, as with VoIP you can use TCP or UDP on those ports. 5061 needs TCP as it's encrypted traffic.
I usually use TCP on 5060 & 5061 and UDP for the media ports for the RTP streams.
Based on the FreeSWITCH documentation for EC2 deployments, several specific ports need to be opened for proper functionality:
Required Ports for FreeSWITCH
Complete Security Group Configuration:
- UDP 16384-32768 (RTP media stream ports)
- UDP 4569 (IAX2 protocol)
- UDP/TCP 5060 (standard SIP ports)
- UDP/TCP 5080 (alternate SIP ports)
- UDP/TCP 8000 (FreeSWITCH event socket)
AWS CLI Port Configuration
The documentation provides AWS CLI commands for opening the required ports. However, the commands use older EC2 CLI syntax. Here are the updated AWS CLI commands:
For SIP Signaling (Port 5060):
aws ec2 authorize-security-group-ingress --group-name freeswitch --protocol udp --port 5060 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-name freeswitch --protocol tcp --port 5060 --cidr 0.0.0.0/0
For RTP Media (Ports 16384-32768):
aws ec2 authorize-security-group-ingress --group-name freeswitch --protocol udp --port 16384-32768 --cidr 0.0.0.0/0
For Additional Required Ports:
aws ec2 authorize-security-group-ingress --group-name freeswitch --protocol udp --port 4569 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-name freeswitch --protocol udp --port 5080 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-name freeswitch --protocol tcp --port 5080 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-name freeswitch --protocol udp --port 8000 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-name freeswitch --protocol tcp --port 8000 --cidr 0.0.0.0/0
Critical Configuration Files
1. vars.xml Configuration
To properly handle NAT with EC2, configure external IP addresses:
Dynamic IP Configuration (Recommended):
<X-PRE-PROCESS cmd="exec-set" data="bind_server_ip=curl -s http://instance-data/latest/meta-data/public-ipv4"/>
<X-PRE-PROCESS cmd="exec-set" data="external_rtp_ip=curl -s http://instance-data/latest/meta-data/public-ipv4"/>
<X-PRE-PROCESS cmd="exec-set" data="external_sip_ip=curl -s http://instance-data/latest/meta-data/public-ipv4"/>
Static IP Configuration (If using Elastic IP):
<X-PRE-PROCESS cmd="set" data="bind_server_ip=[AWS EIP]"/>
<X-PRE-PROCESS cmd="set" data="external_rtp_ip=[AWS EIP]"/>
<X-PRE-PROCESS cmd="set" data="external_sip_ip=[AWS EIP]"/>
2. verto.conf.xml
<param name="ext-rtp-ip" value="[AWS EIP]"/>
3. internal.xml (SIP Profile)
<param name="aggressive-nat-detection" value="true"/>
<param name="multiple-registrations" value="true"/>
<param name="ext-rtp-ip" value="$${external_rtp_ip}"/>
<param name="ext-sip-ip" value="$${external_sip_ip}"/>
<param name="NDLB-received-in-nat-reg-contact" value="true"/>
<param name="NDLB-force-rport" value="true"/>
<param name="NDLB-broken-auth-hash" value="true"/>
<param name="enable-timer" value="false"/>
<param name="auth-calls" value="true"/>
4. external.xml (SIP Profile)
<param name="aggressive-nat-detection" value="true"/>
<param name="ext-rtp-ip" value="$${external_rtp_ip}"/>
<param name="ext-sip-ip" value="$${external_sip_ip}"/>
<param name="NDLB-force-rport" value="true"/>
5. switch.conf.xml
<param name="rtp-start-port" value="16384"/>
<param name="rtp-end-port" value="32768"/>
Troubleshooting Steps
- Verify Security Group Configuration:
  - Confirm all required UDP/TCP ports are added to your freeswitch security group
  - Ensure the security group is applied to your instance
  - Create the security group before booting the instance
- Verify UFW Configuration:
  - Run sudo ufw status verbose to check current rules
  - Ensure all required UDP/TCP ports are allowed
- Check NAT Configuration:
  - Verify the external IP settings in all configuration files
  - Ensure NAT traversal parameters are correctly set
- Test Port Connectivity:
  - Use nc -u -l 5060 on your server to listen on UDP port 5060
  - From another machine, test sending UDP packets with echo "test" | nc -u [server-ip] 5060
- Check FreeSWITCH Configuration:
  - Verify all configuration files have the correct NAT settings
  - Ensure RTP port ranges match between switch.conf.xml and security group rules
- Check System Logs:
  - Review /var/log/freeswitch/freeswitch.log for FreeSWITCH-specific errors
  - Check /var/log/syslog for system-level networking issues
  - Look for potential port conflicts or binding issues
  - Monitor logs in real-time during connection attempts with tail -f /var/log/freeswitch/freeswitch.log
The documentation emphasizes that the security group should be created and applied before booting the instance. After properly configuring these settings, the standard FreeSWITCH installation process should work correctly, with adjustments to the dialplan as needed for your specific use case.
Additional Resources
For more detailed information about FreeSWITCH logging and troubleshooting:
- FreeSWITCH Wiki: https://freeswitch.org/confluence/display/FREESWITCH/Troubleshooting+FreeSWITCH
- FreeSWITCH Documentation: https://developer.signalwire.com/freeswitch/FreeSWITCH-Explained/Troubleshooting-Debugging/
The primary documentation source for the FreeSWITCH EC2 configuration is: https://developer.signalwire.com/freeswitch/FreeSWITCH-Explained/Installation/Virtualization/Amazon-EC2_3965076/
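One step in the answer above, making sure the RTP range in switch.conf.xml actually matches the security group, is easy to get wrong by one port or one protocol. The following is an added example (not code from the answer, the FreeSWITCH project or AWS) that reads the rtp-start-port/rtp-end-port values from a switch.conf.xml fragment, reads ingress rules in the shape `aws ec2 describe-security-groups` returns, and reports every required port/protocol pair from the list above that no rule fully covers. Both inputs are constructed for the demo; the sample group deliberately stops the RTP range at 32767 and omits tcp/5080 so the audit has something to find. In practice you would feed it `aws ec2 describe-security-groups --group-names freeswitch` output and the real config file.

```python
import json
import xml.etree.ElementTree as ET

# Constructed switch.conf.xml fragment (same values the answer above shows).
SWITCH_CONF_XML = """<configuration name="switch.conf" description="Core Configuration">
  <settings>
    <param name="rtp-start-port" value="16384"/>
    <param name="rtp-end-port" value="32768"/>
  </settings>
</configuration>"""

# Constructed output in the shape of `aws ec2 describe-security-groups`
# (identifiers are placeholders). Note: RTP range ends one short, tcp/5080 missing.
DESCRIBE_SG_JSON = json.dumps({
    "SecurityGroups": [{
        "GroupName": "freeswitch",
        "GroupId": "sg-PLACEHOLDER",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
            {"IpProtocol": "udp", "FromPort": 16384, "ToPort": 32767,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "udp", "FromPort": 4569, "ToPort": 4569,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "udp", "FromPort": 5060, "ToPort": 5060,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 5060, "ToPort": 5060,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "udp", "FromPort": 5080, "ToPort": 5080,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "udp", "FromPort": 8000, "ToPort": 8000,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8000,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    }]
})


def rtp_range_from_switch_conf(xml_text):
    """Return (rtp-start-port, rtp-end-port) as ints from a switch.conf.xml document."""
    root = ET.fromstring(xml_text)
    params = {p.get("name"): p.get("value") for p in root.iter("param")}
    return int(params["rtp-start-port"]), int(params["rtp-end-port"])


def required_rules(rtp_start, rtp_end):
    """The port list from the answer above, as (protocol, from_port, to_port)."""
    return [
        ("udp", rtp_start, rtp_end),          # RTP media
        ("udp", 4569, 4569),                  # IAX2
        ("udp", 5060, 5060), ("tcp", 5060, 5060),  # SIP
        ("udp", 5080, 5080), ("tcp", 5080, 5080),  # alternate SIP
        ("udp", 8000, 8000), ("tcp", 8000, 8000),  # event socket
    ]


def ingress_rules(describe_sg_text, group_name):
    """Flatten one group's IpPermissions to (protocol, from_port, to_port).
    '-1' rules (all traffic) carry no ports, hence .get()."""
    doc = json.loads(describe_sg_text)
    for group in doc["SecurityGroups"]:
        if group["GroupName"] == group_name:
            return [(p["IpProtocol"], p.get("FromPort"), p.get("ToPort"))
                    for p in group["IpPermissions"]]
    raise KeyError("no security group named %r" % group_name)


def missing_rules(required, ingress):
    """Required entries that no single ingress rule fully covers.
    A partial overlap (e.g. RTP range one port short) counts as missing."""
    def covered(req):
        proto, lo, hi = req
        for ip_proto, from_port, to_port in ingress:
            if ip_proto == "-1":
                return True
            if ip_proto == proto and from_port <= lo and to_port >= hi:
                return True
        return False
    return [r for r in required if not covered(r)]


def audit(xml_text=SWITCH_CONF_XML, sg_text=DESCRIBE_SG_JSON, group_name="freeswitch"):
    start, end = rtp_range_from_switch_conf(xml_text)
    return missing_rules(required_rules(start, end), ingress_rules(sg_text, group_name))


if __name__ == "__main__":
    for proto, lo, hi in audit():
        print("not covered: %s %d-%d" % (proto, lo, hi))
```

The audit only checks that each required port is reachable through some rule; it says nothing about whether a rule's CIDR is wider than the deployment needs, so review the IpRanges column separately, particularly for the 8000 event-socket rule.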
hhmmm.. Assume your ACLs allow 0.0.0.0/0 in and out also?
See my 2nd answer, I think you may need TCP rather than UDP.