Port forwarding for VoIP not working

I am trying to create a configuration for my Panasonic NCP-500 PBX because my old router doesn’t work anymore.

Now… as far as I have understood, the PBX has 2 internal IPs (main 192.168.7.91 and voipdsp 192.168.7.92). They say that I should forward ports 5060 and 35060 to port 35060 of the main interface and ports 16000-32000 to the equivalent ports of the voipdsp interface.

That’s what I created:

vyos@vyos:~$ show config
firewall {
    all-ping disable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name SipTrunk {
        default-action drop
        description SipTrunk
        rule 10 {
            action accept
            source {
                address 112.34.44.61
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        address 192.168.7.3/24
    }
    ethernet eth1 {
    }
    ethernet eth2 {
    }
    ethernet eth3 {
        address 49.33.164.11/28
        vif 100 {
            firewall {
                in {
                    name SipTrunk
                }
            }
        }
    }
    loopback lo {
    }
}
nat {
    destination {
        rule 10 {
            destination {
                port 5060
            }
            inbound-interface eth3
            protocol udp
            translation {
                address 192.168.7.91
                port 35060
            }
        }
        rule 12 {
            destination {
                port 35060
            }
            inbound-interface eth3
            protocol udp
            translation {
                address 192.168.7.91
            }
        }
        rule 20 {
            destination {
                port 16000-32000
            }
            inbound-interface eth3
            protocol udp
            translation {
                address 192.168.7.92
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 49.33.164.1 {
            }
        }
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    ipv6 {
        disable-forwarding
    }
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
        }
    }
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}

But… something is not working (I cannot establish a connection to the SIP trunk via my PBX). The question is… does someone see what’s wrong? How do I have to configure this forwarding (with additional firewall rules to make sure that only the SIP trunk can send data to me)?

Unless the PBX configuration was modified, you should NAT port 5060 to the PBX.
I would try removing the translation from port 5060 to port 35060.

Well… that’s a special Panasonic thing… they use 35060 instead of 5060. So, that’s correct.

But I found the problem. It was the missing outbound NAT (translation of UDP packets to my outside IP). My PBX wrote the public IP into the SIP packets, but did not set the source of the UDP packets to this IP. And… it seems that my ISP started to rely on those entries. After starting to set them correctly, it now works.
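The mismatch described in the last post (public IP inside the SIP headers, UDP source address left untranslated) can be confirmed from a capture taken on the WAN side. The following is an added example, not part of the thread: the SIP message, the `trunk.example.net` domain and the function names are constructed for illustration, and the addresses are taken from the config above.

```python
import ipaddress
import re

# Constructed sample REGISTER: the headers advertise the public address,
# as the poster says the PBX did.
SAMPLE_SIP = (
    "REGISTER sip:trunk.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 49.33.164.11:35060;branch=z9hG4bK-constructed\r\n"
    "From: <sip:pbx@trunk.example.net>;tag=1\r\n"
    "To: <sip:pbx@trunk.example.net>\r\n"
    "Call-ID: constructed-1@49.33.164.11\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:pbx@49.33.164.11:35060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Host part of the first Via sent-by and of the Contact URI
# (long and compact header names).
VIA_RE = re.compile(r"^(?:Via|v)\s*:\s*SIP/2\.0/UDP\s+([^;:\s]+)", re.I | re.M)
CONTACT_RE = re.compile(
    r"^(?:Contact|m)\s*:.*?sips?:(?:[^@>\s]+@)?([^;:>\s]+)", re.I | re.M
)


def advertised_hosts(sip_text):
    """Return the hosts named in the top Via header and the Contact URI."""
    hosts = {}
    for name, rx in (("via", VIA_RE), ("contact", CONTACT_RE)):
        m = rx.search(sip_text)
        if m:
            hosts[name] = m.group(1)
    return hosts


def check_packet(udp_src_ip, sip_text):
    """List the ways the UDP source disagrees with what the SIP headers say."""
    findings = []
    src = ipaddress.ip_address(udp_src_ip)
    if src.is_private:
        findings.append(f"UDP source {src} is private: no source NAT was applied")
    for header, host in advertised_hosts(sip_text).items():
        if host != udp_src_ip:  # a hostname in the header also counts as a mismatch
            findings.append(f"{header} advertises {host}, packet came from {udp_src_ip}")
    return findings


if __name__ == "__main__":
    for src in ("192.168.7.91", "49.33.164.11"):  # before / after outbound NAT
        print(src, check_packet(src, SAMPLE_SIP) or "consistent")
```

An empty result for the translated source and three findings for the untranslated one correspond to the "after" and "before" states the poster describes.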