[ASTERISK] Sip and NAT

Discussion in 'VOIP' started by Arnold Ligtvoet, Nov 16, 2003.

  1. Has anybody here seen any solution to the problem :

    Asterisk --> Iptables/NAT --> external SIP server (FWD).
    Linux1       Linux2

    I'm to the point where it seems to connect to FWD, but then I hear no
    sound. IMHO this is due to the fact that the UDP is not natted correctly.

    I saw a link pointing to 'Billy Biggs wrote a SIP ALG', but I'm unable
    to track this file somewhere. Anyway I'm left with these questions:

    - is there a Sip/Conntrack module for iptables (perhaps in the make)
    - is uPnP the answer
    - could I do some fancy portforwarding in iptables to get this to work.

    TIA.

    --
    Arnold

    http://www.ligtvoet.org
    Ask smart questions : http://www.catb.org/~esr/faqs/smart-questions.html
    Arnold Ligtvoet, Nov 16, 2003
    #1

  2. Arnold Ligtvoet

    Peter Guest

    > I'm to the point where it seems to connect to FWD, but then I hear no
    > sound. IMHO this is due to the fact that the UDP is not natted correctly.

    ....
    > - is there a Sip/Conntrack module for iptables (perhaps in the make)
    > - is uPnP the answer
    > - could I do some fancy portforwarding in iptables to get this to work.


    Do you have "nat=yes" line in your sip.conf FWD client section? And do you
    have RTP ports range forwarded to your Asterisk box? See rtp.conf for ports.

    AFAIK there is no SIP conntrack module for iptables, and I doubt upnp is the
    answer as Asterisk would have to be upnp-aware (which it isn't)... although
    I'm no expert on upnp at all. There was a bit of debate going on in
    asterisk-users mailing list about possible STUN server support which would
    be perfect answer in your situation, but then it's not implemented yet.

    Peter
    Peter, Nov 16, 2003
    #2

  3. Arnold Ligtvoet

    Peter Guest


    > Let me get this right: If I open the port range on the iptables machine,
    > forward the portrange to the * machine, everything should work?
    > If this is the case I look into my iptables script..


    SIP uses a range of UDP ports as specified in rtp.conf for actual voice
    traffic. Most likely you haven't forwarded these to your * box... put the
    forward in place and try again.

    Hope this helps,
    Peter
    Peter, Nov 16, 2003
    #3
  4. Peter wrote:

    >>I'm to the point where it seems to connect to FWD, but then I hear no
    >>sound. IMHO this is due to the fact that the UDP is not natted correctly.

    >
    > ...
    >
    >>- is there a Sip/Conntrack module for iptables (perhaps in the make)
    >>- is uPnP the answer
    >>- could I do some fancy portforwarding in iptables to get this to work.

    >
    >
    > Do you have "nat=yes" line in your sip.conf FWD client section? And do you
    > have RTP ports range forwarded to your Asterisk box? See rtp.conf for ports.


    Yes I do have nat=yes. I think the problem is in my homebrew iptables
    solution, since calls are successfully established. I just don't hear the
    sound.

    > AFAIK there is no SIP conntrack module for iptables, and I doubt upnp is the
    > answer as Asterisk would have to be upnp-aware (which it isn't)... although
    > I'm no expert on upnp at all. There was a bit of debate going on in
    > asterisk-users mailing list about possible STUN server support which would
    > be perfect answer in your situation, but then it's not implemented yet.


    Let me get this right: If I open the port range on the iptables machine,
    forward the portrange to the * machine, everything should work?
    If this is the case I look into my iptables script..

    --
    Arnold

    http://www.ligtvoet.org
    Ask smart questions : http://www.catb.org/~esr/faqs/smart-questions.html
    Arnold Ligtvoet, Nov 16, 2003
    #4
  5. Arnold Ligtvoet

    shido Guest

    No audio or 1 way audio is a sign of a bad nat'd environment. Reply with
    your iptables/nat settings and work from there.

    --
    Greg Merriweather
    The NuFone Network

    519-251-8225 x 3000
    IM:
    "Arnold Ligtvoet" <> wrote in message
    news:...
    > Has anybody here seen any solution to the problem :
    >
    > Asterisk --> Iptables/NAT --> external SIP server (FWD).
    > Linux1       Linux2
    >
    > I'm to the point where it seems to connect to FWD, but then I hear no
    > sound. IMHO this is due to the fact that the UDP is not natted correctly.
    >
    > I saw a link pointing to 'Billy Biggs wrote a SIP ALG', but I'm unable
    > to track this file somewhere. Anyway I'm left with these questions:
    >
    > - is there a Sip/Conntrack module for iptables (perhaps in the make)
    > - is uPnP the answer
    > - could I do some fancy portforwarding in iptables to get this to work.
    >
    > TIA.
    >
    > --
    > Arnold
    >
    > http://www.ligtvoet.org
    > Ask smart questions : http://www.catb.org/~esr/faqs/smart-questions.html
    >
    shido, Nov 16, 2003
    #5
  6. shido wrote:

    > No audio or 1 way audio is a sign of a bad nat'd environment. Reply with
    > your iptables/nat settings and work from there.
    >

    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5036
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4569
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:10000:20000

    rtp.conf says portrange is 10000-20000. Firewall config file says :
    NAT_UDP_FORWARD="5060,5036,4569,10000-20000>192.168.0.100"

    I have also tried forwarding the ports to my client ip (sip phone on
    internal LAN), but also no audio. Again the setup should be

    Fwd      192.168.0.1   192.168.0.100   192.168.0.2
    I-net    Linux gw      Asterisk        client (SIP)
             Iptables

    Can someone post their iptables rules to achieve this?

    --
    Arnold

    http://www.ligtvoet.org
    Ask smart questions : http://www.catb.org/~esr/faqs/smart-questions.html
    Arnold Ligtvoet, Nov 17, 2003
    #6
  7. Arnold Ligtvoet

    Peter Guest

    > rtp.conf says portrange is 10000-20000. Firewall config file says :
    > NAT_UDP_FORWARD="5060,5036,4569,10000-20000>192.168.0.100"
    >
    > I have also tried forwarding the ports to my client ip (sip phone on
    > internal LAN), but also no audio. Again the setup should be
    >
    > Fwd      192.168.0.1   192.168.0.100   192.168.0.2
    > I-net    Linux gw      Asterisk        client (SIP)
    >          Iptables
    >
    > Can someone post their iptables rules to achieve this?


    What's stopping you from installing asterisk on your Linux router? That way
    you'll have it on public IP, problem with port forwarding solved. There are
    other consequences as well to running * behind NAT, such as inability to
    serve SIP clients outside NAT etc.

    Peter
    Peter, Nov 18, 2003
    #7
  8. Arnold Ligtvoet

    Peter Guest

    > > What's stopping you from installing asterisk on your Linux router? That way
    > > you'll have it on public IP, problem with port forwarding solved. There are
    > > other consequences as well to running * behind NAT, such as inability to
    > > serve SIP clients outside NAT etc.
    > >

    > Mainly the fact that my router is a p133 with 64mb's. Not that my *
    > machine is that up-to-date, being a k6-450. I thought about integrating


    I used to run it on K6-166 with 96mb ram, and it worked fine. Asterisk and
    routing processes take up very little CPU. Then again, I only have one ISDN
    interface. Right now I'm on Celeron 300Mhz, and it's plenty. Just don't fire
    up X server.

    > the router and *, but have some questions:
    > - security issues. Are people going to be able to connect to my system
    > and use my phonelines ?


    Why not? You'll still have to have decent iptables setup in place, of
    course. I can lend you mine if you want to. P-)

    > - 2 nic interfaces. Does * support clients on both interfaces at the
    > same time ?


    AFAIK yes.

    Peter
    Peter, Nov 18, 2003
    #8
  9. Peter wrote:
    >>rtp.conf says portrange is 10000-20000. Firewall config file says :
    >>NAT_UDP_FORWARD="5060,5036,4569,10000-20000>192.168.0.100"
    >>
    >>I have also tried forwarding the ports to my client ip (sip phone on
    >>internal LAN), but also no audio. Again the setup should be
    >>
    >>Fwd      192.168.0.1   192.168.0.100   192.168.0.2
    >>I-net    Linux gw      Asterisk        client (SIP)
    >>         Iptables
    >>
    >>Can someone post their iptables rules to achieve this?

    >
    >
    > What's stopping you from installing asterisk on your Linux router? That way
    > you'll have it on public IP, problem with port forwarding solved. There are
    > other consequences as well to running * behind NAT, such as inability to
    > serve SIP clients outside NAT etc.
    >
    > Peter
    >
    >

    Mainly the fact that my router is a p133 with 64mb's. Not that my *
    machine is that up-to-date, being a k6-450. I thought about integrating
    the router and *, but have some questions:
    - security issues. Are people going to be able to connect to my system
    and use my phonelines ?
    - 2 nic interfaces. Does * support clients on both interfaces at the
    same time ?

    TIA

    --
    Arnold

    http://www.ligtvoet.org
    Ask smart questions : http://www.catb.org/~esr/faqs/smart-questions.html
    Arnold Ligtvoet, Nov 19, 2003
    #9
  10. Arnold Ligtvoet

    darren Guest

    "Peter" <> wrote in message
    news:bpedcn$1n7e9r$-berlin.de...
    > > > What's stopping you from installing asterisk on your Linux router? That way
    > > > you'll have it on public IP, problem with port forwarding solved. There are
    > > > other consequences as well to running * behind NAT, such as inability to
    > > > serve SIP clients outside NAT etc.
    > > >

    > > Mainly the fact that my router is a p133 with 64mb's. Not that my *
    > > machine is that up-to-date, being a k6-450. I thought about integrating

    >
    > I used to run it on K6-166 with 96mb ram, and it worked fine. Asterisk and
    > routing processes take up very little CPU. Then again, I only have one ISDN
    > interface. Right now I'm on Celeron 300Mhz, and it's plenty. Just don't fire
    > up X server.
    >
    > > the router and *, but have some questions:
    > > - security issues. Are people going to be able to connect to my system
    > > and use my phonelines ?

    >
    > Why not? You'll still have to have decent iptables setup in place, of
    > course. I can lend you mine if you want to. P-)
    >
    > > - 2 nic interfaces. Does * support clients on both interfaces at the
    > > same time ?

    >
    > AFAIK yes.
    >
    > Peter
    >
    >


    I have a similar setup to yourself. As long as you don't need to run sip
    clients internally there has been a hack posted to alter the SDP address to
    the external NAT'd one.
    http://lists.digium.com/pipermail/asterisk-users/2003-October/024968.html
    From the firewall forward the SIP and RTP (from rtp.conf) to * and you
    should be away.
    darren, Nov 19, 2003
    #10
  11. Arnold Ligtvoet

    Peter Guest

    > I have a similar setup to yourself. as long as you don't need to run sip
    > clients internally there has been a hack posted to alter the SDP address to
    > the external NAT'd one.
    > http://lists.digium.com/pipermail/asterisk-users/2003-October/024968.html
    > from the firewall forward the SIP and RTP (from rtp.conf) to * and you
    > should be away.


    I've looked at that. From what I've learned the hack would break internal
    SIP clients, plus it involves using CVS version and modifying sources
    yourself. All this would be OK in test/development environment, but I'd
    rather not use it in production or mission-critical environments.

    Peter
    Peter, Nov 19, 2003
    #11
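
The "call connects but no audio" symptom discussed in this thread can be checked from a captured INVITE or 200 OK: the SDP body tells the far end where to send RTP, and a private address there is unreachable from outside the NAT. The following is an added example, not code from the thread or from Asterisk; the function names are hypothetical, the sample message is constructed, and it reuses the 192.168.0.100 address and the 10000-20000 rtp.conf range quoted above.

```python
import ipaddress

# RFC 1918 ranges: a peer on the Internet cannot send RTP to these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def media_endpoints(sip_message):
    """Return [(media, address, port)] from the SDP body of a SIP message."""
    # The SDP body starts after the first blank line that ends the SIP headers.
    _, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    session_addr, endpoints = None, []
    for line in body.splitlines():
        kind, _, value = line.strip().partition("=")
        fields = value.split()
        if kind == "c" and len(fields) == 3:      # c=IN IP4 <address>
            addr = fields[2].split("/")[0]        # drop any multicast TTL suffix
            if endpoints:
                endpoints[-1][1] = addr           # media-level c= overrides session-level
            else:
                session_addr = addr
        elif kind == "m" and len(fields) >= 2:    # m=<media> <port> <proto> <fmt> ...
            port = int(fields[1].split("/")[0])   # "port/count" form is allowed
            endpoints.append([fields[0], session_addr, port])
    return [tuple(e) for e in endpoints]

def diagnose(sip_message, rtp_range=(10000, 20000)):
    """List reasons why inbound RTP for this SDP offer would not arrive."""
    findings = []
    for media, addr, port in media_endpoints(sip_message):
        try:
            ip = ipaddress.ip_address(addr) if addr else None
        except ValueError:
            ip = None                             # hostname, not checked here
        if ip is not None and any(ip in net for net in RFC1918):
            findings.append(f"{media}: SDP advertises private address {addr}")
        if not rtp_range[0] <= port <= rtp_range[1]:
            findings.append(f"{media}: port {port} outside forwarded range")
    return findings

# Constructed sample: what Asterisk on 192.168.0.100 would offer with no rewrite.
BEHIND_NAT = ("INVITE sip:echo@example.invalid SIP/2.0\r\n"
              "Content-Type: application/sdp\r\n\r\n"
              "v=0\r\no=root 1 1 IN IP4 192.168.0.100\r\ns=session\r\n"
              "c=IN IP4 192.168.0.100\r\nt=0 0\r\n"
              "m=audio 14502 RTP/AVP 0\r\n")
# Same offer with the address rewritten; 203.0.113.10 is a documentation address.
REWRITTEN = BEHIND_NAT.replace("192.168.0.100", "203.0.113.10")

if __name__ == "__main__":
    print(diagnose(BEHIND_NAT), diagnose(REWRITTEN))
```

An empty result means the advertised address and port are consistent with the port forward; a private address in `c=` explains why signalling succeeds while the audio never arrives.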