Multiple phones through a 2Wire 2700 HGV (Bt Business Hub)

Discussion in 'UK VOIP' started by Alister, Jan 10, 2008.

  1. Alister

    Alister Guest

    Hi I am having trouble getting multiple SIP phones to work correctly
    through a BT Business Hub Router
    connecting to an asterisk server over the T'internet.

    I am experiencing one way audio and dropped calls - signs which point
    to a firewall issue.

    I know the firewall at the asterisk end is fine 'cos it's a proper
    Cisco Pix which I've configured
    to allow SIP AIX and RTP to and from the external address of the BT
    Hub.

    Unfortunately I cannot seem to open the ports on the BT router for
    more than one internal IP address
    as this router's web interface does not seem to give a direct method
    for opening ports.

    What you have to do is create an 'application' which has ports
    assigned to it, and then you can
    assign this application to an IP address on the internal network.
    Unfortunateley when I try to assign
    this application to more than one phone the GUI gives me an error
    saying I cannot apply this
    to more than one IP.

    Has anyone managed to get this working?

    Any help gratefully received.


    Alister.
     
    Alister, Jan 10, 2008
    #1
    1. Advertising

  2. Alister

    Rob Guest

    "Alister" <> wrote in message
    news:...
    >
    > Unfortunately I cannot seem to open the ports on the BT router for
    > more than one internal IP address
    > as this router's web interface does not seem to give a direct method
    > for opening ports.
    >
    > What you have to do is create an 'application' which has ports
    > assigned to it, and then you can
    > assign this application to an IP address on the internal network.
    > Unfortunateley when I try to assign
    > this application to more than one phone the GUI gives me an error
    > saying I cannot apply this
    > to more than one IP.


    Can't you create multiple 'applications' or instances of your 'application'
    and apply each of them to one of your required internal IP addresses?

    Rob
     
    Rob, Jan 10, 2008
    #2
    1. Advertising

  3. Alister

    alexd Guest

    On Thu, 10 Jan 2008 01:45:33 -0800, Alister wrote:

    > Unfortunately I cannot seem to open the ports on the BT router for more
    > than one internal IP address as this router's web interface does not
    > seem to give a direct method for opening ports.


    Are you trying to allow your phones outbound access? You could try
    disabling the firewall completely while you test it and see if that helps.

    > What you have to do is create an 'application' which has ports assigned
    > to it, and then you can assign this application to an IP address on the
    > internal network. Unfortunateley when I try to assign this application
    > to more than one phone the GUI gives me an error saying I cannot apply
    > this to more than one IP.


    It sounds like you're trying to use the port-forwarding mechanism, which
    isn't going to let you forward the same outside address:port to different
    inside address:ports, unless you have multiple outside addresses [in
    which case you could just give the phones outside IPs and be done with
    it].

    --
    <http://ale.cx/> (AIM:troffasky) ()
    13:53:29 up 5 days, 4:17, 2 users, load average: 1.53, 1.58, 1.55
    2x Broadband/IT/Telecoms support positions in Newcastle city centre.
    For more info call 0191 229 8870 and ask for Steve. No agencies.
     
    alexd, Jan 10, 2008
    #3
  4. Alister

    Alister Guest

    On Jan 10, 10:29 am, "Rob" <> wrote:
    > Can't you create multiple 'applications' or instances of your 'application'
    > and apply each of them to one of your required internal IP addresses?
    >
    > Rob


    Hi Rob,

    Thanks for the suggestion, but I tried that and it won't let you.

    As alexd says, you can only use the port forwarding to forward
    specific outside ports to one inside address.

    Unfortunately this is the only firewall control this router gives you.

    Cheers

    Alister
     
    Alister, Jan 10, 2008
    #4
  5. Alister

    Alister Guest

    On Jan 10, 2:00 pm, alexd <> wrote:
    > On Thu, 10 Jan 2008 01:45:33 -0800, Alister wrote:
    > > Unfortunately I cannot seem to open the ports on the BT router for more
    > > than one internal IP address as this router's web interface does not
    > > seem to give a direct method for opening ports.

    >
    > Are you trying to allow your phones outbound access? You could try
    > disabling the firewall completely while you test it and see if that helps.
    >


    <grin> I'd love to, but this router doesn't give you that option.


    >
    > It sounds like you're trying to use the port-forwarding mechanism, which
    > isn't going to let you forward the same outside address:port to different
    > inside address:ports, unless you have multiple outside addresses [in
    > which case you could just give the phones outside IPs and be done with
    > it].


    You are quite correct, and I have investigated the router further with
    the manufacturer and this is the case.
    The only firewall control this router offers is port forwarding in the
    manner you describe, or to assign a single
    external IP (which is the same as the router's) to a DMZ which has no
    firewall on it at all.

    It looks like I will do this and have another router / firewall in the
    DMZ with one interface as the external IP and the other
    on an internal IP and then connect the phones via a switch.
    I can then set up access-lists to only allow Voip traffic through the
    second router. Bit of a pain though!

    If you have any better suggestions I'd love to hear them!

    Alister.
     
    Alister, Jan 10, 2008
    #5
  6. Alister

    alexd Guest

    On Thu, 10 Jan 2008 08:07:14 -0800, Alister wrote:

    > On Jan 10, 2:00 pm, alexd <> wrote:


    > You are quite correct, and I have investigated the router further with
    > the manufacturer and this is the case. The only firewall control this
    > router offers is port forwarding in the manner you describe, or to
    > assign a single external IP (which is the same as the router's) to a DMZ
    > which has no firewall on it at all.


    Perhaps it's worth replacing the BT router, as you may run into a similar
    problem again in the future with other applications.

    > It looks like I will do this and have another router / firewall in the
    > DMZ with one interface as the external IP and the other on an internal
    > IP and then connect the phones via a switch. I can then set up
    > access-lists to only allow Voip traffic through the second router. Bit
    > of a pain though!


    If I read you right, the plan is:

    (Net)--(BT router)--(Another router)--(switch)--(handsets)

    > If you have any better suggestions I'd love to hear them!


    I think before you throw any more hardware at the problem, you should
    validate that what you're planning is going to work. I can't see how
    adding another link in the chain is going to fix a firewalling problem on
    the BT router. If you just use the one handset, and modify the rules to
    allow it out, does it work? How does internet browsing work if you have
    to add an explicit permit rule to allow a host out, but can only add rule
    at a time?

    Do you have any sites where audio does work?

    Have you tried using a handset [or softphone] from home to test it?

    Does Asterisk have a public IP? If not, have you told it what it's public
    address is? [http://www.voip-info.org/wiki/index.php?page=Asterisk SIP
    +externip]

    Are the handsets SIP or IAX?

    Have you tried disabling/enabling SIP fixup on the PIX?

    If you have to add another router, you'd probably be best off adding
    something that can terminate a VPN from the PIX, and run the calls over
    the VPN. This would bring all the usual benefits of VPNs with it.

    --
    <http://ale.cx/> (AIM:troffasky) ()
    16:29:56 up 5 days, 6:54, 2 users, load average: 1.32, 1.23, 1.17
    2x Broadband/IT/Telecoms support positions in Newcastle city centre.
    For more info call 0191 229 8870 and ask for Steve. No agencies.
     
    alexd, Jan 10, 2008
    #6
  7. Alister

    Linker3000 Guest

    Maybe I am not getting the entire picture here - or maybe its an IAX
    thing - but why do you need to specify port forwarding to every phone?

    Lots of our sites have multiple (SIP) phones connected via ADSL to a
    central Asterisk server and STUN takes care of 'what goes where' -
    there's no specific SIP (in your case IAX) forwarding setup on the
    site's router. Remember, the phones initiate the connection/registration
    to the Asterisk server and so the setup is outbound with the help of
    NAT/STUN- nothing unexpected is initially going to be inbound and thus
    needs help getting past the firewall/NAT routing.

    Worse case (and I still can't see why you'd need it), why not have a
    local Asterisk server to which all the phones register and tie this
    server to the remote one?

    Fill me in, or tell me to shut up, if I'm missing something here!?
     
    Linker3000, Jan 10, 2008
    #7
  8. Alister

    Alister Guest

    On Jan 10, 6:28 pm, alexd <> wrote:

    >
    > Perhaps it's worth replacing the BT router, as you may run into a similar
    > problem again in the future with other applications.
    >


    I have considered that, but have heard a of number of instances where
    a third party router would not work correctly with a BT ADSL
    connection.

    >
    > If I read you right, the plan is:
    >
    > (Net)--(BT router)--(Another router)--(switch)--(handsets)
    >


    Yes That's correct.


    >
    > I think before you throw any more hardware at the problem, you should
    > validate that what you're planning is going to work. I can't see how
    > adding another link in the chain is going to fix a firewalling problem on
    > the BT router. If you just use the one handset, and modify the rules to
    > allow it out, does it work? How does internet browsing work if you have
    > to add an explicit permit rule to allow a host out, but can only add rule
    > at a time?
    >


    I may be wrong but it appears that the only way to turn the firewall
    off on this router
    is to assign whatever you are connecting to its internal interface to
    the DMZ, to which it then assigns
    an external (dynamic) IP, and as it only allows you to do this to one
    host, this will have to be a router
    with an inside and outside ethernet interface so that I can assign non
    routable internal IP's to the phones.

    It is incoming traffic which the BT Firewall is blocking - not 5060
    but the RTP range 10000 - 12000
    We can initiate and answer calls and register the handsets but lose
    audio.

    >
    > Have you tried using a handset [or softphone] from home to test it?
    >
    > Does Asterisk have a public IP? If not, have you told it what it's public
    > address is? [http://www.voip-info.org/wiki/index.php?page=Asterisk SIP
    > +externip]
    >
    > Are the handsets SIP or IAX?


    SIP - a mixture of ATCOM AT530 and Seimens S450IP

    > Have you tried disabling/enabling SIP fixup on the PIX?


    No need, the Pix end of things is quite happy.

    The Asterisk Server has a public IP, and connections to it from other
    sites we run
    have no problems at all - we have a satellite office with its own
    Asterisk and the
    two are connected by IAX. We have a further site in france with
    multiple phones on an
    ADSL from wanadoo.fr which again connects to the main asterisk site
    with no problems.

    At home I have a sip phone which sits behind a BT Router with Static
    IPs and it works fine.

    It is just this site - and this router - which are the problem.

    > If you have to add another router, you'd probably be best off adding
    > something that can terminate a VPN from the PIX, and run the calls over
    > the VPN. This would bring all the usual benefits of VPNs with it.


    I have a spare PIX 501 which I was thinking of using as the router,
    which would mean I could
    possibly use VPN, but on voip to voip calls wouldn't that effectively
    stop RTP from bypassing the asterisk?

    As I understand it, Asterisk initiates the connection but then hands
    it off to the two hosts using RTP for the
    voice and SIP for the call control. If I am wrong, I'm sure you'll let
    me know :)

    btw I do appreciate the time you are taking to try and help - I'm
    sorry if I haven't explained things clearly.

    Alister
     
    Alister, Jan 11, 2008
    #8
  9. Alister

    Alister Guest

    On Jan 10, 10:31 pm, Linker3000 <>
    wrote:
    > Maybe I am not getting the entire picture here - or maybe its an IAX
    > thing - but why do you need to specify port forwarding to every phone?
    >
    > Lots of our sites have multiple (SIP) phones connected via ADSL to a
    > central Asterisk server and STUN takes care of 'what goes where' -
    > there's no specific SIP (in your case IAX) forwarding setup on the
    > site's router. Remember, the phones initiate the connection/registration
    > to the Asterisk server and so the setup is outbound with the help of
    > NAT/STUN- nothing unexpected is initially going to be inbound and thus
    > needs help getting past the firewall/NAT routing.
    >
    > Worse case (and I still can't see why you'd need it), why not have a
    > local Asterisk server to which all the phones register and tie this
    > server to the remote one?
    >
    > Fill me in, or tell me to shut up, if I'm missing something here!?


    <grin>

    I wouldn't dream of telling you to shut up :)

    The phones are SIP and the problem is incoming connections -
    specifically the RTP ports
    that a VoIP call uses for voice traffic. There seems to be no way of
    telling this router to let
    traffic through from outside unless you do it on a per device basis.
    I can register the handsets, and initiate and receive calls, but I get
    either one-way audio or none at all.

    I don't really want to have to go to the trouble of having another
    asterisk at this office just for seven phones
    - particularly as this office is in Somerset and I (as the only IT
    bod) am based in Derbyshire.

    We already run two Asterisk servers - one in Derbyshire and one in
    Warwickshire, and I would rather these phones
    used one or other of these. We run an office in France which uses the
    Warwickshire asterisk with no problems.

    My problem is just this bl***y BT Business Hub, which is designed to
    be user friendly and consequently seems impossible
    to configure for anything other than web browsing or e-mail.

    Do you use BT Broadband at all? and if so what router have you got on
    the end of it?

    Cheers

    Alister
     
    Alister, Jan 11, 2008
    #9
  10. Alister

    alexd Guest

    On Fri, 11 Jan 2008 11:28:51 -0800, Alister wrote:

    > On Jan 10, 6:28 pm, alexd <> wrote:


    > I may be wrong but it appears that the only way to turn the firewall off
    > on this router
    > is to assign whatever you are connecting to its internal interface to
    > the DMZ,


    > It is incoming traffic which the BT Firewall is blocking - not 5060 but
    > the RTP range 10000 - 12000
    > We can initiate and answer calls and register the handsets but lose
    > audio.


    http://www.dslreports.com/forum/2wire

    There are some 2Wire experts in there, might be worth a shot if you're
    reluctant to bin it.

    >
    >> Have you tried using a handset [or softphone] from home to test it?
    >>
    >> Does Asterisk have a public IP? If not, have you told it what it's
    >> public address is?
    >> [http://www.voip-info.org/wiki/index.php?page=Asterisk SIP +externip]
    >>
    >> Are the handsets SIP or IAX?

    >
    > SIP - a mixture of ATCOM AT530 and Seimens S450IP


    OK here's another idea - how about putting the IAX firmware on the
    Atcoms? Won't fix the Siemens, of course.

    > It is just this site - and this router - which are the problem.


    Replace the router. It can't be that hard, all you need is username,
    password and the static IP details [if you've got them]. Having googled
    your router, I'm concerned that there is a VoIP implementation on there,
    and it may be doing silly stuff to your SIP traffic.

    >> If you have to add another router, you'd probably be best off adding
    >> something that can terminate a VPN from the PIX, and run the calls over
    >> the VPN. This would bring all the usual benefits of VPNs with it.

    >
    > I have a spare PIX 501 which I was thinking of using as the router,
    > which would mean I could
    > possibly use VPN, but on voip to voip calls wouldn't that effectively
    > stop RTP from bypassing the asterisk?


    Yes. Calls will be fine from the branch to the site where Asterisk is,
    but calls from said branch to other sites over SIP will again be one
    sided. If you've got enough bandwidth at the Asterisk end, you could stop
    the relevant extensions from being able to reinvite and you should be OK.

    > As I understand it, Asterisk initiates the connection but then hands it
    > off to the two hosts using RTP for the voice and SIP for the call
    > control. If I am wrong, I'm sure you'll let me know :)


    http://www.voip-info.org/wiki/view/Asterisk sip canreinvite

    explains how Asterisk handles re-invites.


    --
    <http://ale.cx/> (AIM:troffasky) ()
    23:13:20 up 6 days, 13:37, 2 users, load average: 1.02, 1.06, 1.01
    2x Broadband/IT/Telecoms support positions in Newcastle city centre.
    For more info call 0191 229 8870 and ask for Steve. No agencies.
     
    alexd, Jan 11, 2008
    #10
  11. Alister

    Alister Guest

    On Jan 11, 11:45 pm, alexd <> wrote:
    <Lots of useful information>

    alexd

    Thank you for all your suggestions,

    You have given me some different ideas to think about, and thanks for
    the link to the
    2wire forum, good stuff!

    I have not made a my mind up yet, butt when I do I'll let you know
    what happens.

    Thanks again for your help

    Alister
     
    Alister, Jan 12, 2008
    #11
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Minder

    OT Support email address for 2wire

    Minder, Apr 17, 2005, in forum: Wireless Networking
    Replies:
    2
    Views:
    486
    Jeff Liebermann
    Apr 17, 2005
  2. anonymous
    Replies:
    1
    Views:
    776
    anonymous
    Dec 14, 2005
  3. joseph
    Replies:
    3
    Views:
    1,312
  4. Adam Lipscombe
    Replies:
    1
    Views:
    11,365
    linker3000
    Sep 26, 2006
  5. manicminer01706
    Replies:
    1
    Views:
    1,344
    OrCiscoNovice
    Aug 24, 2007
Loading...

Share This Page