[ASTERISK] Sip and NAT

Discussion in 'VOIP' started by Arnold Ligtvoet, Nov 16, 2003.

  1. Has anybody here seen any solution to the problem:

    Asterisk --> Iptables/NAT --> external SIP server (FWD).
    Linux1       Linux2

    I'm to the point where it seems to connect to FWD, but then I hear no
    sound. IMHO this is due to the fact that the UDP is not natted correctly.

    I saw a link pointing to 'Billy Biggs wrote a SIP ALG', but I'm unable
    to track this file somewhere. Anyway I'm left with these questions:

    - is there a SIP/conntrack module for iptables (perhaps in the make)?
    - is UPnP the answer?
    - could I do some fancy port forwarding in iptables to get this to work?

    TIA.
     
    Arnold Ligtvoet, Nov 16, 2003
    #1

  2. Arnold Ligtvoet

    Peter Guest

    I'm to the point where it seems to connect to FWD, but then I hear no
    Do you have "nat=yes" line in your sip.conf FWD client section? And do you
    have RTP ports range forwarded to your Asterisk box? See rtp.conf for ports.

    AFAIK there is no SIP conntrack module for iptables, and I doubt upnp is the
    answer as Asterisk would have to be upnp-aware (which it isn't)... although
    I'm no expert on upnp at all. There was a bit of debate going on in
    asterisk-users mailing list about possible STUN server support which would
    be perfect answer in your situation, but then it's not implemented yet.

    Peter
     
    Peter, Nov 16, 2003
    #2

  3. Arnold Ligtvoet

    Peter Guest

    SIP uses a range of UDP ports as specified in rtp.conf for actual voice
    traffic. Most likely you haven't forwarded these to your * box... put the
    forward in place and try again.

    Hope this helps,
    Peter
     
    Peter, Nov 16, 2003
    #3
  4. Yes I do have nat=yes. I think the problem is in my homebrew iptables
    solution, since calls are successfully established. I just don't hear the
    sound.
    Let me get this right: If I open the port range on the iptables machine,
    forward the port range to the * machine, everything should work?
    If this is the case I'll look into my iptables script..
     
    Arnold Ligtvoet, Nov 16, 2003
    #4
  5. Arnold Ligtvoet

    shido Guest

    No audio or 1 way audio is a sign of a bad nat'd environment. Reply with
    your iptables/nat settings and work from there.

    --
    Greg Merriweather
    The NuFone Network

    519-251-8225 x 3000
     
    shido, Nov 16, 2003
    #5
  6. ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5036
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4569
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:10000:20000

    rtp.conf says portrange is 10000-20000. Firewall config file says :
    NAT_UDP_FORWARD="5060,5036,4569,10000-20000>192.168.0.100"

    I have also tried forwarding the ports to my client ip (sip phone on
    internal LAN), but also no audio. Again the setup should be

    Fwd      192.168.0.1    192.168.0.100    192.168.0.2
    I-net    Linux gw       Asterisk         client (SIP)
             Iptables

    Can someone post their iptables rules to achieve this?
     
    Arnold Ligtvoet, Nov 17, 2003
    #6
  7. Arnold Ligtvoet

    Peter Guest

    rtp.conf says portrange is 10000-20000. Firewall config file says :
    What's stopping you from installing asterisk on your Linux router? That way
    you'll have it on public IP, problem with port forwarding solved. There are
    other consequences as well to running * behind NAT, such as inability to
    serve SIP clients outside NAT etc.

    Peter
     
    Peter, Nov 18, 2003
    #7
  8. Arnold Ligtvoet

    Peter Guest

    What's stopping you from installing asterisk on your Linux router? That
    way
    I used to run it on K6-166 with 96mb ram, and it worked fine. Asterisk and
    routing processes take up very little CPU. Then again, I only have one ISDN
    interface. Right now I'm on Celeron 300Mhz, and it's plenty. Just don't fire
    up X server.
    Why not? You'll still have to have decent iptables setup in place, of
    course. I can lend you mine if you want to. P-)
    AFAIK yes.

    Peter
     
    Peter, Nov 18, 2003
    #8
  9. Mainly the fact that my router is a p133 with 64mb's. Not that my *
    machine is that up-to-date, being a k6-450. I thought about integrating
    the router and *, but have some questions:
    - security issues. Are people going to be able to connect to my system
    and use my phonelines ?
    - 2 nic interfaces. Does * support clients on both interfaces at the
    same time ?

    TIA
     
    Arnold Ligtvoet, Nov 19, 2003
    #9
  10. Arnold Ligtvoet

    darren Guest

    I have a similar setup to yourself. As long as you don't need to run SIP
    clients internally, there has been a hack posted to alter the SDP address to
    the external NAT'd one.
    http://lists.digium.com/pipermail/asterisk-users/2003-October/024968.html
    From the firewall, forward the SIP and RTP (from rtp.conf) to * and you
    should be away.
     
    darren, Nov 19, 2003
    #10
  11. Arnold Ligtvoet

    Peter Guest

    I have a similar setup to yourself. as long as you don't need to run sip
    I've looked at that. From what I've learned the hack would break internal
    SIP clients, plus it involves using CVS version and modifying sources
    yourself. All this would be OK in test/development environment, but I'd
    rather not use it in production or mission-critical environments.

    Peter
     
    Peter, Nov 19, 2003
    #11
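
Added example (not part of any post in this thread): a small Python check for the symptom discussed above, where the call sets up but no audio flows. It reads the SDP in a SIP message and reports whether the advertised RTP address is a private (RFC 1918) one the far end cannot reach, which is what the SDP-rewrite hack in posts #10 and #11 works around, and whether the RTP port lies in the forwarded 10000-20000 range from post #6. The sample INVITE, the host sip.example.invalid and the function names are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: an INVITE as the Asterisk box at 192.168.0.100 (the
# thread's layout) would emit if nothing rewrites its addresses for NAT.
SAMPLE_INVITE = (
    "INVITE sip:test@sip.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.0.100:5060;branch=z9hG4bK-constructed\r\n"
    "Contact: <sip:asterisk@192.168.0.100:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=root 1 1 IN IP4 192.168.0.100\r\n"
    "s=session\r\n"
    "c=IN IP4 192.168.0.100\r\n"
    "t=0 0\r\n"
    "m=audio 14236 RTP/AVP 0 8\r\n"
)

def parse_media(sip_message):
    """Return [(ip, port)] per m=audio line; a media-level c= overrides the session-level one."""
    _, _, body = sip_message.partition("\r\n\r\n")
    session_addr, current, media = None, None, []
    for line in body.splitlines():
        if line.startswith("c="):
            addr = line.split()[-1].split("/")[0]   # drop any multicast TTL suffix
            if current is None:
                session_addr = addr                 # c= before the first m= is session-level
            else:
                current["ip"] = addr
        elif line.startswith("m="):
            kind, port = line[2:].split()[:2]
            current = {"kind": kind, "ip": session_addr, "port": int(port.split("/")[0])}
            media.append(current)
    return [(m["ip"], m["port"]) for m in media if m["kind"] == "audio"]

def diagnose(sip_message, fwd_range=(10000, 20000)):
    """List reasons the remote side's RTP would never reach this endpoint."""
    findings = []
    for ip, port in parse_media(sip_message):
        if ip is None:
            findings.append("no c= line: SDP carries no RTP address")
        elif any(ipaddress.ip_address(ip) in net for net in RFC1918):
            findings.append(f"SDP advertises private address {ip}: far end cannot send RTP to it")
        if not fwd_range[0] <= port <= fwd_range[1]:
            findings.append(f"RTP port {port} is outside the forwarded range {fwd_range[0]}-{fwd_range[1]}")
    return findings
```

Run `diagnose()` on a message captured on the outside interface of the gateway: a private address there means the port forward alone cannot restore audio, because the remote server is told to send RTP to an address it cannot route.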