Asterisk 16 NAT issues

#1

So my build is:

Digital Ocean -> CoreOs -> Docker -> Asterisk 16 -> flowroute (sip provider) -> pjsip -> grandstream 1620 endpoints

docker run --name asterisk -d -p 10000-20000/udp --net=host jklopez/asterisk
sip is at 10000 and rtpstart= 10001 rtpstop=20000

My assumption is that if I make -net=host that it would bypass NAT issues on the asterisk side of things. (maybe wrong, haven’t tested anything other than this yet)

That being said, I’m hoping that the setup should be like: public-facing Asterisk box and NAT’d endpoints.

As I’m testing to get this working sometimes I’m able to get incoming calls after I reload asterisk, pjsip, dialplan, however, I’m always able to call outbound with two way audio now.

The issue is that when I call inbound I get stuck at 100 Trying, with no 180 Ringing. However, if I dial out first (which I always can, and get two-way audio) and then try to call back inbound, it does ring, and now I have two-way audio… but, like I said, that’s only for a short duration.

My guess (which… I’m completely new to Asterisk, so feel free to laugh as hard as you wish) is that, since the phone is behind NAT, it’s supposed to keep the SIP session alive by sending out packets every so often.

Also, SIP ALG is verified disabled for the endpoint at home, but I’m not sure for the endpoint at the office as I don’t control it due to rented office space.

But anyway, enough with my foolishness, here is what I’ve got:
pjsip.conf

;--
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Non mapped elements start
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

[general]
srvlookup= yes

[flowroute-trunk]
insecure= port,invite

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Non mapped elements end
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
--;

[global]
type= global
debug= yes

[transport-udp]
type= transport
protocol= udp
bind= 0.0.0.0:10000 ;sip port configured on 10000 to reduce attacks
local_net=192.168.1.0/24 ;for phone network at home (not sure if that's how this is supposed to work)
local_net=192.168.0.0/24 ;for phone network at office (not sure if that's how this is supposed to work)
local_net=127.0.0.1/32 ;saw this on an example config and said why not…
external_media_address= (bleep) ;digital ocean vm pbx public ip
external_signaling_address= (bleep) ;digital ocean vm pbx public ip

[flowroute]
type= registration
outbound_auth= flowroute-auth
server_uri= sip:us-east-nj.sip.flowroute.com:5060
client_uri= sip:(bleep)@us-east-nj.sip.flowroute.com:10000
retry_interval= 60
line=yes
endpoint=flowroute-endpoint

[flowroute-auth]
type = auth
auth_type=userpass
password= (bleep)
username= (bleep)

[flowroute-endpoint]
type= endpoint
context= default
transport=transport-udp
allow= ulaw
outbound_auth=flowroute-auth
from_domain= us-east-nj.sip.flowroute.com
force_rport=yes
direct_media= no
ice_support=yes
rtp_symmetric=yes
rewrite_contact= yes
aors= flowroute-aor

[flowroute-aor]
type = aor
contact= sip:us-east-nj.sip.flowroute.com

[flowroute-identify]
type= identify
endpoint= flowroute-endpoint
match= us-east-nj.sip.flowroute.com

;allow flowroute IPs for failover
[acl]
type= acl
permit= 147.75.60.160/255.255.255.240
permit= 34.210.91.112/255.255.255.240
permit= 34.226.36.32/255.255.255.240
permit= 147.75.65.192/255.255.255.240

;phone at office - (grandstream 1620)
[1000]
type = endpoint
transport=transport-udp
callerid=(bleep)
context= outgoing
dtmf_mode= rfc4733
rtp_keepalive=180
force_rport=yes
ice_support=yes
direct_media=no
media_address=(bleep)
rtp_symmetric=yes
rewrite_contact= yes
disallow= all
allow= ulaw
auth=1000
aors= 1000

[1000]
type = aor
max_contacts= 2

[1000]
type = auth
auth_type=userpass
username= 1000
password= (bleep)

;phone at home (grandstream 1620)
[1001]
type = endpoint
transport=transport-udp
callerid=(bleep)
context= outgoing
dtmf_mode= rfc4733
rtp_keepalive=180
force_rport=yes
ice_support=yes
direct_media=no
media_address=(bleep)
rtp_symmetric=yes
rewrite_contact= yes
disallow= all
allow= ulaw
auth=1001
aors=1001

[1001]
type = aor
max_contacts= 2

[1001]
type = auth
auth_type=userpass
username= 1001
password= (bleep)

extensions.conf

[globals]
AREACODE=XXX ;Enter local 3-digit area code here
TECHPREFIX=XXXXXXXX ;Populate only if IP-based authentication is desired

[default]
exten => 11111111111,1,Dial(PJSIP/1000, 20)

[outgoing]
exten => _1NXXNXXXXXX,1,Dial(PJSIP/${TECHPREFIX}*${EXTEN}@flowroute)
exten => _NXXNXXXXXX,1,Dial(PJSIP/${TECHPREFIX}*1${EXTEN}@flowroute)
exten => _NXXXXXX,1,Dial(PJSIP/${TECHPREFIX}*1${AREACODE}${EXTEN}@flowroute)
exten => _011.,1,Dial(PJSIP/${TECHPREFIX}*${EXTEN:3}@flowroute)
exten => _1XXX,1,Dial(PJSIP/${EXTEN}) ;uhhh… I was hoping I would be able to dial between my two extensions even though they're on two separate networks like this, but this doesn't work either

Please help… been trying almost a week. I’m glad I’ve learned a bit more from documentation and examples, but I need help.

Yours truly,
a sad sad man

#2

These settings are all incorrect.

local_net is to specify what networks are local to the machine itself, You don’t want the networks of your remote hosts defined here at all.

#3

Thank you for your response. I’ve removed these, restarted Asterisk and pjsip, and tried dialing in with the extension set to the phone at home, and it worked; changed the inbound extension to the one at the office, and it worked. I then realized that I didn’t remove the local_net=127.0.0.1/32 line, so I went back and did that, reloaded, and then it didn’t work. Then I put it back just to make sure; it didn’t work. So I took it back out once more and now I’m back to it not working. When I inspect the incoming traffic by entering the Asterisk CLI, I’m getting INVITEs, just one 100 Trying, and then it’s stuck at just trying to INVITE my phone.

#4

Local networks only need to be routable without NAT, not physically routable.

As long as they form part of the same private network, including virtual ones, the home and office network can correctly be described as local.
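The rule from replies #2 and #4 (local_net lists only networks the Asterisk host reaches without NAT) can be checked mechanically against a transport section. The following script is an added example, not code from the thread or from Asterisk; the config excerpt, host interface list and 198.51.100.7 address are constructed placeholders modelled on the original post.

```python
"""Flag local_net entries that no interface on the Asterisk host belongs to."""
import ipaddress

# Constructed excerpt modelled on the thread's transport section (placeholder addresses).
SAMPLE_CONF = """
[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0:10000
local_net=192.168.1.0/24   ;phone network at home (remote, behind its own NAT)
local_net=192.168.0.0/24   ;phone network at office (remote, behind its own NAT)
local_net=127.0.0.1/32
external_media_address=198.51.100.7
external_signaling_address=198.51.100.7
"""

# Constructed host addresses: a cloud VM with one public interface plus loopback.
HOST_INTERFACES = ["198.51.100.7/24", "127.0.0.1/8"]


def parse_sections(text):
    """Parse Asterisk-style config into {section: {key: [values]}}; repeated keys accumulate."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments and surrounding space
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].setdefault(key, []).append(value)
    return sections


def suspicious_local_nets(conf_text, host_interfaces):
    """Return (transport, local_net) pairs where no host interface address lies in the network.

    Such an entry describes a network the host cannot reach without NAT, which is
    exactly what replies #2 and #4 say local_net must not contain.
    """
    host_addrs = [ipaddress.ip_interface(i).ip for i in host_interfaces]
    findings = []
    for name, opts in parse_sections(conf_text).items():
        if opts.get("type") != ["transport"]:
            continue
        for entry in opts.get("local_net", []):
            net = ipaddress.ip_network(entry, strict=False)
            if not any(addr in net for addr in host_addrs):
                findings.append((name, entry))
    return findings
```

Running it on the excerpt reports the two remote phone networks and leaves 127.0.0.1/32 alone, because loopback is genuinely local to the host.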

#5

Thank you for your response. The two phones do not share the same private network and they are not attached via a VPN tunnel. Is it possible for them to be able to communicate without setting up a VPN tunnel?

#6

A VPN tunnel is the easiest method. It may be possible by other means depending on how the phone and routers cope with NAT and SIP, but I would attempt it as a beginner.