Asterisk on a multihomed box

Hi,

I am running Asterisk on a multihomed box – one Ethernet card having a public IP and another having a private IP.

While the IAX works fine (I am able to register with an IAX client and other IAX peers), SIP works only on the Internal Interface – I am able to register as a SIP client from a device on the Internal Interface only. I am unable to register a SIP client with a public IP. Likewise, I am unable to register Asterisk with a SIP provider as a peer.

However, when I use a client (such as Xlite or otherwise) I am able to register just fine. This rules out the possibility of my ISP blocking ports.

I tried using a sniffer on the asterisk box but I don’t see any SIP packets either coming into the asterisk box or going out of the asterisk box via the external interface.

Any pointers would be welcome. If you would need any more info on my system settings, please let me know and I will be only too happy to provide them.

Cheers,
Krish

Sip (without help) is flaky across the net

voip-info.org/wiki/view/Aste … +solutions

There are also settings you need to set up on the users.

Now when you say PUBLIC IP, you do have a firewall, right???
There are ports for IAX as well as SIP which must be forwarded / opened for SIP to function.
pbx4pros.com/forum/viewtopic.php?t=6

Well, Asterisk is running on the Firewall. The Firewall is a linux box with default policies set to deny and specific ports opened. Therefore, there is no question of SIP packets being NAT’ed.

So, in that sense, technically, asterisk should be listening on port 5060 on both interfaces since I have not bound it to any specific interface. However, responses are forthcoming only from the internal interface and not the external interface.

I have tried sending a UDP packet to port 5060 from external hosts and traceroutes come out fine. I have also checked with my ISP and neither 5060 nor ports 10000-19000 are blocked.

I also need to do another test … I need to capture a dump and see whether there are any udp packets going out of the external interface when I try to register on an external SIP server.

However, IAX works just fine and I am using IAX trunks to connect to those VoIP providers who offer IAX termination.

Do you have anything defined under localnet settings in your sip.conf?

Nope …
All I have is this

bindport=5060
bindaddr=0.0.0.0

Do you think I should set externip & localnet ?

No, not if your Asterisk box is not NATed through a firewall. If you are running on a Linux box using IPtables make sure that the external interface has all RTP ports (UDP) open (check rtp.conf). I have run several multihomed Asterisk servers and the only problems that I have had have been routing. I tend to restrict the range of ports used for RTP so that you don’t have to open up too many. The other thing to check is your default gateway. It must be pointing out through the external interface and not the internal.

Well, UDP port 5060 and RTP Ports 10000-20000 are open for now – both ways in both interfaces. Also routing is proper. Other protocols (both tcp and udp) are working fine.

The improvement though is this … I have been trying to connect with my Nokia E61 from my house to my office.

I am giving below the output of tcpdump. It seems that the Nokia is sending the request for registration but there is no response from Asterisk

00:09:57.171014 IP BTNL-TN-DSL-static-005.1.144.59.airtelbroadband.in.5060 > dsl-Chn-static-183.42.101.203.airtelbroadband.in.3478: UDP, length 20

Cheers,
Krish

Any help appreciated …

This is the issue which is coming in the way of an implementation for my Company …

Thanks in advance.

Publish your rtp.conf and your sip.conf here, perhaps we can discover something strange…

Here is my SIP.CONF

[general]
bindport=5060
bindaddr=0.0.0.0
context=incoming
srvlookup=yes
dtmfmode=rfc2833
UserAgent=Asterisk

; External SIP registrations
register => 1NNNNNNNNN:XXXXXXXX@proxy01.sipphone.com

; Outgoing settings for AudioCodes VoIP-PSTN G/w
;[pstn-out]
;type=peer
;username=mp_fxo
;secret=''
;context=internal
;dtmfmode=inband
;host=192.168.1.125
;allow=ulaw
;nat=no
;qualify=yes

; Incoming settings for AudioCodes VoIP-PSTN G/w
;[pstn-in]
;type=user
;context=default
;dtmfmode=inband
;host=192.168.1.125
;nat=never
;canreinvite=no
;insecure=invite

[pstn]
type=friend
username=mp_fxo
secret=''
context=incoming
dtmfmode=inband
host=192.168.1.125
allow=ulaw
nat=no
qualify=yes
insecure=invite

[100]
type=friend
callerid=("Operator" <100>)
username=100
secret=1234
regexten=100
host=dynamic
qualify=yes
nat=no
canreinvite=no
context=internal

… and so on

RTP.CONF is as under:

;
; RTP Configuration
;
[general]
;
; RTP start and RTP end configure start and end addresses
;
; Defaults are rtpstart=5000 and rtpend=31000
;
rtpstart=10000
rtpend=20000
;
; Whether to enable or disable UDP checksums on RTP traffic
;
;rtpchecksums=no
;
; The amount of time a DTMF digit with no 'end' marker should be
; allowed to continue (in 'samples', 1/8000 of a second)
;
;dtmftimeout=3000

Hope these help throw some light …

Ok, I’m not an expert but I have asterisk running for a few years on SIP now, also on the same machine where my firewalls runs. So let’s try some things.

First, try setting srvlookup=no, to be sure it’s not a DNS problem you’re dealing with.

Then, in my setup it is spelled useragent instead of UserAgent. I know this sounds silly, but I have been looking for an entire day for an Asterisk configuration problem which was caused by an extra space in a config-file…

Then the register command, I assume you are not literally using “1NNNNNNNNN:XXXXXXXX” but something valid to sipphone.com? Don’t laugh, you wouldn’t be the first one… :open_mouth:

I would insert:
localnet=192.168.0.0/255.255.0.0; All RFC 1918 addresses are local networks
localnet=10.0.0.0/255.0.0.0 ; Also RFC1918
just to be sure…

What section are you using for sipphone.com? If it is the pstn part, host=192.168.1.125 seems strange to me; I would expect something like host=sipphone.com there…

If it is the [100] section, why would you choose context name “internal” then?

I suspect you are missing something like this:
[sipphone]
type=friend
host=sip.voipbuster.com ; change this
username=sipphoneusername
fromuser=sipphoneusername
secret=sipphone password
context=from_sipphone
disallow=all
allow=ulaw
allow=alaw
insecure=port,invite
qualify=yes
dtmfmode=auto

This should be below your register command, somehow register commands in these sections do not seem to work.

As said, I’m not an expert, but perhaps some of my suggestions help you out…

Would definitely like to get this working

I have checked that out. This is also the DNS server for the rest of the nodes on my office network.

I will make this change now and check.

While I don’t fault you for asking that question, yes, I am using a valid number and password – valid to sipphone.com

[quote]I would insert:
localnet=192.168.0.0/255.255.0.0; All RFC 1918 addresses are local networks
localnet=10.0.0.0/255.0.0.0 ; Also RFC1918
just to be sure…[/quote]

Will do.

This section is to allow a connect to my AudioCodes MP-104 PSTN Gateway. This is to use my POTS line to dial local numbers. The IP address of this gateway is 192.168.1.125

If it is the [100] section, why would you choose context name “internal” then?

[quote]
I suspect you are missing something like this:
[sipphone]
type=friend
host=sip.voipbuster.com ; change this
username=sipphoneusername
fromuser=sipphoneusername
secret=sipphone password
context=from_sipphone
disallow=all
allow=ulaw
allow=alaw
insecure=port,invite
qualify=yes
dtmfmode=auto[/quote]

Currently this is commented out. But I will go through it again and see what more can be done.

Yes it is.

Thanks a ton for all the pointers. But my issue is that I am unable to get a SIP phone to register via the public interface. For example, I am currently in Singapore on a work cum holiday trip. Even if I can find a hotspot, my Nokia E61 will not register with the Asterisk server. The same phone registers fine when I am within my office network in India. Get the point …

However, if you can throw some more light, it would be good.

Thanks for all the inputs up to now.

anything show up in the asterisk log if you turn on SIP debugging?

OK, I think maybe you fell for some Hype about wifi SIP phones

Using a REAL HOTSPOT will not work many times for this.
Your home wireless is not a REAL HOTSPOT, and it may work with many home-brewed areas which allow others to surf using their inet connection.

A real “hotspot” (one setup correctly) would never allow you to connect and use your sip phone.
yes you may get “connected” but only have audio one way if audio at all.

If they are using a bundled software / hardware hotspot package they would have a captive DNS portal running, in other words they give you ip setup which only allows you access the portal system, at which time you must agree to the TOS, and then your connection is allowed to access the web. (they give you a dns setting which resolves everything back to the portal until you agree to the Terms Of Service)

And in many cases the system is a double system: the main Inet feed will have a private subnet and the wireless side will have a second private subnet using the first private subnet as the gateway.

Your phone would then send a request from, say, 192.168.x.x but it goes out as a 10.10.10.x, and your box’s response goes back to a 10.10.10.x IP and it never really hits your end.

this is why STUN / PROXY servers are used to “route” the packets to the correct end point.

SIP is not a good protocol by itself over the open net, it needs help to find its way.

Hotspots do not like you doing anything but surf and check email; for many we kill everything but port 80, so even email clients will not work and you must use web-based email.

I know this as I have setup “hotspots”.

@bubba - I am accessing the net from a Friend’s house in Singapore which is on a Dynamic Network – that could possibly be the reason why I am unable to get through.

I am currently on a work + holiday trip to Singapore and will be back in India on the 8th of January. Once I am back, I have a static Public IP both at home and at work and I can give more time and effort to sort this out.

However, one thing is, let alone audio not coming through, my issue is more basic – I am unable to get the phone to register in the first place. I am able to see packets coming in.

Like I said, I will get back to base and then post all logs from the * Server as well as a capture of tcpdump.

Cheers and wishing everybody on this forum a very very Happy and Prosperous 2007.

Cheers,
Krish

OK, if that is the case, have a look at the router: is the WAN IP of the router a REAL IP (can it be hit from outside) or is it a private non-routed IP?

I see this on telco DSL all the time, when the DSL modem is acting as a DHCP server and someone adds a router behind it.

If the Router has SPI (stateful Packet Inspection) turn it off for now.
SIP looks like DDOS to a “smart router” so it will block it.

[quote=“bubba”]OK, if that is the case, have a look at the router: is the WAN IP of the router a REAL IP (can it be hit from outside) or is it a private non-routed IP?

I see this on telco DSL all the time, when the DSL modem is acting as a DHCP server and someone adds a router behind it.

If the Router has SPI (stateful Packet Inspection) turn it off for now.
SIP looks like DDOS to a “smart router” so it will block it.[/quote]

The DSL router (provided by the ISP) is in bridged mode. The REAL Public IP is allotted to the external interface of the multi-homed Asterisk box.

This box does not have SPI enabled.

Cheers,
Krish

OK I was speaking of the remote setup .

But anyway this is all pointless unless Nokia has released a firmware to allow the phones to work behind NAT (cuz as far as I know they are not DESIGNED for that, hence the falling for the b.s. about the phones being marketed as “use from any hotspot”)

Does your phone have a place for STUN server setup? If not, then you are fighting a losing battle, I fear…

[quote=“bubba”]
Does your phone have a place for STUN server setup? If not, then you are fighting a losing battle, I fear…[/quote]

At this point, though the Changelog for the latest firmware says “STUN Support implemented”, it does not give any dialog box to enter SIP proxy details.

The other thing I noticed, is that when I am connecting from a Public Network, even though I define a connection port as 5060, it connects to port 3478 … strange !!

Cheers,
Krish
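
An added example, not part of any poster's message: the capture line quoted in the thread shows a 20-byte datagram to UDP 3478, which is the registered STUN port, and 20 bytes is the size of a STUN header with no attributes, so a triage helper like this one separates STUN probes from SIP signalling before anyone debugs sip.conf. The helper names and the two payload samples are constructed for illustration.

```python
import re
import struct

STUN_PORT, SIP_PORT = 3478, 5060   # IANA STUN port; bindport from sip.conf
STUN_HEADER_LEN = 20               # type(2) + length(2) + 16 bytes cookie/transaction id

LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)")

# Capture line quoted in the thread.
THREAD_LINE = ("00:09:57.171014 IP BTNL-TN-DSL-static-005.1.144.59.airtelbroadband.in.5060 > "
               "dsl-Chn-static-183.42.101.203.airtelbroadband.in.3478: UDP, length 20")

def parse_udp_line(line):
    """Return (src_port, dst_port, length) from a tcpdump UDP summary line, or None."""
    m = LINE_RE.search(line)
    return (int(m.group(2)), int(m.group(4)), int(m.group(5))) if m else None

def looks_like_stun(payload):
    """STUN: two zero top bits, then a length field equal to the bytes after the header."""
    if len(payload) < STUN_HEADER_LEN or payload[0] & 0xC0:
        return False
    (body_len,) = struct.unpack("!H", payload[2:4])
    return body_len == len(payload) - STUN_HEADER_LEN

def looks_like_sip(payload):
    """SIP is text: a request line ending in SIP/2.0, or a status line starting with it."""
    first = payload.split(b"\r\n", 1)[0]
    return first.startswith(b"SIP/2.0 ") or first.endswith(b" SIP/2.0")

def classify(dst_port, length, payload=None):
    """Label a datagram from its payload if captured, else from port and size."""
    if payload is not None:
        if looks_like_stun(payload):
            return "stun"
        if looks_like_sip(payload):
            return "sip"
        return "other"
    if dst_port == STUN_PORT and length >= STUN_HEADER_LEN and length % 4 == 0:
        return "stun (by port and size)"
    if dst_port == SIP_PORT:
        return "sip (by port)"
    return "other"

# Constructed payloads: an attribute-less Binding Request and a minimal REGISTER.
SAMPLE_STUN = struct.pack("!HH16s", 0x0001, 0, bytes(range(16)))
SAMPLE_SIP = b"REGISTER sip:pbx.example.invalid SIP/2.0\r\nCSeq: 1 REGISTER\r\n\r\n"

if __name__ == "__main__":
    src, dst, length = parse_udp_line(THREAD_LINE)
    print(src, dst, length, classify(dst, length))
```

Without a payload (the thread's tcpdump output has only the summary line) the label is a port-and-size heuristic; rerunning the capture with `tcpdump -X` gives the bytes needed for the payload checks.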