I’d like to set up an Asterisk PBX connected to a SIP-Provider over the Internet and with some SIP-Phones from the Intranet (LAN) connected to it. Shall I put it in the Intranet, the DMZ or outside the Firewall (it’s a Checkpoint FW-1 NG)? I’m allowed to make changes to the FW-Ruleset but can’t change the NAT-Setup:
Intranet -> Internet = NAT
Intranet -> DMZ = NAT
SIP seems to suck over NAT. What solution would you recommend for this SIP-setup (yes, I know IAX wouldn’t be such a pain, so don’t tell me)? And why?
What kind of Ports have you opened in which direction in your solution?
This is not hard.
Forward udp port 5060 for SIP. (why does the range of ports that people recommend constantly change? what does 5061-5090 do? I don’t think anything, and I looked it up…)
Also pick a range of ports and forward that for RTP. This is defined in rtp.conf. Default is 10k-20k, but you only need a few, 10000-10100 is fine. UDP only. Set the same portrange on firewall and rtp.conf.
In sip.conf define the following:
externip=your network’s external IP (or the one that routes to *). If you have more than one IP, make sure * is NOT load-balanced, and is bound to one IP.
localnet= your LAN mask
and you are good to go. I have this exact setup running behind NAT.
My * server runs inside of my firewall and I have no problem with SIP or IAX. You will need to open up and forward the necessary ports but outside of that my setup runs without issue…that is as long as Comcast keeps the Internet connection up, which they sometimes have trouble doing.
[quote=“IronHelix”]This is not hard.
Forward udp port 5060 for SIP. (why does the range of ports that people recommend constantly change? what does 5061-5090 do? I don’t think anything, and I looked it up…)[/quote]
According to RFC 3261 the default SIP ports are:
5060 (TCP)
5060 (UDP)
5061 (TLS over TCP)
…not more and not less.
[quote=“IronHelix”]in sip.conf define the following:
externip=your network’s external IP (or the one that routes to *). If you have more than one IP, make sure * is NOT load-balanced, and is bound to one IP.
localnet= your LAN mask[/quote]
externip= …which network’s external IP? The IP I use to hide behind (NAT) my Intranet in the DMZ (if * is in the DMZ)?
hehe I found the same thing (and * doesn’t support TLS over TCP yet as far as I know)…
over the last few months the ‘recommended port range’ has changed several times. I’ve seen (many people recommending) first 5060-5082, then 5000-6000, then 5060-8000, now 5060-5090. I am wondering who creates these numbers… :\
Anyway, for externip:
Say your network is setup like this
internet -> (65.25.35.45)-NAT-(192.168.1.1) --lan-- (192.168.1.100)-Asterisk
you would set externip= to be 65.25.35.45. The reason for this is that SIP specifically tells a remote host where to send the actual audio data; it isn’t automatically sent to the host that the request comes from. You need to put the right address in the SIP SDP packet so the audio data comes into your network.
What you’re missing is that SIP is not used to transport the voice stream, RTP is, and that uses (potentially) a range of other ports. Which is why SIP can be a nuisance, whereas with IAX it all goes on the one port.
well, the human brain is a powerful device when it comes to imagination.
[quote=“IronHelix”]Say your network is setup like this
internet → (65.25.35.45)-NAT-(192.168.1.1) --lan-- (192.168.1.100)-Asterisk[/quote]
I’m in a business environment, that’s why my network setup is similar to this:
Firewall with three interfaces:
LAN-Interface: 192.168.1.1
DMZ-Interface: 194.100.100.1
Internet-Interface: 194.100.101.1
Around the Firewall are the following networks (using the FW-interfaces as default router):
LAN-network: 192.168.1.0
DMZ-network: 194.100.100.0
Internet-network: 194.100.101.0
As I said, the LAN-network is NAT’ed to the DMZ and to the Internet (let’s say we use IP 194.100.101.10 as hiding-NAT to the world outside). The DMZ-network is not NAT’ed!
Let’s say I have a SIP-phone with the IP 192.168.1.20, the *-server with the IP 194.100.100.50 and my SIP-Provider somewhere in the internet (let’s say on the IP 87.65.43.21).
Now: What is “externip=” and what is “localnet=”?
Or do you think I should place the *-server in the LAN? I wouldn’t like to, as I’d feel much more comfortable having it in the DMZ-network.
To dswartz:
…nope, as you see we’re not missing a thing here and as I already said: I know that IAX wouldn’t be such a pain, but I just have to stick with SIP/RTP. Sometimes you just have to adjust to the world around you.
I would suggest put the * box behind NAT on the internal NAT’d network. Externip= would probably be 194.100.101.1, but if your NAT network has more than one external IP then you must ensure that only one will be used by asterisk, and put that one in externip.
Then port forward 5060 and (rtp port range) to the * box, this will work fine.
I suggest put it inside the NAT because it will make configuring SIP clients inside the NAT much easier. They will not need STUN or have to know their own external IP, they just connect to another internal IP and it deals with the NAT.
And of course set canreinvite=no…
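The two mechanisms discussed in this thread, externip/localnet rewriting the SDP media address (IronHelix’s explanation) and the RTP range having to match what the firewall forwards (the final suggestion), as an added illustration that is not part of the thread. It assumes the recommended layout: Asterisk on the LAN, externip=194.100.101.1, localnet=192.168.1.0/255.255.255.0 and the 10000-10100 UDP range from rtp.conf; the SDP body and the Asterisk LAN address are constructed sample values.

```python
import ipaddress
import re

# Constructed settings mirroring the thread's recommended layout.
EXTERNIP = "194.100.101.1"                                   # firewall's Internet address
LOCALNET = ipaddress.ip_network("192.168.1.0/255.255.255.0")  # sip.conf localnet=
RTP_START, RTP_END = 10000, 10100                            # rtp.conf range == forwarded UDP range

# Constructed SDP as Asterisk (sample LAN address 192.168.1.50) would offer it.
SAMPLE_SDP = (
    "v=0\n"
    "o=- 1 1 IN IP4 192.168.1.50\n"
    "s=Asterisk\n"
    "c=IN IP4 192.168.1.50\n"
    "t=0 0\n"
    "m=audio 10024 RTP/AVP 0 8\n"
)

def is_local(addr):
    """True when the peer sits inside localnet (a LAN phone), False for the provider."""
    return ipaddress.ip_address(addr) in LOCALNET

def rewrite_sdp(sdp, peer_addr):
    """What externip/localnet do: advertise the NAT's public address in the c= line
    to peers outside localnet; LAN phones keep seeing the private address."""
    if is_local(peer_addr):
        return sdp
    return re.sub(r"^(c=IN IP4 )(\S+)", lambda m: m.group(1) + EXTERNIP, sdp, flags=re.M)

def audit_sdp(sdp, peer_addr):
    """Reasons the media in this SDP would not make it through the firewall."""
    problems = []
    m = re.search(r"^m=audio (\d+) ", sdp, re.M)
    port = int(m.group(1)) if m else None
    if port is None or not (RTP_START <= port <= RTP_END):
        problems.append(f"RTP port {port} outside forwarded range {RTP_START}-{RTP_END}")
    conn = re.search(r"^c=IN IP4 (\S+)", sdp, re.M).group(1)
    if not is_local(peer_addr) and is_local(conn):
        problems.append(f"private address {conn} advertised to external peer {peer_addr}")
    return problems

def check_sdp(sdp, peer_addr):
    """Rewrite as Asterisk would, then audit the result."""
    out = rewrite_sdp(sdp, peer_addr)
    return out, audit_sdp(out, peer_addr)
```

Running `audit_sdp(SAMPLE_SDP, "87.65.43.21")` on the unrewritten offer shows the failure the thread describes (a 192.168.x.x address sent to the provider), which is what a missing externip= produces.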