Incoming call - I do not hear the caller / Telekom VOIP

Hello my dears,

I am busy now for about 3 weeks with Asterisk and have a problem that I do not get solved. If I select from my SIP ZoiPer client on Android out and my interlocutor is tuned he can hear me and I him too. If I get a call from outside then I can hear the caller but he does not hear me. I look in the statistics of the SIP ZoiPer client so only see outgoing Träffik. Seems to be clear. Either codec or RTP Träffik does not fit! Right here I’m stuck. In my opinion, I’m trying everything to analyze network traffic on the network layer with Wireshark. I just can not find the problem. So you can help me, I’ll post you my network structure, my Asterisk configuration files and an excerpt of my incoming and outgoing network traffic. Arranged after call from my private network and from the public network.


My Asterisk server has the IP address 192.168.140.20 and the DNS name “asterisk.intern.example.com”. My SIP ZoiPer client has the IP address 192.168.30.129 and the DNS name “sgsthme01.intern.example.com”.
pjsip.conf

;=========== General settings ===========
[global]
type=global
user_agent=Asterisk PBX
endpoint_identifier_order=ip,username
default_from_user=0abcd900855      
[transport-tcp-nat]
type=transport
protocol=tcp
bind=192.168.140.20:5070
local_net=192.168.0.0/16
external_media_address=example.com
external_signaling_address=example.com


[transport-udp-nat]
type=transport
protocol=udp
bind=192.168.140.20:5070
local_net=192.168.0.0/16
external_media_address=example.com
external_signaling_address=exemple.com


[telekom_0abcd900855]
type=registration
transport=transport-udp-nat
outbound_auth=telekom_0abcd900855_auth
outbound_proxy = sip:+49abcd900855@tel.t-online.de:5060\;lr
server_uri=sip:tel.t-online.de:5060
client_uri=sip:+49abcd900855@tel.t-online.de:5060
contact_user=0abcd900855
retry_interval=60
forbidden_retry_interval=60
expiration=480
auth_rejection_permanent=false


[telekom_0abcd900857]
type=registration
transport=transport-udp-nat
outbound_auth=telekom_0abcd900857_auth
outbound_proxy = sip:+49abcd900857@tel.t-online.de:5060\;lr
server_uri=sip:tel.t-online.de:5060
client_uri=sip:+49abcd900857@tel.t-online.de:5060
contact_user=0abcd900857
retry_interval=60
forbidden_retry_interval=60
expiration=480
auth_rejection_permanent=false


[telekom_0abcd900855_auth]
type=auth
auth_type=userpass
password=yyyyyyyy:zzzzzzzzzzzz-0001@t-online.de
username=0abcd900855
realm=tel.t-online.de


[telekom_0abcd900857_auth]
type=auth
auth_type=userpass
password=yyyyyyyy:zzzzzzzzzzzz-0001@t-online.de
username=0abcd900857
realm=tel.t-online.de


[telekom_0abcd900855_out]
type=endpoint
transport=transport-udp-nat
context=unspecified
disallow=all
allow=g722
allow=alaw
outbound_auth=telekom_0abcd900855_auth
outbound_proxy = sip:+49abcd900855@tel.t-online.de:5060\;lr
aors=telekom_0abcd900855_out
callerid=0abcd900855
from_user=0abcd900855
from_domain=tel.t-online.de
timers=no
rtp_symmetric=yes
force_rport=yes
ice_support=yes
rewrite_contact=yes
direct_media=no


[telekom_0abcd900857_out]
type=endpoint
transport=transport-udp-nat
context=unspecified
disallow=all
allow=g722
allow=alaw
outbound_auth=telekom_0abcd900857_auth
outbound_proxy = sip:+49abcd900857@tel.t-online.de:5060\;lr
aors=telekom_0abcd900857_out
callerid=0abcd900857
from_user=0abcd900875
from_domain=tel.t-online.de
timers=no
rtp_symmetric=yes
force_rport=yes
ice_support=yes
rewrite_contact=yes
direct_media=no


[telekom_0abcd900855_out]
type=aor
contact=sip:+49abcd900855@tel.t-online.de


[telekom_0abcd900857_out]
type=aor
contact=sip:+49abcd900857@tel.t-online.de


[telekom_0abcd900855_in]
type=endpoint
transport=transport-udp-nat
context=telekom_0abcd900855_in
disallow=all
allow=g722
allow=alaw
outbound_auth=telekom_0abcd900855_auth
timers=no
rtp_symmetric=yes
force_rport=yes
ice_support=yes
rewrite_contact=yes
direct_media=no
media_use_received_transport=yes


[telekom_0abcd900855_in]
type=identify
endpoint=telekom_0abcd900855_in
match=217.0.0.0/13


[sgsthme01]
type=endpoint
transport=transport-udp-nat
context=internalsip
disallow=all
allow=g722
allow=alaw
auth=auth-sgsthme01
aors=sgsthme01
mailboxes=wie in voicemail.conf definiert
direct_media=no


[auth-sgsthme01]
type=auth
auth_type=userpass
username=sgsthme01
password=zzzzzzzzz
realm=sgsthme01realm


[sgsthme01]
type=aor
max_contacts=1
remove_existing=true


[sgsthme01]
type=identify
endpoint=sgsthme01
match=192.168.30.129
match=192.168.190.65


[ipmanme01]
type=endpoint
transport=transport-udp-nat
context=internalsip
disallow=all
allow=g722
allow=alaw
auth=auth-ipmanme01
aors=ipmanme01
mailboxes=wie in voicemail.conf definiert


[auth-ipmanme01]
type=auth
auth_type=userpass
username=ipmanme01
password=zzzzzzzzz
realm=ipmanme01realm


[ipmanme01]
type=aor
max_contacts=1
remove_existing=true


[ipmanme01]
type=identify
endpoint=ipmanme01
match=192.168.30.132


;=========== ACL's ===========
[acl]
type=acl
deny=0.0.0.0/0.0.0.0
permit=217.0.0.0/13
permit=192.168.0.0/16

extensions.conf

[general]
static=yes
writeprotect=yes
autofallthrough=yes
extenpatternmatchnew=no
clearglobalvars=no
userscontext=unspecified


[unspecified]
exten => _X.,1,Answer()
same => n,Verbose(D E F A U L T ==> ${CALLERID(num)} kam um ${STRFTIME(${EPOCH},,%Y%m%d-%H%M%S)} in UNSPECIFIED an, als es versuchte die Nummer ${EXTEN} anzurufen.)
  same => n,Playback(No_permissions)
  same => n,Hangup()

[internalsip]
; direkt einzelne User anwaehlen
exten => sgsthme01,1,Dial(PJSIP/sgsthme01)
exten => ipmanme01,1,Dial(PJSIP/ipmanme01)

;Mailboxabfrage von intern ohne PIN
exten => mailboxname,1,VoiceMailMain(mailboxname@VoiceMailContext,s)
exten => 5201,1,VoiceMailMain(5201@VoiceMail1,s)


;National, mit +49 gewaehlt
exten => _+49ZXX!.,1,Dial(PJSIP/telekom_0abcd900855_out/sip:0${EXTEN:3}@tel.t-online.de,60)
exten => _+49ZXX!.,n,Hangup()

;International
exten => _+X.,1,NoOp(Blocked: ${EXTEN})
  same => n,Playback(sorry-cant-let-you-do-that)
  same => n,Hangup()
exten => _00X.,1,NoOp(Blocked: ${EXTEN})
  same => n,Playback(sorry-cant-let-you-do-that)
  same => n,Hangup()

;National, mit 0 vorneweg
exten => _0Z.,1,Dial(PJSIP/telekom_0abcd900855_out/sip:${EXTEN}@tel.t-online.de,60)
exten => _0Z.,n,Hangup()
;Ortsnetz
exten => _Z.,1,Dial(PJSIP/telekom_0abcd900855_out/sip:${EXTEN}@tel.t-online.de,60)
exten => _Z.,n,Hangup()

;Notrufe gehen immer
exten => 110,1,Dial(PJSIP/telekom_0abcd900855_out/sip:110@tel.t-online.de,60)
exten => 110,n,Hangup()
exten => 112,1,Dial(PJSIP/telekom_0abcd900855_out/sip:112@tel.t-online.de,60)
exten => 112,n,Hangup()


; ********* Kostenpflichtige Sondernummern ***********
exten => _0137Z.,1,NoOp(Blocked: ${EXTEN}) ;Servicenummern für TeleVoting
  same => n,Playback(sorry-cant-let-you-do-that3)
  same => n,Hangup()
exten => _0138Z.,1,NoOp(Blocked: ${EXTEN})
  same => n,Playback(sorry-cant-let-you-do-that3)
  same => n,Hangup()
exten => _0180Z.,1,NoOp(Blocked: ${EXTEN}) ;Servicenummern für Service-Dienste
  same => n,Playback(sorry-cant-let-you-do-that3)
  same => n,Hangup()
exten => _0181Z.,1,NoOp(Blocked: ${EXTEN}) ;Zugang zu VPN, Kunden-Hotline
  same => n,Playback(sorry-cant-let-you-do-that3)
  same => n,Hangup()
exten => _0182Z.,1,NoOp(Blocked: ${EXTEN})
  same => n,Playback(sorry-cant-let-you-do-that3)
  same => n,Hangup()
exten => _0183Z.,1,NoOp(Blocked: ${EXTEN})
  same => n,Playback(sorry-cant-let-you-do-that3)
  same => n,Hangup()
exten => _0184Z.,1,NoOp(Blocked: ${EXTEN})
  same => n,Playback(sorry-cant-let-you-do-that3)
  same => n,Hangup()
exten => _0185Z.,1,NoOp(Blocked: ${EXTEN})
  same => n,Playback(sorry-cant-let-you-do-that3)
  same => n,Hangup()
exten => _0186Z.,1,NoOp(Blocked: ${EXTEN})
  same => n,Playback(sorry-cant-let-you-do-that3)
  same => n,Hangup()
exten => _0187Z.,1,NoOp(Blocked: ${EXTEN})
  same => n,Playback(sorry-cant-let-you-do-that3)
  same => n,Hangup()
exten => _0188Z.,1,NoOp(Blocked: ${EXTEN})
  same => n,Playback(sorry-cant-let-you-do-that3)
  same => n,Hangup()
exten => _032Z.,1,NoOp(Blocked: ${EXTEN}) ;Vorwahl für Internettelefonie-Nutzer
  same => n,Playback(sorry-cant-let-you-do-that3)
  same => n,Hangup()
exten => _0700Z.,1,NoOp(Blocked: ${EXTEN}) ;persönliche Rufnummer 0700
  same => n,Playback(sorry-cant-let-you-do-that3)
  same => n,Hangup()
exten => _09001Z.,1,NoOp(Blocked: ${EXTEN}) ;Premiumdienste Information
  same => n,Playback(sorry-cant-let-you-do-that3)
  same => n,Hangup()
exten => _09003Z.,1,NoOp(Blocked: ${EXTEN}) ;Premiumdienste Unterhaltung
  same => n,Playback(sorry-cant-let-you-do-that3)
  same => n,Hangup()
exten => _09005Z.,1,NoOp(Blocked: ${EXTEN}) ;Premiumdienste Sonstiges, Erotik
  same => n,Playback(sorry-cant-let-you-do-that3)
  same => n,Hangup()
exten => _09009Z.,1,NoOp(Blocked: ${EXTEN}) ;Dialer
 same => n,Playback(sorry-cant-let-you-do-that3)
 same => n,Hangup()


exten => 0abcd900855,1,Dial(PJSIP/sgsthme01,30)
exten => 0abcd900855,n,VoiceMail(mailboxname@mailboxcontext)
exten => 0abcd900855,n,Hangup()


[telekom_0abcd900855_in]
exten => 0abcd900855,1,Dial(PJSIP/sgsthme01,30)
  same => n,Playback(Ansagetext)
  same => n,VoiceMail(mailboxname@mailboxcontext)
  same => n,Hangup()

rtp.conf

[general]
rtpstart=30000
rtpend=31000
rtcpinterval=9998
rtpchecksums=no
strictrtp=no
icesupport=yes
stunaddr=stun.t-online.de:3478

I have set up the following port forwarding on the firewall of the OpenWRT router.

IPv4-UDP
Von IP range 217.0.0.0/13 in wan
Über IP 192.168.0.2 an port 5060	
IP 192.168.140.20, port 5060 in voip	

IPv4-UDP
Von IP range 217.0.0.0/13 in wan
Über IP 192.168.0.2 an port 5070	
IP 192.168.140.20, port 5070 in voip	

IPv4-UDP
Von IP range 217.0.0.0/13 in wan mit Quell-port 3478
Über IP 192.168.0.2 an ports 30000-31000	
IP 192.168.140.20, ports 30000-31000 in voip	

IPv4-UDP
Von IP range 217.0.0.0/13 in wan
Über IP 192.168.0.2 an ports 7078-7109	
IP 192.168.140.20, ports 7078-7109 in voip

Do you have a tip for me? I could also supply you with two cap files. Once a connection from internal to external and vice versa.

Greeting from Stefan

This is a complex setup, please reduce it to a minimum that still shows the audio problems. Audio problems are usually some kind of NAT problem, but do you really except someone to study your VLAN maze?

If a device claims to be smart, then it is usually dump as stump and I doubt that the bulk article Speedport for private customers allows to change certain internal settings in case this turns out to be necessary.