My Asterisk box is installed in the DMZ of an IPCop firewall.
The RED interface of IPCop has a static public IP address, and all traffic directed to that address is forwarded to the PBX in the DMZ.
The IPCop also routes traffic from LAN (192.168.2.0) to DMZ (172.16.0.0), so Asterisk is reachable from LAN and Internet.
Generally speaking everything works fine, but I’m facing a strange problem when remote SIP clients aren’t NATted and have a public IP address, that is they are connected to Internet via a bridge/modem rather than behind a firewall/router: the audio is only one-way, from Asterisk to the client, although one of the parties (the remote client) has a public IP address. If the remote client is instead behind a router - and indeed there is a double NAT - , it perfectly works and the audio is two-ways.
The following are the non-working scenarios (call flow from left to right, ‘->’ is the audio direction):
[color=red]SIP UA (public IP) -> bridge[/color] -> Internet -> RED|IPCop|DMZ -> Asterisk/chan_zap -> PSTN -> U
[color=red]SIP UA (public IP) -> bridge[/color] -> Internet -> RED|IPCop|DMZ -> Asterisk/chan_sip -> SIP UA (inside LAN/outside LAN)
These ones are the working scenario (call flow from left to right, ‘<->’ means audio in both directions):
[color=blue]SIP UA (private IP) <-> router (public IP)[/color] <-> Internet <-> RED|IPCop|DMZ <-> Asterisk/chan_zap <-> PSTN <-> U
[color=blue]SIP UA (private IP) <-> router (public IP)[/color] <-> Internet <-> RED|IPCop|DMZ <-> Asterisk/chan_sip <-> SIP UA (inside LAN/outside LAN)
I wonder at the fact that the most easy scenario is the only not working. Maybe a bug in Asterisk? Do I really have to prevent all remote clients from using a bridge and put them inside a private network class behind a router? Any idea, please? If it could help, I can supply tcpdump logs for traffic analysis.
Why not try configuring the sip.conf for each client that is using a bridge type configuration with nat=no and see what happens. The problem has to be with the ports being blocked in one direction but I am not sure at which point it would be. Try the above as a test and see what happens.
If it works fine with other users connecting via the internet then i can’t see how it can be anything other than a problem with the client’s firewall, NAT, network or phone config. Maybe their modem, router, or whatever isn’t doing what they think it is.
I was able to replicate the exact situation by myself: whatever client connecting to the Internet via a bridge (so that its ethernet interface has a public IP address instead of a private one) suffers this issue. I tried using a 56kbps modem, an USB ADSL modem and an ethernet router configured as a bridge. Client’s personal firewall was turned off, I looked at it as the first thing. If I give to that pc a private IP address and put it behind a router, then it works like a charm! I thought it could be something related to SIP… but before posting a bug report I’d prefer to hear from someone else if this scenario has already been tested and the configuration used.
Well, i’m not sure if my configuration is exactly what you’re describing, but my ADSL connection is using the modem/router in bridged mode - with PPPoE running on my linux box and the modem/router doing the ATM part and bridging ATM to ethernet. That sounds like what you’re describing.
I run Asterisk on the linux box and i have no problems with SIP connections from the Asterisk box and the various ITSPs i use. I don’t know how many of them are using Asterisk though - if any.
Yes, of course (see also my answer on Wed Nov 16, 2005 8:32 pm).
I’m going to make another test: I’ll move the Asterisk inside the LAN, so it will be in the same network of internal clients and NATted as well as now for external ones (it only needs that PAT settings are changed on firewall), and want to see what will happen. I just want to exclude that this issue is concerning IPCop’s DMZ…
I’ve run into this problem a fair number of times with softphones. Its hard to predict sometimes what exactly NAT’s, Firewalls, Proxies, Routers and other internet goodies on the internet will do to your SIP connection. Have you tried any softphones with IAX protocol? I’ve been using Firefy as an alternative phone for users who encounter this. Works pretty good and 99.9% of the time it works perfectly for us.
[quote=“DicksonC”]I’ve run into this problem a fair number of times with softphones. Its hard to predict sometimes what exactly NAT’s, Firewalls, Proxies, Routers and other internet goodies on the internet will do to your SIP connection. Have you tried any softphones with IAX protocol? I’ve been using Firefy as an alternative phone for users who encounter this. Works pretty good and 99.9% of the time it works perfectly for us.