NEED MORE INFO Connecting to Incredible Pi behind NAT

[sarichter]

I have Incredible Pi running on my Raspberry Pi behind a router running Tomato 1.28.
I can use the softphone on my computer that is on the same network as the Raspberry Pi as well as my android cell phone running Sipdroid.

However, when I try to connect with Sipdroid from outside my network using the public IP for my home internet connection it refuses to connect.

To my know knowledge, I forwarded the appropriate ports (i.e. RTP range, SIP port) to the local IP for my Raspberry Pi. I have also turned off the NAT helpers for SIP on my Tomato-based router because I have read that they interfere with data transmission.

I still have nothing... any help would be greatly appreciated! I'm almost there...

 

[leemason]

Do you have iptables configured on the Pi to allow inbound traffic to accepted from any address? You could temporarily stop iptables just to see if this makes any different but obviously you would not want to do that for long. I any cause it's a fairly bad idea to have 5060 generally open as it's an invitation to hackers.

 

[sarichter]

Do you have iptables configured on the Pi to allow inbound traffic to accepted from any address? You could temporarily stop iptables just to see if this makes any different but obviously you would not want to do that for long. I any cause it's a fairly bad idea to have 5060 generally open as it's an invitation to hackers.

I must have missed that part of the configuration because I didn't read about anything with iptables. Do you have a link?

I took a look and I don't have an iptables files at all. This was a fresh install of Incredible PBX and it doesn't come with a sample iptables? I can't seem to find anything on the web on how to set one up. Any ideas?

Thanks for your response!

 

[wardmundy]

You did read the tutorial, right?? You need to follow the Travelin' Man 3 tutorial to set it up.

 

[sarichter]

You did read the tutorial, right?? You need to follow the Travelin' Man 3 tutorial to set it up.

I didn't know I had to do that... but I tried to run it and got as far as trying to download travelinman3.tar.gz and it won't let me. Basically says it can't connect. I can see it on my network and I have SSH access to the Pi. However, my Pi cannot see the internet after I ran secure-iptables.

 

[sarichter]

I followed the tutorial step-by-step but to no avail. I don't understand why it won't work because I'm pretty much starting from a fresh install so it's not like I modified a bunch of settings. The system works from within the network, but I still can't reach the outside.

 

[wardmundy]

You didn't have to install it. It's already installed. You just have to configure it for your environment by running /root/secure-iptables and then /root/add-ip or /root/add-fqdn to add additional IP addresses to your whitelist.

Not sure I know what you mean by "can't reach the outside." IPtables has no effect on your calling out. It protects the system from SIP devices trying to connect from outside your LAN.

 

[sarichter]

You didn't have to install it. It's already installed. You just have to configure it for your environment by running /root/secure-iptables and then /root/add-ip or /root/add-fqdn to add additional IP addresses to your whitelist.

Not sure I know what you mean by "can't reach the outside." IPtables has no effect on your calling out. It protects the system from SIP devices trying to connect from outside your LAN.

I did configure them and added the IP of my phone to try and connect. No dice... I am thinking it's Tomato preventing the connection because the Pi can't even see the public IP address on the network. I type in 'status' and the Pi shows no IP address but everything seems to be up and running.

 

[wardmundy]

Incredible Pi will run without an IP address. You just can't make any calls... but it sounds like you've already figured that out.

 

[sarichter]

Incredible Pi will run without an IP address. You just can't make any calls... but it sounds like you've already figured that out.

Well what I don't understand is that I can make calls from behind the router but I can't from outside after I configured the iptables to allow my cell phone IP even with the ports forwarded properly.

 

[wardmundy]

Are you forwarding UDP 5060 from Tomato to the IP address of your Raspberry Pi? The packets have to know how to find their way to your server.

 

[sarichter]

Are you forwarding UDP 5060 from Tomato to the IP address of your Raspberry Pi? The packets have to know how to find their way to your server.

Yep... forwarding that port and the RTP ports as well. Triple checked to make sure that they are forwarded to the correct IP address in Tomato as well as the ports in FreePBX UI.

 

[wardmundy]

1. You're going to need to monitor the Asterisk CLI (asterisk -rvvvvvvvvvv) while attempting to connect from outside your network with SIPdroid AND report back what you see. If you see nothing, then it's either a router problem or an IPtables problem or a SIPdroid problem.

2. To rule out IPtables, do the following from the command console only NOT from an SSH session (or you'll lock yourself out and have to reboot Incredible Pi).

iptables -F
iptables -P INPUT ACCEPT
iptables -nL

At this point, you have effectively disabled all IPtables filters by allowing everything to pass in and out of Incredible Pi. DO NOT LEAVE YOUR SERVER IN THIS STATE FOR MORE THAN A COUPLE MINUTES!!! Now attempt to connect from your remote phone again and watch the Asterisk CLI. Report results.

3. If there is nothing shown on the CLI, then your hardware firewall is blocking the connection assuming you have properly configured SIPdroid. Report the results.

4. If the connection is allowed, then there is an IPtables issue. Report the results.

5. If you still can't connect, post the results shown in the Asterisk CLI while attempting to make the connection. If nothing is shown, it's either a SIPdroid configuration problem or your hardware firewall is blocking the connection. Check the log of your hardware firewall and post the results.

DON'T FORGET TO RELOAD IPTABLES!!! Either reboot the Raspberry Pi or...

iptables-restore /etc/network/iptables
iptables -nL

6. If you were able to connect with IPtables wide open, then post the results from running iptables -nL (sanitized with fake IP addresses that you can match to your real ones once we find the problem), and we'll go from there.


PLEASE POST YOUR RESULTS FROM EACH STEP # ABOVE if you need additional assistance.

 

[sarichter]

1. You're going to need to monitor the Asterisk CLI (asterisk -rvvvvvvvvvv) while attempting to connect from outside your network with SIPdroid AND report back what you see. If you see nothing, then it's either a router problem or an IPtables problem or a SIPdroid problem.

2. To rule out IPtables, do the following from the command console only NOT from an SSH session (or you'll lock yourself out and have to reboot Incredible Pi).

iptables -F
iptables -P INPUT ACCEPT
iptables -nL

At this point, you have effectively disabled all IPtables filters by allowing everything to pass in and out of Incredible Pi. DO NOT LEAVE YOUR SERVER IN THIS STATE FOR MORE THAN A COUPLE MINUTES!!! Now attempt to connect from your remote phone again and watch the Asterisk CLI. Report results.

3. If there is nothing shown on the CLI, then your hardware firewall is blocking the connection assuming you have properly configured SIPdroid. Report the results.

4. If the connection is allowed, then there is an IPtables issue. Report the results.

5. If you still can't connect, post the results shown in the Asterisk CLI while attempting to make the connection. If nothing is shown, it's either a SIPdroid configuration problem or your hardware firewall is blocking the connection. Check the log of your hardware firewall and post the results.

DON'T FORGET TO RELOAD IPTABLES!!! Either reboot the Raspberry Pi or...

iptables-restore /etc/network/iptables
iptables -nL

6. If you were able to connect with IPtables wide open, then post the results from running iptables -nL (sanitized with fake IP addresses that you can match to your real ones once we find the problem), and we'll go from there.


PLEASE POST YOUR RESULTS FROM EACH STEP # ABOVE if you need additional assistance.

OK... I got somewhere. Here are the results from the steps:

1. I saw nothing from 'asterisk -rvvvvvvvvvv'
2. I disabled IPtables and I did notice that Sipdroid would not 'timeout' but would get a different error message 'Bad Auth'. (I know I have put the proper authorization information in because it works fine when my phone is connected to the network behind the router).
3. I checked my firewall and did not find any BLOCKED warnings. I saw nothing but ACCEPT lines that were directed toward the local IP of the Pi on port 5060.
4. No connection was allowed.
5. There was nothing in Asterisk CLI while attempting to connect to report. The firewall is not blocking the connection. I don't see how I could possibly not have set up Sipdroid properly. There aren't too many things to set up.

I can only assume that IPtables is blocking the connection per Step #2.
However, I still cannot connect so Sipdroid is either not setup correctly or something is not working properly in my FreePBX setup (which I don't think is the case because I haven't done anything different then the tutorials).

My Sipdroid settings:

Authorization Username: 'my three digit extension number'
Password: 'my extension password'
Server or Proxy: 'my public IP address'
Domain:
Username:
Port: 5060
Protocol: UDP
Use 3G: 'checked'

 

[rossiv]

Something had to show up if you got a bad auth back. I generally see something about bad ACL or some such in the CLI. Did you change your permit/deny statements in FreePBX?

 

[sarichter]

Something had to show up if you got a bad auth back. I generally see something about bad ACL or some such in the CLI. Did you change your permit/deny statements in FreePBX?

I typed in that line 'asterisk -rvvvvvvvvvv' and I got a message about no warranty and that's it. Nothing else.

 

[wardmundy]

SIPdroid is not my favorite test bed. Try the same tests with the YateClient and let's see what we see. If you're getting nothing on the Asterisk CLI even with IPtables completely disabled, then you've typically got a firewall problem. But let's try the YateClient before we rule out a client issue.

 

[sarichter]

SIPdroid is not my favorite test bed. Try the same tests with the YateClient and let's see what we see. If you're getting nothing on the Asterisk CLI even with IPtables completely disabled, then you've typically got a firewall problem. But let's try the YateClient before we rule out a client issue.

Sorry it took me so long to respond (lots of overtime at work lately). I have successfully used YateClient on my desktop to make calls. I just can't with my cellphone outside of my local network. If I'm on my local network, Sipdroid works. I can't imagine it being a Sipdroid configuration problem since it works perfectly fine on the local network (just not off the network). I can't seem to find any information about Tomato and SIP that is useful via google. I'm forwarding the correct ports to the correct local IP address. It just doesn't seem to want to connect.

 

[wardmundy]

Just to make sure we haven't missed something obvious...

You did try disabling IPtables and attempting the connection, but saw nothing on the Asterisk CLI? Correct??

 

[sarichter]

Just to make sure we haven't missed something obvious...

You did try disabling IPtables and attempting the connection, but saw nothing on the Asterisk CLI? Correct??

I did disable IPtables per your tutorial above and saw nothing on the Asterisk CLI. However, my router just died (go figure). I can't get it to respond to pings and there is no IP address response. I am now using a backup router and will be purchasing a new one shortly. I'll have to set that new on up and see if it will work! I'll report in to see if it was just my dieing router that was the problem.