NAT questions

jaray

I am moving my pbx to behind my router finally and have to use dynamic DNS now. I've pretty much read all I can about what ports to open for phones outside to work.
I have 2 phones outside the network on public IP space, and a couple inside as well as a Linksys SPA gateway using private IP space.
I have opened on my router the SIP ports ranged 5004-5082 for SIP and 10,000 - 20,000 for RTP (voice).
My phone outside the network has the 1 way audio problem.
I edited the info needed in /etc/asterisk/sip_custom with my dynamic dns info as well.
My one question is outside phones registering using port 5060.
Doesn't the fact that my inside phones and my SPA gateway are all using 5060 mean that port can't be used again for my outside phone? Or does port re-use behind the router not matter?
I've always had my PBX on a public static IP so have never had to deal with the firewall fight yet.

Any help would be appreciated...
 
Shouldn't it be /etc/asterisk/sip_nat.conf that you enter your dynamic DNS info in? I've got mine set up on a fixed IP but behind a router/firewall, so while the settings are a little different they are still done in the same place, and remote extensions work ok for me.
 
I would say it's best to not even mess with the sip_nat.conf file and go to FreePBX and find the SIP Conf module (can't remember the exact name now) and configure your nat settings in there (this module directly edits the sip_nat.conf file). All of my nat and local network settings are in there and it works great. Plus you can enter a dynamic DNS entry in there for dynamic IP changes and you can also tell it how often to check that address for changes.

Quite nice if you ask me.

And I just went through the whole '1-way audio' issue that you are having now. Opening the ports and then turning nat to yes (or always or whatever it is) should help.
 
Great suggestions. I read some of Ward's instructions on the site and they mentioned to make the NAT entries in /etc/asterisk/sip_custom.conf. A different site said to put them in sip_nat.conf. I elected to just put them in sip_custom.conf. I had a phone registered earlier with 2-way audio but later on it became 1-way audio when I made no changes.
I don't have a problem getting the phone to register though at this time, just the audio. The pbx won't even recognize when I press a button to enter a voicemail password etc so I know communication back to the pbx is getting cut off.

tm1000, I would like to pick your brain a little more since it sounds like you got it all working quite well. Are you describing the /etc/asterisk/sip_custom.conf file that you edited or some other file? When I do edit that, it does not populate my sip_nat.conf file with anything...it's just empty.
 
No, I think he's suggesting settings in FreePBX itself, have a look under Tools > System Administration > Asterisk SIP Settings... I've never used this for my settings, as I say I have manually edited sip_nat.conf in the past, but it does give you a big warning about sip_nat.conf overriding these settings so I guess this is the more up to date way of going about it....

I've got a feeling this SIP Settings only appeared since FreePBX 2.6, but I could be wrong on that.
 
You're correct, 2.5 does not have Asterisk SIP Settings. I just don't know what I'm missing here. I'm pretty up on port forwarding, NAT issues etc and in theory port forwarding to get a phone working through NAT is not hard. There's gotta be something simple wrong here...
 
I've just discovered that using externhost=xxx.no-ip.org seems to be blocking my audio. I changed it to externip=xxx.xx.xx.xx and suddenly I had 2-way voice. Does anyone have any insight into why this is? My phones outside the network register just fine using the dynamic dns address but just seem to have 2-way voice issues. If this is indeed what fixed things, then I don't know how I'm going to be able to live with a dynamic IP address....any thoughts/suggestions?
 
I believe the problem you have run into is that externhost does not work very well even though it is supposed to be used with dynamic IP addresses. Using externip works as you have discovered, but it is used for static addresses. What to do? Have you read this Nerdvittles article? If you have, did you follow the article regarding the Getting Rid of One Way Audio and implement the ip.sh script Ward has listed? That should do the trick. I am using a slight variation of that ip.sh script as I too have a dynamic IP and have not had any problems with one way audio.
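
An added example, not part of the original posts and not Ward's ip.sh script: one way to keep externip= current when the public address changes, which is the workaround the posts above describe. The function names, passing the looked-up address in as an argument, and the sample file are assumptions; the addresses are constructed from documentation ranges.

```sh
#!/bin/sh
# Added example (hypothetical helper names); the config file is a constructed sample.

# Accept only a dotted-quad IPv4 address, each octet 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$1; count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
        case "$rest" in *.*) rest=${rest#*.} ;; *) rest= ;; esac
    done
    [ "$count" -eq 4 ]
}

# Print the externip= value currently in the file (empty if none).
current_externip() {
    sed -n 's/^[[:space:]]*externip[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p' "$1" | tail -n 1
}

# update_externip FILE ADDRESS
# Returns 0 if the file was changed, 1 if already current, 2 if ADDRESS is not valid.
update_externip() {
    conf=$1; new_ip=$2
    # The address comes from an outside lookup: validate before writing it to config.
    is_ipv4 "$new_ip" || return 2
    [ "$(current_externip "$conf")" = "$new_ip" ] && return 1
    tmp=$(mktemp) || return 3
    if grep -q '^[[:space:]]*externip[[:space:]]*=' "$conf"; then
        sed "s/^[[:space:]]*externip[[:space:]]*=.*/externip=$new_ip/" "$conf" > "$tmp"
    else
        { cat "$conf"; printf 'externip=%s\n' "$new_ip"; } > "$tmp"
    fi
    # Copy back rather than mv so the config keeps its owner and mode.
    cat "$tmp" > "$conf"; rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Demo on a constructed file; a real run would reload SIP only when 0 is returned.
demo=$(mktemp)
printf 'nat=yes\nexternip=198.51.100.7\nlocalnet=10.249.0.0/24\n' > "$demo"
if update_externip "$demo" 203.0.113.25; then
    echo "externip changed to $(current_externip "$demo"): reload with asterisk -rx 'sip reload'"
fi
rm -f "$demo"
```

Run from cron, the caller would pass in whatever address its lookup returned and reload SIP only on a return value of 0, so an unchanged or malformed lookup result never touches the running configuration.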
 
I just finished installing that ip.sh script in hopes that it will solve my issue. Thanks a lot for chiming in on this one.
I'm interested in what modifications you made.
Is there anything else I should be doing or is that script alone enough to do it?
 
Sorry it's taken so long to reply. Yes, I am talking about FreePBX 2.6.

However I can still post my sip_general_additional.conf settings that you could potentially plug into your custom.conf file:

Code:
vmexten=*97
context=from-sip-external
callerid=Unknown
notifyringing=yes
notifyhold=yes
limitonpeers=yes
tos_sip=cs3
tos_audio=ef
tos_video=af41
alwaysauthreject=yes
disallow=all
allow=ulaw
allow=alaw
allow=gsm
insecure=invite
jbenable=no
defaultexpiry=120
notifyhold=yes
registertimeout=20
registerattempts=0
maxexpiry=3600
minexpiry=60
checkmwi=10
rtpkeepalive=0
srvlookup=no
allowguest=yes
notifyringing=yes
g726nonstandard=no
videosupport=no
maxcallbitrate=384
canreinvite=no
rtptimeout=30
rtpholdtimeout=300
t38pt_udptl=no
nat=yes
externhost=xxx.xxx.sh
externrefresh=120
localnet=10.249.0.0/24
localnet=10.249.1.0/24
localnet=10.249.2.0/24
localnet=10.249.3.0/24


Something you might try that I remember having to add is "insecure=invite"
 
I will just say this much - the reuse of the same port is NOT as big a problem as you might imagine, though I think to some degree it may depend on the router used.

We've had an Asterisk/FreePBX system running here (FreePBX is still 2.5) so I'll give you a few details:

- Like one of the above posters, we found that externhost= just doesn't work (one way audio still), but externip= does.

- In the router we have UDP ports 5060-5067, 10000-20000, and the IAX port (4569 if I recall correctly) all forwarded to the Asterisk box (Webmin is on a port <10000 on our system, otherwise we'd have started RTP with 10001, because apparently Webmin DOES use both TCP and UDP). The reason we opened 8 ports for SIP is in case someday we ever get one of those VoIP adapters that does 8 lines on the same box (not likely, but figured might as well future-proof). I will point out that some occasionally say this is unnecessary, that Asterisk is perfectly capable of setting up its own port forwarding with the router. I don't know, but the above is what we were told to do when we set up the system, and it's always worked, so...

- We also have several VoIP adapters (Sipura and Linksys) on both the local network and at external locations. One is for a VoIP service from an outside provider that doesn't even go through the Asterisk box (long story). In all cases the adapters use port 5060 on line 1, and 5061 on line 2, and yet don't seem to get confused.

What I have determined is that a device is uniquely identified by IP address AND port number. So if you have an adapter such as a PAP2 that has two lines, AND both lines are being provisioned by the same switch (whether on or off the local network) then each line must be on a different port (5060 and 5061 generally). And setting up port forwarding in a router doesn't mean that other devices cannot use port 5060 for connections to the outside world - it just means that if something tries to connect to your local network (from the wide open Internet) using port 5060 AND it's not coming from a location that the router already knows about (because that location and an internal device have been exchanging packets within whatever the router's timeout period is), then those packets will be sent to the designated destination (your Asterisk server - actually I think I have over-simplified this a bit, so someone who truly understands networking may wish to chime in here).

The point is that if you have a decent router, having multiple devices using port 5060 is not going to be a problem as long as the same device is not trying to use port 5060 for two different lines (accounts) from the SAME provider. And very often, when things DON'T work automagically, swapping out the router with a higher quality unit often fixes the issue.

I know, it amazes me too that all those packets flying around the network somehow manage to find their way to the correct devices, but it does happen!
 
