Luki wrote:
I always assumed that you can have multiple SIP phones behind a Linksys
firewall/router (WRT54G) all using the same STUN server/port.
I've got 10-20 SPA942's behind an OpenWRT router (on WRT54G, WRTSL54GS,
...) at several sites, no STUN, no special configuration, no problems
at all. Just as a precaution, I set the SIP port and RTP port range
for each phone differently so that it's unique (i.e. Phone 1 SIP port
6001 and RTP 10100-10199, etc.), but that's really just a precaution to
help the Linux conntrack on the OpenWRT a bit. It's not really
needed, as the router will resolve port conflicts by rewriting the
ports transparently.
Bottom line, a few phones behind a well-behaved NAT should work just fine.
/Luki
What do the iptables look like on OpenWRT? Are they configured as part
of the release, or left to the user to configure, or what?
I'm using a Soekris net5501 running Astlinux 0.5 trunk (with a patched
version of Arno's firewall script that has not yet been integrated into
the source tree): it supports the ip_conntrack_sip and ip_nat_sip modules.
I have the firewall/Asterisk running on this box at the "home office",
with a couple of SPA's behind it (942's and a PAP2-NA).
Then I have remote offices also with SPA-942's sitting behind a
similarly configured Soekris 942 (only difference being that Asterisk
isn't running on it).
I had all of the usual NAT-related issues (one-way audio, no audio, etc.)
until I patched in the NAT SIP modules.
I've attached it. This works with arno-iptables-firewall-1.8.8l.
Arno says he's working on a plug-in for 1.8.8m and 1.9.0? that will be
released separately, but I haven't yet seen it.
-Philip
--- ./arno-iptables-firewall.sipnat 2008-01-22 01:10:19.000000000 -0800
+++ ./arno-iptables-firewall 1980-05-02 00:31:28.000000000 -0700
@@ -348,6 +353,14 @@
# write rules matching the state of a
connection
module_probe ip_conntrack_ftp # Permits active FTP; requires
ip_conntrack
+ if [ -n "$SIP_PORTS" ]; then
+ ports=""
+ for port in $SIP_PORTS; do
+ $ports="$ports${ports:+,}$port"
+ done
+ module_probe ip_conntrack_sip ports="$ports"
+ fi
+
module_probe ipt_conntrack # Allows tracking for various
protocols, placing entries
# in the conntrack table etc.
module_probe ipt_limit # Allows log limits
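Review bot: the assignment `$ports="$ports${ports:+,}$port"` inside the new `for port in $SIP_PORTS` loop has a stray leading `$`, so the shell expands `$ports` (empty on the first pass) and then tries to run a command named `=5060` instead of assigning; `ports` stays empty and the helper is probed as `module_probe ip_conntrack_sip ports=`. Drop the `$`: `ports="$ports${ports:+,}$port"`. While here, firewall.conf describes SIP_PORTS as "8 max", but nothing in this loop checks or warns when more than eight ports are listed.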
@@ -393,6 +403,10 @@
if [ "$NAT" = "1" ]; then
# module_probe iptable_nat # Implements nat table
module_probe ip_nat_ftp # Permits active FTP via nat; requires
ip_conntrack, iptables_nat
+ if [ -n "$SIP_PORTS" ]; then
+ module_probe ip_nat_sip
+ fi
+
module_probe ipt_MASQUERADE # Implements the MASQUERADE target
fi
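Review bot: the new `module_probe ip_nat_sip` line carries none of the trailing comment that its neighbour `module_probe ip_nat_ftp # Permits active FTP via nat; requires ip_conntrack, iptables_nat` has; add one such as `# SIP NAT helper; requires ip_conntrack_sip` so the dependency on the conntrack helper probed earlier under the same `$SIP_PORTS` guard is visible to whoever edits the module list next.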
@@ -3191,9 +3205,9 @@
# Adding UDP ports NOT to be firewalled
#######################################
- if [ -n "$OPEN_UDP" ]; then
+ if [ -n "$OPEN_UDP" -o -n "$SIP_PORTS" ]; then
echo " Allowing the whole world to connect to UDP port(s): $OPEN_UDP"
- for port in $OPEN_UDP; do
+ for port in $OPEN_UDP $SIP_PORTS; do
$IPTABLES -A EXT_INPUT_CHAIN -p udp --dport $port -j ACCEPT
done
fi
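Review bot: the message on the `echo " Allowing the whole world to connect to UDP port(s): $OPEN_UDP"` line no longer reflects what the loop does, since the loop now runs over `$OPEN_UDP $SIP_PORTS`; append `$SIP_PORTS` to the message (or log the SIP ports on their own line) so the log shows every port actually opened. Worth a second look as well: every port in SIP_PORTS is unconditionally accepted on EXT_INPUT_CHAIN from any source, which is what the Asterisk host needs for inbound registrations but more than the remote-office routers described in the mail (no Asterisk on them) require, where the conntrack/NAT helpers alone take care of the phones' outbound registrations; a separate option for opening the ports inbound would let those sites load the helpers without exposing the ports.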
--- ./etc/arno-iptables-firewall/firewall.conf 2007-12-17 10:30:55.000000000
-0800
+++ ./etc/arno-iptables-firewall/firewall.conf.new 2008-01-28
09:47:37.000000000 -0800
@@ -1134,3 +1134,7 @@
# should always contain a carriage-return (enter)!
# -----------------------------------------------------------------------------
#BLOCK_HOSTS_FILE=/etc/arno-iptables-firewall/blocked-hosts
+
+# Specify UDP ports used by Asterisk registration end-points or by SIP
+# phones (8 max).
+#SIP_PORTS="5060 5061 5062 5063 5064"
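Review bot: the new SIP_PORTS comment should state that, besides loading the SIP conntrack and NAT helpers, every listed port is opened to the whole world on the external interface (the EXT_INPUT_CHAIN change in the firewall script), because that is the security-relevant effect of setting the variable; the "(8 max)" limit stated here is also not checked by the loop that builds the `ports=` list, so either document what happens when more are given or add the check in the script.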
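The following is an added example, not Philip's patch and not part of arno-iptables-firewall. It builds the `ports=` argument for the SIP conntrack helper from a space-separated SIP_PORTS string the way the patch intends, enforces the "8 max" limit that firewall.conf mentions, and prints the modprobe and iptables commands that would be issued instead of running them, so it can be checked on any host before the real firewall script is changed. The module names (`ip_conntrack_sip`, `ip_nat_sip`) and the chain name `EXT_INPUT_CHAIN` are taken from the patch; the port-range check, duplicate removal and the dry-run output are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the project's code): validate SIP_PORTS and emit the
# helper/firewall commands as text. Nothing here touches the kernel.

# sip_ports_csv "5060 5061 ..." -> "5060,5061,..." on stdout; status 1 on error.
sip_ports_csv() {
    csv=""
    n=0
    for port in $1; do
        # must be all digits
        case "$port" in
            ''|*[!0-9]*) echo "sip_ports_csv: bad port '$port'" >&2; return 1 ;;
        esac
        # must be a valid UDP port
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "sip_ports_csv: port out of range '$port'" >&2; return 1
        fi
        # drop duplicates so the same port is not opened twice
        case ",$csv," in
            *",$port,"*) continue ;;
        esac
        n=$((n + 1))
        # firewall.conf documents 8 ports as the maximum for the helper
        if [ "$n" -gt 8 ]; then
            echo "sip_ports_csv: more than 8 ports given (helper limit)" >&2; return 1
        fi
        # comma-join: no leading '$' on the variable being assigned
        csv="$csv${csv:+,}$port"
    done
    [ -n "$csv" ] || { echo "sip_ports_csv: empty port list" >&2; return 1; }
    printf '%s\n' "$csv"
}

# sip_rules "5060 5061" [chain] -> prints the commands, one per line.
# The chain defaults to EXT_INPUT_CHAIN, the chain the patch adds its rules to.
sip_rules() {
    csv=$(sip_ports_csv "$1") || return 1
    chain=${2:-EXT_INPUT_CHAIN}
    echo "modprobe ip_conntrack_sip ports=$csv"
    echo "modprobe ip_nat_sip"
    for port in $(printf '%s' "$csv" | tr ',' ' '); do
        echo "iptables -A $chain -p udp --dport $port -j ACCEPT"
    done
}

# Usage on the firewall, as root, once the printed commands look right:
#   sip_rules "5060 5061 5062" | sh
```

The leading-`$` mistake is easy to miss because the shell reports it only as a "command not found" for something like `=5060`, and a `module_probe` wrapper that silences errors will hide the resulting empty `ports=` argument; validating the list in one function and printing the commands before running them makes both problems visible.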
_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users