Re: [asterisk-users] Multiple SIP phones behind a Linksys firewall
Luki wrote:

I always assumed that you can have multiple SIP phones behind a Linksys firewall/router (WRT54G) all using the same STUN server/port.

I got 10-20 SPA942's behind an OpenWRT router (on WRT54G, WRTSL54GS, ...) at several sites, no STUN, no special configuration, no problems at all.

Just as a precaution, I set the SIP port and RTP port range for each phone differently so that it's unique (i.e. Phone 1 SIP port 6001 and RTP 10100-10199, etc.) but that's really just a precaution to help the Linux' conntrack on the OpenWRT a bit. It's not really needed as the router will resolve port conflicts by rewriting the ports transparently.

Bottom line, a few phones behind a well-behaved NAT should work just fine.

/Luki

What do the iptables look like on OpenWRT? Are they configured as part of the release, or left to the user to configure, or what?

I'm using a Soekris net5501 running Astlinux 0.5 trunk (with a patched version of Arno's firewall script that has not yet been integrated into the source tree): it supports the ip_conntrack_sip and ip_nat_sip modules.

I have the firewall/Asterisk running on this box at the home office, with a couple of SPA's behind it (942's and a PAP2-NA). Then I have remote offices also with SPA-942's sitting behind a similarly configured Soekris 942 (only difference being that Asterisk isn't running on it).

I had all of the usual NAT related issues (one-way audio, no audio, etc) until I patched in the NAT SIP modules. I've attached it. This works with arno-iptables-firewall-1.8.8l. Arno says he's working on a plug-in for 1.8.8m and 1.9.0? that will be released separately, but I haven't yet seen it.

-Philip

--- ./arno-iptables-firewall.sipnat 2008-01-22 01:10:19.0 -0800 +++ ./arno-iptables-firewall1980-05-02 00:31:28.0 -0700
@@ -348,6 +353,14 @@ # write rules matching the state of a connection module_probe ip_conntrack_ftp# Permits active FTP; requires ip_conntrack + if [ -n $SIP_PORTS ]; then +ports= +for port in $SIP_PORTS; do + $ports=$ports${ports:+,}$port +done +module_probe ip_conntrack_sip ports=$ports + fi + module_probe ipt_conntrack # Allows tracking for various protocols, placing entries # in the conntrack table etc. module_probe ipt_limit # Allows log limits @@ -393,6 +403,10 @@ if [ $NAT = 1 ]; then #module_probe iptable_nat# Implements nat table module_probe ip_nat_ftp # Permits active FTP via nat; requires ip_conntrack, iptables_nat +if [ -n $SIP_PORTS ]; then + module_probe ip_nat_sip +fi + module_probe ipt_MASQUERADE # Implements the MASQUERADE target fi @@ -3191,9 +3205,9 @@ # Adding UDP ports NOT to be firewalled ### - if [ -n $OPEN_UDP ]; then + if [ -n $OPEN_UDP -o -n $SIP_PORTS ]; then echo Allowing the whole world to connect to UDP port(s): $OPEN_UDP -for port in $OPEN_UDP; do +for port in $OPEN_UDP $SIP_PORTS; do $IPTABLES -A EXT_INPUT_CHAIN -p udp --dport $port -j ACCEPT done fi --- ./etc/arno-iptables-firewall/firewall.conf 2007-12-17 10:30:55.0 -0800 +++ ./etc/arno-iptables-firewall/firewall.conf.new 2008-01-28 09:47:37.0 -0800 @@ -1134,3 +1134,7 @@ # should always contain a carriage-return (enter)! # - #BLOCK_HOSTS_FILE=/etc/arno-iptables-firewall/blocked-hosts + +# Specify UDP ports used by Asterisk registration end-points or by SIP +# phones (8 max). +#SIP_PORTS=5060 5061 5062 5063 5064 ___ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
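Review bot: in the first hunk (@@ -348,6 +353,14 @@) the loop body reads "$ports=$ports${ports:+,}$port"; a shell assignment takes no leading "$", so the line expands to a command name such as "=5060" and fails, leaving ports empty when ip_conntrack_sip is probed. Write it as "ports=$ports${ports:+,}$port".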
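Review bot: in the @@ -3191,9 +3205,9 @@ hunk the echo line still prints only $OPEN_UDP although the loop now also accepts $SIP_PORTS, so the start-up output understates which UDP ports are open to the whole world. Add $SIP_PORTS to the message, and consider whether the SIP signalling ports should get an unconditional ACCEPT on EXT_INPUT_CHAIN or be limited to the source addresses of known peers.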
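Review bot: the firewall.conf comment added in the last hunk says "8 max", but the loop in the first hunk concatenates every entry of SIP_PORTS without counting them, and the comment does not mention that each listed port is also opened to all external hosts by the OPEN_UDP loop. Either enforce the limit in the script or say what happens beyond eight entries, and document the exposure next to the setting.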
Re: [asterisk-users] Multiple SIP phones behind a Linksys firewall
My main problem is when I have two phones at the home office, the second phone can't register, and/or, you can't hear the voicemail greeting when you try to check messages.

I have seen this before on badly behaved home routers that have a hidden SIP Proxy, notably Zyxel wireless units. I've not seen it happening on either Linksys or Netgear units though.

Do you actually need STUN? In my experience it can cause more problems than it solves, especially if the public IP changes and the STUN server isn't due to be queried for another X seconds. If possible, and assuming it won't create unreasonable load on your * server, try dropping the registration interval down to something small like 300 (5 minutes), and disable STUN entirely (obviously making sure nat=yes is defined in sip.conf for those devices).

Regards,

Chris
--
C.M. Bagnall, Director, Minotaur I.T. Limited
For full contact details visit http://www.minotaur.it
This email is made from 100% recycled electrons
Re: [asterisk-users] Multiple SIP phones behind a Linksys firewall
Do you have a range of registration ports configured and forwarded through the firewall on the server end? Ie. 5060-5065 for example.

On the Phone side you should forward 5060 to phone1 and 5061 to phone 2 etc. and configure the phones to use that port for registration.

You may need to forward ports for the actual voice as well. 2 ports per phone so 1-10001 for phone1 and 10002-10003 for phone2.

It's either that or mess around with STUN or Proxy servers or whatever.

SIP+NAT=headache

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Saturday, February 02, 2008 8:23 PM
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] Multiple SIP phones behind a Linksys firewall

The server is at a remote datacenter - no nat, no firewall, pure public IP. The phones are at home offices (i.e. DSL or Cable with Linksys-type firewall/routers).

My initial testing was with a single SIP phone at the home office - and everything worked fine. But when I have two SIP phones at the home office, things start behaving badly.

I understand the issue of phone-to-phone, where both phones are behind a nat at the home office - but that is not the issue I am having.

My main problem is when I have two phones at the home office, the second phone can't register, and/or, you can't hear the voicemail greeting when you try to check messages.
[asterisk-users] Multiple SIP phones behind a Linksys firewall
I posted an email a few days ago regarding a problem with hearing the voicemail greeting on my sip phones. It turns out to be a phone/stun/linksys issue - not an asterisk issue. Which brings up a couple of questions.

I always assumed that you can have multiple SIP phones behind a Linksys firewall/router (WRT54G) all using the same STUN server/port. But apparently that's not the case.

Is it a Linksys bug, a Grandstream bug in the BudgeTone-100 phone, or am I off base and just doing something wrong? I clearly have problems as soon as I try to use a second phone behind the Linksys - registration issues, can't hear voicemail greeting, etc.

My next test was to run multiple STUN servers on the same machine with different ports. Then, for my multiple SIP phones behind the Linksys, have each phone use a different stun port.

Any thoughts?

John
Re: [asterisk-users] Multiple SIP phones behind a Linksys firewall
On Feb 2, 2008, at 2:11 PM, John Von Essen [EMAIL PROTECTED] wrote:

I posted an email a few days ago regarding a problem with hearing the voicemail greeting on my sip phones. It turns out to be a phone/stun/linksys issue - not an asterisk issue. Which brings up a couple of questions.

I always assumed that you can have multiple SIP phones behind a Linksys firewall/router (WRT54G) all using the same STUN server/port. But apparently that's not the case.

Is it a Linksys bug, a Grandstream bug in the BudgeTone-100 phone, or am I off base and just doing something wrong? I clearly have problems as soon as I try to use a second phone behind the Linksys - registration issues, can't hear voicemail greeting, etc.

My next test was to run multiple STUN servers on the same machine with different ports. Then, for my multiple SIP phones behind the Linksys, have each phone use a different stun port.

Any thoughts?

John

I have 3 phones connected to 2 servers behind a 54g running openwrt with no stun or any special configuration. I am running cisco phones which do nat well natively.

-greg
Re: [asterisk-users] Multiple SIP phones behind a Linksys firewall
Greg,

Without STUN how are the phones able to register? I was unable to get the Grandstream phones to work at all without STUN.

-John

From : Greg Oliver [EMAIL PROTECTED]
To : Asterisk Users Mailing List - Non-Commercial Discussion asterisk-users@lists.digium.com
Subject : Re: [asterisk-users] Multiple SIP phones behind a Linksys firewall
Date : Sat, 2 Feb 2008 15:15:34 -0600

On Feb 2, 2008, at 2:11 PM, John Von Essen [EMAIL PROTECTED] wrote:

I posted an email a few days ago regarding a problem with hearing the voicemail greeting on my sip phones. It turns out to be a phone/stun/linksys issue - not an asterisk issue. Which brings up a couple of questions.

I always assumed that you can have multiple SIP phones behind a Linksys firewall/router (WRT54G) all using the same STUN server/port. But apparently that's not the case.

Is it a Linksys bug, a Grandstream bug in the BudgeTone-100 phone, or am I off base and just doing something wrong? I clearly have problems as soon as I try to use a second phone behind the Linksys - registration issues, can't hear voicemail greeting, etc.

My next test was to run multiple STUN servers on the same machine with different ports. Then, for my multiple SIP phones behind the Linksys, have each phone use a different stun port.

Any thoughts?

John

I have 3 phones connected to 2 servers behind a 54g running openwrt with no stun or any special configuration. I am running cisco phones which do nat well natively.

-greg
Re: [asterisk-users] Multiple SIP phones behind a Linksys firewall
On Feb 2, 2008, at 3:43 PM, [EMAIL PROTECTED] wrote:

Greg,

Without STUN how are the phones able to register? I was unable to get the Grandstream phones to work at all without STUN.

-John

I have nat on in sip.conf and off on the phones. Works perfect for 7960/1 and 7971. When I get back home, I will login to the asterisk servers and tell you what IPs the registration requests have in them.

From : Greg Oliver [EMAIL PROTECTED]
To : Asterisk Users Mailing List - Non-Commercial Discussion asterisk-users@lists.digium.com
Subject : Re: [asterisk-users] Multiple SIP phones behind a Linksys firewall
Date : Sat, 2 Feb 2008 15:15:34 -0600

On Feb 2, 2008, at 2:11 PM, John Von Essen [EMAIL PROTECTED] wrote:

I posted an email a few days ago regarding a problem with hearing the voicemail greeting on my sip phones. It turns out to be a phone/stun/linksys issue - not an asterisk issue. Which brings up a couple of questions.

I always assumed that you can have multiple SIP phones behind a Linksys firewall/router (WRT54G) all using the same STUN server/port. But apparently that's not the case.

Is it a Linksys bug, a Grandstream bug in the BudgeTone-100 phone, or am I off base and just doing something wrong? I clearly have problems as soon as I try to use a second phone behind the Linksys - registration issues, can't hear voicemail greeting, etc.

My next test was to run multiple STUN servers on the same machine with different ports. Then, for my multiple SIP phones behind the Linksys, have each phone use a different stun port.

Any thoughts?

John

I have 3 phones connected to 2 servers behind a 54g running openwrt with no stun or any special configuration. I am running cisco phones which do nat well natively.

-greg
Re: [asterisk-users] Multiple SIP phones behind a Linksys firewall
And the firewall is in between the phones and both servers or are you registering the phones on a local server and trunking to the other server through the firewall?

In terms of nat and Cisco 7960s I've never had an issue registering two of them behind nat to a server on the other side, however, if you called one phone from the other, you'd end up with one way audio.

-Original Message-
From: Greg Oliver [EMAIL PROTECTED]
Sent: Saturday, February 02, 2008 2:15 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] Multiple SIP phones behind a Linksys firewall

On Feb 2, 2008, at 2:11 PM, John Von Essen [EMAIL PROTECTED] wrote:

I posted an email a few days ago regarding a problem with hearing the voicemail greeting on my sip phones. It turns out to be a phone/stun/linksys issue - not an asterisk issue. Which brings up a couple of questions.

I always assumed that you can have multiple SIP phones behind a Linksys firewall/router (WRT54G) all using the same STUN server/port. But apparently that's not the case.

Is it a Linksys bug, a Grandstream bug in the BudgeTone-100 phone, or am I off base and just doing something wrong? I clearly have problems as soon as I try to use a second phone behind the Linksys - registration issues, can't hear voicemail greeting, etc.

My next test was to run multiple STUN servers on the same machine with different ports. Then, for my multiple SIP phones behind the Linksys, have each phone use a different stun port.

Any thoughts?

John

I have 3 phones connected to 2 servers behind a 54g running openwrt with no stun or any special configuration. I am running cisco phones which do nat well natively.

-greg
Re: [asterisk-users] Multiple SIP phones behind a Linksys firewall
I always assumed that you can have multiple SIP phones behind a Linksys firewall/router (WRT54G) all using the same STUN server/port.

I got 10-20 SPA942's behind an OpenWRT router (on WRT54G, WRTSL54GS, ...) at several sites, no STUN, no special configuration, no problems at all.

Just as a precaution, I set the SIP port and RTP port range for each phone differently so that it's unique (i.e. Phone 1 SIP port 6001 and RTP 10100-10199, etc.) but that's really just a precaution to help the Linux' conntrack on the OpenWRT a bit. It's not really needed as the router will resolve port conflicts by rewriting the ports transparently.

Bottom line, a few phones behind a well-behaved NAT should work just fine.

/Luki
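The port-conflict behaviour Luki describes, as a toy model (an added example, not part of the original post and not a statement about any particular router's firmware). The class `Napt`, the LAN addresses, port 6002 and the "take the next free port" strategy are assumptions made for illustration.

```python
# Toy NAPT model (added illustration; not conntrack source code).
class Napt:
    def __init__(self, resolve_conflicts=True):
        self.resolve_conflicts = resolve_conflicts
        self.out = {}    # (lan_ip, lan_port) -> public source port
        self.back = {}   # public source port -> (lan_ip, lan_port)

    def outbound(self, lan_ip, lan_port):
        """Public source port chosen for traffic from lan_ip:lan_port."""
        key = (lan_ip, lan_port)
        if key not in self.out:
            port = lan_port                  # prefer keeping the phone's port
            while self.resolve_conflicts and port in self.back:
                port += 1                    # assumed strategy: next free port
            self.out[key] = port
            self.back[port] = key            # without conflict handling this overwrites
        return self.out[key]

    def inbound(self, public_port):
        """LAN endpoint that receives a reply sent to public_port."""
        return self.back.get(public_port)


def register_all(nat, phones):
    """Every phone sends one REGISTER; map name -> (public port, reply receiver)."""
    sent = {name: nat.outbound(*addr) for name, addr in phones.items()}
    return {name: (pub, nat.inbound(pub)) for name, pub in sent.items()}


def misdelivered(result, phones):
    """Phones whose replies would be handed to a different LAN endpoint."""
    return sorted(n for n, (_, rx) in result.items() if rx != phones[n])


# Constructed sample data: addresses are made up; 6001 follows the post, 6002 is assumed.
SAME_PORT = {"phone1": ("192.168.1.11", 5060), "phone2": ("192.168.1.12", 5060)}
UNIQUE = {"phone1": ("192.168.1.11", 6001), "phone2": ("192.168.1.12", 6002)}

if __name__ == "__main__":
    for label, nat, phones in [
        ("conflict-resolving NAT, same port", Napt(True), SAME_PORT),
        ("conflict-resolving NAT, unique ports", Napt(True), UNIQUE),
        ("NAT without conflict handling, same port", Napt(False), SAME_PORT),
    ]:
        res = register_all(nat, phones)
        print(label, res, "misdelivered:", misdelivered(res, phones))
```

With unique per-phone ports the NAT never has to rewrite anything, which is the "precaution" in the post; with a shared port only the conflict-resolving model keeps both phones reachable.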
Re: [asterisk-users] Multiple SIP phones behind a Linksys firewall
The server is at a remote datacenter - no nat, no firewall, pure public IP. The phones are at home offices (i.e. DSL or Cable with Linksys-type firewall/routers).

My initial testing was with a single SIP phone at the home office - and everything worked fine. But when I have two SIP phones at the home office, things start behaving badly.

I understand the issue of phone-to-phone, where both phones are behind a nat at the home office - but that is not the issue I am having.

My main problem is when I have two phones at the home office, the second phone can't register, and/or, you can't hear the voicemail greeting when you try to check messages.

From : Robert Norton - SophTelecom.com [EMAIL PROTECTED]
To : Asterisk Users Mailing List - Non-Commercial Discussion asterisk-users@lists.digium.com
Subject : Re: [asterisk-users] Multiple SIP phones behind a Linksys firewall
Date : Sat, 2 Feb 2008 18:25:16 -0700

And the firewall is in between the phones and both servers or are you registering the phones on a local server and trunking to the other server through the firewall?

In terms of nat and Cisco 7960s I've never had an issue registering two of them behind nat to a server on the other side, however, if you called one phone from the other, you'd end up with one way audio.

-Original Message-
From: Greg Oliver [EMAIL PROTECTED]
Sent: Saturday, February 02, 2008 2:15 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] Multiple SIP phones behind a Linksys firewall

On Feb 2, 2008, at 2:11 PM, John Von Essen [EMAIL PROTECTED] wrote:

I posted an email a few days ago regarding a problem with hearing the voicemail greeting on my sip phones. It turns out to be a phone/stun/linksys issue - not an asterisk issue. Which brings up a couple of questions.

I always assumed that you can have multiple SIP phones behind a Linksys firewall/router (WRT54G) all using the same STUN server/port. But apparently that's not the case.

Is it a Linksys bug, a Grandstream bug in the BudgeTone-100 phone, or am I off base and just doing something wrong? I clearly have problems as soon as I try to use a second phone behind the Linksys - registration issues, can't hear voicemail greeting, etc.

My next test was to run multiple STUN servers on the same machine with different ports. Then, for my multiple SIP phones behind the Linksys, have each phone use a different stun port.

Any thoughts?

John

I have 3 phones connected to 2 servers behind a 54g running openwrt with no stun or any special configuration. I am running cisco phones which do nat well natively.

-greg