Yes, STUN is configured, and no, barebones clean install of Neth, no firewall setting set. The issue is the RTP packets contain the machine’s local IP when run through Neth (the Brias don’t tho, oddly), but when run through the Netgear, they work perfectly.
Try this:
If I understand correctly, it’s not being unloaded because it’s currently in use by iptables and the rmmod command is just so you don’t have to reboot for the change to apply. Once you’ve added the modules to the DONT_LOAD lines and reboot, you should be good.
You can also try rmmod -f nf_nat_sip nf_conntrack_sip, but I’d try that as a last resort. I’ll spin up a VM right now to see if I can replicate this.
Edit: I’m not able to replicate the error you’re getting on a fresh install, which sort-of confirms that the nf_conntrack_sip module is being used by iptables on your install due to some rules referencing the state module.
Edit2: Just saw the previous screenshot is from a test VM. Did you install the required software packages before testing?
I used the 7.2RC Release ISO and did interactive install, as I did on my physical box? What required software packages?
I tested with 6.8. I’ll try with 7.2, but I’m pretty sure you’d need the “Basic firewall” package at least.
We should change the category of this thread from 6.8 to 7.2 to reduce confusion.
I suppose the aforementioned fix to disable SIP ALG only applies to 6.x. This worked on 7.x:
Edit this line:
DONT_LOAD=
In these two files:
/etc/e-smith/templates/etc/shorewall/shorewall.conf/60options
/etc/shorewall/shorewall.conf
to:
DONT_LOAD=nf_conntrack_sip
Edit /etc/shorewall/conntrack and comment out the lines for SIP.
Create /etc/modprobe.d/blacklist.conf and add this line:
blacklist nf_conntrack_sip
Reboot
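A way to confirm that the changes listed in the post above are in place after the reboot. This is an added example, not part of the original post or of NethServer; the function names are hypothetical, and it assumes the SIP lines in /etc/shorewall/conntrack use Shorewall's "CT:helper:sip" form.

```shell
#!/bin/sh
# Added example: audits the SIP ALG changes from the post above.
# Every check takes a file path, so copies of the files can be audited too.

# True if DONT_LOAD in a shorewall.conf (or 60options) names the module.
dont_load_ok() {
    grep -Eq '^[[:space:]]*DONT_LOAD=.*nf_conntrack_sip' "$1" 2>/dev/null
}

# True if no uncommented SIP helper line is left in the conntrack file.
# Assumption: SIP lines use Shorewall's "CT:helper:sip" form.
conntrack_sip_disabled() {
    ! grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -qi 'helper:sip'
}

# True if modprobe is told to blacklist the module.
blacklist_ok() {
    grep -Eq '^[[:space:]]*blacklist[[:space:]]+nf_conntrack_sip([[:space:]]|$)' \
        "$1" 2>/dev/null
}

# True if the helper is still loaded (file is in /proc/modules format).
module_loaded() {
    grep -q '^nf_conntrack_sip ' "$1" 2>/dev/null
}

# Run every check under an optional root prefix; returns 0 only if all pass.
audit_sip_alg() {
    root=${1:-}
    rc=0
    for f in "$root/etc/e-smith/templates/etc/shorewall/shorewall.conf/60options" \
             "$root/etc/shorewall/shorewall.conf"; do
        dont_load_ok "$f" || { echo "FAIL: DONT_LOAD lacks nf_conntrack_sip: $f"; rc=1; }
    done
    conntrack_sip_disabled "$root/etc/shorewall/conntrack" ||
        { echo "FAIL: active SIP helper line in $root/etc/shorewall/conntrack"; rc=1; }
    blacklist_ok "$root/etc/modprobe.d/blacklist.conf" ||
        { echo "FAIL: nf_conntrack_sip not blacklisted for modprobe"; rc=1; }
    if module_loaded "$root/proc/modules"; then
        echo "FAIL: nf_conntrack_sip is still loaded (reboot pending?)"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: SIP ALG changes are in place"; fi
    return "$rc"
}
```

On the host itself, source the file and call audit_sip_alg with no argument; pass a directory to audit a copy of the files instead.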
Even after those changes, it is still using a Local IP
SIP Log from PBX: http://pastebin.com/Qu2AxR97
Also, even tho I have a green all on the firewall, it isn’t possible to add a port range (ex, 10000-20000 for RTP in the firewall…, only comma separated?)
Any thoughts?
Done. Thanks for the clarification
Port ranges are separated by a semicolon rather than a hyphen in NS.
If you can enable the nf_nat_sip module, that’d be worth a shot.
I’ll give that a try! Thanks!
I am using NethServer version: 7.7.1908
All updates are installed.
shorewall firewall is installed.
Without doing file modifications above, our 3CX is not passing SIP ALG tests.
After doing file modifications, it works as expected.
Just wanted to wake an old thread.
It might help to add some feature for users like 3CX, FreePBX for easier setup from UI.
Thanks & regards,
Ertan
We have in development a feature related to this.