Disable SIP ALG

How to disable Shorewall's SIP ALG!

http://www.shorewall.net/FAQ.htm#faq77

Not sure if this helps any, but this article came to mind. Again, I do not have experience with this yet… I am still running NethServer 6.8 and am in the process of testing the beta as we speak…


When I attempt this, my softphones (eyeBeam) lose their NAT and start sending local IPs. I am baffled.

That’s odd, those commands are safe and tested.

I have been getting random dropped calls from a lack of RTP data, and I was directed to the Shorewall FAQ that says to disable those modules when using Asterisk. When I do so, I actually get one-legged calls as my phones stop getting NAT and start sending local IPs.

My random drops happen with these issues… doesn’t make any sense.

When the call is terminated:
X-Asterisk-HangupCause: Requested channel not available
X-Asterisk-HangupCauseCode: 44

This all started occurring after my update to the latest Neth.

So are we talking about Beta2?

Latest Stable, sorry. I was previously on

CentOS release 6.7 (Final)
NethServer release 6.7 (final)

I am now on 6.8 Final

We have a VPS running FreePBX on a Cloud Provider, and we are running eyeBeam Softphones behind our NethServer, out to that VPS.

For some reason, random but consistent calls are getting:

X-Asterisk-HangupCause: Requested channel not available
X-Asterisk-HangupCauseCode: 44

Look at the firewall log.
If SIP ALG problems hang up your calls, you must have lines with packets dropped on port 5060.

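Added example, not part of the thread: a small shell filter for the check suggested above, summarizing Shorewall DROP/REJECT log entries that involve port 5060. It assumes Shorewall's default log prefix (`Shorewall:<chain>:<disposition>:`); the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines (documentation address ranges), assuming the
# default Shorewall log prefix "Shorewall:<chain>:<disposition>:".
sample_log() {
cat <<'EOF'
Jul 12 10:01:02 fw kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=203.0.113.10 DST=198.51.100.2 LEN=512 PROTO=UDP SPT=5060 DPT=5060 LEN=492
Jul 12 10:01:05 fw kernel: Shorewall:loc2net:REJECT:IN=eth0 OUT=eth1 SRC=10.0.0.81 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40112 DPT=25 WINDOW=29200
Jul 12 10:01:09 fw kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=203.0.113.10 DST=198.51.100.2 LEN=400 PROTO=UDP SPT=5060 DPT=1024 LEN=380
Jul 12 10:02:00 fw kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=192.0.2.7 DST=198.51.100.2 LEN=40 PROTO=UDP SPT=33000 DPT=15060 LEN=20
EOF
}

# Read firewall log text on stdin and print "<count> <src> -> <dst>" for every
# dropped or rejected packet whose source or destination port is exactly 5060.
sip_drops() {
    awk '
    /Shorewall:[^ :]+:(DROP|REJECT):/ {
        src = dst = spt = dpt = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^SPT=/) spt = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        # Exact match so that ports such as 15060 are not counted.
        if (spt == "5060" || dpt == "5060") hits[src " -> " dst]++
    }
    END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# Demo on the constructed sample; on a real firewall, pipe the log file in instead.
sample_log | sip_drops
```

No output means no dropped or rejected packet touched port 5060 in the log that was fed in.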

So, I finally figured out what the issue is! I NEED to ENABLE the modification for SIP/RTP packets.

Neth is configured to allow SIP/RTP to pass through unmodified. In our use case, we have VoIP users BEHIND a NethServer, connecting OUT to a remote PBX. So the phones are sending LOCAL IPs in the RTP packets, which are usually modified by a local router.

How can we enable this functionality on Shorewall? @alefattorini @Adam @giacomo

Sorry but I don’t get it.
What modifications are needed to Shorewall? Disable the sip_contract module?

Let me try to illustrate.

VoIP Users (10.0.0.*) ~~> Nethserver (10.0.0.1) ~~> Internet ~~> PBX

The RTP packets coming out of Nethserver contain the Local IP of the PC (Ex: 10.0.0.81), they are not being modified by SIP ALG (and having NAT correction done on them). I need to ENABLE not DISABLE SIP ALG in Neth, is this possible?

SIP ALG should be enabled by default.

Please take a look at these docs:

I am using the 7 release; it looks like Shorewall recommends:

loadmodule nf_conntrack_sip ports=0

I see that Nethserver is using:

loadmodule nf_conntrack_sip sip_direct_media=0

Do you suppose that could be it?

I also found this:

sip_direct_media= Expect Media streams between signalling endpoints
only, default is 1, 0 will disable it, this is for RTP, direct media
would need 0.

sip_timeout= Timeout for the master SIP session, default is 3600, any
integer will override the default value of 3600 seconds.

ports= Port numbers of SIP servers, default is 5060, List of up to 8
port numbers (comma-separated) eg. 5060,5070,5080.

It sounds like you have a configuration issue with your PBX. You shouldn’t need ALG translation.

I have a few FreeSWITCH and Asterisk PBXs and have no issues registering phones and placing calls from phones behind different NAT with no ALG. If you rely on ALG, what happens when you bring a softphone (on your cell) onto someone else’s network? (hint: it won’t work. lol)

SIP ALG is enabled by default, so disable it and continue testing.

eyeBeam isn’t working; Bria 4 is. And if I use a basic Netgear router it works perfectly with eyeBeam. So it’s definitely something going on with my Neth setup. Thoughts?

Would you suggest following this: http://shorewall.net/FAQ.htm#faq77? I see 4 SIP-related helpers in the helpers file under /usr/share/shorewall; think I should disable them all?

Do you have a STUN server configured in your eyeBeam client?

Do you have any other rule on the firewall? Some port forwards?