Disable SIP ALG

SIP ALG should be enabled by default.

Please take a look at these docs:

I am using the 7-release, it looks like shorewall recommends:

loadmodule nf_conntrack_sip ports=0

I see that Nethserver is using:

loadmodule nf_conntrack_sip sip_direct_media=0

Do you suppose that could be it?

I also found this:

sip_direct_media= Expect Media streams between signalling endpoints
only, default is 1, 0 will disable it, this is for RTP, direct media
would need 0.

sip_timeout= Timeout for the master SIP session, default is 3600, any
integer will override the default value of 3600 seconds.

ports= Port numbers of SIP servers, default is 5060, List of up to 8
port numbers (comma-separated) eg. 5060,5070,5080.

It sounds like you have a configuration issue with your PBX. You shouldn’t need ALG translation.

I have a few FreeSwitch and Asterisk PBXs and have no issues registering phones and placing calls from phones behind different NAT with no ALG. If you rely on ALG, what happens when you bring a softphone (on your cell) onto someone else’s network? (hint: it won’t work. lol)

SIP ALG is enabled by default, so disable it and continue testing.

Eyebeam isn’t working, Bria 4 is. And if I use a basic Netgear router it works perfectly with Eyebeam. So it’s definitely something going on with my Neth setup. Thoughts?

Would you suggest following this: http://shorewall.net/FAQ.htm#faq77, I see 4 SIP related helpers in the helpers file under /usr/share/shorewall, think I should disable them all?

Do you have STUN server configured in your eyebeam client?

Do you have any other rule on the firewall? Some port forwards?

Yes, STUN is configured, and no, barebones clean install of Neth, no firewall settings set. The issue is the RTP packets contain the machine’s local IP when run through Neth (the Brias don’t tho, oddly), but when run through the Netgear, they work perfectly.

Try this:

@Adam I had tried that, but got errors:

This is on a fresh install on a VM.

If I understand correctly, it’s not being unloaded because it’s currently in use by iptables and the rmmod command is just so you don’t have to reboot for the change to apply. Once you’ve added the modules to the DONT_LOAD lines and reboot, you should be good.

You can also try rmmod -f nf_nat_sip nf_conntrack_sip, but I’d try that as a last resort. I’ll spin up a VM right now to see if I can replicate this.

Edit: I’m not able to replicate the error you’re getting on a fresh install, which sort-of confirms that the nf_conntrack_sip module is being used by iptables on your install due to some rules referencing the state module.

Edit2: Just saw the previous screenshot is from a test VM. Did you install the required software packages before testing?

I used the 7.2RC Release ISO and did interactive install, as I did on my physical box? What required software packages?

I tested with 6.8. I’ll try with 7.2, but I’m pretty sure you’d need the “Basic firewall” package at least.

We should change the category of this thread from 6.8 to 7.2 to reduce confusion.

I suppose the aforementioned fix to disable SIP ALG only applies to 6.x. This worked on 7.x:

Edit this line:

DONT_LOAD=

In these two files:

/etc/e-smith/templates/etc/shorewall/shorewall.conf/60options
/etc/shorewall/shorewall.conf

to:

DONT_LOAD=nf_conntrack_sip

Edit /etc/shorewall/conntrack and comment out the lines for SIP

Create /etc/modprobe.d/blacklist.conf and add this line:
blacklist nf_conntrack_sip

Reboot
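
A read-only check for the 7.x edits listed above, added here as an example (it is not part of the original post or of NethServer's own tooling). It assumes SIP helper rules in /etc/shorewall/conntrack use Shorewall's CT:helper:sip action; the function names and the --check argument are made up for this example.

```shell
#!/bin/sh
# Added example: verifies the 7.x edits from the post above. Read-only.
# Paths default to the ones named in the thread; override them for testing.
SHOREWALL_CONF=${SHOREWALL_CONF:-/etc/shorewall/shorewall.conf}
TEMPLATE_CONF=${TEMPLATE_CONF:-/etc/e-smith/templates/etc/shorewall/shorewall.conf/60options}
CONNTRACK=${CONNTRACK:-/etc/shorewall/conntrack}
BLACKLIST=${BLACKLIST:-/etc/modprobe.d/blacklist.conf}
MODULES=${MODULES:-/proc/modules}
# Assumption: SIP helper rules in the conntrack file use the CT:helper:sip action.
SIP_RULE=${SIP_RULE:-'helper:sip'}

# True if an uncommented DONT_LOAD= line lists nf_conntrack_sip.
dont_load_has_sip() {
    grep -Eq '^[[:space:]]*DONT_LOAD=.*nf_conntrack_sip' "$1" 2>/dev/null
}

# True if no uncommented line in the conntrack file still references the SIP helper.
conntrack_sip_commented() {
    [ -r "$1" ] && ! grep -Ev '^[[:space:]]*#' "$1" | grep -qi -- "$SIP_RULE"
}

# True if modprobe is told not to auto-load the helper.
blacklist_has_sip() {
    grep -Eq '^[[:space:]]*blacklist[[:space:]]+nf_conntrack_sip([[:space:]]|$)' "$1" 2>/dev/null
}

# True if neither SIP helper module appears in the loaded-module list.
sip_modules_unloaded() {
    [ -r "$1" ] && ! grep -Eq '^(nf_conntrack_sip|nf_nat_sip) ' "$1"
}

# Print one line per check; return the number of failed checks.
sip_alg_report() {
    fails=0
    for check in "dont_load_has_sip $SHOREWALL_CONF" "dont_load_has_sip $TEMPLATE_CONF" \
                 "conntrack_sip_commented $CONNTRACK" "blacklist_has_sip $BLACKLIST" \
                 "sip_modules_unloaded $MODULES"; do
        # Word-splitting is intentional: each entry is "function path".
        if $check; then echo "OK   $check"; else echo "FAIL $check"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

if [ "${1:-}" = "--check" ]; then sip_alg_report; exit $?; fi
```

Run it with `--check` after the reboot; a FAIL on `sip_modules_unloaded` means a helper module is still loaded despite the configuration edits.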

Even after those changes, it is still using a Local IP :frowning:

SIP Log from PBX: http://pastebin.com/Qu2AxR97

Also, even tho I have a green all on the firewall, it isn’t possible to add a port range (ex, 10000-20000 for RTP in the firewall…, only comma separated?)

Any thoughts? :frowning:

Done. Thanks for the clarification

Port ranges are separated by a semicolon rather than a hyphen in NS.

If you can enable the nf_nat_sip module, that’d be worth a shot.

I’ll give that a try! Thanks!

I am using NethServer version: 7.7.1908
All updates are installed.
shorewall firewall is installed.

Without doing file modifications above, our 3CX is not passing SIP ALG tests.
After doing file modifications, it works as expected.

Just wanted to wake an old thread.

It might help to add some feature for users like 3CX, FreePBX for easier setup from UI.

Thanks & regards,
Ertan

We have in development a feature related to this.