VoIP behind NethServer


(Adam) #1

I put a small Asterisk based VoIP appliance behind my test NethServer appliance today. I forwarded the sip ports and management interface ports to the VoIP appliance’s IP.

I can access the web interface for the VoIP appliance externally, I can call in and out, but all voice traffic is being blocked; there’s always silence on the line.

I don’t see anything relevant being logged in firewall.log. I’ve tried restarting shorewall in debug mode. I still see (hear :wink:) the same result. I temporarily put a cheap Linksys router in place with the same port forwards and it works perfectly.

Can anyone else give me ideas of things I should look at and/or try?


Unable to have SIP call through the firewall
(Artem Fedai) #2

Have you added the RTP ports to the firewall NAT? UDP from 8000:20000?


(Adam) #3

I’m not sure what you mean. I’m using the same port forwarding as with the Linksys router that worked:
5060 UDP & TCP
443 TCP

I’m still a little unclear on what firewall rules would be required, so I added these two rules, which I thought would allow everything:

I don’t see a way to add a range of ports in a firewall service object, which may be a problem. As far as forwarding RTP ports, I shouldn’t need to. The SIP provider says this in their documentation after listing their server IPs:
“You must ensure that each of these IPs is allowed to pass UDP 5060 traffic into your network and that this traffic is port‐forwarded (if necessary) to the internal IP of your PBX.”


(Artem Fedai) #4

Dear Adam,

Let me clarify that RTP ports are used for voice and video streaming, so you have to make DNAT rules for your internal IP with Asterisk.


(Adam) #5

I’m aware that RTP ports are UDP ports used for streaming. I’m not clear on what you’re saying here:

I have the required port forwards. I even tried adding the port forwarding you mentioned.

I tried adding 1:1 NAT, but I had to create an alias, which should be a separate WAN IP address, right? Since this test is supposed to be testing for a customer who has a single static IP, I set the alias as the same as the WAN IP I’m using for testing. It still doesn’t work.

Anyone want to PM me so I can give access to poke around in my NS?


(Artem Fedai) #6

OK, I can help you.


(Artem Fedai) #7

Let's try to make a call :slight_smile:


(Rafael Tavares) #8

I have the same problem: only the multiport 10000:20000 redirect to the PBX doesn't send audio. Port 5060 works correctly and the SIP client registers, but there is no audio.


(Adam) #9

Glad I’m not alone. I’ve tried a fresh install of NS and with Nas’s help, tweaking a bunch of settings. He’s still attempting to help, but at this point I have random occurrences of either one of the three:
-no audio
-one-way audio
-two-way audio (working! …but never happens two calls in a row)


(Adam) #10

Bump. Any troubleshooting ideas?


#11

Hi,

I’m not a specialist, but at first look I see two things that hurt my eyes.

  1. You had entirely opened your firewall from red to green for any service. It’s really risky. Remove these rules. And the first rule, green to red, is pointless.
    Keep your green network safe!
  2. Why is your Asterisk instance on the green part? Put it in the DMZ (orange), and adjust only what you need to open.

(Adam) #12

That was a troubleshooting step and did not help. It was almost immediately removed.

Green or Orange zone shouldn’t matter. It should work in either… right?


#13

I don’t know the internal policy rules well, so perhaps it matters… for the NAT.


(Adam) #14

From what I’ve read, it’s likely the following modules for ALG in shorewall:
nf_nat_sip
nf_conntrack_sip

Is there a recommended method of enabling and disabling shorewall modules in nethserver?


(Artem Fedai) #15

Try it; who knows, it may help the whole community.


(Rafael Tavares) #16

Solved the problem manually:

rmmod nf_nat_sip
rmmod nf_conntrack_sip

Then change the DONT_LOAD specification

in your shorewall.conf to:

DONT_LOAD=nf_nat_sip,nf_conntrack_sip

Enable this on NethServer. I don't help to create a module for this; Nas helps the people.

Sorry for my bad English.

Thanks


(Rafael Tavares) #17

I edited /etc/e-smith/templates/etc/shorewall/shorewall.conf/60options and added this:

nf_nat_sip,nf_conntrack_sip

on the line that has DONT_LOAD=

Result: DONT_LOAD=nf_nat_sip,nf_conntrack_sip


(Rafael Tavares) #18

I did more tests, and only nf_nat_sip needs to be removed.

:wink:


(Adam) #19

What is this for?


(Artem Fedai) #20

It is preferable to make a custom template.
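
A way to check the state that posts #16 to #18 describe, as an added example that is not part of the thread or NethServer's own tooling: for each SIP helper module it reports whether the module is still loaded and whether it is listed in DONT_LOAD. The function names and default file paths are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names come from posts #14-#18.
SIP_HELPERS="nf_nat_sip nf_conntrack_sip"

# Print each SIP helper listed as loaded in a /proc/modules-format file
# (the module name is the first field of each line).
loaded_sip_helpers() {
    for m in $SIP_HELPERS; do
        awk -v m="$m" '$1 == m { print m; exit }' "$1"
    done
}

# Print the DONT_LOAD entries from a shorewall.conf-format file, one per
# line. Commented-out lines are skipped; the last assignment is used.
dont_load_list() {
    sed -n 's/^[[:space:]]*DONT_LOAD=//p' "$1" | tail -n 1 |
        tr -d "\"'" | tr ',' '\n' | sed 's/[[:space:]]//g; /^$/d'
}

# Succeed only if MODULE is not loaded now and is listed in DONT_LOAD.
helper_disabled() {  # usage: helper_disabled MODULE MODULES_FILE CONF_FILE
    if loaded_sip_helpers "$2" | grep -qxF "$1"; then return 1; fi
    dont_load_list "$3" | grep -qxF "$1"
}

# One status line per helper. The default paths are assumptions.
sip_alg_report() {  # usage: sip_alg_report [MODULES_FILE] [CONF_FILE]
    mods=${1:-/proc/modules} conf=${2:-/etc/shorewall/shorewall.conf}
    for h in $SIP_HELPERS; do
        if helper_disabled "$h" "$mods" "$conf"; then
            echo "$h: disabled"
        elif dont_load_list "$conf" | grep -qxF "$h"; then
            echo "$h: in DONT_LOAD but still loaded"
        else
            echo "$h: not in DONT_LOAD"
        fi
    done
}

# Constructed sample: shorewall.conf edited as in post #18 (only nf_nat_sip
# listed), but neither module has been unloaded yet.
demo=$(mktemp -d)
printf '%s\n' 'nf_nat_sip 16384 0 - Live 0x0' \
    'nf_conntrack_sip 32768 1 nf_nat_sip, Live 0x0' > "$demo/modules"
printf '%s\n' '#DONT_LOAD=' 'DONT_LOAD=nf_nat_sip' > "$demo/shorewall.conf"
sip_alg_report "$demo/modules" "$demo/shorewall.conf"
```

Called with no arguments, `sip_alg_report` reads the live `/proc/modules` and the assumed default `shorewall.conf` path instead of the sample files.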