TIPS NAT & STUN, Grandstream endpoints over WAN

MacNix

We've got several locations now on RentPBX (thx for the recommendation Ward - they're very happy in general, and the setup is great).

One new location as of yesterday is in a subleased location, running on the parent company's fiber network (Windstream), which is running on the same network where they've got their own VOIP system (Windstream based)....

We've got a half-dozen Grandstream (21xx series) units there, all pointing to the corresponding RentPBX box.

ALL have one-way audio. They can't receive calls, and while they can make calls, no audio comes back to them..

We can't (currently) get a static IP for the location, and can't yet put in our own router, so we're attempting to devise a work-around for the next few weeks (until the fiber is properly pulled into location and we're given static IPs and our own bandwidth).

My guess is that this is partially due to it being Windstream (not easy to deal with, and often techs don't know what's going on in the box), and partially due to the on-site voip box & router possibly side-lining all RTP ports to their VOIP platform...

So the Windstream router is passing out DHCP addresses, and the phones are connecting to that, then thru the router to the RentPBX. I have emulated the outside router's IP with a secondary router (Untangle box, which is pretty happy to handle SIP traffic) and for a few minutes all worked great.. but then of course the Windstream router got unhappy about losing its IP, so that wasn't going to last...

My hope was to use a STUN address in the Grandstream, to help them 'self-NAT'..

So, I'm a bit lost as to making this operational - I looked up various STUN addresses and attempted to punch some in, but haven't been able to get the phones to get audio back with this process. Is there a recommended procedure to pull this off? I thought all I'd need to do was to punch in a good STUN server address in the Grandstreams config area, and it would do the rest.. am I missing something?

Tangentially, I've got the same issue at my house - can never get my cordless Grandstream to do audio both directions when at my house (I'm hooking it to the same RentPBX sites, for testing purposes).
 

atsak

OpenVPN, which is not supported on Grandstream phones AFAIK, is likely required here. There could be a double NAT or there's a port conflict for the RTP ports. Switch to Yealink temporarily and set up OpenVPN (or Snom if you like).

Or, set up a router that supports PPTP and set that up on the RentPBX box then work it that way. While not 100% secure (PPTP is prone to man-in-the-middle attacks) you aren't encrypting your VOIP traffic anyway so it's relatively low risk.
 

MacNix

I was considering OpenVPN anyway - the Untangle routers are great for that..

However I've read that OpenVPN is sometimes really problematic in terms of latency. Is that not the case?

And the bonus question: is the STUN option very helpful (or useful at all) in resolving IP/NAT issues?
 

billsimon

Do the Grandstream phones do SIP over TCP?

I think you can avoid any ISP hijacking of SIP and RTP by going a little non-standard with your RentPBX setup. And by "a little non-standard" I mean perfectly acceptable for VoIP, just not default.

First, SIP over TCP should take care of the NAT and defeat any deep-packet inspection of UDP that might be going on with your provider.

Second, change the RTP range. By default it uses high-numbered ports but you could set it to a lower range like 8000-9600. For six phones, you don't need a range of 16,000 UDP ports.
 

atsak

I have never been able to have STUN solve any NAT issues myself. . . . others?
 

MacNix

billsimon said:
> Do the Grandstream phones do SIP over TCP?
>
> I think you can avoid any ISP hijacking of SIP and RTP by going a little non-standard with your RentPBX setup. And by "a little non-standard" I mean perfectly acceptable for VoIP, just not default.
>
> First, SIP over TCP should take care of the NAT and defeat any deep-packet inspection of UDP that might be going on with your provider.
>
> Second, change the RTP range. By default it uses high-numbered ports but you could set it to a lower range like 8000-9600. For six phones, you don't need a range of 16,000 UDP ports.

thx for the idea.

So Grandstream offers the following SIP Transport options: UDP, TCP, or TLS/TCP

What will I need to do on the RentPBX end, or is this ONLY necessary on the client end??

Additionally, will it affect anything at other campus locations for the client??
 

MacNix

Seeking a tip on how to do this in PIAF.. I went to that extension, chose "TCP" as the transport, and then config'd the endpoint as well.. no luck.

Also tried "all", no luck there either.

What do I need to do, to get the PBX working in TCP mode??
 

billsimon

Things to set on PIAF:

Go to Settings -> Asterisk SIP Settings and add the following two custom options to enable SIP over TCP:
Code:
tcpenable=yes
tcpbindaddr=0.0.0.0

screenshot:
tcpsip.png

Change the RTP range:
rtpsettings.png


Go back to your extensions and find the Transport option, making sure that TCP is allowed (either set to TCP or set to ALL).

Lastly, update the iptables firewall to allow your new range of RTP (8000-9600 UDP) and port 5060 TCP for SIP. I don't know the PIAF way of doing this but you should be able to insert these rules for testing:

Code:
# iptables -I INPUT 10 -m udp -p udp --dport 8000:9600 -j ACCEPT
# iptables -I INPUT 11 -m tcp -p tcp --dport 5060 -j ACCEPT

Let us know how it goes.
 

MacNix

thx... trying this - not much success.

- am I gonna something by adding those lines in /etc/sysconfig/iptables ?
 

billsimon

Use netstat -pan | grep LISTEN to verify that Asterisk is listening on TCP port 5060 after you've made the changes in the SIP Settings module.

The iptables commands listed above are for inserting the rules from the command line. If you put the rules in the /etc/sysconfig/iptables file then omit the initial iptables part and just append them somewhere in the middle of the set, before any drop or reject rules, using the same syntax as you see in the file.
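
The placement described in the last reply, as an added example that is not part of the thread: the two rules are rewritten in rules-file syntax and inserted ahead of the first INPUT rule that drops or rejects. The sample rules file and the function names `sample_rules` and `add_voip_rules` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The rules file below is constructed.

# A constructed CentOS-style /etc/sysconfig/iptables ending in a catch-all REJECT.
sample_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5060 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Print the rules file ($1, or "-" for stdin) with the thread's two rules placed
# before the first INPUT rule that drops or rejects, or before the filter
# table's COMMIT if there is none. A rule line already in the file is not re-added.
add_voip_rules() {
    awk '
    BEGIN {
        # "iptables -I INPUT <n> ..." on the command line becomes "-A INPUT ..." in the file.
        want[1] = "-A INPUT -m udp -p udp --dport 8000:9600 -j ACCEPT"
        want[2] = "-A INPUT -m tcp -p tcp --dport 5060 -j ACCEPT"
    }
    { line[NR] = $0; seen[$0] = 1 }
    END {
        for (i = 1; i <= NR; i++) {
            if (line[i] ~ /^\*/) table = line[i]
            stop = (line[i] ~ /^-A INPUT .*-j (DROP|REJECT)/ || line[i] == "COMMIT")
            if (!done && table == "*filter" && stop) {
                for (j = 1; j <= 2; j++)
                    if (!(want[j] in seen)) print want[j]
                done = 1
            }
            print line[i]
        }
    }' "${1:--}"
}

# Demonstration on the constructed file: prints the merged rule set.
sample_rules | add_voip_rules -
```

Write the output to a new file and compare it with the original before replacing /etc/sysconfig/iptables. Both rules accept from any source address, exactly as posted in the thread.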
 
