TIPS Problems with 13-13 setup NAT and Flowroute

Status
Not open for further replies.

AndyInNYC

Active Member
Joined
May 23, 2013
Messages
639
Reaction score
86
I'm having the dickens of a time getting this to work. I currently have 2 issues:

1 - remote phones can't get audio (clearly a NAT issue)
2 - flowroute calls are getting rejected when the IP which initially registers is different from the IP flowroute sends calls in from.
More below:

Background - I'm using 13-13 on an Intel platform. I took my analog phones off the Digium board and they now sit on an ATA device and register fine as SIP. I have disabled PJSip on the system. I have every NAT setting I can find turned on. There have been no changes to the network since I've tried to set up the new system. I'm using 13-13 because Ward has said 16-15 doesn't correctly handle faxes.

FIOS router forwards to Netgear. Netgear forwards to 192.168.40.29 (PBX). I'm forwarding 5060-5069 (TCP & UDP), 10000-20000 (TCP & UDP), my portknock ports, my openvpn port 1194 and my IAX port. I've checked and rechecked that all ports are forwarded all the way through. My internal network is 192.168.40.29 from the Netgear forward. The FIOS box identifies as 192.168.1.1.

Problem 1: (perhaps related to point 2 also).

A hard phone in CA is having this problem, and I recreated it with an extension on my cellphone and disabled wifi. I opened the PBX to the phone via my DDNS address - iptables confirms the PBX will take ALL packets/ports from this IP.

When I call my home line (extension on the PBX) from the cellphone extension I get no audio:

Code:
- Connected line update to SIP/flowrouteNJSIP_ASB-0000005c prevented.
-- SIP/1100-0000005d answered SIP/flowrouteNJSIP_ASB-0000005c
-- Channel SIP/1100-0000005d joined 'simple_bridge' basic-bridge <696ca793-89c8-4f6c-8ac2-3cd53b8919cf>
-- Channel SIP/flowrouteNJSIP_ASB-0000005c joined 'simple_bridge' basic-bridge <696ca793-89c8-4f6c-8ac2-3cd53b8919cf>
> 0x7f6c7c0184f0 -- Strict RTP qualifying stream type: audio
> 0x7f6c7c0184f0 -- Strict RTP switching source address to 192.168.1.1:16476
-- SIP/flowrouteNJSIP_ASB-0000005b answered SIP/3000-0000005a
-- Channel SIP/flowrouteNJSIP_ASB-0000005b joined 'simple_bridge' basic-bridge <cfc3ca54-89da-4222-bbf9-d77d503d75f0>
-- Channel SIP/3000-0000005a joined 'simple_bridge' basic-bridge <cfc3ca54-89da-4222-bbf9-d77d503d75f0>
> 0x7f6c6002fbf0 -- Strict RTP learning complete - Locking on source address 174.200.19.235:38474
> 0x7f6c7801b090 -- Strict RTP learning complete - Locking on source address 23.29.23.42:22040
> 0x7f6c7c0184f0 -- Strict RTP learning complete - Locking on source address 192.168.1.1:16476
[2019-10-12 10:11:33] WARNING[2509]: chan_sip.c:4069 retrans_pkt: Retransmission timeout reached on transmission [email protected] for seqno 6987 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 6400ms with no response
[2019-10-12 10:11:33] WARNING[2509]: chan_sip.c:4093 retrans_pkt: Hanging up call [email protected] - no reply to our critical packet (see https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions).
Clearly Not Good

On the SIP Settings page, I have:

External Address - my network's public IP. I'm using Ward's routine to keep it updated from the Pi install directions.
Local Networks - 192.168.40.0 / 255.255.255.255 and 10.0.0.0 / 255.255.255.255 (VPN network)
RTP Ports are 10K-20K (per above)
RTP Checksums is yes
Strict RTP is yes
ulaw, alaw, gsm, g726, g722 are allowed codecs

Chan Sip Settings Page, I have

Nat = Yes
Static IP and the IP box has my public IP
Reinvite is No

On the Asterisk Settings page, I have
Sip NAT = yes

On the Extension, I have
NAT mode = Yes, (force_rport,comedia)

I can think of nothing else to change.


2. Flowroute. I have my Trunk set to use us-east-nj.sip.flowroute.com (forgive any misspellings). I have the full range of NJ sip IP's allowed in my iptables. Flowroute will connect using (say) X.X.X.194 and this shows up in my sip show peers list. The problem is that the IP will 'migrate' over time and flowroute will send calls using (say) X.X.X.193. This IP is seen as foreign and is rejected - and the call won't get in. My Trunk settings match what everyone else is using. Prior to this upgrade I have been using the fixed POP in the LA and LV predefined Trunks - unfortunately, at least one of those is dead.

Ward posted a 'fix' for pjsip using a list of all the IP's but never answered if this can be used to 'alias' the IPs for chan_sip. I added all of the IPs for flowroute’s NJ pop per the bulkvs posting, but it doesn’t seem to work – still getting the rejection.

Code:
 -- Executing [[email protected]:6] Log("SIP/fl.gg-00000002", "WARNING,"Rejecting unknown SIP connection from 147.75.65.195"") in new stack
[2019-10-12 10:44:26] WARNING[3823][C-00000001]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 147.75.65.195"
and, to top it off, I even get the retransmission error (since I called from an external to the network SIP phone).

What can I do to stop the rejection and allow external callers to actually get a ring on my phone?


Sorry for the long post. I've been trying for 3+ weeks to get either 13-13 or 16-15 working correctly.





Andrew
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
674
Reaction score
249
How well does your fios router process SIP (think sip helper/alg here)?

sngrep is an easy starting point.
 

AndyInNYC

I’ll try the tool. Please remember, I’ve changed nothing on my network after having PIAF Green running for years.
 

AndyInNYC

So, I plugged the old PBX machine back in and reassigned it the correct IP address. Bang! The remote phone works just fine.

So, the problem is in the setup on the new machine.

I have:

1. Remote phone's IP is whitelisted for SIP
2. Remote phone registers
3. All NAT settings I can find are set to yes.

Have there been any updates from Green to current for NAT settings? I'm seeing things like 'Strict RTP' which I have never seen before.

I'd really like to upgrade to a newer base system, but they just don't work. I'm doing something wrong, but I can't figure out what.

Andrew
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,317
Reaction score
2,697
@AndyInNYC: For openers, your CIDR mask is not correct.

Local Networks - 192.168.40.0 / 255.255.255.255 and 10.0.0.0 / 255.255.255.255 (VPN network)

should be

Local Networks - 192.168.40.0 / 255.255.255.0 and 10.0.0.0 / 255.255.255.0 (VPN network)
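
What the two masks in the post above actually match, as an added example that is not part of the original thread: the functions model, in simplified form, how a Local Networks list decides whether a peer is treated as local or is sent the External Address. The function names and the peer addresses 192.168.40.50 and 10.0.0.6 are constructed for illustration; 174.200.19.235 is the remote source from the log posted earlier.

```python
import ipaddress

def parse_localnet(entry):
    """Turn '192.168.40.0 / 255.255.255.0' (as typed in the GUI) into a network."""
    addr, mask = (part.strip() for part in entry.split("/"))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def lint_localnets(entries):
    """Return a warning for every entry whose mask covers a single host only."""
    warnings = []
    for entry in entries:
        net = parse_localnet(entry)
        if net.prefixlen == net.max_prefixlen:
            warnings.append(f"{entry}: /{net.prefixlen} matches only {net.network_address}")
    return warnings

def advertised(peer_ip, entries):
    """Simplified model: 'local' if the peer is inside any localnet,
    otherwise 'external' (the External Address goes into SIP/SDP)."""
    peer = ipaddress.ip_address(peer_ip)
    inside = any(peer in parse_localnet(e) for e in entries)
    return "local" if inside else "external"

AS_POSTED = ["192.168.40.0 / 255.255.255.255", "10.0.0.0 / 255.255.255.255"]
CORRECTED = ["192.168.40.0 / 255.255.255.0", "10.0.0.0 / 255.255.255.0"]

# Constructed LAN and VPN peers, plus the remote source seen in the posted log.
PEERS = ["192.168.40.50", "10.0.0.6", "174.200.19.235"]

def compare():
    """Map each peer to (result with posted masks, result with corrected masks)."""
    return {p: (advertised(p, AS_POSTED), advertised(p, CORRECTED)) for p in PEERS}

if __name__ == "__main__":
    for warning in lint_localnets(AS_POSTED):
        print("WARN", warning)
    for peer, (before, after) in compare().items():
        print(f"{peer:16} posted={before:9} corrected={after}")
```

In this model the remote phone is classified as external under both settings; the mask changes how LAN and VPN devices are treated.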

 

AndyInNYC

Would that error cause my problem, or am I still chasing ghosts?

Andrew
 

AndyInNYC

I can. But I've swapped back the old machine into place. Neither of us likes to chase ghosts (mine or otherwise); I'd rather exorcise them. To drop the machine back in and get all the IP's swapped over, etc. is disruptive and my distant user and I are trying to have phones that ring <g>.

I'll coordinate a time to check it out.

Andrew
 

AndyInNYC

@wardmundy,

I never got an answer to an earlier (related) question: You have bulkvs setup directions for pjsip which uses aliases (my word) for all of the IPs they use. Is there an equivalent for SIP to allow bulkvs/flowroute to avoid the issues I'm getting with the IP they send from being different than the IP I registered on, even when all the IPs are whitelisted?

Thanks


Andrew
 

wardmundy

> I can. But I've swapped back the old machine into place. Neither of us likes to chase ghosts (mine or otherwise); I'd rather exorcise them. To drop the machine back in and get all the IP's swapped over, etc. is disruptive and my distant user and I are trying to have phones that ring <g>.
>
> I'll coordinate a time to check it out.
>
> Andrew

This is what (free) sandbox platforms like VirtualBox are for. Or you can spin up a VM at Vultr or Digital Ocean and use it for 4 hours for about two cents. Give one of them a try.
 

billsimon

Experienced in Asterisk, FreePBX, and SIP
Joined
Jan 2, 2011
Messages
1,001
Reaction score
333
> I never got an answer to an earlier (related) question: You have bulkvs setup directions for pjsip which uses aliases (my word) for all of the IPs they use. Is there an equivalent for SIP to allow bulkvs/flowroute to avoid the issues I'm getting with the IP they send from being different than the IP I registered on, even when all the IPs are whitelisted?

No. Just one more good reason to use PJSIP. In chan_sip, either define a trunk for every IP that can send you calls, or allow sip guest + allow anonymous in your SIP settings so that you don't have to match against a trunk. Better to use pjsip with its ability to match a list of IPs or subnets.
 

AndyInNYC

True, but I'm in a catch 22. PJSIP doesn't work (per @wardmundy) in 13-13 and faxing doesn't work in 16-15 (again, per @wardmundy). So I have to work in 13-13.

So, your suggestion is that I make 'IncomingFlowRoute1', 'IncomingFlowRoute2', etc. for each of the [24], us-east-nj.sip.flowroute.com IPs and have them with identical destinations? What about dialing out? Can I be sure that the IP I registered with will be the outgoing and incoming for all packets?

Andrew
 

billsimon

> So, your suggestion is...

FreePBX 13 is end of life. I wouldn't use it for a new install.

I'd go with 16-15 and figure out the fax side of things separately. Use PJSIP for your trunk.

> make 'IncomingFlowRoute1', 'IncomingFlowRoute2', etc. for each of the [24], us-east-nj.sip.flowroute.com IPs

No, that's tedious. If you're determined to do this with chan_sip, I'd do it like this. Make the "outbound" trunk in the GUI. Then in the sip_custom_post.conf file, use asterisk template style to duplicate it for all the other IPs. Example: if you create the trunk with peer name "flowroute" in the GUI, you can duplicate it in the custom file like this,

Code:
[flowroute-ip1](flowroute)
host=IP-ADDRESS-1

[flowroute-ip2](flowroute)
host=IP-ADDRESS-2

; ... 24 times total ...

> and have them with identical destinations?

Inbound Routes are associated with DIDs, not trunks. You don't need to set up any destinations.

> What about dialing out? Can I be sure that the IP I registered with will be the outgoing and incoming for all packets?

You will direct your Outbound Route to the trunk you set up in the GUI (that I previously just called "flowroute"). No, it won't necessarily be that your incoming and outgoing traffic use the same IP. That's why you configured that whole list of 24 possible inbound IPs.
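
The template approach from the post above, as an added example that is not part of the original thread: it renders one chan_sip peer per provider address in the `[name](template)` form shown there, then uses a simplified model of source-IP peer matching to show why a call from an unlisted address falls through to the "Rejecting unknown SIP connection" path. The addresses are constructed from a documentation range, and `render_peers`, `parse_peers` and `match_inbound` are hypothetical helper names.

```python
import ipaddress

# Constructed sample list (documentation range), including one duplicate,
# mirroring the thread's "registered on .194, call arrives from .193" case.
PROVIDER_IPS = ["203.0.113.193", "203.0.113.194", "203.0.113.195", "203.0.113.194"]

def render_peers(template, ips):
    """Return sip_custom_post.conf text: one peer per unique IP, inheriting
    every setting from the GUI-created trunk named `template`."""
    seen, stanzas = [], []
    for raw in ips:
        ip = str(ipaddress.ip_address(raw.strip()))  # ValueError on a bad entry
        if ip in seen:
            continue
        seen.append(ip)
        stanzas.append(f"[{template}-ip{len(seen)}]({template})\nhost={ip}\n")
    return "\n".join(stanzas)

def parse_peers(conf_text):
    """Read peer name -> host back out of sip.conf-style text."""
    peers, name = {}, None
    for line in conf_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        if line.startswith("["):
            name = line[1:line.index("]")]
        elif line.startswith("host=") and name:
            peers[name] = str(ipaddress.ip_address(line[5:].strip()))
    return peers

def match_inbound(source_ip, peers):
    """Simplified model of matching an inbound INVITE by source IP.
    Returns the peer name, or None (call lands in from-sip-external)."""
    src = str(ipaddress.ip_address(source_ip))
    for name, host in peers.items():
        if host == src:
            return name
    return None

# A single trunk that currently resolves to one address only.
SINGLE_TRUNK = parse_peers("[flowroute]\nhost=203.0.113.194\n")
ALL_PEERS = parse_peers(render_peers("flowroute", PROVIDER_IPS))

if __name__ == "__main__":
    print(render_peers("flowroute", PROVIDER_IPS))
    for src in ("203.0.113.194", "203.0.113.193", "147.75.65.195"):
        print(src, "single:", match_inbound(src, SINGLE_TRUNK),
              "per-IP:", match_inbound(src, ALL_PEERS))
```

An address that is not in the list still returns `None`, so unknown sources keep being rejected without turning on SIP guests or anonymous calls.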
 

wardmundy

The other obvious answer is DITCH FLOWROUTE. Plenty of other providers to choose from.
 


AndyInNYC

I asked the question about using entries in sip_custom_post.conf in post #9. In post #11 I understood that it only works for PJSip, and not chan_sip (SIP). Did I misunderstand the answer, or are we all talking across one another?

I used these entries on my 13-13 machine to no avail with SIP and Flowroute.

Flowroute is working on my Green PBX, albeit using us-east-nj.sip.flowroute.com. No problems or issues.

I'm wondering if turning off 'strict rtp' will have any impact.

So, just to be clear.

If I stick with 13-13 and chan_sip (no PJSIP) will changing sip_custom_post.conf work or is there some other workaround (again for SIP) to allow multiple IPs to track correctly?

As we speak I'm setting up an Intel machine to run VirtualBox.


Andrew
 

AndyInNYC

@billsimon and @wardmundy

I'm trying to fully understand the directions for the edits to sip_custom_post.conf

I'm using 16-15 and PJSIP.

Flowroute has POPs NJ, VA, WA, OR. Each has 24 or so IP addresses. I'm using NJ and VA.

I have 2 users, each with their own flowroute account (or bulkvs, for that matter).

For this example, the trunks are named:
My Trunks are FlowRouteNJ_Me, FlowrouteVA_Me (us-east-nj.sip.flowroute.com, us-east-va.sip.flowroute.com)
His Trunks are FlowRouteNJ_Him, FlowrouteVA_Him. (same identification for the IP)

So,

in your example:
Code:
[flowroute-ip1](flowroute)
host=IP-ADDRESS-1

[flowroute-ip2](flowroute)
host=IP-ADDRESS-2
Is (flowroute) the Trunk Name?

Would I do:

Code:
[FlowRouteNJ_Me1](FlowrouteNJ_Me);
host=1.2.3.4
[FlowRouteNJ_Me2](FlowRouteNJ_Me);
host=1.2.3.5
...

[FlowRouteNJ_Him1](FlowRouteNJ_Him);
host=1.2.3.4
[FlowRouteNJ_Him2](FlowRouteNJ_Him);
host=1.2.3.5
If not, what does the text represent and what's the correct way with, effectively, a duplicate trunk with different credentials? It's a cut and paste, so I don't care if I need lots of entries to get all the combinations.

Thanks.


Andrew
 