

IP Phone over WAN to Asterisk

Lee Christie's picture

I have a dozen or so IP phones set up on a LAN using Asterisk/FreePBX which work just fine. When I try to connect one externally (WAN, not VPN) it doesn't get connected. I've put in the Company's public IP as the Proxy in the IP Phone's settings and directed traffic on UDP 5060 to the PBX on the router/firewall but it can't get through. Is there anything else to set or anything I can check in my configuration which might indicate why it fails to connect?

Thanks



Please be more specific as

lazytt's picture

Please be more specific as to what isn't working.


__________________

Moshe Brevda, FreePBX Development Team
New to asterisk? Download the Asterisk book FREE!


My IP phone just doesn't

Lee Christie's picture

My IP phone just doesn't connect, it says "Failed" on the status menu. It won't connect to the PBX, I don't know if this is a routing problem or a firewall problem, or if I have to set up some extra permissions in some configuration files somewhere, I don't know what's wrong. Is there any way I can check to find out?


logs

bubba's picture

Logs would help

Have you configured your sip_nat.conf file?

http://www.voip-info.org/wiki/index.php?page_id=2917

2.9.3 When asterisk is behind a NAT do not forget to specify:
in sip_nat.conf
externip = X.X.X.X ;(substitute your public ip address)
localnet = 192.168.X.0/255.255.255.0 ;(substitute your lan subnet address)
nat=yes

Ports to forward on router:
4569 TCP/UDP - iax
5004-5082 TCP/UDP - sip
10000-20000 TCP/UDP - sip


__________________

Bubba


My

Lee Christie's picture

My sip_nat.conf:

nat=yes
externip=EDITED
localnet=192.168.2.0/255.255.255.0
qualify=yes

I've opened all the ports you mentioned but it didn't make a difference


as bubba mentioned, your

lazytt's picture

As bubba mentioned, you're going to have to do some debugging (and post the logs here if you want our help). In the asterisk cli type:

core set verbose 5
sip set debug 5

If you know the IP address that you are trying to connect from, then type:

core set verbose 5
sip set debug ip xx.xx.xx.xx

then, using the Asterisk Logfile module, post the relevant portion of the log file




What type of phones are you

R_Henry's picture

What type of phones are you using?


They're Linksys IP Phones

Lee Christie's picture

They're Linksys IP Phones (SPA942)

I tried:

core set verbose 5
sip set debug 5

Nothing happens on the console when I try to connect the phone and fail so I've nothing to post.

I DO see it outputting information when I answer/make calls, etc. but it doesn't do anything when I attempt to connect a phone and fail (even if I successfully connect a phone on the LAN that CLI screen doesn't show anything). Have I checked this right?


not sure what else to try,

Lee Christie's picture

not sure what else to try, anyone?

would it be better to use a VPN? How are IP phones usually connected remotely? By VPN or just using public IP address of the server.


Any time I have done it I

R_Henry's picture

Any time I have done it I have just connected to the public IP.

I know with my Aastra phones I had to go into the phone config and set the nat ip to the public ip of the server to get them to register.

Is your phone sitting behind a router or firewall at the remote end?

Set the phone back to factory defaults. And then set up the phone from scratch. I assume it asks for a server IP and such. Maybe it has some stuff stuck in the config on the phone.


Here is what the

Lee Christie's picture

Here is what the configuration on my phone looks like:
http://leechristie.com/hotlinks/ext1.png
I can't figure out what's wrong with it.

And the phone will be on a firewall but it's not yet. The pbx server is on a firewall


First under Nat settings

R_Henry's picture

First, under Nat settings change nat mapping to yes. Under proxy and registration put in the server's public IP in both proxy and outbound proxy. Change use outbound proxy from yes to no.

See if that helps.


Okay thanks, it still didn't

Lee Christie's picture

Okay thanks, it still didn't do anything differently though :(


Is there a log in the phone

R_Henry's picture

Is there a log in the phone that you can access? What is the phone saying.


good point unfortunatly i

Lee Christie's picture

Good point, unfortunately I can't seem to find any log. It's a Linksys SPA942 and I tried googling to find out if it has one and I looked around the configuration menus but it doesn't seem to.


Do you have it set for DHCP.

R_Henry's picture

Do you have it set for DHCP. Is it getting the proper info?


The pbx is static, the phone

Lee Christie's picture

The pbx is static, the phone is on DHCP. If I try the phone on the internal network using the pbx's internal IP it works even though the phone is still using DHCP there too. I just can't get in using the public ip.


I'm starting to think it is

R_Henry's picture

I'm starting to think it is a network issue.

You do have the correct entries in your sip_nat.conf file right?

This is all I have in mine

externip=10.10.10.10 <-- Your External IP provided by your provider. Not the gateway IP.
localnet=192.168.2.0/255.255.255.0 <----- Make sure this is correct and that the netmask is the same as on your net

On firewall

Ports 5060 open UDP/TCP
Ports 10001 - 20000 open UDP/TCP

Download the xlite softphone and try it and see if it connects. It's very simple to setup


I agree with bubba on this,

fskrotzki's picture

I agree with bubba on this, it is a network/router issue. If the phone works internal then the userID and password parts are right, the extension is configured correctly. But when the phone is external it does not work then it is a firewall/router issue. The sip_nat.conf looks with assuming the IP EDITED is the external IP of the firewall that has the ports being forwarded. That's the problem with editing config files, you are removing an important part of the info.

Basically if the firewall is setup properly then packets would be forwarded to the asterisk box and you WOULD have output, since you have none the firewall is not forwarding properly.

So are you SURE you forwarded UDP ports and NOT TCP ports? SIP is UDP based, so forwarding TCP ports will get you nowhere, which is basically what you have now.

I don't know the firewall you are using it might not properly forward udp?

Nobody has asked if there is a firewall on the remote side? Sometimes port 5060 needs to be forwarded on that to the phone (older non-sip aware firewalls for example).


as I said here's my settings

Lee Christie's picture

as I said here's my settings in sip_nat.conf

nat=yes
externip=EDITED
localnet=192.168.2.0/255.255.255.0
qualify=yes

and i've forwarded and opened:
4569, 5004-5082, 10000-20000 on TCP/UDP

I have just tried xlite and if I connect using the local network IP of the PBX it connects just fine, if I use the public IP I get Registration error 403 - Forbidden (Bad auth), bearing in mind I'm using the exact same SIP login extension/password. I guess it must be something in the asterisk configuration not the linksys phone since xlite responds the same way.


If the phone is hitting the

lazytt's picture

If the phone is hitting the remote server, there has to be something in sip set debug 5 that can help.

Also, what router do you have back at the office?




The router is a DrayTek

Lee Christie's picture

The router is a DrayTek Vigor2600 annex A.

Perhaps I'm using sip set debug 5 wrongly because nothing came up, can you explain how to use it for a linux/asterisk newbie please? Thanks.


Sure, go to the asterisk cli

lazytt's picture

Sure, go to the asterisk cli by typing

asterisk -r

then type:

sip set debug



I had to put what should go

baldbrad's picture

I had to put what should go in sip_nat.conf in sip_general_custom.conf to get it to work, so you might try that.

Also, if your phone is behind a NAT, you may have to specify a STUN server. (My remote phones aren't, so that isn't an issue for me. Maybe someone else can chime in on this)


baldbrad. It should not

fskrotzki's picture

baldbrad. It should not make a difference which file it is placed in currently unless somebody or something has played with your sip.conf file. Double check your sip.conf to see that it is loading sip_nat.conf. It should be the include right after the sip_general_custom.conf so placing it in one or the other will not make a difference.


ok i've tried copying

Lee Christie's picture

ok i've tried copying sip_nat to sip_general_custom but that didn't do anything.

I have now tried enabling sip debug and I tried connecting from home then searching /var/log/asterisk/full for my ip address but it's not there. I know I forwarded the ports correctly because I've worked with this router before. Is there anything else it can be?

Can it be anything in my extension set up?
http://leechristie.com/hotlinks/sip501.png

If I have to specify a STUN server, what is that and how do I do that?

Edit: By the way, I just tried X-lite again from inside the network but by specifying the public IP of the PBX (X-lite works fine for me if I specify the internal IP of the PBX, but with the public IP it says 403 Bad Auth), here is the sip debug log for that attempt:
http://leechristie.com/hotlinks/sip-debug.txt


In etc/asterisk double check

R_Henry's picture

In etc/asterisk double check your rtp.conf file. There should be a rtpstart = 10001 and rtpend= 20000 . If the end is set higher than 20000 you will have to widen your port range in the firewall or change the rtpend number to 20000.


Checked rtp.conf, it looks

Lee Christie's picture

Checked rtp.conf, it looks fine


Are you sure you have the

R_Henry's picture

Are you sure you have the correct ip for external ip set in sip_nat.conf.

Go to www.whatismyip.com and see if it comes up with what you have. This is really sounding like a nat or firewall problem.

I have x-lite on my laptop and no matter where I am in the world I can register and make calls. So if you cannot do it with x-lite outside your lan it has to be a network issue.

Who is your ISP (at home and work). Do they also provide VoIP service? They COULD be blocking you.


i was using whatismyip

Lee Christie's picture

i was using whatismyip anyway.

xlite doesn't even work when I'm INSIDE the lan (but addressing the pbx by the public IP), the firewall is configured correctly if all the ports I listed are the correct ones and they are forwarded to the pbx on TCP and UDP.

The ISP is Demon, I don't see why it matters though, I thought net neutrality prevented ISPs from blocking specific packets such as VoIP, BitTorrent, etc.


Lee Christie, When you are

fskrotzki's picture

Lee Christie,

When you are behind a firewall you can't use the external IP as it would have to go out the firewall and loop back on the same interface. Most firewalls do not do/allow this (cisco pix and asa's are the exception to that if the loopback option is enabled).

sip debug will show ANY traffic that hits the sip port (5060). So if you are not getting anything then you are NOT getting stuff forwarded.

So when you hit it from the outside and you are not seeing sip info being displayed then it is NOT making it to the machine. Like I stated earlier that becomes a network/firewall/router issue. If the traffic can't get to the server then nothing you do at the server will fix that.

So please double check the firewall, make sure that the ports being forwarded are UDP, opening tcp ports are useless and potentially a security risk. Next check all the other equipment that might be in between like a router. It might not be allowing something also.

Once you start getting info displayed via the sip debug you know your network is set right and then if it still does not connect properly it can be a server config issue.

The ONLY exception to that would be if you have any IPtables rules running on the box. If so disable them until you get things working...


NAT

atulablack's picture

First thing, check on the SIP server (Asterisk) when you use x-lite to register to the SIP server. If the SIP server receives the register invite message, that means x-lite sent the invite message to Asterisk over port 5060. If x-lite can't register to the SIP server, that means the SIP server has something configured wrong.

If the SIP server has no invite message registered from x-lite, the firewall has a problem. Normally, we need to NAT ports 5060 to 5069 for SIP and 10000 to 20000 for RTP.

hope you can fix that.

Trung Do


Tried addressing by name, instead of IP address?

RebelOz69's picture

It's a long time since I set mine up, and (like any good IT specialist) I didn't thoroughly document it at the time. Of course, the configs ARE fairly self-documenting though... :-)

With my own configuration, I've got all my extensions (at least, the ones that can) set to use the DNS name of the server.

That way, if they're inside the LAN, they work, if they're out on the net, they work. No programming changes required. This assumes of course that you have control of the DNS (and know how to configure a split DNS).

It seems a silly question, but are you able to ping the PABX using DNS name (ie ping pabx.somedomain.dom)? From inside the LAN, and from the Internet?

If so, I suggest using that name, not the IP.

Also, in addition to setting that name as the SIP server, set it as the Outbound Proxy as well.

Oh, Trung: If the extension is configured to hit the public IP whilst inside the LAN, the usual result is that the router will silently drop the packet (anti-spoofing). The configs could all be perfect...

Useful information: http://www.freepbx.org/support/documentation/howtos/howto-setup-a-remote...


RebelOz69: Like I said, I'm

Lee Christie's picture

RebelOz69: Like I said, I'm addressing it by private IP internally and by public IP externally not by DNS name, the PBX does not have a DNS name.


LOGS

bubba's picture

OK if you are not getting anything from the server how about the soft phone log???

Did you use the stun server setup in the softphone??

And do not take this wrong, but you do know what a public ip is right??? Just asking....

I have seen folks fighting remote access and they are double natted they have a non - routed IP on a second router behind the device from the ISP. just forwarding thru the two devices is not going to cut it.

So you need to lay out your network from the pipe in (your ISP) to the PBX.
If you are worried about your IP addy change the LAST set of numbers but give us something to chew on.

ngrep -d any -Wbyline -t port 5060

will show the port on the box in real time




bubba: I'll get logs to you

Lee Christie's picture

bubba: I'll get logs to you asap, but I'm having trouble with my MacBook right now. Also, I don't know what a stun server is, so no I didn't use the stun server setup in X-lite. Yes I know what a public IP is.


Okay, still not working. But

Lee Christie's picture

Okay, still not working. But what I've done is change the settings in the phone so that it is now on the correct domain and it is now connecting to the PBX. Asterisk reports it as connected however, on the FOP it is greyed out and if I try to call it I get "The person is 501 is unavailable...". But I CAN make calls FROM that extension remotely now.

Where do I look to find out what it thinks it's doing now?

P.S. ngrep doesn't seem to be installed on my CentOS box and running the command bubba suggested with just grep doesn't seem to work.


trouble shooting

bubba's picture

at the asterisk CLI
sip show peers
sip show registry




501-504 are the extentions

Lee Christie's picture

501-504 are the extensions assigned to the remote phone.

pbx*CLI> sip show peers
Name/username              Host            Dyn Nat ACL Port     Status
504                        (Unspecified)    D   N      0        UNKNOWN
503/503                    (Unspecified)    D   N      0        UNKNOWN
502/502                    (Unspecified)    D   N      0        UNKNOWN
501/501                    (Unspecified)    D   N      0        UNKNOWN
210/210                    192.168.2.210    D   N      5060     OK (9 ms)
209/209                    192.168.2.209    D   N      5060     OK (10 ms)
208/208                    192.168.2.208    D   N      5060     OK (9 ms)
207/207                    192.168.2.207    D   N      5060     OK (10 ms)
206/206                    192.168.2.206    D   N      5060     OK (10 ms)
205/205                    192.168.2.205    D   N      5060     OK (11 ms)
204/204                    192.168.2.204    D   N      5060     OK (10 ms)
203/203                    192.168.2.203    D   N      5060     OK (10 ms)
202/202                    192.168.2.202    D   N      5060     OK (10 ms)
201/201                    192.168.2.201    D   N      5060     OK (10 ms)
14 sip peers [Monitored: 10 online, 4 offline Unmonitored: 0 online, 0 offline]
pbx*CLI> sip show registry
Host                            Username       Refresh State                Reg.Time

Update

Lee Christie's picture

Since the last post, I got the person using the phone to try calling into the office from it, now extensions 501-502 have changed from UNKNOWN to UNREACHABLE. (Extension 504 has not changed, I may have configured it wrongly in the phone but that shouldn't affect the other 3)

503/503                    {IP DELETED}    D   N      5063     UNREACHABLE
502/502                    {IP DELETED}    D   N      5061     UNREACHABLE
501/501                    {IP DELETED}    D   N      5060     UNREACHABLE

We've given up on getting it

Lee Christie's picture

We've given up on getting it to work with the public ip. We have set up a VPN between the office and the house. The two routers are the same DrayTek Vigor. The phone started working perfectly for a while then just stopped. :( Any idea what I should do to figure out why?


If it will work or did work

R_Henry's picture

If it will work or did work with a VPN then it is a network NAT issue.

Try removing the firewall at the remote end. Place the phone on the DMZ or plug it directly into your network connection. See if you can get service then.

Also, in your router/firewall see if there are settings for ALGs (Application Level Gateway). You may have a check box for sip. If you do and it is checked, uncheck it. If it is unchecked then check it and try again. I found on one of the DLink routers I have set up that I had to play with the ALGs to get rid of one way audio and registration. Also check in your router that you have the least restrictive nat setting available. Again in the DLink there are a couple of options and the one that worked for me I think was endpoint independent.

Rob


newbie question here. When

Lee Christie's picture

I had a look around the router and couldn't see any reference to ALGs.

Newbie question here. When people say "one way audio", are they referring to the problem I'm having (my phone at the house can make calls to the office, but the office phones can't make calls to it because asterisk reports its status as unknown or unreachable) or are they referring to a slightly different thing?


Generally one way audio is

R_Henry's picture

Generally one way audio is you can hear the other person and they cannot hear you or you can hear them and they cannot hear you.


one way audio normally means

fskrotzki's picture

one way audio normally means that a call connects and one side can hear the call and the other side can't. It's like when you take a phone handset, open it up and take out the speaker portion that goes next to your ear.

Your problem as you described it is the classic firewall NAT issue where a remote phone can't or doesn't register and communicate properly with the server.

Assuming you have all the proper registration information set up properly (that is user ID/Auth ID, secret, sip registration/registrar IP, sip proxy IP are all set properly) then you just have a NAT/firewall issue.

Now what is interesting is that both have the same basic problem, one way audio is normally a partially setup firewall, but not registering and working means you've not even gotten that far.

you need to have the following settings

In the extensions that are remote set NAT to yes in the extension settings.

In sip_nat.conf or sip_general_custom.conf put the following lines:
nat=yes
externip= (the external IP of your box as the outside sees it).
localnet= (The IP subnet of your network, if you use a VPN or have multiple subnets you'll need multiple lines covering each subnet).

Then in the firewall you need to port forward UDP ports 5060 (for sip), 4569 (if you use IAX only), and range 10000 to 20000 from the external IP to the internal phone system.

Now sometimes on the remote side you might need to also port forward UDP 5060 to point to the phone. But only do this if you can't get it working without it. On the remote side in the phone you point the SIP registration addresses at the external address of the phone server. While for internal phones you point it at the internal IP of the phone system.


This was in my

Lee Christie's picture

This was in my sip_nat.conf:

nat=yes
exterhost=<our-IP>
externrefresh=60
localnet=192.168.2.0/255.255.255.0
qualify=yes

we have 5060-5081 UDP&TCP, and 10000-20000 UDP&TCP forwarded on the pbx side and 5060 forwarded on the phone side plus we tried setting the phone as that side's DMZ. We also tried a router-to-router VPN so we could use the private IPs but that didn't work either, actually it worked for half a day then stopped.


when you add the VPN you

fskrotzki's picture

When you add the VPN you need to do two things. Include an additional localnet=(vpnsubnet/mask) in the sip_nat.conf, and make sure that the system reloads to read it. And also make sure that the phones on the other side of the VPN are then using the internal IP of the server.

Otherwise things get weird.

I quickly scanned all the postings and I didn't see it... Whose firewall and firmware rev are you using? There might be an issue with it...


whta exactly to do i need to

Lee Christie's picture

What exactly do I need to add to sip_nat? (192.168.2.* is our office subnet and 192.168.0.* is the house)

The router at the Asterisk end is Vigor2600 annex A with Firmware v2.5.5_UK, I'd have to check the other end later.


you need to have these lines

fskrotzki's picture

You need to have these lines in your sip_nat.conf file
nat=yes
externhost=
localnet=192.168.2.0/255.255.255.0
localnet=192.168.0.0/255.255.255.0

I'll try and dig up some doc's on the router and see if there is anything that sticks out.
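
Added example, not part of the thread and not FreePBX or Asterisk code: a small checker for the sip_nat.conf fragments discussed above. It flags option names that are not among those used in this thread, lines that are not key=value, an externip that sits in a private range (the double-NAT case bubba describes), and subnets that no localnet line covers. The function name, the list of known options and the sample file are assumptions made for this example.

```python
import difflib
import ipaddress

# Options seen in this thread's sip_nat.conf fragments (assumed working set,
# not the full list of settings Asterisk accepts).
KNOWN_KEYS = ("nat", "externip", "externhost", "externrefresh", "localnet", "qualify")
# RFC 1918 ranges plus the RFC 6598 carrier-grade NAT range.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Constructed sample, modelled on the fragments posted in the thread.
SAMPLE = """\
nat=yes
exterhost=pbx.example.invalid   ; misspelled option name
externrefresh=60
localnet-192.168.2.0/255.255.255.0
localnet=192.168.0.0/255.255.255.0
qualify=yes
"""


def lint_sip_nat(text, expected_subnets=()):
    """Return (line_number, message) findings; line 0 means a file-level finding."""
    findings, localnets = [], []
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if not line:
            continue
        if "=" not in line:
            findings.append((num, f"not a key=value line: {line!r}"))
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key not in KNOWN_KEYS:
            guess = difflib.get_close_matches(key, KNOWN_KEYS, n=1)
            hint = f", did you mean {guess[0]!r}?" if guess else ""
            findings.append((num, f"unknown option {key!r}{hint}"))
        elif key == "externip":
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                findings.append((num, f"externip is not an IP address: {value!r}"))
                continue
            if any(addr in net for net in PRIVATE_NETS):
                findings.append((num, f"externip {addr} is a private address (double NAT?)"))
        elif key == "localnet":
            try:
                # Accepts the address/netmask form used in the thread.
                localnets.append(ipaddress.ip_network(value, strict=False))
            except ValueError:
                findings.append((num, f"localnet is not address/netmask: {value!r}"))
    # Every subnet that holds phones (office LAN, VPN side) needs a localnet line.
    for subnet in expected_subnets:
        net = ipaddress.ip_network(subnet)
        if not any(net.subnet_of(known) for known in localnets):
            findings.append((0, f"no localnet line covers {net}"))
    return findings


if __name__ == "__main__":
    for num, msg in lint_sip_nat(SAMPLE, ("192.168.2.0/24", "192.168.0.0/24")):
        print(f"line {num}: {msg}")
```
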