HOWTO Setup A Remote SIP Extension

This HOWTO assumes that your FreePBX system is sitting behind a NATed firewall with no direct connection to the outside world and it is NOT in the DMZ zone. If you are relying on this article to set-up your system, DO NOT place your system on a public IP address or a DMZ zone. This article does not address the potential security implications involved in such a setup.

The four key considerations in setting up remote extensions are:

  • 1. Ensure that your PBX is as secure as it can possibly be
  • 2. Configure Asterisk so that it knows which IP addresses are inside your network and which ones are on the public internet
  • 3. Forward the required ports from your firewall to your PBX
  • 4. Configure the Extensions for External Use

In order to accomplish the above we need to apply some configuration information into FreePBX, some Asterisk configuration files and on your firewall/router.

Secure Your System

Anytime you access your PBX using a remote extension, you are exposing your PBX to the public internet. If you can access your system from the internet, so can anyone else. Before you begin, you might want to consider several security measures.

First, ensure that IPTables and Fail2Ban are installed and properly configured to protect Asterisk and FreePBX. Fail2Ban will temporarily ban any IP address that repeatedly attempts to connect to your PBX using the wrong password. This can effectively deter hackers, by making it take impossibly long to guess a password using brute force. Fail2Ban is already installed on the FreePBX distro, and can be configured from the System Administration module.

Second, make sure that all of your extensions are secured with a strong password. A strong password is composed of random letters (upper and lower case), numbers, and symbols, and is at least 15 characters long.

Third, you may wish to consider changing the default SIP Signaling Port from 5060 to an alternative. Port 5060 is widely used for VOIP services, and there are a number of hacking programs in the wild that scan for computers that have port 5060 open, and then attempt hack into any available PBX. If these hacking attacks succeed in obtaining a valid user/extension number and password, the hacker can use your system to place calls at your expense. Even if they don't succeed in obtaining a valid password, they can interfere with legitimate users (or crash asterisk) and thus cause your PBX to become inoperative.

In addition, Port 10000 is used for webmin (a tool that can be used to make substantial configuration changes on your machine using a web browser). If you have webmin on port 10000, either change webmin's default port to something else (such as 9001), or change the default RTP Media Ports from 10000-20000 to 10001-20000.

A range of 10000 ports available for RTP Media is often unnecessarily large for most small systems, because one call requires only 4 active ports. Thus, you might consider narrowing the range of ports used for RTP Media. If you do narrow the range, keep the range somewhere within 10000 to 20000 (i.e. don't select 43500 to 44500), as going outside this range can lead to call quality issues.

For all of these reasons, you may wish to change the default ports to alternative ports in order to enhance the security of your system.

To change the RTP Media Ports, you have to edit an Asterisk file from the command line. Open a command prompt on your machine (either by sitting in front of your machine or by using the FreePBX Java SSH module) and type the following:

cd /etc/asterisk

nano rtp.conf

In the file, you'll see the options for the low and high ports used by Asterisk. Change them to something that is still within the range of 10000 to 20000 (using ports outside this range can lead to call quality issues). At a minimum, change the lower port to start at 10001 if you use webmin.

When you're done, hit CTRL-O, hit ENTER, and then hit CTRL-X.

You now need to restart the amportal to get Asterisk to use the new ports. Type:

amportal stop

and then:

amportal start

Note: Whenever you restart amportal, you may lose Busy Lamp Fields until your phones re-register. Aastra phones default to a 3,600 second re-registration time, and so it could take up to an hour before these services come back. You can change the registration time by changing those settings in your phone's configuration settings, or simply reboot the phones to cause them to re-register immediately.

To change the SIP Signaling Port from the default of 5060, open your browser and access the FreePBX GUI. Click on "Tools," and then "Asterisk SIP Settings." If this module is not available on your installation of FreePBX, you can install it using the "Module Admin" module.

Scroll down to Advanced General Settings, and fill-in the desired port to the right of the Bind Port field. If the field is left blank, the FreePBX should default to port 5060. Click "Submit Changes" at the bottom of the screen, and then click the orange "Apply Configuration Changes" bar at the top of the screen.

Remember that if you change any of these default ports, you'll want to change the port forwarding on your router to match the correct ports. If you change your SIP signaling port, you'll need to change your phones to use the new port you selected instead of port 5060.

Tell Asterisk Which IPs are Internal and which IPs are Public

Unless you have your PBX on a public IP address (which is a very bad idea), then you need to tell FreePBX which IP addresses are internal addresses and which IP addresses are external, public IP addresses. It is important for FreePBX to have this information so that it can adjust the SIP headers to use your external IP address when it is contacting extensions outside of your local network.

Open your browser and access the FreePBX GUI. Click on "Tools," and then "Asterisk SIP Settings." If this module is not available on your installation of FreePBX, you can install it using the "Module Admin" module.

Under NAT Settings, click "Auto Configure." If FreePBX correctly enters your static IP address, your internal network address ending in .0 (i.e., 192.168.1.0), and your subnet (usually 255.255.255.0), then click "submit changes" and then click the orange bar to reload Asterisk.

If FreePBX doesn't accurately enter your static IP address and local address, enter them manually. If you have an IP address that never changes (i.e., a static IP addresss), you can select "Static IP," and enter the IP address into the "External IP" field. If your external IP address changes, you may wish to register for a Dynamic IP address (for example, using dyndns.org), and then select "Dynamic IP." Your internal IP address should be the IP address on the machines on your network, but ending in a zero. For example, if your PBX is 192.168.1.101, then you should enter 192.168.1.0 in the internal IP address field. Your subnet mask will probably be 255.255.255.0.

If you plan to connect to your PBX using a VPN from another network, click on the "Add Local Network Field," and enter the internal address used on that VPN (i.e., 192.168.2.0) along with the subnet mask (usually 255.255.255.0).

Forward the Required Ports from your Router to your PBX

You also have to forward some ports on your Firewall/Router, so that phones that are outside of your local network can reach the PBX through your router/firewall.

The default installation of FreePBX is configured to use UDP port 5060 as the SIP signaling port and UDP ports 10000-20000 as the RTP Media ports.

These ports must be forwarded to your FreePBX System using your router/firwall configuration. How to do this varies widely depending on the firewall or equipment that you are using. It is commonly referred to as Port Forwarding or maybe Destination NAT (DNAT). However it is referred, if we assume in this example that your FreePBX system has an internal IP address of 192.168.1.100, that you didn't change the default 5060 port, and that you changed the lower range of the RTP Media Port from 10000 to 10001, then you will want:

  • UDP/5060 -> Forward to 192.168.1.100
  • UDP/10000-20000 -> Forward to 192.168.1.100

NEVER, EVER, EVER, EVER forward port 80 from your Router to your PBX. If you need remote access to FreePBX, the FOP, or the recording interface, set-up a VPN. You have been warned!

Configure Your Extensions for Remote Access

First, select a secure password. If you are making your system available over the internet, then anyone who has a valid extension password can connect to your system and make calls, unless you take action to lock the extensions down using the deny and permit fields (which can be used to limit access to certain extensions to local users).

Second, if possible, use the deny/permit fields in the Device/Extension modules to limit access to known IP addresses for every extension. For Devices/Extensions that don't need remote access, placing the entry "192.168.1.0/255.255.255.0" in the permit field should restrict access to your local network (change 192.168.1.0 to your internal IP addresses if they are different, but end in a .0). If you know the specific IP address from which you will access the remote Device/Extension, place it and the subnet mask in the permit field for the remote Device/Extension and subnet mask of 255.255.255.255 (not 255.255.255.0).

Third, you need to configure the remote Device/Extension with NAT enabled so that Asterisk knows this device is NATed and can apply the SIP rewriting rules that you previously configured above. Navigate to the desired extension and scroll down to the Device Options Section, it should look like:

Device Options - NATDevice Options - NAT

The configuration option nat must be set to yes, and you may want to set qualify to yes as well although not necessary.

With these steps, when properly configured, your external device should be able to communicate with your FreePBX server unless you have issues on the remote end where the device is located because of badly behaved Firewalls. The remote device should be configured to use your external IP address or domain name as specified above.

 

Taxonomy upgrade extras: 

Comments

jscanlan's picture

Have a SIP extension at a remote user's house? You may notice that the phone can place calls, and can receive them for a short period of time thereafter; then voice disappears.
Routers with poorly done SIP ALGs do the same thing. Best to just turn that feature off.
The problem is the stateful NAT on the device, deciding what's a valid UDP session and what's not.
You can either:
a) redirect SIP and RTP ports to the device in question (usually 5060 and 10000-20000, but this varies depending on your asterisk settings). Not a good plan if there are other VOIP services at the remote location (like a consumer VOIP ata).
or
b) set the registration EXPIRY to 60 seconds. This makes the phone keep registering and keeps the firewall open.
or
c) use a phone with STUN

fubar101's picture

What is the best way to have frepbx dial an outside number when customer dials extension? e.g customer dials an extension XXXX, free pbx will then dial an out side number XXX XXX XXXX? I thinnk it can be done in custom dialing but I do not know how . Any examples would be helpful. THanks

UForgotten's picture

Install the misc. destination module, then you can set up a misc destination that dials a number. Then you can make an option on an IVR to dial the misc. dest.
OR you can do a Custom extension and just put a dial string like Local/XXXXXXXXXX.
Also, you might want to start a new thread when you ask a new question, so your question doesn't get lost.

JohnnyMac_NMD's picture

You could try adding the external phone number (with a # at the end) into a "follow me" group attached to the xxxx extension. This way if the client reaches the extension, but the extension isn't answered, then it will divert to external number. Hope it helps.

Johnny Mac
Network Management Division

Dan-Arewa's picture

The type of phone used remotely determines if one is going to have smooth registration of device located externally. An example of such devices or Ip phones are the polycom which don't do well behind the firewall having in mind previous versions of firmware. Unlike Cisco the 7940's and rest do quite well if located remotely. I tried different configurations with Polycom 301, 501 like setting the refresh rates, setting qualify to NO, getting static IP and modifying the sip_nat.conf file all efforts made did not help, the 301's and 501's will not register. Cisco 7940 on the hand registred with no hassles. Wondering, if it is possible for FReepbx to integrate Openser as a registration module to take care of NAT issues since ASterisk can handle the media portion very well. Consequently, less overload and more user agents. Just a thought.

p_lindheimer's picture

Polycom's have not been the most NAT friendly devices compared to some. However, with the right settings they can be configured to work in almost every remote NAT environment that we have had to address. We have many deployed as such.
------------------------------------
Philippe Lindheimer - FreePBX Project Lead
http//freepbx.org - IRC #freepbx

Dan-Arewa's picture

Could you please post your setup or settings that made your remote Polycoms work.
And also the version of firmware used on these phones. I know that Polycoms do very well when used internally.

lbenzo's picture

Hello,

I've followed this steps carefully, but I'm still having problems.
I'm using two remote extensions with:
1 X-Lite
1 Thomson ST2022
PSTN and communication with extensions in the same network than Asterisk is working fine, but when I try to call between the two remote extensions, there is no sound in any way.

Any ideas? I've tryed this with FreePBX 2.3 and 2.4 with same results.

Thanks,
Luis

Enzo's picture

Hello, same problem here without a solution.

I too am having the silent extension syndrome. From inside my 192.168.1.0 lan, I can receive calls from any extension, including those outside the lan, and incoming DIDs, and anonymous SIP connections as well. All the calls have audio except for extensions outside my lan, althrough they can ring and accept the calls.

When I call from inside lan extension to outside lan extension, it rings, and the call initiated, but no audio is sent in or out, both directions.
When I call an incoming DID that is routed to that outside lan extension, it rings, and the call initiated, but no audio in or out, both directions.

I can use the FOP and move the call from outside extension to inside extension and the audio works.

I have tried many updates to sip_nat.conf, nothing seems to resolve the issue. Not sure if I need to apply changes after editing that file, so I amportal restart just to be safe. Both the externip and the externhost don't seem to resolve the problem, together, separate or otherwise not included. I have a dyndns account and have mostly been focusing on using the externhost value.

I have checked multiple times to make sure the remote extension is set up to use nat=yes, all my extensions, even internal are set up the same way, with nat=yes. I have been looking at the console and sip show user XXX to make sure NAT is on and enabled, and it is.

For good measure, the internal extension soft phones used to test are using the dyndns'ed hostname to connect and register, as is the external soft phone extension, all can register and initiate calls, but only the internal extensions get any audio. All internal extensions have 2 way audio.

I have tried 3 different installations, with 2 different linux varieties + pbx-in-a-flash. I am currently on Debian 4.0, and despite 1 issue with the default www-data user not have chmod/access permissions even when in the asterisk group to the files in the /var/lib/asterisk/agi-bin causing an error alert in freepbx upon each "save changes/update", I am happy, but that is a side issue right now with bin/retreive_conf.

With this latest build, I tried to remove the current stack (pbx-in-a-flash) from the issue, and compiled the software myself, and I arrived at the same result. I am currently using asterisk 1.6.0 beta 4 with freepbx 2.4.0. on a linux kernel of 2.6.18. All freepbx modules are installed and up2date as of this post.

I have debugging on, and have been tailing the /var/log/asterisk/full and haven't seen any problems/errors that weren't empty config warnings or empty context warnings.

I hope some of the above makes sense, it has been a long day here with my pbx Smile Any suggestions or things to try to determine why the nat=yes doesn't seem to resolve the problem would be greatly appreciated. In the mean time I am searching, reading and testing.

Thanks,

enzo

P.S. The compile and installation worked like a charm on debian. Thank you.

P.P.S. Forgot to mention that my machine is in the DMZ and I am also port forwarding like a crazy person.
UDP -> 10000 - 20000 RTP
UDP -> 5004 - 5082 SIP
UDP -> 4569 IAX2
UDP -> 2727 Media Gateway

chikkis's picture

i a facin similar issue please advice. i have one way speech from lan to remote extension is there
there is voice.

dimnet2000's picture

Hi,

I would like to know if I can use public stun address like stun.fwdnet.net:3478 with my X-Lite client connected remotly to my Trixbox CE Server?

In both end I have NAt-FIREWALL router with modem cable, dsl modem.

Also the FWD Stun address working only with FWDNUMBER or its universal?

Regards,

dimnet

prolap's picture

Thanks It worked for me.

chikkis's picture

what is the solution for it Please advice

jliberm's picture

Hi,
I defined the remote extension as describe here, but I have some problem, I can call from the extension, but I can't call to the extension.
does somebody have any ideas?

Yvgeni Liberman
System Integration Engineer - Solver Communication Solutions Ltd.
Mobile: 972-54-4608636
Fax: 972-3-5422966

p_lindheimer's picture

the issue is most likely on the remote extension's side and lack of keepalive or equivalent on the phone. When Asterisk tries to call the remote extension, it sends a SIP signal to the remote extension. If there is not a session between Asterisk and the remote firewall open, then the call request will be blocked. Keeping a session open involved keepalive 'pings' originating from the remote extension to Asterisk. This can also be achieved by reducing registration time on the extension to 30-60 seconds. In extreme cases, with very aggressive and problematic firewalls, you may need to forward port 5060 to the remote extension (or what ever port it is using for signaling).

jliberm's picture

I try to connect (from client side) with Dialup (it's enough for signaling) and I have no Firewall (on SJPhone I can see: NAT/Firewall: Open Internet.
Firewall before Trixbox is open "any to any" and I have the "Static NAT"
In my Softphone (SJPhone) defined "Sugested experation: 60 sec"
Do You have any other ideas?

Yvgeni Liberman
System Integration Engineer - Solver Communication Solutions Ltd.
Mobile: 972-54-4608636
Fax: 972-3-5422966

ambroisie's picture

hi

i am running freepbx 2.4 on trixbox 2.2

i have taken a Polycom 550 from the office to setup as a remote extension at home. it dont work but i dont think the problem can be too difficult to resolve now (says he hopefully).

situation is as follows (and yes i have taken on board everything i can find in the forum, hopefully this will come out in the description below).

i am not using VPN. routers at home and office both have static ip.

remote (ie at home) extension 223 can call any other extension in the office and it will ring out - but on answer there is no audio path in either direction. other users that dial 223 get a busy tone. the asterisk gui shows 223 as unreachable. typically "active channels" shows an IP address of the LAN IP of the phone on the home router (192.168.1.208 in this case). however under the SIP Registry it shows 223 as being a host at [home public IP]

office Trixbox has an IP of 10.10.99.109 and is accessible via a Cisco 877 Router/DSL Modem which is running IOS 12.4 (it is a beast to say the least !). the static ip associated with the office is [office public ip]. The Cisco 877 has UDP 5060, 5061, 5062 and 10001-10021 (enough for me - and the "beast" cannot block forward ports !) forwarded to the trixbox.

all extensions on the trixbox have
canreinvite=no
nat=yes
qualify=yes

sip_nat.conf is set with
externip=192.168.1.208 (dont know if i need this but it made no difefrence)
externip=[home public ip]
externip=[office public ip]
externhost=[office domain]
localnet=10.10.99.109.255.255.255.0
externrefresh-10

also rtp.conf is set for udp ports 10001-10021

the only changes i made to the Polycom were to set
a) outbound proxy - [office public ip]
b) rtp port start 10001 (cannot specify range)

the home router, which is a Netgear DG834, has port forwarding set as follows -

inbound - udp 10001-10021 from any source to 192.168.1.208 (the Polycom)
inbound - udp 5060-5062 from any source to 192.168.1.208
outbound - explicitly allow the aforementioned UDP from any LAN source to route to any WAN source

so, my understanding is that the Polycom is registering (asterisk cli shows registration at the [home public ip] but the process of setting up the phone and of course of routing any RTP seems to be falling apart.i can see initial logs on the Netgear at home showing 5060 requests going out, but no return; similarly i see requests going out from trixbox sip debug (refer below)....but not appearing at the hmoe router (apparently)

so my conclusion in all this is that the Cisco 877 is blocking the return traffic - but how or why i do not know. can anyone help, or otehrwise suggest another reason ?

i should also note the following: IAX on a softphone from home works fine. SIP and IAX trunks into and out of the office work fine. all goes via the same broadband connection on the aforementioned Cisco 877. i should however point out that from one ITSP inbound SIP traffic that hits voicemail or IVR also suffers from lack of audio in one direction (the return path). this does not occur on any inbound IAX trunks so i happen to have inbound from this one SIP trunk diverted to teh IAX out in ITSP land. not sure if this is red herring or the source of that problem may also be related to this issue.

a typical SIP trace on the trixbox shows -

Retransmitting #1 (NAT) to [Home PUBLIC IP]:5060:
OPTIONS sip:223@192.168.1.208 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK7bc7cf6b;rport
From: "Unknown" ;tag=as7c882181
To:
Contact:
Call-ID:

CSeq: 102 OPTIONS
User-Agent: Asterisk PBX
Max-Forwards: 70
Date: Mon, 14 Apr 2008 12:07:09 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Content-Length: 0

Retransmitting #2 (NAT) to [Home PUBLIC IP]:5060:
OPTIONS sip:223@192.168.1.208 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK7bc7cf6b;rport
From: "Unknown" ;tag=as7c882181
To:
Contact:
Call-ID:

CSeq: 102 OPTIONS
User-Agent: Asterisk PBX
Max-Forwards: 70
Date: Mon, 14 Apr 2008 12:07:09 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Content-Length: 0

Retransmitting #3 (NAT) to [Home PUBLIC IP]:5060:
OPTIONS sip:223@192.168.1.208 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK7bc7cf6b;rport
From: "Unknown" ;tag=as7c882181
To:
Contact:
Call-ID:

CSeq: 102 OPTIONS
User-Agent: Asterisk PBX
Max-Forwards: 70
Date: Mon, 14 Apr 2008 12:07:09 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Content-Length: 0

sorry for the long post but hopefully this contains allof the relevant info to assist someone to assist me in resolving this issue !!! any feedback or suggestions would be much aprpeciated !

cheers

david

ambroisie's picture

hi

modified SIP_NAT.CONF slightly to only have the external IP of the office to which my trixbox is assigned - as that is what i was told to do ! details and traces below..for registration and options

nat=yes
externip=[office public ip]
externhost=[my trix_office domain - as before]
localnet=10.10.99.109/255.255.255.0 %%note this is my trixbox static ip address
externrefresh=10

registration:

Found peer '223'
Looking for 223 in from-internal (domain 10.10.99.109)
Transmitting (NAT) to [home public ip]:5060:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.1.208;branch=z9hG4bKab109d2839F9EFFF;received=[home public ip]
From: "David" ;tag=31CDF91C-818D4073
To: ;tag=as047299df
Call-ID:

CSeq: 8 SUBSCRIBE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Expires: 0
Content-Length: 0

options:

Retransmitting #3 (NAT) to [home public ip]:5060:
OPTIONS sip:223@192.168.1.208 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK222e795c;rport
From: "Unknown" ;tag=as5490fef1
To:
Contact:
Call-ID:

CSeq: 102 OPTIONS
User-Agent: Asterisk PBX
Max-Forwards: 70
Date: Tue, 15 Apr 2008 11:15:48 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Content-Length: 0

Retransmitting #4 (NAT) to [home public ip]:5060:
OPTIONS sip:223@192.168.1.208 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK222e795c;rport
From: "Unknown" ;tag=as5490fef1
To:
Contact:
Call-ID:

CSeq: 102 OPTIONS
User-Agent: Asterisk PBX
Max-Forwards: 70
Date: Tue, 15 Apr 2008 11:15:48 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Content-Length: 0

so whilst no expert the response being sent to the Polycom in each case is a little different - i note the

and

latter in the registration message could explain why the phone appears to get registered but no further. i am not really sure what to make of this or what to change next...are my settings correct now ?

i also note that my netgear router logged a single UDP message from [office public ip] to [home public ip] at one time this afternoon.....but i was out at the time and have no idea if anything useful happened (eg the trixbox logo appeared on the phone ). no idea whny just one message shoudl get thru or what enabled it as there were no changes on the system or the phone at the time

BTW, i noted i took the polycom direct from the office and only change the port start and the outbound proxy. is there anything else i should or would need to change to make all of this work ? i dont think so, but if Polycom's are so hard to work with, one never knows...

any other ideas ?

cheers

david

fskrotzki's picture

you need to change the localnet line also

it is supposed to define a subnet using standard notation not a IP and it's subnet. So use localnet=10.10.99.0/255.255.255.0 instead.

ambroisie's picture

hi, from vast amounts of trawling i see this......i changed this but it had no effect on the issue

i found a couple of threads online that suggested

a) the localnet and externip should be set in sip.conf not sip_nat.conf
b) the localnet should be set for the far end (remote extension subnet) as well as the subnet for the extensions on trixbox

what do you think ?

cheers

david

ambroisie's picture

hope i am not jamming up the pages here with all this info but maybe someone else will find this useful.....

okay so i have removed the externhost entry in sip_nat.conf, fixed the localnet entry for the local trixbox network (10.10.99.0/255.255.255.0) and added in the localnet entry for the local network at home to which the polycom 550 is connected (192.168.1.0/255.255.255.0)

so far so good...now the testing...

extension(remote - "223") and extension internal (kind of remote, not in the office so using an IAX softphone) - works both ways fine (audio present both ways)

externsion(remote - "223") to external PSTN/Mobile works fine (audio present both ways)

however, when an external number calls in, the example i am having in this case is from an IAX2 trunk, the call is disconnected on answer; ie when extension 223, the rmeote extension, answers the call, it disconnects immediately, without fail every time.

any ideas why this should be ? note that the extension when it was in the office, same call scenario, worked perfectly every time.

i have a trace and some trunk settings below,,,if anyone can glean anything from this...

appreciate all the help so far, nearly there...and getting happier by the minute !

cheers

david

Connected to Asterisk 1.2.24 svn rev 79171 currently running on ambroisietrix (p id = 15373)
Verbosity was 19 and is now 29
-- Accepting AUTHENTICATED call from 203.161.130.133:
> requested format = ulaw,
> requested prefs = (ulaw|g729|ilbc|gsm),
> actual format = ilbc,
> host prefs = (ilbc|ulaw|alaw|gsm),
> priority = mine
-- Executing Set("IAX2/faktortel-7", "__FROM_DID=0284040304") in new stack
-- Executing Gosub("IAX2/faktortel-7", "app-blacklist-check|s|1") in new stack
-- Executing LookupBlacklist("IAX2/faktortel-7", "") in new stack
-- Executing GotoIf("IAX2/faktortel-7", "0?blacklisted") in new stack
-- Executing Return("IAX2/faktortel-7", "") in new stack
-- Executing GotoIf("IAX2/faktortel-7", "0 ?cidok") in new stack
-- Executing Set("IAX2/faktortel-7", "CALLERID(name)=0419005710") in new stack
-- Executing NoOp("IAX2/faktortel-7", "CallerID is "0419005710" <0419005710>") in new stack
-- Executing Set("IAX2/faktortel-7", "FAX_RX=disabled") in new stack
-- Executing Goto("IAX2/faktortel-7", "from-did-direct|223|1") in new stack
-- Goto (from-did-direct,223,1)
-- Executing GotoIf("IAX2/faktortel-7", "0?ext-local|223|1") in new stack
-- Executing Macro("IAX2/faktortel-7", "user-callerid|") in new stack
-- Executing NoOp("IAX2/faktortel-7", "user-callerid: 0419005710 0419005710") in new stack
-- Executing Set("IAX2/faktortel-7", "AMPUSER=0419005710") in new stack
-- Executing GotoIf("IAX2/faktortel-7", "0?report") in new stack
-- Executing ExecIf("IAX2/faktortel-7", "1|Set|REALCALLERIDNUM=0419005710") in new stack
-- Executing NoOp("IAX2/faktortel-7", "REALCALLERIDNUM is 0419005710") in new stack
-- Executing Set("IAX2/faktortel-7", "AMPUSER=") in new stack
-- Executing Set("IAX2/faktortel-7", "AMPUSERCIDNAME=") in new stack
-- Executing GotoIf("IAX2/faktortel-7", "1?report") in new stack
-- Goto (macro-user-callerid,s,13)
-- Executing NoOp("IAX2/faktortel-7", "TTL: ARG1: ") in new stack
-- Executing GotoIf("IAX2/faktortel-7", "0?continue") in new stack
-- Executing Set("IAX2/faktortel-7", "__TTL=64") in new stack
-- Executing GotoIf("IAX2/faktortel-7", "1?continue") in new stack
-- Goto (macro-user-callerid,s,23)
-- Executing NoOp("IAX2/faktortel-7", "Using CallerID "0419005710" <0419005710>") in new stack
-- Executing GotoIf("IAX2/faktortel-7", "1?skipdb") in new stack
-- Goto (from-did-direct,223,5)
-- Executing Set("IAX2/faktortel-7", "__NODEST=") in new stack
-- Executing Set("IAX2/faktortel-7", "__BLKVM_OVERRIDE=BLKVM/223/IAX2/faktortel-7") in new stack
-- Executing Set("IAX2/faktortel-7", "__BLKVM_BASE=223") in new stack
-- Executing Set("IAX2/faktortel-7", "DB(BLKVM/223/IAX2/faktortel-7)=TRUE") in new stack
-- Executing Set("IAX2/faktortel-7", "RRNODEST=") in new stack
-- Executing Set("IAX2/faktortel-7", "__NODEST=223") in new stack
-- Executing GotoIf("IAX2/faktortel-7", "0 ?skipsimple") in new stack
-- Executing Macro("IAX2/faktortel-7", "simple-dial|223|5") in new stack
-- Executing Macro("IAX2/faktortel-7", "user-callerid|SKIPTTL") in new stack
-- Executing NoOp("IAX2/faktortel-7", "user-callerid: 0419005710 0419005710") in new stack
-- Executing Set("IAX2/faktortel-7", "AMPUSER=0419005710") in new stack
-- Executing GotoIf("IAX2/faktortel-7", "0?report") in new stack
-- Executing ExecIf("IAX2/faktortel-7", "0|Set|REALCALLERIDNUM=0419005710") in new stack
-- Executing NoOp("IAX2/faktortel-7", "REALCALLERIDNUM is 0419005710") in new stack
-- Executing Set("IAX2/faktortel-7", "AMPUSER=") in new stack
-- Executing Set("IAX2/faktortel-7", "AMPUSERCIDNAME=") in new stack
-- Executing GotoIf("IAX2/faktortel-7", "1?report") in new stack
-- Goto (macro-user-callerid,s,13)
-- Executing NoOp("IAX2/faktortel-7", "TTL: 64 ARG1: SKIPTTL") in new stack
-- Executing GotoIf("IAX2/faktortel-7", "1?continue") in new stack
-- Goto (macro-user-callerid,s,23)
-- Executing NoOp("IAX2/faktortel-7", "Using CallerID "0419005710" <0419005710>") in new stack
-- Executing Set("IAX2/faktortel-7", "EXTTOCALL=223") in new stack
-- Executing Set("IAX2/faktortel-7", "RT=5") in new stack
-- Executing Set("IAX2/faktortel-7", "CFUEXT=") in new stack
-- Executing Set("IAX2/faktortel-7", "CFBEXT=") in new stack
-- Executing Macro("IAX2/faktortel-7", "record-enable|223|IN") in new stack
-- Executing GotoIf("IAX2/faktortel-7", "0?2:4") in new stack
-- Goto (macro-record-enable,s,4)
-- Executing AGI("IAX2/faktortel-7", "recordingcheck|20080416-222023|1208348423.145") in new stack
-- Launched AGI Script /var/lib/asterisk/agi-bin/recordingcheck
recordingcheck|20080416-222023|1208348423.145: Inbound recording not enabled
-- AGI Script recordingcheck completed, returning 0
-- Executing NoOp("IAX2/faktortel-7", "No recording needed") in new stack
-- Executing Macro("IAX2/faktortel-7", "dial|5|Ttr|223") in new stack
-- Executing GotoIf("IAX2/faktortel-7", "1?dial") in new stack
-- Goto (macro-dial,s,3)
-- Executing AGI("IAX2/faktortel-7", "dialparties.agi") in new stack
-- Launched AGI Script /var/lib/asterisk/agi-bin/dialparties.agi
dialparties.agi: Starting New Dialparties.agi
== Parsing '/etc/asterisk/manager.conf': Found
== Parsing '/etc/asterisk/manager_additional.conf': Found
== Parsing '/etc/asterisk/manager_custom.conf': Found
== Manager 'admin' logged on from 127.0.0.1
dialparties.agi: Caller ID name is '0419005710' number is '0419005710'
dialparties.agi: USE_CONFIRMATION: 'FALSE'
dialparties.agi: RINGGROUP_INDEX: ''
dialparties.agi: Methodology of ring is 'none'
-- dialparties.agi: Added extension 223 to extension map
-- dialparties.agi: Extension 223 cf is disabled
-- dialparties.agi: Extension 223 do not disturb is disabled
> dialparties.agi: extnum 223 has: cw: 1; hascfb: 0 [] hascfu: 0 []
> dialparties.agi: ExtensionState: 0
-- dialparties.agi: dbset CALLTRACE/223 to 0419005710
-- dialparties.agi: Filtered ARG3: 223
> dialparties.agi: NODEST: 223 adding M(auto-blkvm) to dialopts: TtrM(auto-blkvm)
> dialparties.agi: NODEST: 223 blkvm enabled macro already in dialopts: TtrM(auto-blkvm)
== Manager 'admin' logged off from 127.0.0.1
-- AGI Script dialparties.agi completed, returning 0
-- Executing Dial("IAX2/faktortel-7", "SIP/223|5|TtrM(auto-blkvm)") in new stack
-- Called 223
-- SIP/223-09d2d3b8 is ringing
-- SIP/223-09d2d3b8 answered IAX2/faktortel-7
-- Executing Set("SIP/223-09d2d3b8", "__MACRO_RESULT=") in new stack
-- Executing Set("SIP/223-09d2d3b8", "__CWIGNORE=") in new stack
-- Executing DBdel("SIP/223-09d2d3b8", "BLKVM/223/IAX2/faktortel-7") in new stack
-- DBdel: family=BLKVM, key=223/IAX2/faktortel-7
== Spawn extension (macro-dial, s, 7) exited non-zero on 'IAX2/faktortel-7' in macro 'dial'
== Spawn extension (macro-dial, s, 7) exited non-zero on 'IAX2/faktortel-7' in macro 'simple-dial'
== Spawn extension (macro-dial, s, 7) exited non-zero on 'IAX2/faktortel-7'
-- Executing Macro("IAX2/faktortel-7", "hangupcall") in new stack
-- Executing ResetCDR("IAX2/faktortel-7", "w") in new stack
-- Executing NoCDR("IAX2/faktortel-7", "") in new stack
-- Executing GotoIf("IAX2/faktortel-7", "1?skiprg") in new stack
-- Goto (macro-hangupcall,s,6)
-- Executing GotoIf("IAX2/faktortel-7", "0?skipblkvm") in new stack
-- Executing NoOp("IAX2/faktortel-7", "Cleaning Up Block VM Flag: BLKVM/223/IAX2/faktortel-7") in new stack
-- Executing DBdel("IAX2/faktortel-7", "BLKVM/223/IAX2/faktortel-7") in new stack
-- DBdel: family=BLKVM, key=223/IAX2/faktortel-7
-- DBdel: Error deleting key from database.
-- Executing GotoIf("IAX2/faktortel-7", "1?theend") in new stack
-- Goto (macro-hangupcall,s,11)
-- Executing Hangup("IAX2/faktortel-7", "") in new stack
== Spawn extension (macro-hangupcall, s, 11) exited non-zero on 'IAX2/faktortel-7' in macro 'hangupcall'
== Spawn extension (macro-hangupcall, s, 11) exited non-zero on 'IAX2/faktortel-7'
-- Hungup 'IAX2/faktortel-7'

Inbound IAX2 trunk details –

username=[removed for security]
type=friend
secret=[removed for security]
qualify=yes
pedantic=no
nat=no
jitterbuffer=yes
insecure=very
host=iax.faktortel.com.au
dtmfmode=rfc2833
disallow=all
canreinvite=no
auth=md5
allow=ilbc&ulaw&alaw&gsm

applied's picture

Did you solve the problems.

halfbrainj's picture

Can someone resolve this MISTERY!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!11

fskrotzki's picture

halfbrainj,

Not the most helpfull posting or way to getting help. You attached to the end of a existing post with 99.9% missing information, you never posted to this thread with any details, etc.

Please consider posting a new topic and providing detailed information for us to start with and look at in an attempt to help you.

The most common reason for a remote extension not getting audo is a firewall and not having natting setup properly. Please double, no make that triple check all your settings on both the server and client side.

second most common reason is you have not configured sip_nat.conf correctly. If you need help it has been decussed here and if you google it there are hundreds of places that provide full and complete details if what is needed.

wiseoldowl's picture

Just as a data point, we have never been able to get this to work reliably using the externhost= and externrefresh= statements in sip_nat.conf. However, when we use the following...

nat=yes
externip=our.dotted.ip.address
fromdomain=our.dyndns.address
localnet=192.168.0.0/255.255.255.0

... it works reliably almost 100% of the time. The only time it doesn't work is the once a year or so when the ISP changes the IP address. To fix that, we use a perl script that is run by a cron job ever five minutes:

#!/usr/bin/perl
#
#This program gets the current IP address (as assigned by the ISP) from
#whatismyip.org and modifies etc/asterisk/sip_nat.conf if the external IP
#address has changed. Use Webmin to invoke it as cron job that runs every 5 mins
#
use strict;
use warnings;
use WWW::Mechanize;
use Tie::IxHash;
use Data::Validate::IP qw(is_public_ipv4);
my $s_filepath = "/etc/asterisk/sip_nat.conf";
my $mech = WWW::Mechanize->new( autocheck => 1 );
$mech->get('http://whatismyip.com/automation/n09230945.asp');
$mech->success or die 'Cannot connect to http://whatismyip.com/automation/n09230945.asp';
my ($ip) = ($mech->content() =~ /(\d+\.\d+\.\d+\.\d+)/);
if (is_public_ipv4($ip)) {
	tie my %configvars, 'Tie::IxHash';
	%configvars = ('nat' => 'yes', 'externip' => '0.0.0.0','fromdomain' => 'our.dyndns.address','localnet' => '192.168.0.0/255.255.255.0') ;
	open IN,"<$s_filepath";
	while (my $i = ) {
		chop $i;
		if ($i =~ /=/) {
			$i =~ s/\s//g;
			my ($key,$value) = split /=/,$i;
			$configvars{$key} = $value;
		}
	}
	close IN;
	if ($configvars{'externip'} ne $ip) {
		$configvars{'externip'} = $ip;
		open OUT,">$s_filepath";
		while (my ($key, $value) = each %configvars) {
			select OUT;
			print "$key=$value\n";
		};
		select STDOUT;
		close OUT;
		`/usr/sbin/asterisk -rx reload`;
	};
};

You do need to plug valid values for fromdomain (and possibly localnet, if yours is different) into this line:
%configvars = ('nat' => 'yes', 'externip' => '0.0.0.0','fromdomain' => 'our.dyndns.domain','localnet' => '192.168.0.0/255.255.255.0') ;
In addition you might have to install any missing perl modules.

I am NOT saying anyone else should do this, but it solved the problem for us, whereas using externhost= and externrefresh= just did not work, either on our original Asterisk@Home/Trixbox server or on our current Elastix server. I have no idea why it works for some and not for us.

jonh.nathan's picture

it`s mean there are some bugs so we could not accomplish the connection between internet network with internet ?
I also tried to configure many ways like your directs above but still has same result.
Maybe i will try to look for another solution.

fskrotzki's picture

john_nathan,

what bugs? You seem to be interjecting a fresh comment here but you are not the one who posted above (or did and am now using a different username which is frowned upon).

The documentation section is really for Documentation and not for posting a problem and expecting to get help. So please post a new message in the forums restating your problem clearly and somebody will help.

I can say that nat'ing remote extensions across a file wall, bunched through a firewall via VPN connection and with multiple local subnets works flawlessly as I've been doing all of that for over 2 1/2 years now.

trugraffix's picture

Hi everyone, not sure if I've got this in the right place, because my problem is a little different than everyone has here.

My asterisk system is in a remote location. I can register my extensions and use my trunks for outgoing calls.

It's just that I can't call from one extension to another. It errors out with 603.

The extensions show as online in FOP. They will go to voicemail if it's set up under followme and the audio there works fine, regardless of what extension you're calling from. Echo tests work great from any individual ext as well.

Any insight would be appreciated. Thanks.

fskrotzki's picture

trugraffix,

Please post this as a new thread in the forum section as most don't go looking in the documentation and howto section(s) to provide support for issues such as this.

When you do re-post, please provide some details on the system and network setup as we don't know what version of things you are using, firewalls that might be involved, etc. all of which can have a big impact. Also do the extensions show as registered and stay registered?

Thanks

trugraffix's picture

Thanks for your help, I have reposted a new thread here:

http://www.freepbx.org/forum/freepbx/users/extens-work-trunks-work-cant-dial-btwn-extns

jkockler's picture

Enzo,

I noticed that you have your dyndns hostname, entered in the softphones that are on the same LAN, as the freepbx server. Try using the local ip address of the freepbx server, on the softphones that are on the same LAN as the freepbx server. Using the dyndns hostname is great for good measure, but your firewall may not like the behavior of a packet traveling to the gateway, just to come right back in. Use your dyndns hostnames, static public ip addresses, and public hostnames, only on phones that are outside the LAN where freepbx is located.

NFlight Technologies's picture

Hi,

I too had no RTP audio. Control worked fine. I could place and receive calls.

Here is my simple fix -

From the Web GUI, go to Tools/System Administration/Asterisk SIP settings. I selected "Public IP" instead of "Static IP" (with my static outside IP in the line below it of course)and it all works fine now.

Donnie

okahmad's picture

Donnie,

which version of FreePBX are you using? I am using 2.6.0.1. Tools/System Administration only has the following subitems: Asterisk Info, Astersk CLI, Asterisk Phonebook, Backup and Restore, and PHP Info.

Don't see how you select Public IP. Also, not sure what the difference is.

My problem is that sound is not working from the freepbx box to the remote extension (it only works one way).

Thx.

mnastasi's picture

Can someone help me with adding my Polycom 331 phones to my system which is asterisknow and FreePBX 2.4? Thank you,
Mark N

ITSupportLondon's picture

There's a full write up of the settings (including pictures) that you need to follow to set up External SIP for FreePBX. I have battled with this problem for many months but the solution here is invaluable!.

http://www.sysfix.co.uk/blog/2011/01/no-sound-on-external-sip-asterisk/

IT Support London

HuaYu's picture

Could anyone help me config a remote extention? I've tried for a while but failed. Thus it'll be pparecited if someone would provide help. Thanks.

Sincerely,
Hua

newbefreepbxuser's picture

I’m trying to configure external extensions. I tried with mobile sip (over 3G) and external softphones. Both of them works when I define the Local Network, which is explained in the Tell Asterisk Which IPs are Internal and which IPs are Public section of this article BUT....when I do that, this is what happens:
1 - Communication with external extensions start to work
2 – I miss all communications with all of my vpn “external” extensions.
3 – I can’t use the Add Local Network Field, so, I can´t add my other lans behind vpns as local networks. That button doesn’t work.

I would like to know how to configure my Asterisk to work with External and VPN extensions simultaneously.
I am using FreePBX 2.8.0.3
Tank you all of you.

Nice to share knowledge...

newbie911's picture

I have no problems with signaling or dialing, just that RTP (voice) is not getting through.

Like someone above, externhost (Asterisk SIP Settings/Dyanmic Host) does not work for me. But the moment I update externip (Asterisk SIP Settings/External IP) it works beautifully.

Is this a bug? I am sure my externhost is correct. I did a trace, and found that the PBX was responding with internal IP addresses. My details are here: http://forums.asterisk.org/viewtopic.php?f=1&t=82800&p=173704#p173704.