Topic # 107193 8-Aug-2012 14:23

Hey guys,
I'm deploying my first ever Asterisk system behind NAT (done a half dozen on public IPs). For context I have the following:

2x internal subnets:
192.168.0.0/24: clients
192.168.2.0/24: servers

I have the asterisk on 192.168.2.4. This is behind Unleash ADSL through Draytek 120 in bridge and onto PFsense 2.0.

I have put a NAT rule of SIP (5060) to 192.168.2.4 and added a firewall rule that allows access from source address 58.28.20.150 to all ports.

My problem is it will work for a while and then when I try to make calls into it they get bounced with the WxC unavailable message. If I reboot the system I'm OK again. Am I missing something?





Reply # 669636 8-Aug-2012 14:46

How many concurrent SIP registrations? Do you need to open up more ports?

(Doesn't SIP use one port per reg?)




Twitter: ajobbins



Reply # 669644 8-Aug-2012 14:57

Yea I thought that may be the case so forwarded port 5061 as well. But there is only a single VFX trunk registration?





Reply # 669656 8-Aug-2012 15:37

Sounds like your box is not registering often enough to keep the registration alive.  Try shortening the re-registration period.



Reply # 669687 8-Aug-2012 16:12

Thanks for the idea. I've changed the following line in the TRUNK configuration:

regseconds=180 (default given by wxc)

To:

regseconds=30


I have left the following as the default WxC value:
registertimeout=20

Will report back!







Reply # 669727 8-Aug-2012 16:58

Na sometimes it works, sometimes it is the WxC man saying:

"the party you are trying to reach"... etc. etc.

I have a feeling it may be to do with NAT on PFSense. Just doing some searches now. Man can't wait till IPv6 is commonplace and no more of this NAT nonsense ;p.





Reply # 669728 8-Aug-2012 17:02

Zeon: Na sometimes it works, sometimes it is the WxC man saying:

"the party you are trying to reach"... etc. etc.

I have a feeling it may be to do with NAT on PFSense. Just doing some searches now. Man can't wait till IPv6 is commonplace and no more of this NAT nonsense ;p.


Hmm, could be a NAT issue, although with port forwarding it shouldn't matter.

Are you using port 5060 on your Asterisk box to listen?

Can you send me a tcpdump from the asterisk box?  Might be able to tell what's going on.



Reply # 669738 8-Aug-2012 17:12

Hey guys I think it may have something to do with static port on outbound NAT in PFSense:

http://doc.pfsense.org/index.php/Static_Port

By default it is dynamic and can change; however, I have forced a rule to keep it static and it looks to be working.
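
An added example, not part of any post in this thread: one way to confirm from a tcpdump taken on the Asterisk box whether outbound NAT is rewriting the SIP source port, by reading the `received`/`rport` values the registrar writes into the top Via of its reply (RFC 3581). The sample messages, the 203.0.113.10 WAN address and the function names are constructed for illustration.

```python
import re

VIA_RE = re.compile(r"SIP/2\.0/(\w+)\s+([^;:\s]+)(?::(\d+))?(.*)")

# Constructed sample replies to REGISTER (not captured traffic).
STATIC = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.168.2.4:5060;branch=z9hG4bK0001;received=203.0.113.10;rport=5060\r\n"
    "Contact: <sip:trunk@203.0.113.10:5060>;expires=30\r\n"
    "CSeq: 102 REGISTER\r\n\r\n"
)
REWRITTEN = STATIC.replace("rport=5060", "rport=41234")

def parse_headers(raw):
    """Return (start_line, headers) for one SIP message; header names lowercased."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].strip().split("\n")
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return head[0], headers

def nat_view(response, local_port=5060):
    """Compare the port Asterisk sent from with the port the registrar saw."""
    start, headers = parse_headers(response)
    vias = headers.get("via") or headers.get("v") or []   # "v" is the compact form
    m = VIA_RE.match(vias[0]) if vias else None
    if m is None:
        raise ValueError("no usable Via header")
    params = dict(p.partition("=")[::2] for p in m.group(4).split(";") if p)
    sent_port = int(m.group(3) or local_port)
    rport = params.get("rport")
    seen_port = int(rport) if rport else None   # None when rport was not filled in
    return {
        "status": start.split(" ", 2)[1],
        "sent_by": (m.group(2), sent_port),
        "seen_from": (params.get("received"), seen_port),
        "port_rewritten": seen_port is not None and seen_port != sent_port,
    }

if __name__ == "__main__":
    for label, msg in (("static port", STATIC), ("default outbound NAT", REWRITTEN)):
        print(label, nat_view(msg))
```

A `port_rewritten` value of True means the registrar saw a source port other than the one Asterisk sent from, which is the condition a Static Port outbound NAT rule removes.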







Reply # 669745 8-Aug-2012 17:37

ubergeeknz:
Zeon: Na sometimes it works, sometimes it is the WxC man saying:

"the party you are trying to reach"... etc. etc.

I have a feeling it may be to do with NAT on PFSense. Just doing some searches now. Man can't wait till IPv6 is commonplace and no more of this NAT nonsense ;p.


Hmm, could be a NAT issue, although with port forwarding it shouldn't matter.

Are you using port 5060 on your Asterisk box to listen?

Can you send me a tcpdump from the asterisk box?  Might be able to tell what's going on.


Yea it was using port 5060. Definitely looks to be that static port issue. Seriously, NAT can DIAF. Thanks very much for the offer to check TCPDump data though :)





Reply # 669755 8-Aug-2012 18:00

Zeon: Seriously, NAT can DIAF. Thanks very much for the offer to check TCPDump data though :)


For the most part NAT is fine, it's when the router/firewall doing the NAT tries to be 'clever' that things like SIP start to fall down.

SIP-ALG/SIP-NAT, now that can go DIAF - causes more problems than it claims to solve.



Reply # 670167 9-Aug-2012 16:18

impsycho:
Zeon: Seriously, NAT can DIAF. Thanks very much for the offer to check TCPDump data though :)


For the most part NAT is fine, it's when the router/firewall doing the NAT tries to be 'clever' that things like SIP start to fall down.

SIP-ALG/SIP-NAT, now that can go DIAF - causes more problems than it claims to solve.


Haha I think I must have gotten used to native connectivity where you only needed to worry about firewall rules.

Yea I have had problems with phones and SIP-ALG before. In this case I'm not sure 100% of what static port does but looks to randomize outgoing ports as a security measure?





Reply # 678034 28-Aug-2012 10:25

Hi,
I have an SPA2102 behind pfsense, and it gave problems at first due to double-NAT (pfsense doing NAT and then the ADSL modem doing NAT too). I changed the modem to a Draytek Vigor 120 that does PPPoE to PPPoA bridging, and then the pfSense box gets the public IP and all good after that.
Not sure if there's anything in that that will help you?
Cheers,
Craig
