Geekzone: technology news, blogs, forums


DonGould

3892 posts

Uber Geek


#127020 26-Jul-2013 22:11

I've got a basic system running ok but a few little gremlins so some pointers could be great! :)

"Handle SIP trunk signalling as behind NAT (ignoring Private IP addressing in Contact/SDP and VIA headers etc.)"

Can anyone explain what this setting is and if I need to choose it?

My setup is a machine behind my router with port 5060 forwarded to the machine's private IP address.

"My phone/device is not behind NAT (e.g. It has a public IP address or port forwarding is setup). NOTE: When SIP peering is enabled NAT is always disabled"


Do I need to choose this setting, does it make any difference?


In my set up I've got this...

X
host=peering.2talk.co.nz
username=03aaaaa
secret=aaaaabbcc
type=friend
context=from-trunk
dtmfmode=rfc2833
insecure=very
nat=never
qualify=no
canreinvite=no
disallow=all
allow=gsm&alaw

In the 'incoming settings' I've got this...


secret=aaaabbbc
type=friend
context=from-trunk
dtmfmode=rfc2833
insecure=very
nat=never
qualify=yes
canreinvite=no
disallow=all
allow=gsm&alaw


Have I done anything bad here?

I've also been in and set 2talk to only use gsm and alaw. 

What happens if I've allowed ulaw in the 2talk but not my pabx?

My pabx seems to stop talking to 2talk from time to time and I'm trying to understand why.




  • Disable Qualify (OPTIONS) polling events for this line (This is used to track the registration status)

  •  Enable RFC2833 Compensate Feature (Sometimes required for older versions of Asterisk 1.2 etc.)




Do I need to set either of these two?


Can anyone explain what they actually do?






Promote New Zealand - Get yourself a .kiwi.nz domain name!!!

Check out mine - i.am.a.can.do.kiwi.nz - don@i.am.a.can.do.kiwi.nz


coffeebaron
6235 posts

Uber Geek

Trusted
Lifetime subscriber

  #866905 26-Jul-2013 23:25

So you have port 5060 open to the world? Very bad!




Rural IT and Broadband support.

 

Broadband troubleshooting and master filter installs.
Starlink installer - one month free: https://www.starlink.com/?referral=RC-32845-88860-71 
Wi-Fi and networking
Cel-Fi supply and installer - boost your mobile phone coverage legally

 

Need help in Auckland, Waikato or BoP? Click my email button, or email me direct: [my user name] at geekzonemail dot com




DonGould

3892 posts

Uber Geek


  #866907 26-Jul-2013 23:31

coffeebaron: So you have port 5060 open to the world? Very bad!


That's right off topic, but an interesting question.

How are sip to sip servers meant to talk to each other if you don't have sip open to the world?








sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #866967 27-Jul-2013 08:15

With 5060 open to the world on an Asterisk box it won't be long before you're hacked.



coffeebaron
6235 posts

Uber Geek

Trusted
Lifetime subscriber

  #866978 27-Jul-2013 09:02

DonGould:
coffeebaron: So you have port 5060 open to the world? Very bad!


That's right off topic, but an interesting question.

How are sip to sip servers meant to talk to each other if you don't have sip open to the world?



Was on topic in reply to your question "am I doing anything bad"
Use a VPN. Also the very fact you are asking such a question is even more reason to not have port 5060 open.






DonGould

3892 posts

Uber Geek


  #867374 28-Jul-2013 13:59

coffeebaron: Was on topic in reply to your question "am I doing anything bad"
Use a VPN. Also the very fact you are asking such a question is even more reason to not have port 5060 open.


Ok fair comments.  Sorry, I didn't read what you were saying properly and understand.

I don't know that I can use a VPN with 2talk.  You have to forward the 2talk account to an IP address for SIP trunking.

2Talk then recommend firewalling the port to just their server IP.

I doubt I've been hacked.  I suspect that this is more a case of my having not configured everything correctly in the first place, hence my questions about the parameter I don't understand.

D






vespaman
88 posts

Master Geek


  #868001 29-Jul-2013 17:23

don gould

vpn is fine with 2talk if you have a static ip.

are you using 2talk voice trunk ? isn't it a private address with no internet exposure?

retain the qualify as asterisk likes to know he's connected

dns is the key for reliable connectivity

the older asterisk versions had their quirks, use a later one 1.8 - 1.11 depending on what you are doing

would recommend PIAF or rasPBX to learn on.

chevrolux
4962 posts

Uber Geek
Inactive user


  #868006 29-Jul-2013 17:55

While opening 5060 isn't awesome, there are things that can be done to prevent hacking. SIP peering is way easier when there are lots of DDIs involved but often not really required, so standard registration with no port forwards works well. Anyway, you have chosen peering so just make sure you do the following....

Really strong passwords on all aspects of the box (root, admin, extensions etc) is an obvious must.

Set rules in your firewall to only allow packets on 5060 to come from the 2Talk subnet (27.111.14.0/24)

Fail2Ban is pretty much mandatory on any Asterisk install. So get that up and running and set the Allow/Block list to mirror that firewall rule. Also make sure it is automatically blocking failed authentication attempts for a decent period of time.

Here is what I use for a peering arrangement on my box....

context=from-trunk
host=peering.2talk.co.nz
dtmfmode=rfc2833
insecure=very
nat=never
qualify=yes
canreinvite=no
disallow=all
allow=alaw
allow=g722

Authentication isn't required because you have a trusted peering relationship with 2Talk.

In 2Talk I have that 'Handle SIP trunking as behind NAT' enabled but if I'm honest I don't know what it truly means.

My system never seems to miss a beat. Don't get dropped calls and calls always go out first time every time so I assume it is set up correctly haha.

I like the official FreePBX distro as it does everything for you in the install for things that would normally have to get manually installed. Is getting quite a few ads in it though which is annoying me a bit.
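A check for the firewall advice in the post above, as an added example that is not part of the thread or any poster's configuration: it reads `iptables-save` output and lists the ACCEPT rules for port 5060 whose source falls outside the 2Talk subnet quoted in the post. The sample ruleset, the function names and the use of iptables are assumptions.

```python
import ipaddress
import shlex

# Subnet quoted in the post above; everything else here is an assumption.
ALLOWED = ipaddress.ip_network("27.111.14.0/24")

# Constructed sample in iptables-save format (not taken from the thread).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 27.111.14.0/24 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p udp -m multiport --dports 5060:5061 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j DROP
COMMIT
"""

def covers_port(spec, port=5060):
    """True if a numeric port spec ('5060', '5000:5100', '80,5060') includes port."""
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        high = int(hi) if hi else (65535 if sep else int(lo))
        if int(lo or 0) <= port <= high:
            return True
    return False

def audit(ruleset, allowed=ALLOWED):
    """Return ACCEPT rules naming the SIP port that admit sources outside `allowed`."""
    findings = []
    for line in ruleset.splitlines():
        # Only appended rules are parsed; table, policy and comment lines are skipped.
        tok = shlex.split(line) if line.lstrip().startswith("-A ") else []
        src, ports, target, inverted = "0.0.0.0/0", None, None, False
        for i, opt in enumerate(tok[:-1]):
            if opt in ("-s", "--source"):
                src, inverted = tok[i + 1], tok[i - 1] == "!"
            elif opt in ("--dport", "--dports") and tok[i - 1] != "!":
                ports = tok[i + 1]
            elif opt == "-j":
                target = tok[i + 1]
        # Rules without an explicit destination port, and rule order, are not evaluated.
        if target != "ACCEPT" or ports is None or not covers_port(ports):
            continue
        net = ipaddress.ip_network(src, strict=False)
        if inverted or net.version != allowed.version or not net.subnet_of(allowed):
            findings.append(line.strip())
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On a live box the input would be the text produced by `iptables-save`; an empty result means every rule that explicitly accepts port 5060 is limited to the allowed subnet.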

 
 
 

DonGould

3892 posts

Uber Geek


  #868209 29-Jul-2013 22:53

Thanks guys,

http://www.geekzone.co.nz/forums.asp?forumid=43&topicid=100651

This is a very helpful link that I found as well.

The answer in the end was that I'd put a wrong firewall rule in place. I'd been trying to do something else which I'd already established wouldn't work, but then managed to copy that firewall rule by mistake.

However in the process I've discovered a few other issues.

I still don't understand what all those other 2talk settings are and I'd kinda like to know what they are for.

However in the meantime I do seem to be getting the calls heading in the right direction which is the important thing.

Thanks again.

D






didwah
6 posts

Wannabe Geek

Lifetime subscriber

  #882861 22-Aug-2013 16:09

Hi DonGould

 

I always found the 2talk guide on how to set up Asterisk as good as any. http://blog.2talk.co.nz/asterisk.html

 

No need to change firewall rules etc. Works fine for me at 3 commercial sites.

 

Cheers
