Topic # 127020 26-Jul-2013 22:11
I've got a basic system running ok but a few little gremlins so some pointers could be great! :)

"Handle SIP trunk signalling as behind NAT (ignoring Private IP addressing in Contact/SDP and VIA headers etc.)"

Can anyone explain what this setting is and if I need to choose it?

My set up is a machine behind my router with port 5060 forwarded to the machine's private IP address.

"My phone/device is not behind NAT (e.g. It has a public IP address or port forwarding is setup). NOTE: When SIP peering is enabled NAT is always disabled"


Do I need to choose this setting, does it make any difference?


In my set up I've got this...

X
host=peering.2talk.co.nz  ; inbound traffic is matched to this peer by the resolved IP of this host
username=03aaaaa          ; account number and secret as redacted by the poster
secret=aaaaabbcc
type=friend               ; match inbound by username first, then by IP
context=from-trunk        ; inbound calls from the trunk land in FreePBX's from-trunk context
dtmfmode=rfc2833          ; DTMF as RTP events rather than in-band tones
insecure=very             ; deprecated alias of insecure=port,invite: no auth on inbound INVITEs, ignore source port
nat=never                 ; no NAT handling for this peer
qualify=no                ; no OPTIONS pings, so Asterisk will not notice if the peer becomes unreachable
canreinvite=no            ; keep RTP through Asterisk instead of re-INVITing media direct
disallow=all              ; start with no codecs...
allow=gsm&alaw            ; ...then permit GSM and G.711 A-law only, in that preference order

In the 'incoming settings' I've got this...


secret=aaaabbbc
type=friend
context=from-trunk
dtmfmode=rfc2833
insecure=very
nat=never
qualify=yes
canreinvite=no
disallow=all
allow=gsm&alaw


Have I done anything bad here?

I've also been in and set 2talk to only use gsm and alaw. 

What happens if I've allowed ulaw in the 2talk but not my pabx?

My pabx seems to stop talking to 2talk from time to time and I'm trying to understand why.




  • Disable Qualify (OPTIONS) polling events for this line (This is used to track the registration status)

  •  Enable RFC2833 Compensate Feature (Sometimes required for older versions of Asterisk 1.2 etc.)




Do I need to set either of these two?


Can anyone explain what they actually do?






Promote New Zealand - Get yourself a .kiwi.nz domain name!!!

Check out mine - i.am.a.can.do.kiwi.nz - don@i.am.a.can.do.kiwi.nz
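The codec question in the post above ("What happens if I've allowed ulaw in the 2talk but not my pabx?") is decided by SDP offer/answer on each INVITE: the PBX walks its own allow list, picks the first codec the far end also offered, and if there is none it refuses the call with 488 Not Acceptable Here. The Python below is an added example, not code from the post, from Asterisk or from 2talk; it models that negotiation against the OP's disallow=all / allow=gsm&alaw lines. The SDP offers and the payload-type table are constructed, and the "first local preference that was also offered" rule is a simplified assumption about chan_sip (the real choice depends on version and options).

```python
"""SDP codec negotiation against a sip.conf allow list.

Added example, not code from the thread, from Asterisk or from 2talk. It
models why a trunk that offers only a codec the PBX has not allowed ends up
with no usable codec (Asterisk answers 488 Not Acceptable Here). The SDP
offers below are constructed, and the selection rule (first codec in local
allow order that the remote also offered) is a simplified assumption about
chan_sip behaviour.
"""
import re

# RTP/AVP static payload types (RFC 3551) for the codecs in play here.
STATIC_PAYLOADS = {0: "ulaw", 3: "gsm", 8: "alaw", 9: "g722", 18: "g729"}
# rtpmap encoding names, translated to the spelling sip.conf uses.
RTPMAP_NAMES = {"pcmu": "ulaw", "pcma": "alaw"}

# The OP's peer definition, codec lines only.
PBX_PEER = ["disallow=all", "allow=gsm&alaw"]

# Constructed offers, as the trunk might send them depending on the portal codec settings.
OFFER_ALAW_GSM_ULAW = (
    "v=0\r\n"
    "m=audio 10000 RTP/AVP 8 3 0\r\n"
    "a=rtpmap:8 PCMA/8000\r\n"
    "a=rtpmap:3 GSM/8000\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
OFFER_ULAW_ONLY = "v=0\r\nm=audio 10000 RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\n"


def parse_allow(lines):
    """Apply disallow=/allow= lines in file order; return codecs in preference order."""
    allowed = []
    for line in lines:
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().lower()
        names = [] if value == "all" else [n for n in re.split(r"[&,]", value) if n]
        if key == "disallow":
            allowed = [] if value == "all" else [c for c in allowed if c not in names]
        elif key == "allow":
            for c in (list(STATIC_PAYLOADS.values()) if value == "all" else names):
                if c not in allowed:
                    allowed.append(c)
    return allowed


def parse_sdp_offer(sdp):
    """Codec names on the audio m= line, in the order the remote prefers them."""
    rtpmap = {}
    for line in sdp.splitlines():
        m = re.match(r"a=rtpmap:(\d+)\s+([A-Za-z0-9]+)/", line)
        if m:
            rtpmap[int(m.group(1))] = m.group(2).lower()
    offered = []
    for line in sdp.splitlines():
        m = re.match(r"m=audio\s+\d+\s+RTP/AVP((?:\s+\d+)+)\s*$", line)
        if m:
            for pt in (int(x) for x in m.group(1).split()):
                name = rtpmap.get(pt) or STATIC_PAYLOADS.get(pt)
                if name:
                    offered.append(RTPMAP_NAMES.get(name, name))
    return offered


def negotiate(local_allow, offered):
    """First codec in local preference order that the remote offered, or None."""
    for codec in local_allow:
        if codec in offered:
            return codec
    return None


def answer_for(sdp, peer_lines=PBX_PEER):
    """Return ('200 OK', codec) or ('488 Not Acceptable Here', None)."""
    codec = negotiate(parse_allow(peer_lines), parse_sdp_offer(sdp))
    return ("200 OK", codec) if codec else ("488 Not Acceptable Here", None)


if __name__ == "__main__":
    print(answer_for(OFFER_ALAW_GSM_ULAW))  # ('200 OK', 'gsm')
    print(answer_for(OFFER_ULAW_ONLY))      # ('488 Not Acceptable Here', None)
```

So leaving ulaw enabled on the 2talk side while the PBX only allows gsm and alaw is harmless as long as the trunk keeps offering at least one of those two; calls only fail when the far end offers nothing the PBX has allowed, which is the case worth checking in the SIP trace when a call is rejected with 488.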


Reply # 866905 26-Jul-2013 23:25

So you have port 5060 open to the world? Very bad!




Chorus has spent $1.4 billion on making their xDSL broadband network faster. If you're still stuck on ADSL or VDSL, why not spend from $150 on a master filter install to make sure you are getting the most out of your connection?
I install - Naked DSL, DSL Master Splitters, VoIP, data cabling and general computer support for home and small business.
Rural Broadband RBI installer for Ultimate Broadband and Full Flavour

 

Need help in Auckland, Waikato or BoP? Click my email button, or email me direct: [my user name] at geekzonemail dot com




Reply # 866907 26-Jul-2013 23:31

coffeebaron: So you have port 5060 open to the world? Very bad!


That's right off topic, but an interesting question.

How are sip to sip servers meant to talk to each other if you don't have sip open to the world?








Reply # 866967 27-Jul-2013 08:15

With 5060 open to the world on an Asterisk box it won't be long before you're hacked.

Reply # 866978 27-Jul-2013 09:02

DonGould:
coffeebaron: So you have port 5060 open to the world? Very bad!


That's right off topic, but an interesting question.

How are sip to sip servers meant to talk to each other if you don't have sip open to the world?



Was on topic in reply to your question "am I doing anything bad"
Use a VPN. Also the very fact you are asking such a question is even more reason to not have port 5060 open.








Reply # 867374 28-Jul-2013 13:59

coffeebaron: Was on topic in reply to your question "am I doing anything bad"
Use a VPN. Also the very fact you are asking such a question is even more reason to not have port 5060 open.


Ok fair comments.  Sorry, I didn't read what you were saying properly and understand.

I don't know that I can use a VPN with 2talk.  You have to forward the 2talk account to an IP address for SIP trunking.

2Talk then recommend firewalling the port to just their server IP.

I doubt I've been hacked.  I suspect that this is more a case of my having not configured everything correctly in the first place, hence my questions about the parameter I don't understand.

D






Reply # 868001 29-Jul-2013 17:23

Don Gould,

VPN is fine with 2talk if you have a static IP.

Are you using the 2talk voice trunk? Isn't it a private address with no internet exposure?

Retain the qualify, as Asterisk likes to know he's connected.

DNS is the key for reliable connectivity.

The older Asterisk versions had their quirks; use a later one, 1.8 - 1.11, depending on what you are doing.

Would recommend PIAF or rasPBX to learn on.

Reply # 868006 29-Jul-2013 17:55

While opening 5060 isn't awesome there are things that can be done to prevent hacking. SIP peering is way easier when there are lots of DDIs involved but often not really required, so standard registration with no port forwards works well. Anyway, you have chosen peering so just make sure you do the following....

Really strong passwords on all aspects of the box (root, admin, extensions etc) is an obvious must.

Set rules in your firewall to only allow packets on 5060 to come from the 2Talk subnet (27.111.14.0/24)

Fail2Ban is pretty much mandatory on any Asterisk install. So get that up and running and set the Allow/Block list to mirror that firewall rule. Also make sure it is automatically blocking failed authentication attempts for a decent period of time.

Here is what I use for a peering arrangement on my box....

context=from-trunk        ; inbound calls land in FreePBX's from-trunk context
host=peering.2talk.co.nz  ; inbound traffic is matched to this peer by the resolved IP of this host
dtmfmode=rfc2833          ; DTMF as RTP events rather than in-band tones
insecure=very             ; deprecated alias of insecure=port,invite: no auth challenge on inbound INVITEs
nat=never                 ; no NAT handling for this peer
qualify=yes               ; send OPTIONS pings so Asterisk can tell whether the peer is reachable
canreinvite=no            ; keep RTP through Asterisk rather than re-INVITing media direct
disallow=all              ; start with no codecs...
allow=alaw                ; ...then G.711 A-law first...
allow=g722                ; ...and G.722 wideband second

Authentication isn't required because you have a trusted peering relationship with 2Talk.

In 2Talk I have that 'Handle SIP trunking as behind NAT' enabled but if I'm honest I don't know what it truly means.

My system never seems to miss a beat. Don't get dropped calls and calls always go out first time every time so I assume it is set up correctly haha.

I like the official FreePBX distro as it does everything for you in the install for things that would normally have to get manually installed. Is getting quite a few ads in it though which is annoying me a bit.
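The firewall rule and Fail2Ban advice in the reply above amount to an allow list (5060 only from 27.111.14.0/24) plus a ban list for everyone else who fails authentication. The Python below is an added example, not the poster's setup and not Fail2Ban's own filter or Asterisk code: it reads chan_sip NOTICE lines, counts failures per source address in a sliding window, and reports addresses to ban while ignoring the 2Talk subnet so the ban list mirrors the firewall rule. The log lines are constructed (in the format chan_sip wrote around Asterisk 1.8), and maxretry=5 / findtime=10 minutes are assumed values, not taken from any real jail.

```python
"""Fail2Ban-style detection over Asterisk chan_sip log lines.

Added example, not code from the thread, from Fail2Ban or from Asterisk. It
counts authentication failures per source address in a sliding window and
names hosts to ban, while ignoring the 2Talk subnet from the post so the ban
list mirrors the firewall rule. The log lines are constructed in the NOTICE
format chan_sip used around Asterisk 1.8; maxretry and findtime are assumed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Mirror of the firewall rule: 5060 only from 2Talk's subnet (from the post above).
TRUSTED_NETS = [ipaddress.ip_network("27.111.14.0/24")]
MAXRETRY = 5            # assumed jail settings
FINDTIME_MINUTES = 10

# Simplified version of the patterns Fail2Ban's asterisk filter looks for.
FAILURE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: (?:"
    r"Registration from '.*?' failed for '(?P<host>[^':]+)(?::\d+)?' - "
    r"(?:Wrong password|No matching peer found|Username/auth name mismatch|Device does not match ACL)"
    r"|Call from '.*?' \((?P<host2>[^:)]+)(?::\d+)?\) to extension '.*?' rejected because extension not found"
    r")"
)


def _reg_fail(ts, user, host, reason="Wrong password"):
    """Constructed registration-failure line in chan_sip's 1.8-era format."""
    return (f"[{ts}] NOTICE[2210] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@192.0.2.10>' failed for '{host}:5060' - {reason}")


def _call_reject(ts, host, exten):
    """Constructed line for an unauthenticated INVITE to an unknown extension."""
    return (f"[{ts}] NOTICE[2210] chan_sip.c: Call from '' ({host}:5060) to extension "
            f"'{exten}' rejected because extension not found in context 'default'.")


# Constructed sample log: 203.0.113.45 brute-forces a password, 198.51.100.7 probes
# slowly (one attempt every 15 minutes) and 27.111.14.20 sits in the trusted subnet.
SAMPLE_LOG = (
    [_reg_fail(f"2013-07-27 08:15:0{s}", "100", "203.0.113.45") for s in range(1, 6)]
    + [_reg_fail(f"2013-07-27 08:16:0{s}", "03aaaaa", "27.111.14.20") for s in range(0, 5)]
    + ['[2013-07-27 08:17:00] VERBOSE[2210] pbx.c:     -- Executing [s@from-trunk:1] NoOp("SIP/2talk-00000001", "") in new stack']
    + [_call_reject(f"2013-07-27 {h}:{m}:00", "198.51.100.7", "900972599123456")
       for h, m in (("08", "30"), ("08", "45"), ("09", "00"), ("09", "15"), ("09", "30"))]
)


def parse_failure(line):
    """Return (timestamp, source_ip) for an authentication-failure line, else None."""
    m = FAILURE_RE.match(line)
    if not m:
        return None
    host = m.group("host") or m.group("host2")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), ip


def is_trusted(host):
    """True if the address is inside a network the firewall already allows."""
    ip = ipaddress.ip_address(str(host))
    return any(ip in net for net in TRUSTED_NETS)


def hosts_to_ban(lines, maxretry=MAXRETRY, findtime_minutes=FINDTIME_MINUTES):
    """Sliding-window count of failures per source; return addresses reaching maxretry."""
    findtime = timedelta(minutes=findtime_minutes)
    recent = defaultdict(list)
    banned = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if is_trusted(ip):
            continue  # same exemption as the firewall rule; never ban the trunk provider
        hits = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        recent[ip] = hits
        if len(hits) >= maxretry and ip not in banned:
            banned.append(ip)
    return [str(ip) for ip in banned]


if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # ['203.0.113.45']
```

The same exemption belongs in the jail's ignoreip, and the firewall rule should come first: with 5060 closed to everything but the trunk subnet, Fail2Ban is catching whatever leaks through a mistaken rule like the one the OP later found, not doing the primary filtering. The slow prober in the sample only shows up when findtime is widened, which is why a short window with a low maxretry misses patient scanners.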



Reply # 868209 29-Jul-2013 22:53

Thanks guys,

http://www.geekzone.co.nz/forums.asp?forumid=43&topicid=100651

This is a very helpful link that I found as well.

The answer in the end was that I'd put a wrong firewall rule in place. I'd been trying to do something else which I'd already established wouldn't work, but then managed to copy that firewall rule by mistake.

However in the process I've discovered a few other issues.

I still don't understand what all those other 2talk settings are and I'd kinda like to know what they are for.

However in the mean time I do seem to be getting the calls heading in the right direction which is the important thing.

Thanks again.

D






Reply # 882861 22-Aug-2013 16:09

Hi DonGould

I always found the 2talk guide on how to set up Asterisk as good as any. http://blog.2talk.co.nz/asterisk.html

No need to change firewall rules etc. Works fine for me at 3 commercial sites.

Cheers
