Geekzone: technology news, blogs, forums


26 posts

Geek


Topic # 236121 18-May-2018 18:38

I have been migrating from the Orcon router to an EdgeRouter Lite but am having troubles getting the VOIP service working.

 

I have the following set up:

 

         Chorus NTU -> EdgeRouter Lite -> Unmanaged Switch -> NF4V

 

 

 

This works!  But when I remove the unmanaged switch and connect the NF4V directly into the ERL the VOIP status stays down. 

 

The NF4V can still ping external addresses including voice.orcon.net.nz.

 

I just don't know what the unmanaged switch could be doing that's making a difference.

 

 

 

 


1256 posts

Uber Geek
+1 received by user: 288


  Reply # 2018513 18-May-2018 18:52

Have you turned off the VLAN tagged WAN interface on the NF4V?

 

 

This is under
Advanced setup
--Layer 2 Interface
---ETH interface

Connection Mode should be DefaultMode or similar.

314 posts

Ultimate Geek
+1 received by user: 78


  Reply # 2018521 18-May-2018 19:10

The other ERL3 port you are using is on another subnet and can't communicate to main LAN
You need to do some more fiddling with settings to get the port the NF4V is on to link with main LAN

 

Below is a modified version of what I use to see modem on eth0 (WAN) side of my setup
You will need to port forward port 5060 to the IP you give the NF4V
UPNP2 might also be needed as you are crossing subnets
Below assuming eth1 = LAN and 192.168.1.xxx, eth2 is where NF4V will be on 192.168.2.xxx
Give the NF4V an IP in the 192.168.2.xxx range (not 001) before putting on ERL3

 

CLI commands to setup, you may need to play with these to allow for your settings

 

configure
#setup eth2
set interfaces ethernet eth2 address 192.168.2.1/24
set interfaces ethernet eth2 description 'NF4V/VOIP'
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 mtu 1500
set interfaces ethernet eth2 speed auto

 

#allow  eth2 to be seen from eth1
set service nat rule 5000 description 'Call this what you want'
set service nat rule 5000 destination address 192.168.2.0/24
set service nat rule 5000 outbound-interface eth2
set service nat rule 5000 source address 192.168.1.1/24
set service nat rule 5000 type masquerade

 

#Port forward setup
set port-forward auto-firewall enable
set port-forward hairpin-nat enable
set port-forward lan-interface eth1
set port-forward lan-interface eth2
set port-forward rule 10 description VOIP
set port-forward rule 10 forward-to address 192.168.2.xxx
set port-forward rule 10 forward-to port 5060
set port-forward rule 10 original-port 5060
set port-forward rule 10 protocol udp
commit
save
exit

 


Hope this helps and makes sense




26 posts

Geek


  Reply # 2018532 18-May-2018 19:30

I have deleted and recreated the eth4.1 interface under "WAN Service" so I could remove the VLAN 10 tag.

 

Under the Layer2 interface, ETH interface setup it has eth4/eth4 Connection Mode set to "VlanMuxMode".  I tried recreating this interface in case there was another option available for the connection mode, however, I wasn't able to select anything else.

 

 




26 posts

Geek


  Reply # 2018533 18-May-2018 19:34

freakngeek - I'm not trying to pass traffic between the two LAN ports.  Just have the NF4V connect out to the internet for VOIP 5060 traffic.

 

 

 

It's my understanding that you don't need port forwarding for a SIP client. And this seems correct as VOIP services work fine if I have an unmanaged switch between the ERL and NF4V.

 

But I'll review what you've posted and maybe try applying those settings in case there's some aspect that will help.

 

 


314 posts

Ultimate Geek
+1 received by user: 78


  Reply # 2018562 18-May-2018 19:52

Is the NF4V in AP mode ?
Or it will try and route against the ERL3 also trying to route, the switch would have allowed double NAT ?

I set my FB7390 in AP mode and it does my VOIP with the ERL3

 

 




26 posts

Geek


  Reply # 2018590 18-May-2018 20:36

Not sure I follow you re AP?  Access Point mode?

 

No - Wireless is disabled. 


314 posts

Ultimate Geek
+1 received by user: 78


  Reply # 2018599 18-May-2018 21:03

Hard to tell how you've setup your network, but looks like double routing happening

 

AP mode turns the NF4V into a switch then the ERL3 does all the routing
Not sure if in AP mode VOIP turns off, I don't have my NF4V yet
If it does, then turn off DHCP on the NF4V, plug ERL3 into a LAN port as WAN port may not work, VOIP should still work

 

Why even have the ERL3 ?
Does it do anything else ?


366 posts

Ultimate Geek
+1 received by user: 75


  Reply # 2018685 18-May-2018 23:19

shadsnz:

 

freakngeek - I'm not trying to pass traffic between the two LAN ports.  Just have the NF4V connect out to the internet for VOIP 5060 traffic.

 

 

 

It's my understanding that you don't need port forwarding for a SIP client. And this seems correct as VOIP services work fine if I have an unmanaged switch between the ERL and NF4V.

 

But I'll review what you've posted and maybe try applying those settings in case there's some aspect that will help.

 

 

For VOIP to work, you do need to open or forward the ports, and you need more than just port 5060.

 

Port 5060 is used for the SIP connection that sets up and manages the VOIP connections, but the actual phone calls are sent on different ports using the RTP protocol.  For my FritzBox to operate behind my ERL3, I have to open UDP 5060 for SIP and UDP 7078-7109 for RTP.  The RTP connections come in pairs, one for the RTP with the actual call packets, and one for RTCP, which provides feedback about the call in progress, with error counts and sync data.  So the first call through the FritzBox will allocate UDP 7078 for RTP and UDP 7079 for RTCP.  If that call is still in progress and another call starts, it will use UDP 7080 for RTP and UDP 7081 for RTCP.  And so on up to the maximum number of calls the FritzBox will support.  The RTP/RTCP ports used commonly start at 7078, but it can vary between VOIP boxes, so you need to find out what the NF4V actually uses.  The RTP port numbers are negotiated using the SIP protocol on UDP 5060.  I think TCP 5060 can also be used for SIP, or both TCP and UDP, depending on your VOIP provider.

 

You might be able to get away with not opening port 5060, but only if the keepalive packets for the SIP connection to your VOIP provider happen often enough that the ERL3 will not time out and close that port.  My experience says it needs to be open, as the keepalive packets sent by my FritzBox are way too far apart and it will time out.  The keepalive packet frequency is dependent on the VOIP software, so maybe the NF4V will do them often enough to keep the port open, but I would not risk it.

 

You do have to have the RTP UDP ports open, as the direction the first RTP or RTCP packet comes from depends on the direction of the call, inbound or outbound.  If the first RTP or RTCP packets are inbound from your VOIP provider, the ports will likely not be open and the call will fail.

 

One of the reasons for having a nice router like the ERL3 is all the extra things you can do with it.  So in this case, if the worst comes to the worst and you can not find out the correct RTP port numbers for the NF4V with Orcon firmware, you can use the ERL3 to see what is actually happening.  You set up SSH access to the ERL3 and using that, install tshark (the command line version of Wireshark) and use that to capture the port 5060 traffic, then use SSHFS or scp to download the capture file to your PC and get Wireshark to read it.  Wireshark knows the SIP protocol and you can see the port numbers being negotiated.  If you use tshark on the ERL3, make sure it stores its capture file to RAM disk - having it save to the internal flash stick kills the flash stick rapidly with too many fast writes.  The /var/log directory is where I store capture files.  PM me if you want help doing that.

 

https://en.wikipedia.org/wiki/Session_Initiation_Protocol

 

https://en.wikipedia.org/wiki/Real-time_Transport_Protocol
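
Added example, not part of the post above: once a capture of the UDP 5060 traffic is off the router, the RTP and RTCP ports each side offered can be read from the SDP body of the SIP messages. The Python below does this for constructed messages; the host names, addresses and the `sdp_media` helper are assumptions, and 7078/7079 only mirror the FritzBox figures quoted in the post, not what the NF4V uses.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed messages, not taken from a real capture.
INVITE = ("INVITE sip:user@voice.example.invalid SIP/2.0\r\n"
          "CSeq: 1 INVITE\r\nContent-Type: application/sdp\r\n\r\n"
          "v=0\r\no=- 1 1 IN IP4 192.168.2.10\r\ns=-\r\nc=IN IP4 192.168.2.10\r\n"
          "t=0 0\r\nm=audio 7078 RTP/AVP 8 0\r\na=rtcp:7079\r\n")
OK_200 = ("SIP/2.0 200 OK\r\nCSeq: 1 INVITE\r\nContent-Type: application/sdp\r\n\r\n"
          "v=0\r\no=- 2 2 IN IP4 203.0.113.20\r\ns=-\r\nt=0 0\r\n"
          "m=audio 16384 RTP/AVP 8\r\nc=IN IP4 203.0.113.20\r\n")
REGISTER = "REGISTER sip:voice.example.invalid SIP/2.0\r\nCSeq: 2 REGISTER\r\n\r\n"


def sdp_media(sip_message):
    """Return one dict per SDP m= line: media, address, rtp_port, rtcp_port, private."""
    head, _, body = sip_message.partition("\r\n\r\n")
    if "application/sdp" not in head.lower():
        return []  # no SDP body, so no media ports are being negotiated
    session_addr, media = None, []
    for line in body.splitlines():
        if line.startswith("c="):  # c=IN IP4 <addr>; a media-level c= overrides the session one
            addr = line.split()[2]
            if media:
                media[-1]["address"] = addr
            else:
                session_addr = addr
        elif line.startswith("m="):  # m=<media> <port> <proto> <formats>
            kind, port = line[2:].split()[:2]
            port = int(port.split("/")[0])
            media.append({"media": kind, "address": session_addr,
                          "rtp_port": port, "rtcp_port": port + 1})
        elif line.startswith("a=rtcp:") and media:  # explicit RTCP port (RFC 3605)
            media[-1]["rtcp_port"] = int(re.match(r"a=rtcp:(\d+)", line).group(1))
    for m in media:  # a private address in the offer means NAT sits between the peers
        addr = m["address"]
        m["private"] = addr is not None and any(ipaddress.ip_address(addr) in n for n in RFC1918)
    return media


if __name__ == "__main__":
    for name, msg in (("INVITE", INVITE), ("200 OK", OK_200), ("REGISTER", REGISTER)):
        print(name, sdp_media(msg))
```

A `private` value of true on the device's own offer shows it is advertising its LAN address, which is the case where the router's NAT state or the provider's NAT handling decides whether inbound RTP arrives.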


314 posts

Ultimate Geek
+1 received by user: 78


  Reply # 2018768 19-May-2018 08:01

I just forward port 5060, nothing else on the FB7390 behind the ERL3
I think UPNP does the rest (in case of ERL3 UPNP2)

 

I bought the ERL3 to do the nice things it can do, but I don't run other routers in Router mode.
It's a brilliant router that needs some thought with all the other bits around it.
My Netgear R7800 does Wifi in AP mode, the FB7390 does VOIP in AP mode


314 posts

Ultimate Geek
+1 received by user: 78


  Reply # 2018808 19-May-2018 10:02

Just turned off Port forwarding on port 5060 on ERL3
Turned off Keep port forward open on FB7390
Rebooted FB to make sure it had to register VOIP number

 

VOIP still happily works


27066 posts

Uber Geek
+1 received by user: 6509

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 2018842 19-May-2018 10:26
2 people support this post

If you're going to forward ports for VoIP (in any setup) you need to be fully aware of the risks associated with this. Port forwards (particularly 5060) open your device up to the entire Internet meaning it will be attacked by SIP bots literally within hours.

 

If 5060 needs to be opened and you don't have something like a SBC as a layer of protection it should at a bare minimum have IP whitelisting in place. In 99.9% of VoIP setups port forwards are not needed.
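
Added example, not part of the post above: a way to see what an IP allowlist on a forwarded UDP 5060 would drop, by sorting observed SIP requests by source. The records are constructed, the allowed prefix is a documentation-range placeholder for the provider's SIP servers, and `triage` is a hypothetical helper.

```python
import ipaddress

# Assumption: placeholder prefix standing in for the VoIP provider's SIP servers.
ALLOWED = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed records "<source ip> <SIP method>", one per request arriving on UDP 5060.
SAMPLE = """\
203.0.113.20 OPTIONS
198.51.100.7 OPTIONS
198.51.100.7 REGISTER
198.51.100.7 REGISTER
not-an-ip INVITE
192.0.2.44 INVITE
203.0.113.21 INVITE
"""


def triage(records, allowed=ALLOWED):
    """Return (accepted_count, {source: {method: count}}) for requests the allowlist drops."""
    accepted, dropped = 0, {}
    for line in records.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            src = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed record: skip rather than guess
        if any(src in net for net in allowed):
            accepted += 1
        else:
            per_src = dropped.setdefault(str(src), {})
            per_src[parts[1]] = per_src.get(parts[1], 0) + 1
    return accepted, dropped


if __name__ == "__main__":
    ok, blocked = triage(SAMPLE)
    print("accepted:", ok)
    for src, methods in blocked.items():
        print("dropped:", src, methods)
```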

 

 

 

 


314 posts

Ultimate Geek
+1 received by user: 78


  Reply # 2019070 19-May-2018 16:57

Taking above advice, and having a play

 

I now have FB7390 doing just VOIP on eth2 on ERL3
Setup a route so I can see it from LAN on eth1
I can see it, if I plug in via the FB LAN connection I can surf the web but I can't see eth0 or eth1
Port forwarding removed.
Only thing I had to do was change the DNS and gateway on FB to the eth2 IP address of router and set an IP on the FB so I can see it

 

@shadsnz you should theoretically be able to do the same with the NF4V behind the ERL3




26 posts

Geek


  Reply # 2020037 21-May-2018 19:49

Yes, that's effectively where I got to.

 

 

 

The issue is it works fine if I have a switch between the ERL and the NF4V.  But if I remove the switch and have the NF4V directly connected to the ERL then VOIP doesn't work (while other functions continue to work - like web browsing, DNS, and ping traffic).

 

 


1256 posts

Uber Geek
+1 received by user: 288


  Reply # 2020045 21-May-2018 19:54

You may need to manually specify the interface VoIP traffic is sent out.

 

 

Usually it is your WAN connection although depends on how you have things connected. Make sure a DNS server is also reachable by the router.

 

 




26 posts

Geek


  Reply # 2020052 21-May-2018 20:05

Thanks for the suggestion.  I checked that setting.  It was on "Any_WAN".  I tried changing it to "eth4.1" but that didn't help. 

 

No VOIP when the NF4V is connected directly to the ERL.  But works fine if I put a switch in between them.

 

Will start down the road of capturing packets and try to look for differences.

 

 

 

 

