Geekzone: technology news, blogs, forums


fcollingwood
#175697 8-Jul-2015 23:46

Hi All

I've ditched the Slingshot supplied UFB router in favour of my own Zyxel USG 50 firewall. I use an asterisk server on my internal network, and have no issues with my Aussie VOIP provider (long story) which demonstrates that the port forwarding is working correctly.

However, I'm having issues with the Slingshot VOIP service.

I'm using Astlinux, and I can see on the Astlinux web console that it's registering correctly for incoming and outgoing. Dialing in is fine; however, when dialing out I get a warning message:
[Jul  8 22:50:23] WARNING[2005][C-00000000]: chan_sip.c:23028 handle_response_invite: Received response: "Forbidden" from '<sip:MyNumber@AstlinuxIP>;tag=as70d04f4d'

The relevant sip.conf entries are:

[general]
register => MyNumber:MyPassword@119.224.142.182/MyNumber

[landline]
fromuser=MyNumber
defaultuser=MyNumber
type=peer
remotesecret=MySecret
qualify=yes
dtmfmode=rfc2833
insecure=port,invite
host=119.224.142.182
allow=all
canredirect=no
context=ValidContext
nat=never
trunkname=ValidTrunkname

Of course, I haven't exposed my actual username, password, context name, trunk name, etc., here.

Does anyone have a valid config?

sbiddle
  #1339626 9-Jul-2015 06:27

No idea what your issue is based on so little information, but you should never ever under any circumstances have port forwards enabled for VoIP unless you fully understand the security risks... And if you understand the risks you'd never ever contemplate this.




fcollingwood
  #1339806 9-Jul-2015 11:12

Hmm

Then if port forwarding should not be done, can you please explain exactly how incoming SIP signaling on port 5060, and RTP media traffic (on a narrow subset of ports) traverses NAT to reach the Asterisk server on the inside? Because I already know that without port forwarding, my other VOIP provider trunk plain does not work.

I'm not after people asking "Why do you do this/that?". I'm after a sip.conf snippet from someone who has got it working.

sbiddle
  #1339850 9-Jul-2015 11:31

A SIP registration to your SIP proxy creates a NAT pinhole that keeps a firewall open for a specific period of time. NAT pinholes are exactly why you don't need to create port forwards for web browsing to work. In some situations you may need to open 10000-20000 (but you should really reduce this down to a smaller range anyway, as you'll never have 5000 or 10000 simultaneous calls).

If you're going to port forward these should be locked down to the specific IP range(s) of your SIP proxy.

I can't help with the Slingshot setup, I'm just advising on the security risks of insecure Asterisk systems.



fcollingwood

  #1340032 9-Jul-2015 14:39

And I am well aware of the NAT pinhole for 5060 created by the registration, and the requirement to forward a subset of ports between 10000 and 20000 for the RTP media traffic, and the safety factor there in locking down the forwarding to be only from the SIP proxy IPs.

But I wasn't asking about security.

I was asking about a specific working trunk config that any other user may have found to work with Slingshot's fibre service.
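The two points of agreement in the posts above (shrink the forwarded RTP range to what the box can actually carry, and lock any remaining SIP/RTP forward down to the SIP proxy's address) are easy to state and easy to get wrong on a firewall GUI. The script below is an added example, not code from the thread or from Asterisk: it sizes an rtp.conf range for a given number of concurrent calls and audits a list of inbound forwards against that advice. The Forward record, the "weak" rule set and the two-ports-per-call sizing (Asterisk allocates an even RTP port plus the following odd RTCP port per stream) are the example's own assumptions; 119.224.142.182 is the proxy host from the posted sip.conf and 192.168.1.10 is a made-up internal Asterisk address.

```python
"""Audit inbound port forwards for an Asterisk box behind NAT.

Added example (not from the thread). Models the advice given above:
forward as little as possible, keep the RTP range proportional to the
number of simultaneous calls, and restrict whatever is forwarded to the
SIP proxy's address(es). The rule format and sample rules are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

SIP_PORT = 5060


@dataclass(frozen=True)
class Forward:
    """One inbound NAT forward (constructed format, not any vendor's syntax)."""
    proto: str      # "udp" or "tcp"
    port_lo: int    # first external port forwarded
    port_hi: int    # last external port forwarded (inclusive)
    src: str        # source CIDR the rule accepts, e.g. "0.0.0.0/0"
    dst: str        # internal host receiving the traffic


def rtp_range(max_calls: int, start: int = 10000) -> tuple[int, int]:
    """Smallest UDP range for max_calls: assumes one even RTP port and the
    next odd RTCP port per call, so two ports per call (Asterisk default)."""
    if max_calls < 1:
        raise ValueError("need at least one call")
    start += start % 2                      # keep RTP/RTCP pairs aligned on even ports
    return start, start + 2 * max_calls - 1


def rtp_conf(max_calls: int) -> str:
    """rtp.conf [general] stanza for the sized range."""
    lo, hi = rtp_range(max_calls)
    return f"[general]\nrtpstart={lo}\nrtpend={hi}\n"


def _is_rtp_rule(f: Forward) -> bool:
    return f.proto == "udp" and not (f.port_lo <= SIP_PORT <= f.port_hi)


def audit(forwards: list[Forward], proxies: list[str], max_calls: int) -> list[str]:
    """Return one finding per problem; an empty list means the forwards follow
    the thread's advice (source locked to the proxy, RTP range right-sized)."""
    allowed = [ipaddress.ip_network(p) for p in proxies]
    lo, hi = rtp_range(max_calls)
    findings: list[str] = []
    for f in forwards:
        src = ipaddress.ip_network(f.src)
        locked = any(src.subnet_of(a) for a in allowed if a.version == src.version)
        label = f"{f.proto}/{f.port_lo}-{f.port_hi} from {f.src} -> {f.dst}"
        if not locked:
            findings.append(f"{label}: source is not limited to the SIP proxy {proxies}")
        if _is_rtp_rule(f) and (f.port_hi - f.port_lo + 1) > 2 * max_calls:
            findings.append(f"{label}: RTP range wider than {max_calls} calls need ({lo}-{hi})")
    return findings


def tighten(forwards: list[Forward], proxies: list[str], max_calls: int) -> list[Forward]:
    """Rewrite forwards the way the thread recommends: one rule per proxy
    address as source, and any oversized RTP range shrunk to rtp_range()."""
    lo, hi = rtp_range(max_calls)
    fixed: list[Forward] = []
    for f in forwards:
        port_lo, port_hi = f.port_lo, f.port_hi
        if _is_rtp_rule(f) and (port_hi - port_lo + 1) > 2 * max_calls:
            port_lo, port_hi = lo, hi
        for p in proxies:
            fixed.append(Forward(f.proto, port_lo, port_hi, p, f.dst))
    return fixed


# Constructed sample: the "forward everything from anywhere" setup the
# thread warns about, for a box expected to carry at most four calls.
PROXIES = ["119.224.142.182/32"]           # proxy host from the posted sip.conf
MAX_CALLS = 4
WEAK_RULES = [
    Forward("udp", 5060, 5060, "0.0.0.0/0", "192.168.1.10"),
    Forward("udp", 10000, 20000, "0.0.0.0/0", "192.168.1.10"),
]

if __name__ == "__main__":
    for line in audit(WEAK_RULES, PROXIES, MAX_CALLS):
        print("FINDING:", line)
    for rule in tighten(WEAK_RULES, PROXIES, MAX_CALLS):
        print("KEEP:", rule)
    print(rtp_conf(MAX_CALLS), end="")
```

Running it against the sample reports three findings (both rules open to the whole internet, and the RTP range 10001 ports wide for a four-call box) and then prints the locked-down equivalent plus an rtp.conf stanza of 10000-10007. Whatever range you settle on must match the firewall forward and rtp.conf exactly, or media will be one-way.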

sbiddle
  #1340144 9-Jul-2015 18:32

Yip, I realise it doesn't solve your issue, but as somebody who's deployed huge numbers of Asterisk systems and seen the results of attacks so many times, where somebody thinks they're a VoIP expert because they can make calls in 60 minutes, I just like to ensure everybody is fully aware of the implications of insecure systems.

The minute I see anybody mention port forwards and VoIP it instantly rings alarm bells because most people have no idea they've just left their front door open to the whole internet by doing this, and it's not a matter of if their system will be hacked, but when.



