Geekzone: technology news, blogs, forums


fcollingwood

8 posts

Wannabe Geek


#175697 8-Jul-2015 23:46

Hi All

I've ditched the Slingshot supplied UFB router in favour of my own Zyxel USG 50 firewall. I use an asterisk server on my internal network, and have no issues with my Aussie VOIP provider (long story) which demonstrates that the port forwarding is working correctly.

However, I'm having issues with the Slingshot VOIP service.

I'm using Astlinux, and I can see on the Astlinux web console that it's registering correctly for incoming and outgoing. Dialing in is fine; however, when dialing out I get a warning message:
[Jul  8 22:50:23] WARNING[2005][C-00000000]: chan_sip.c:23028 handle_response_invite: Received response: "Forbidden" from '<sip:MyNumber@AstlinuxIP>;tag=as70d04f4d'

The relevant sip.conf entries are:

[general]
register => MyNumber:MyPassword@119.224.142.182/MyNumber

[landline]
fromuser=MyNumber
defaultuser=MyNumber
type=peer
remotesecret=MySecret
qualify=yes
dtmfmode=rfc2833
insecure=port,invite
host=119.224.142.182
allow=all
canredirect=no
context=ValidContext
nat=never
trunkname=ValidTrunkname

Of course, I haven't exposed my actual username, password, context name, trunk name, etc, here....

Does anyone have a valid config?

sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1339626 9-Jul-2015 06:27

No idea what your issue is based on such little information but you should never ever under any circumstances have port forwards enabled for VoIP unless you fully understand the security risks... And if you understand the risks you'd never ever contemplate this.




fcollingwood

8 posts

Wannabe Geek


  #1339806 9-Jul-2015 11:12

Hmm

Then if port forwarding should not be done, can you please explain exactly how incoming SIP signaling on port 5060, and RTP media traffic (on a narrow subset of ports) traverses NAT to reach the Asterisk server on the inside? Because I already know that without port forwarding, my other VOIP provider trunk plain does not work.

I'm not after people asking "Why do you do this/that?". I'm after sip.conf snippet from someone who has got it working. 

sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1339850 9-Jul-2015 11:31

A SIP registration to your SIP Proxy creates a NAT pinhole that keeps a firewall open for a specific period of time. NAT pinholes are exactly why you don't need to create port forwards for web browsing to work. In some situations you may need to open 10000-20000 (but should really reduce this down to a smaller range anyway as you'll never have 5000 or 10000 simultaneous calls)

If you're going to port forward these should be locked down to the specific IP range(s) of your SIP proxy.

I can't help with the Slingshot setup, I'm just advising on the security risks of insecure Asterisk systems.
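
The lock-down advice in the post above, as an added example that is not part of any post in this thread: a small audit that flags SIP/RTP port forwards open to sources other than the SIP proxy, or covering an oversized RTP range. The rule tuples, `MAX_RTP_PORTS` and the use of the provider address from the sip.conf earlier in the thread as the trusted proxy are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of WAN->LAN forwarding rules (not taken from the thread):
# (name, protocol, first port, last port, allowed source CIDR)
SAMPLE_RULES = [
    ("sip-any",    "udp", 5060, 5060, "0.0.0.0/0"),
    ("rtp-wide",   "udp", 10000, 20000, "119.224.142.182/32"),
    ("sip-proxy",  "udp", 5060, 5060, "119.224.142.182/32"),
    ("rtp-narrow", "udp", 10000, 10019, "119.224.142.182/32"),
    ("https",      "tcp", 443, 443, "0.0.0.0/0"),
]

SIP_PORT = 5060
RTP_RANGE = range(10000, 20001)  # the 10000-20000 range quoted in the thread
MAX_RTP_PORTS = 100              # assumed ceiling; size it to your concurrent calls


def audit_forwards(rules, trusted_proxies, max_rtp_ports=MAX_RTP_PORTS):
    """Return (rule name, finding) pairs for VoIP forwards that are too open."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    findings = []
    for name, proto, lo, hi, source in rules:
        is_sip = lo <= SIP_PORT <= hi
        is_rtp = proto == "udp" and lo <= RTP_RANGE[-1] and hi >= RTP_RANGE[0]
        if not (is_sip or is_rtp):
            continue  # not a VoIP forward, out of scope for this check
        src = ipaddress.ip_network(source, strict=False)
        # The allowed source must sit entirely inside a provider network.
        if not any(src.subnet_of(t) for t in trusted):
            findings.append((name, f"source {src} is not limited to the SIP proxy"))
        if is_rtp and (hi - lo + 1) > max_rtp_ports:
            findings.append((name, f"RTP range spans {hi - lo + 1} ports"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_forwards(SAMPLE_RULES, ["119.224.142.182/32"]):
        print(f"{name}: {finding}")
```
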



fcollingwood

8 posts

Wannabe Geek


  #1340032 9-Jul-2015 14:39

And I am well aware of the NAT pinhole for 5060 created by the registration, and the requirement to forward a subset of ports between 10000 and 20000 for the RTP media traffic, and the safety factor there in locking down the forwarding to be only from the SIP proxy IPs.

But I wasn't asking about security.

I was asking about a specific working trunk config that any other user may have found to work with Slingshot's fibre service.

sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1340144 9-Jul-2015 18:32

Yip I realise it doesn't solve your issue but as somebody who's deployed huge numbers of Asterisk systems and seen the results of attacks so many times where somebody thinks they're a VoIP expert because they can make calls in 60 minutes I just like to ensure everybody is fully aware of the implications of insecure systems.

The minute I see anybody mention port forwards and VoIP it instantly rings alarm bells because most people have no idea they've just left their front door open to the whole internet by doing this, and it's not a matter of if their system will be hacked, but when.



