8 posts

Wannabe Geek


# 175697 8-Jul-2015 23:46

Hi All

I've ditched the Slingshot supplied UFB router in favour of my own Zyxel USG 50 firewall. I use an asterisk server on my internal network, and have no issues with my Aussie VOIP provider (long story) which demonstrates that the port forwarding is working correctly.

However, I'm having issues with the Slingshot VOIP service.

I'm using Astlinux, and I can see on the Astlinux web console that it's registering correctly for incoming and outgoing, dialing in is fine, however dialing out I get a warning message: 
[Jul  8 22:50:23] WARNING[2005][C-00000000]: chan_sip.c:23028 handle_response_invite: Received response: "Forbidden" from '<sip:MyNumber@AstlinuxIP>;tag=as70d04f4d'

The relevant sip.conf entries are:

[general]
register => MyNumber:MyPassword@119.224.142.182/MyNumber

[landline]
fromuser=MyNumber
defaultuser=MyNumber
type=peer
remotesecret=MySecret
qualify=yes
dtmfmode=rfc2833
insecure=port,invite
host=119.224.142.182
allow=all
canredirect=no
context=ValidContext
nat=never
trunkname=ValidTrunkname

Of course, I haven't exposed my actual username, password, context name, trunk name, etc, here....

Does anyone have a valid config?

27906 posts

Uber Geek
+1 received by user: 7390

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 1339626 9-Jul-2015 06:27
One person supports this post

No idea what your issue is based on such little information but you should never ever under any circumstances have port forwards enabled for VoIP unless you fully understand the security risks... And if you understand the risks you'd never ever contemplate this.




8 posts

Wannabe Geek


  # 1339806 9-Jul-2015 11:12

Hmm

Then if port forwarding should not be done, can you please explain exactly how incoming SIP signaling on port 5060, and RTP media traffic (on a narrow subset of ports) traverses NAT to reach the Asterisk server on the inside? Because I already know that without port forwarding, my other VOIP provider trunk plain does not work.

I'm not after people asking "Why do you do this/that?". I'm after a sip.conf snippet from someone who has got it working.

 
 
 
 


27906 posts

Uber Geek
+1 received by user: 7390

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 1339850 9-Jul-2015 11:31

A SIP registration to your SIP Proxy creates a NAT pinhole that keeps a firewall open for a specific period of time. NAT pinholes are exactly why you don't need to create port forwards for web browsing to work. In some situations you may need to open 10000-20000 (but should really reduce this down to a smaller range anyway as you'll never have 5000 or 10000 simultaneous calls)

If you're going to port forward these should be locked down to the specific IP range(s) of your SIP proxy.

I can't help with the Slingshot setup, I'm just advising on the security risks of insecure Asterisk systems.
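
An added example, not part of the thread: a Python check of the advice in the post above, flagging VoIP port forwards that are not restricted to the SIP proxy's address or that open more RTP ports than the expected call volume needs. The rule list is constructed, the two-ports-per-call budget is an assumption, and the only value taken from the thread is the provider host 119.224.142.182.

```python
import ipaddress

SIP_PORTS = (5060, 5061)      # SIP signalling (5061 is SIP over TLS)
RTP_DEFAULT = (10000, 20000)  # RTP range mentioned in the thread

# Constructed sample port-forward rules; only the provider host
# 119.224.142.182 comes from the sip.conf in the original post.
PROVIDER_NETS = [ipaddress.ip_network("119.224.142.182/32")]
RULES = [
    {"name": "sip-any",   "ports": (5060, 5060),   "source": "0.0.0.0/0"},
    {"name": "rtp-wide",  "ports": (10000, 20000), "source": "119.224.142.182/32"},
    {"name": "rtp-tight", "ports": (10000, 10019), "source": "119.224.142.182/32"},
    {"name": "https",     "ports": (443, 443),     "source": "0.0.0.0/0"},
]

def overlaps(a, b):
    """True when two inclusive (low, high) port ranges share a port."""
    return a[0] <= b[1] and b[0] <= a[1]

def from_provider_only(source, provider_nets):
    """True when the rule's source network lies inside a provider network."""
    src = ipaddress.ip_network(source)
    return any(src.version == n.version and src.subnet_of(n)
               for n in provider_nets)

def audit(rules, provider_nets, max_calls, ports_per_call=2):
    """ports_per_call=2 is an assumption: one RTP and one RTCP port per call."""
    budget = max_calls * ports_per_call
    findings = []
    for rule in rules:
        is_sip = overlaps(rule["ports"], SIP_PORTS)
        is_rtp = overlaps(rule["ports"], RTP_DEFAULT)
        if not (is_sip or is_rtp):
            continue  # not a VoIP forward, out of scope for this check
        if not from_provider_only(rule["source"], provider_nets):
            findings.append((rule["name"], "open-source"))
        width = rule["ports"][1] - rule["ports"][0] + 1
        if is_rtp and width > budget:
            findings.append((rule["name"], "wide-rtp"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(RULES, PROVIDER_NETS, max_calls=10):
        print(f"{name}: {issue}")
```
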



8 posts

Wannabe Geek


  # 1340032 9-Jul-2015 14:39

And I am well aware of the NAT pinhole for 5060 created by the registration, and the requirement to forward a subset of ports between 10000 and 20000 for the RTP media traffic, and the safety factor there in locking down the forwarding to be only from the SIP proxy IPs.

But I wasn't asking about security.

I was asking about a specific working trunk config that any other user may have found to work with Slingshot's fibre service.

27906 posts

Uber Geek
+1 received by user: 7390

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 1340144 9-Jul-2015 18:32

Yip I realise it doesn't solve your issue but as somebody who's deployed huge numbers of Asterisk systems and seen the results of attacks so many times where somebody thinks they're a VoIP expert because they can make calls in 60 minutes I just like to ensure everybody is fully aware of the implications of insecure systems.

The minute I see anybody mention port forwards and VoIP it instantly rings alarm bells because most people have no idea they've just left their front door open to the whole internet by doing this, and it's not a matter of if their system will be hacked, but when.



