[asterisk-users] Outgoing Calls Only -- Firewall Rules
Max McGraw
max.mcgraw at gmail.com
Wed Jan 6 07:40:41 CST 2010
Nicholas,
Sorry, I don't know, but are your calls working okay?
Depending on the verbosity level being set, I see warning
msgs all the time, that I ignore.
Frequently, an upgrade to the next release of the same
major version also eliminates the warning msgs.
If you are really concerned, I would find an unused machine,
install Linux & Asterisk 1.6.x on it, try out your calls and
see if the warnings still appear.
If there are no warnings of this kind, it is an issue specific
to a module in that 1.4.x release and likely to go away.
Good luck!
--
On Tue, Jan 5, 2010, Nicholas Blasgen wrote:
> Asterisk 1.4.29 or so.
>
> access-list _dmz_acl extended permit udp 10.129.42.0 255.255.255.0 any range 10000 20000
> access-list _dmz_acl extended permit udp 10.129.42.0 255.255.255.0 any eq 5060
>
> But yes, all your feedback worked. I didn't need to port-forward any
> incoming ports, only 5060/10000-20000 for outgoing UDP. The only issue I'm
> now having is:
>
> <--- SIP read from 66.227.100.20:5060 --->
> SIP/2.0 200 OK
> Via: SIP/2.0/UDP 209.34.93.68:5060;branch=z9hG4bK3eb38bde;rport=51566
> ....
> Warning: 392 66.227.100.20:5060 "Noisy feedback tells: pid=9611
> req_src_ip=209.34.93.68 req_src_port=51566 in_uri=sip:sip.jnctn.net
> out_uri=sip:sip.jnctn.net via_cnt==1"
>
> 209.34.93.68 is my IP, 209.34.93.68 is Junction Networks (for this
> example). I also get it from my backbone providers as well so it's likely
> something to do with that 51566 req_src_port thing. Any idea what this is
> and how to configure it to a restricted range of IP addresses?
>
> Nicholas Blasgen
> Partner / Network Operations
> Refractive Dialer LLC
> (724) 252-7436
>
>
> On Sun, Jan 3, 2010 at 8:29 PM, Max McGraw wrote:
>>
>> Nicholas,
>>
>> you haven't specified which version, which does make
>> a lot of difference.
>>
>> 1.6.x can easily traverse NAT. If you are only making
>> outbound calls, you shouldn't need to forward 5060.
>>
>> Unless you have a special NAT that is blocking
>> outbound connections, the SIP.conf settings below
>> should work whether your provider uses SIP
>> registrations or not. My codec related settings may
>> not be applicable to your installation:
>>
>> ; -------------------------------------
>> [general]
>> dtmfmode=rfc2833
>> relaxdtmf=yes
>> bandwidth=high
>> disallow=all
>> allow=ulaw
>> ;
>> ; NAT stuff
>> ;
>> localnet=192.168.x.0/255.255.255.0
>> externip=a.b.c.d:5060
>> nat=yes
>> ;
>> ; Media stuff
>> ;
>> canreinvite=no
>> ;
>> ;
>> [your-voip-provider-para]
>> ;
>> context=default
>> type=friend
>> ;
>> ; your provider's outbound gateway
>> ;
>> host=w.x.y.z
>> ;
>> dtmfmode=rfc2833
>> relaxdtmf=yes
>> disallow=all
>> allow=ulaw
>> ;
>> ; -------------------------------------
>>
>>
>> On Sun, Jan 3, 2010, Nicholas Blasgen wrote:
>>
>> > I'm trying to move my Asterisk deployments under a Virtual IP address and
>> > now remember why I dislike this. My primary Asterisk system is now behind a
>> > firewall in private address space. My question is what ports are needed to
>> > be opened just for the purpose of placing outgoing calls. I would have
>> > assumed none, but I can't even get replies on registration from any of my 3
>> > VoIP providers. I tried defining the External IP and some other stuff, but
>> > I assume it's fully an issue with the firewall. Do I really need 5060 port
>> > forwarded just to register with remote hosts?
>> >
>> > Nicholas Blasgen
>> > Partner / Network Operations
>> > Refractive Dialer LLC
>> > (724) 252-7436
>> >
>> > __________________________________
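
Added example, not part of the thread and not Asterisk code: a small Python parser for the top Via header of the 200 OK quoted above. Per RFC 3581, the rport value in a response is the source port the responding server saw the request arrive from, so a value that differs from the sent-by port shows the firewall translated the source port on the way out. The function names and the sample string are constructed for illustration; IPv6 literals and multiple Via values on one line are assumed absent.

```python
import re

# Constructed sample: the two response lines quoted in the thread, elided headers omitted.
RESPONSE = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 209.34.93.68:5060;branch=z9hG4bK3eb38bde;rport=51566\r\n"
    "\r\n"
)

# Top Via header: transport, sent-by host[:port], then ;name[=value] parameters.
VIA_RE = re.compile(
    r"^(?:Via|v)\s*:\s*SIP/2\.0/(?P<transport>\w+)\s+"
    r"(?P<host>[^;:\s]+)(?::(?P<port>\d+))?(?P<params>(?:\s*;[^;,\r\n]*)*)",
    re.IGNORECASE | re.MULTILINE,
)

def parse_top_via(message):
    """Return transport, sent-by address and parameters of the first Via header."""
    m = VIA_RE.search(message)
    if m is None:
        raise ValueError("no Via header found")
    params = {}
    for item in m.group("params").split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition("=")
            params[key.strip().lower()] = value.strip()
    return {
        "transport": m.group("transport").upper(),
        "sent_by_host": m.group("host"),
        # 5060 is the default for UDP/TCP when sent-by carries no port
        "sent_by_port": int(m.group("port") or 5060),
        "params": params,
    }

def nat_view(message):
    """Compare what we wrote in Via (sent-by) with what the far end saw (received/rport)."""
    via = parse_top_via(message)
    rport = via["params"].get("rport")  # empty or missing means the server echoed nothing
    seen_port = int(rport) if rport else None
    seen_host = via["params"].get("received", via["sent_by_host"])
    return {
        "sent_by": (via["sent_by_host"], via["sent_by_port"]),
        "seen_as": (seen_host, seen_port),
        "port_rewritten": seen_port is not None and seen_port != via["sent_by_port"],
    }
```

For the quoted response, `nat_view(RESPONSE)` reports sent-by port 5060 seen as 51566, which matches the `req_src_port=51566` in the provider's Warning header.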