[asterisk-users] problems with natted phones
Duncan Turnbull
duncan at e-simple.co.nz
Wed Sep 8 16:12:59 CDT 2021
> On 9/09/2021, at 8:46 AM, Marek Greško <mgresko8 at gmail.com> wrote:
>
> Sorry did convert, not did converted :)
>
> 2021-09-08 22:43 GMT+02:00, Marek Greško <mgresko8 at gmail.com>:
>> Hello,
>>
>> I did converted from iptables by automatical script and then rewritten
>> myself, because not everything was rewritten successfully.
>>
>> Relevant parts:
>>
>> table ip filter {
>> ct helper sip {
>> type "sip" protocol udp
>> l3proto ip
>> }
>>
Where are the rules for rtp? This is an rtp problem. What ports are allowed for them? And what other udp rules exist that could be interfering
On your asterisk what ports do you have assigned for rtp? What are the matching firewall rules?
>> chain PREROUTING {
>> type filter hook prerouting priority filter; policy accept;
>> udp port 5060 ct helper set "sip"
>> }
>>
>> chain INPUT {
>> ...
>> ct state invalid drop
>> ct state related accept
>> ct state established accept
>> ...
>> iifname "ppp0" jump i-inet
>> }
>>
>> chain OUTPUT {
>> type filter hook output priority filter; policy accept;
>> udp port 5060 ct helper set "sip"
>> ...
>> }
>>
>> chain i-inet {
>> ...
>> udp port 5060 jump r-sip
>> ...
>> }
>>
>> chain r-sip {
>> ip saddr 192.0.2.0/24 accept
>> }
>> }
>>
>> table ip mangle {
>> chain PREROUTING {
>> type filter hook prerouting priority mangle; policy accept;
>> ...
>> udp sport 5060 ip dscp set 0x04
>> }
>>
>> chain OUTPUT {
>> type route hook output priority mangle; policy accept;
>> ...
>> udp dport 5060 ip dscp set 0x04
>> ...
>> }
>> }
>>
>> table ip6 filter {
>> ct helper sip {
>> type "sip" protocol udp
>> l3proto ip6
>> }
>>
>> ... pretty the same, but I have no ipv6 internet connectivity, so
>> this should not match ...
>>
>> }
>>
>>
>> Is there something incorrect?
>>
>> Thanks
>>
>> Marek
>>
>>
>>
>> 2021-09-08 21:17 GMT+02:00, Duncan Turnbull <duncan at e-simple.co.nz>:
>>>
>>>
>>>>> On 9/09/2021, at 6:23 AM, Marek Greško <mgresko8 at gmail.com> wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> I confirm temporarily allowing all the udp communication from the nat
>>>>> ip address solved the problem, so the problem lies in the nftables.
>>>>> This is probably not the right forum to continue. Or is it? Does
>>>>> anybody have wide experience with nftables and sip?
>>> If you publish your rule set then we could look. Did you write the rules?
>>> What have you checked so far?
>>>
>>>>
>>>> Thanks
>>>>
>>>> Marek
>>>>
>>>>
>>>> 2021-09-07 10:40 GMT+02:00, Antony Stone
>>>> <Antony.Stone at asterisk.open.source.it>:
>>>>> On Monday 06 September 2021 at 23:05:27, Duncan Turnbull wrote:
>>>>>
>>>>>>>> On 7/09/2021, at 8:30 AM, Marek Greško <mgresko8 at gmail.com> wrote:
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> it is only local nftables with nf_conntrack_sip on the asterisk
>>>>>>>> server. Probably a kernel bug? It did not trigger with previous
>>>>>>>> providers since they had working SIP ALG. Now I hear no audio in
>>>>>>>> both
>>>>>>>> directions because outgoing rtp stream from asterisk goes to private
>>>>>>>> address space and incoming stream is blocked. So the outgoing rtp
>>>>>>>> could not be learnt to send to nat addess.
>>>>>>
>>>>>> Maybe a bug but that’s less likely than a config error. Time to debug
>>>>>> your
>>>>>> nftables.
>>>>>
>>>>> Try temporarily simply turning the firewall off - allow all traffic
>>>>> through
>>>>> (although leave in place any NAT rules).
>>>>>
>>>>> If you then find that RTP works, you know where the problem lies.
>>>>>
>>>>>
>>>>> Antony.
>>>>>
>>>>> --
>>>>> Perfection in design is achieved not when there is nothing left to add,
>>>>> but
>>>>> rather when there is nothing left to take away.
>>>>>
>>>>> - Antoine de Saint-Exupery
>>>>>
>>>>> Please reply to the
>>>>> list;
>>>>> please *don't*
>>>>> CC
>>>>> me.
>>>>>
>>>>> --
>>>>> _____________________________________________________________________
>>>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>>>
>>>>> Check out the new Asterisk community forum at:
>>>>> https://community.asterisk.org/
>>>>>
>>>>> New to Asterisk? Start here:
>>>>> https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>>>>>
>>>>> asterisk-users mailing list
>>>>> To UNSUBSCRIBE or update options visit:
>>>>> http://lists.digium.com/mailman/listinfo/asterisk-users
>>>>
>>>> --
>>>> _____________________________________________________________________
>>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>>
>>>> Check out the new Asterisk community forum at:
>>>> https://community.asterisk.org/
>>>>
>>>> New to Asterisk? Start here:
>>>> https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>>>>
>>>> asterisk-users mailing list
>>>> To UNSUBSCRIBE or update options visit:
>>>> http://lists.digium.com/mailman/listinfo/asterisk-users
>>>
>>> --
>>> _____________________________________________________________________
>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>
>>> Check out the new Asterisk community forum at:
>>> https://community.asterisk.org/
>>>
>>> New to Asterisk? Start here:
>>> https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>>>
>>> asterisk-users mailing list
>>> To UNSUBSCRIBE or update options visit:
>>> http://lists.digium.com/mailman/listinfo/asterisk-users
>>
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> Check out the new Asterisk community forum at: https://community.asterisk.org/
>
> New to Asterisk? Start here:
> https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
More information about the asterisk-users
mailing list