<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-IE link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US>Hi there,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>I am trying to set up a configuration that requires me to use SIP and Asterisk behind a firewall and over a VPN to a remote office, and with some local phones also.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>I can’t use IAX to my provider because they don’t offer it, and my handsets (snom 300) also don’t support IAX, so it’s all SIP.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>The configuration is as follows:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Asterisk PBX 10.202.17.217/24 ------>| 10/100-Switch |-----> Firewall1 pfsense X.Y.Z.250 -------->ITSP SIP Provider public internet<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>LocalPhones 10.202.17.1-25/24 ------>| 10/100-Switch |-----> Firewall2 Watchguard ----->ISP internet Connection &lt;-----Firewall3 | remote office | ----Remote User Phone 192.168.97.74/24<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>There is a Lan2Lan VPN tunnel between Firewall2 and the remote office Firewall3.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>I can ping the remote office phone from the Asterisk PBX at all times.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Now I have my sip.conf set up with externip = X.Y.Z.250<o:p></o:p></span></p><p class=MsoNormal><span
lang=EN-US>[general]<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>port = 5060<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>bindaddr = 0.0.0.0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>context = default<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>allowoverlap=no<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>srvlookup = yes<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>: externip =<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>externip = x.y.z.250<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>localnet=10.202.17.0/255.255.255.0<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>qualify=yes<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>nat=yes<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>register = xxxxxxx:SipServer/xxxxxxxx<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>limitonpeers=yes<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>allowsubscribe=yes<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>notifyringing=yes<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>notifyhold=yes<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>useclientcode=yes<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>canreinvite=no<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>I have pfSense set up to forward ports 5060 and RTP ports over UDP back to the internal Asterisk server.
And a firewall rule to allow this traffic from only my ITSP SipServer.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>I can make a call from any phone on the local phones network to the outside world via the SIP proxy with Asterisk in the media stream (canreinvite=no).<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>I can make a call from the remote user phone to a local phone or to any other phone outside the network, but I don’t get any audio.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>If I remove the IP address X.Y.Z.250 from the externip setting, then I can call from the remote phone to local phones fine and get perfect audio, but I can’t make any outbound calls from local to the outside world via my ITSP.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Do I need to set up a STUN server to tell the remote phones that Asterisk is not on the public address but rather on the LAN address accessible via the VPN?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Or should I put a second network adapter in the Asterisk PBX and set up iptables on this, removing the firewall from the equation?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>I could send all users to the public address X.Y.Z.250, but I want to limit by IP address what is allowed in on this, and the remote user has a dynamic IP address on their internet connection.
So I want to leave this to the last resort.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Has anyone any suggestions?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Thanks<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Albert<o:p></o:p></span></p></div></body></html>
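Added example, not part of the original post and not Asterisk's own code: a simplified Python model of the externip/localnet rule that the sip.conf above relies on (a peer inside a localnet is offered the PBX's own address, any other peer is offered externip). 198.51.100.250 stands in for the masked X.Y.Z.250, 203.0.113.10 for the unnamed ITSP, and the second localnet line is a hypothetical variant.

```python
import ipaddress

# Constructed stand-ins: the post masks the public address as X.Y.Z.250 and
# never gives the ITSP address, so documentation-range addresses are used.
EXTERN_PLACEHOLDER = "198.51.100.250"
ITSP_PLACEHOLDER = "203.0.113.10"
PBX_LAN_ADDR = "10.202.17.217"          # Asterisk PBX address from the post

SIP_CONF_AS_POSTED = f"""
[general]
bindaddr = 0.0.0.0
externip = {EXTERN_PLACEHOLDER}   ; X.Y.Z.250 in the post
localnet=10.202.17.0/255.255.255.0
nat=yes
"""

# Hypothetical variant: the remote office subnet is also declared local.
SIP_CONF_WITH_VPN_NET = SIP_CONF_AS_POSTED + "localnet=192.168.97.0/255.255.255.0\n"


def parse_general(text):
    """Return (externip, [localnet networks]) from sip.conf-style text."""
    externip, localnets = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "externip" and value:
            externip = ipaddress.ip_address(value)
        elif key == "localnet":
            localnets.append(ipaddress.ip_network(value, strict=False))
    return externip, localnets


def advertised_address(conf_text, peer_ip, own_ip=PBX_LAN_ADDR):
    """Address offered to peer_ip in Contact/SDP under the externip/localnet rule."""
    externip, localnets = parse_general(conf_text)
    peer = ipaddress.ip_address(peer_ip)
    if externip is None or any(peer in net for net in localnets):
        return own_ip
    return str(externip)


if __name__ == "__main__":
    peers = {"local phone": "10.202.17.10", "remote phone": "192.168.97.74",
             "ITSP": ITSP_PLACEHOLDER}
    for label, conf in (("as posted", SIP_CONF_AS_POSTED),
                        ("with VPN subnet", SIP_CONF_WITH_VPN_NET)):
        for name, ip in peers.items():
            print(f"{label:16} {name:13} {ip:15} -> {advertised_address(conf, ip)}")
```

As posted, the remote phone at 192.168.97.74 is treated as an outside peer and is offered the externip address; with its subnet declared as a second localnet it is offered the LAN address while the ITSP is still offered externip.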