Author Topic: Asterisk SIP server behind Zentyal firewall  (Read 3216 times)

gopher49

  • Zen Apprentice
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
Asterisk SIP server behind Zentyal firewall
« on: November 14, 2013, 06:57:23 am »
I installed an Asterisk SIP server behind the Zentyal firewall.  I'm simply using the Zentyal server as a gateway/firewall.  I'm having problems forwarding traffic to my SIP server.  I'm getting various INVITE errors.  It almost seems Zentyal is trying to answer the SIP requests... I do not have the VoIP module installed.  What am I doing wrong?  All of my other port forwards work perfectly fine..  My SIP carrier says they are getting various INVITE errors.  Please help.

christian

  • Guest
Re: Asterisk SIP server behind Zentyal firewall
« Reply #1 on: November 14, 2013, 09:01:11 am »
Aside this problem description, can't you be a bit more explicit, like explaining what you did in term of port forwarding and also providing error message ?
Difficult to determine if you did something wrong if you don't explain what is done so far  ;)

I assume you are forwarding port 5060 (both UDP and TCP). Is it correct ?
Did you enable log and check for any error ?

half_life

  • Bug Hunter
  • Zen Hero
  • *****
  • Posts: 867
  • Karma: +59/-0
    • View Profile
Re: Asterisk SIP server behind Zentyal firewall
« Reply #2 on: November 14, 2013, 02:04:22 pm »
I have been running this way since initial install several years ago at home.

What does your Network--Services--VOIP look like?
Do you have a matching port-forward entry for each item listed in the service section? 
Is there an entry in Packet-Filter ---- External Networks to Zentyal   for VOIP accepting it?

Lastly do you have traffic shaping turned on?  I doubt this is your problem but I am asking for a complete picture.

half_life

  • Bug Hunter
  • Zen Hero
  • *****
  • Posts: 867
  • Karma: +59/-0
    • View Profile
Re: Asterisk SIP server behind Zentyal firewall
« Reply #3 on: November 14, 2013, 02:13:41 pm »
I would suspect that you didn't port forward a range of RTP ports for asterisk to use.  I use ports 10000 to 20000 which if I am not mistaken is the default range for RTP.

gopher49

  • Zen Apprentice
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
Re: Asterisk SIP server behind Zentyal firewall
« Reply #4 on: November 14, 2013, 02:25:31 pm »
I have all ports open..  TCP/UDP 5060 is open.  TCP/UDP 10000-20000 is open.  They are port forwarded to my SIP server.  Please keep in mind I'm not using Zentyal's SIP server.  I'm using my own.  I have no packet filtering nor do I have traffic shaping. I'm able to register from remote extensions and able to call the voicemail from remote extensions.  This being remote extensions via the internet.. But.  I'm also able to register to my SIP gateway..But..  Incoming and outdoing calls to two different carrier get INVITE issues.  I checked the firewall logs and they only show some DROPs that are not from my provider.  I don't see where I can see all LOGs.  I have LOG enabled for my firewall / port forward rules but I only see DROP entries in my log files.. This stands true for all traffic not just this IP.  So.. My logs aren't helping too much.  I double checked to make sure Zentyal's SIP server is not running and it's not..  That module is not installed.

In regards to 'Do you have a matching port-forward entry for each item listed in the service section? '  I left all this section in default.  I do see a TCP any any and a UDP any any.  That is in their by default.  I don't think there is anything for me to configure.  It's really strange I can register from remote extensions through the internet and even call voicemail.. But..  Inbound and outbound calls don't work. 

In regards to 'Is there an entry in Packet-Filter ---- External Networks to Zentyal   for VOIP accepting it?'.  Initially I left this at default.  But..  I just added packet filters for TCP/UDP 5060 and TCP/UDP 10000-20000 and allows from any source...  Still same symptoms. 

My provider even sent me a packet capture. 
« Last Edit: November 14, 2013, 02:39:22 pm by gopher49 »

half_life

  • Bug Hunter
  • Zen Hero
  • *****
  • Posts: 867
  • Karma: +59/-0
    • View Profile
Re: Asterisk SIP server behind Zentyal firewall
« Reply #5 on: November 14, 2013, 02:51:39 pm »
I have in my VOIP service entry :

UDP  5060
UDP 10000-20000
UDP 5036
UDP 4569

My firewall is setup to permit connections on these ports from my provider
Zentyal is setup to forward these ports to my asterisk server which is internal

What happens if you keep your asterisk system in the middle of the call legs ?


gopher49

  • Zen Apprentice
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
Re: Asterisk SIP server behind Zentyal firewall
« Reply #6 on: November 14, 2013, 04:27:07 pm »
I see NOTHING hit my asterisk server on inbound calls.  But..  At first people where able to register via remote extensions.  That I would see on the console.  That actually just quit..  It was working when I went to bed.  The only change I made was the packet filters.. odd.   Last night if a remote extension called voicemail I would see it..  But.. Inbound calls never hit my SIP server.  And now.. remote extensionsi are not registering.  I'm even using verbose mode 7 via the command 'asterisk -vvvvvvvr'.  I'm going to move the SIP server in front of the Zentyal...  This will rule out Zentyal.  My ports have to be correct for 5060, 10000-20000 have to be open for them to register and for them to be able to call voicemail.  That at least was working.  I'm registering the remote extensions via the internet.  I created a rule to hit HTTPS on the Elastix/Asterisk server and I can access it.  So, port forwarding is fine. I'm beginning to think maybe my new install of Elastix/Asterisk is having issues.

So.  Long story short.  Remote extensions where working last night and now they are not.. But.. My HTTPS port forward IS working?!  Do I need a packet filter for all traffic that I port forward?

One thing odd about my Zentyal public IP config is that no matter what I tried the correct network / CIDR would work.   I ended up using a subnet mask of 255.255.255.0 for my public IPs.   My other poet forwards work perfectly though.   Including the HTC forward I have in place pointing to the same server I'm having issues with.   

Are packet filters required for port forwards to work?

« Last Edit: November 14, 2013, 07:45:00 pm by gopher49 »

half_life

  • Bug Hunter
  • Zen Hero
  • *****
  • Posts: 867
  • Karma: +59/-0
    • View Profile
Re: Asterisk SIP server behind Zentyal firewall
« Reply #7 on: November 14, 2013, 06:34:46 pm »
I also run Elastix so the setup will be as apples to apples as it gets.  The only difference is that I am probably running a much older version of Elastix than you (2.0).  Did you enable the firewall on Zentyal or Elastix or both?

gopher49

  • Zen Apprentice
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
Re: Asterisk SIP server behind Zentyal firewall
« Reply #8 on: November 14, 2013, 11:34:45 pm »
I think I found the problem.. If you see my most recent thread I started it seems there is a connection or license limit on the community version of Zentyal?!  The last hosts I added are having issues accessing the internet.  If I shut a few host down a few new can then get on the internet.  Any suggestions?  Is there a license limit?

christian

  • Guest
Re: Asterisk SIP server behind Zentyal firewall
« Reply #9 on: November 14, 2013, 11:45:38 pm »
Is there a license limit?

No  ::) at least not known so far  ;)

half_life

  • Bug Hunter
  • Zen Hero
  • *****
  • Posts: 867
  • Karma: +59/-0
    • View Profile
Re: Asterisk SIP server behind Zentyal firewall
« Reply #10 on: November 15, 2013, 12:35:56 am »
This is indicative of a bigger problem in networking.  I am going looking for your other thread now to see if it would be more appropriate to continue the shoot there.