Recently I tried to configure fail2ban on my PBX, but the problem is that Asterisk sees every extension as if it were coming from the same place (the same address). Well… actually, in one way it is, but that address is the gateway, and every extension registered from outside is registered in Asterisk as if it were at that address. This means that fail2ban won’t work. It will ban the gateway address every time and nothing will connect after that.
This is how the report looks in Asterisk:
Name/username   Host            Dyn  Forcerport  Comedia  ACL  Port   Status        Description
1XXXX/1XXXX     (Unspecified)   D    Yes         Yes           0      Unmonitored
xxx/xxx         10.3.0.100      D    Yes         Yes      A    2580   OK (1259 ms)
xxx             (Unspecified)   D    Yes         Yes      A    0      UNKNOWN
xxx/xxx         10.3.0.100      D    Yes         Yes      A    39734  OK (185 ms)
xxx/xxx         10.3.0.100      D    Yes         Yes      A    48678  OK (327 ms)
xxx/xxx         10.3.0.100      D    Yes         Yes      A    25550  OK (854 ms)
xxx/xxx         10.3.0.100      D    Yes         Yes      A    49745  OK (869 ms)
As you can see, every extension comes from the same IP, which is not the case… that IP is the router gateway. Does anybody know how to solve this?
That’s a very low level message. Those connections are - really - coming from that IP Address. Specifically, that 10.3.0.100 device is doing NAT.
As it’s an internal address, you’ll find that you can probably disable NAT without any bad things happening, but check with your network administrator to figure out why it is set up that way.
Thanks for the reply, friend.
Yes, 10.3.0.100 is doing NAT and I am the admin on that device. I have 2 NAT rules that may affect it: one is SRC NAT masquerade, while the other is DST NAT forwarding port 5060 UDP to the PBX local address. Since there is no other network administrator on this, it seems that I have not configured my router correctly for this. Can you give me some directions?
Without knowing how your network is set up, unless you REALLY NEED those devices to be NATted, you should be able to exclude them.
I’m randomly guessing at your network here. But let’s assume that that router is called ‘R’ which is connected to two networks, A and B, and the internet, I.
A is 10.3.0.0/24, and B is 10.4.0.0/24. Your VoIP Server is in B, and your phones are in A.
You need to tell your router to only NAT traffic that is going to I, -not- between A and B.
There is no NAT between A and B, and the phones are on I. So in this case NAT is needed to forward the traffic to local addresses. I am trying to connect phones over the internet. The phones are functional and everything is fine, but this thing about the addresses causes me trouble because I can’t filter VoIP attackers. It’s obviously all about NAT…
You don’t need nat on traffic coming IN from the internet, only on traffic going OUT to the internet.
Hmmm… I’m not sure I understand… How can it work in that case? If I disable NAT (DST-NAT) then I won’t be able to connect to the PBX from outside.
I think you’re getting confused with port forwarding, and NAT. They’re totally different things.
I said that because you don’t seem to understand the fundamental concepts of NAT. This is the cause of your problem. Your NAT setup is incorrect. You should get someone in who can resolve this properly.
“You want to port forward incoming connections, and NAT external connections”.
Expanded, you want to SNAT outgoing connections and DNAT incoming connections.
I strongly - STRONGLY - urge you not to mess with this. You don’t understand what you’re doing, and you’re just going to get more and more confused. Perhaps the people who manufacture the device you’re using for NAT offer support?
Or even better, just throw it away and get a cheap $20 router that will do this with a nice clicky user interface.
I’ll have a bash . . .
Port forwarding is necessary to get your SIP and resulting SDP connections properly redirected through your firewall to your server. Having your firewall also translate the IP address is not necessary, but it is what many “helper”/ALGs do (almost always badly), and it means that any source address filtering based on SPI can only be done by the firewall. Most do not have that ability, so disable any of that functionality on your router or fail2ban will be subverted.
Seeing a bunch of devices behind the same address (albeit with different ports) is normal if the address is a far end router; this is how routers work. Then fail2ban WILL work, but one bad user/password extension or any other transgression that the fail2ban regexes catch originating behind that far end firewall will sooner or later cause them all to be banned. That is unfortunate, but you need to be able to husband such cases: fail2ban will identify the bad authority or other exploit successfully, and you will have to tell the client to just “not do that”, or, if you fully trust that far end network, then add an ignoreip to fail2ban for that network.
Any SIP/IAX2 connections that apparently originate from your gateway’s address, I would normally assume are always illegitimate unless possibly it has its own FXO/FXS/TDM/SIP server embedded.
SNAT-ing outgoing connections and DNAT-ing incoming connections was done already… I am using a MikroTik router and I can’t change it to any cheap thing because I have so many options with MikroTik. VPN between some points is one of them.
MikroTik has a built-in SIP “helper”; are you using that? Are you using VPN for your remote extensions?
According to Asterisk, you’re using SNAT (source NAT) for incoming connections, not DNAT.
However, this is a problem with your MikroTik device. You should be asking them for support. This is probably something someone there can fix in a matter of seconds, or you could spend days here.
No. VPN is used for something else. Extensions are connecting directly and I won’t connect them via VPN. I don’t use the built-in SIP helper.
Well… Asterisk is wrong. If I disable DNAT then extensions won’t connect. New moment is…
I have changed the settings of one of my extensions in Asterisk from NAT=YES to NAT=NEVER. After this Asterisk reported a different address for that extension, but again it was not the public one. It was the local address of the extension provided by DHCP from the router the phone was connected to. STATUS=UNREACHABLE. I could make calls from it but not receive them… and, yes, it was one-way audio.
Then, as Rob suggests, you need to reconfigure your MikroTik; it is masking the “real” registrants and not correctly forwarding the SDP sessions.
Hi Spaxton, sorry to be opening up this thread after 4 years. This is the first well-articulated thread about a problem we are facing too, on just one of the many boxes we have deployed. Were you able to find the root cause of the problem?
Captured in this ongoing thread… Asterisk Info, Peer report of SIP Peers indicating Host as PBX server IP
Hi Dicko, as you have explained, my hunch was also on the router (Aztech DSL8800GR), but the fact that Asterisk “sip show peer” does show the correct source IP in the “Reg. Contact” field but morphs it to the PBX server IP in the “Addr->IP” field causes me to think it may be some interpretation of Asterisk as well.
Appreciate your analysis of our case. Thanks.
Hello Rohit Gupta,
Don’t be sorry, I am glad if I can help you!
I did solve this problem. My problem was that FreePBX really could not see the real source address because all interfaces in my MikroTik router were SRC NAT-ed. This problem is not related to FreePBX but to the router. If you tell me which router you have, I may be able to help you resolve this. I am able to assist you via TeamViewer too.
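As an added illustration (not configuration posted by anyone in this thread), here is what the MikroTik situation described above looks like in RouterOS firewall terms: a srcnat masquerade rule with no out-interface match rewrites the source of the SIP traffic that has already been dst-nat’ed into the LAN, so the PBX sees every remote phone as the router’s own LAN address (10.3.0.100 in the report above) and fail2ban would ban all of them together. The corrected rules restrict masquerading to traffic leaving towards the internet and forward SIP only from the WAN side. The interface name ether1-wan, the PBX address 10.3.0.10 and the RTP port range 10000-20000 are assumed placeholders, not values from the thread.

```routeros
# Added example, not from the thread. Assumed placeholders:
#   ether1-wan  = interface facing the internet
#   10.3.0.100  = router LAN address (as seen in the thread's peer report)
#   10.3.0.10   = PBX LAN address (assumed)
#   10000-20000 = RTP port range configured on the PBX (assumed)

# --- Broken form: masquerade matches every forwarded packet ---
# Because no out-interface is given, this rule also rewrites the source of
# SIP packets that the dstnat rule has just redirected into the LAN, so the
# PBX registers all remote phones as 10.3.0.100.
/ip firewall nat
add chain=srcnat action=masquerade comment="BROKEN: masquerades LAN-bound traffic too"
add chain=dstnat protocol=udp dst-port=5060 action=dst-nat \
    to-addresses=10.3.0.10 to-ports=5060 comment="SIP to PBX"

# --- Corrected form ---
# Only traffic leaving through the WAN interface is masqueraded; packets
# forwarded into the LAN keep the phone's real public source address, so
# Asterisk's peer report (and therefore fail2ban) sees one IP per site.
/ip firewall nat
remove [find comment~"BROKEN"]
add chain=srcnat out-interface=ether1-wan action=masquerade \
    comment="Masquerade only traffic going out to the internet"
add chain=dstnat in-interface=ether1-wan protocol=udp dst-port=5060 \
    action=dst-nat to-addresses=10.3.0.10 to-ports=5060 comment="SIP signalling to PBX"
add chain=dstnat in-interface=ether1-wan protocol=udp dst-port=10000-20000 \
    action=dst-nat to-addresses=10.3.0.10 comment="RTP media to PBX"

# The built-in SIP ALG ("helper") rewrites SDP and is a common cause of
# one-way audio; leave NAT handling to Asterisk's own nat settings instead.
/ip firewall service-port
set [find name=sip] disabled=yes
```

After applying the corrected rules, re-run “sip show peers” on the PBX: the Host column should now show each remote phone’s public address rather than the router’s LAN address. Only then is fail2ban safe to enable, and, as dicko notes above, a trusted remote site whose phones all share one public IP still belongs in fail2ban’s ignoreip so that one bad password there does not ban the whole site.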
@Spaxton, thanks. I suspect this router may be doing SNAT or DNAT too, but since ssh access is closed, I’m unable to confirm and alter it. A general purpose router should generally masquerade.
The router is an Aztech DSL8800GR(S) (ftp://ftp.aztech.com/support/singapore/ADSL/DSL8800GRV(S)%20-%20User%20Manual%20v1.0.pdf).