IP Phone over WAN to Asterisk

The router is a DrayTek Vigor2600 annex A.

Perhaps I’m using sip set debug 5 wrongly because nothing came up, can you explain how to use it for a Linux/Asterisk newbie please? Thanks.

Sure, go to the asterisk cli by typing

asterisk -r

then type:

sip set debug

I agree with bubba on this, it is a network/router issue. If the phone works internal then the userID and password parts are right, the extension is configured correctly. But when the phone is external it does not work, then it is a firewall/router issue. The sip_nat.conf looks with assuming the IP EDITED is the external IP of the firewall that has the ports being forwarded. That’s the problem with editing config files: you are removing an important part of the info.

Basically, if the firewall is set up properly then packets would be forwarded to the Asterisk box and you WOULD have output; since you have none, the firewall is not forwarding properly.

So are you SURE you forwarded UDP ports and NOT TCP ports? As SIP is UDP based, forwarding TCP ports will get you nowhere, which is basically what you have now.

I don’t know the firewall you are using; it might not properly forward UDP?

Nobody has asked if there is a firewall on the remote side? Sometimes port 5060 needs to be forwarded on that to the phone (older non-sip aware firewalls for example).

I had to put what should go in sip_nat.conf in sip_general_custom.conf to get it to work, so you might try that.

Also, if your phone is behind a NAT, you may have to specify a STUN server. (My remote phones aren’t, so that isn’t an issue for me. Maybe someone else can chime in on this)

OK, I’ve tried copying sip_nat to sip_general_custom but that didn’t do anything.

I have now tried enabling sip debug and I tried connecting from home then searching /var/log/asterisk/full for my ip address but it’s not there. I know I forwarded the ports correctly because I’ve worked with this router before. Is there anything else it can be?

Can it be anything in my extension setup?

If I have to specify a STUN server, what is that and how do I do that?

Edit: By the way, I just tried X-lite again from inside the network but by specifying the public IP of the PBX (X-lite works fine for me if I specify the internal IP of the PBX, but with the public IP it says 403 Bad Auth), here is the sip debug log for that attempt:

In etc/asterisk double check your rtp.conf file. There should be a rtpstart = 10001 and rtpend = 20000. If the end is set higher than 20000 you will have to widen your port range in the firewall or change the rtpend number to 20000.

Checked rtp.conf, it looks fine

Are you sure you have the correct IP for the external IP set in sip_nat.conf?

Go to www.whatismyip.com and see if it comes up with what you have. This is really sounding like a nat or firewall problem.

I have x-lite on my laptop and no matter where I am in the world I can register and make calls. So if you cannot do it with x-lite outside your lan it has to be a network issue.

Who is your ISP (at home and work)? Do they also provide VoIP service? They COULD be blocking you.

I was using whatismyip anyway.

X-Lite doesn’t even work when I’m INSIDE the LAN (but addressing the PBX by the public IP). The firewall is configured correctly if all the ports I listed are the correct ones, and they are forwarded to the PBX on TCP and UDP.

The ISP is Demon, I don’t see why it matters though, I thought net neutrality prevented ISPs from blocking specific packets such as VoIP, BitTorrent, etc.

baldbrad. It should not make a difference which file it is placed in currently unless somebody or something has played with your sip.conf file. Double check your sip.conf to see that it is loading sip_nat.conf. It should be the include right after the sip_general_custom.conf so placing it in one or the other will not make a difference.

Lee Christie,

When you are behind a firewall you can’t use the external IP as it would have to go out the firewall and loop back on the same interface. Most firewalls do not do/allow this (cisco pix and asa’s are the exception to that if the loopback option is enabled).

sip debug will show ANY traffic that hits the SIP port (5060). So if you are not getting anything then you are NOT getting stuff forwarded.

So when you hit it from the outside and you are not seeing SIP info being displayed, then it is NOT making it to the machine. Like I stated earlier, that becomes a network/firewall/router issue. If the traffic can’t get to the server then nothing you do at the server will fix that.

So please double check the firewall, make sure that the ports being forwarded are UDP; opening TCP ports is useless and potentially a security risk. Next check all the other equipment that might be in between, like a router. It might not be allowing something also.

Once you start getting info displayed via the sip debug you know your network is set right and then if it still does not connect properly it can be a server config issue.

The ONLY exception to that would be if you have any iptables rules running on the box. If so, disable them until you get things working…

First thing: check on the Asterisk SIP server when X-Lite registers to the SIP server. If the SIP server receives the register/INVITE message, that means X-Lite sent the message to Asterisk over port 5060. If X-Lite can’t register to the SIP server, that means something on the SIP server is configured wrong.

If the SIP server has no INVITE/register message from X-Lite, then the firewall has a problem. Normally, we need to NAT ports 5060 to 5069 for SIP and 10000 to 20000 for RTP.

Hope you can fix that.

Trung Do

It’s a long time since I set mine up, and (like any good IT specialist) I didn’t thoroughly document it at the time. Of course, the configs ARE fairly self-documenting though… :)

With my own configuration, I’ve got all my extensions (at least, the ones that can) set to use the DNS name of the server.

That way, if they’re inside the LAN, they work, if they’re out on the net, they work. No programming changes required. This assumes of course that you have control of the DNS (and know how to configure a split DNS).

It seems a silly question, but are you able to ping the PABX using DNS name (ie ping pabx.somedomain.dom)? From inside the LAN, and from the Internet?

If so, I suggest using that name, not the IP.

Also, in addition to setting that name as the SIP server, set it as the Outbound Proxy as well.

Oh, Trung: If the extension is configured to hit the public IP whilst inside the LAN, the usual result is that the router will silently drop the packet (anti-spoofing). The configs could all be perfect…

Useful information: http://www.freepbx.org/support/documentation/howtos/howto-setup-a-remote-sip-extension

OK, if you are not getting anything from the server, how about the softphone log???

Did you use the stun server setup in the softphone??

And do not take this wrong, but you do know what a public ip is right??? Just asking…

I have seen folks fighting remote access and they are double NATted: they have a non-routed IP on a second router behind the device from the ISP. Just forwarding thru the two devices is not going to cut it.

So you need to lay out your network from the pipe in (your ISP) to the PBX.
If you are worried about your IP addy change the LAST set of numbers but give us something to chew on.

ngrep -d any -Wbyline -t port 5060

will show the port on the box in real time

RebelOz69: Like I said, I’m addressing it by private IP internally and by public IP externally not by DNS name, the PBX does not have a DNS name.

bubba: I’ll get logs to you asap, but I’m having trouble with my MacBook right now. Also, I don’t know what a STUN server is, so no, I didn’t use the STUN server setup in X-Lite. Yes, I know what a public IP is.

Okay, still not working. But what I’ve done is change the settings in the phone so that it is now on the correct domain and it is now connecting to the PBX. Asterisk reports it as connected; however, on the FOP it is greyed out and if I try to call it I get “The person is 501 is unavailable…”. But I CAN make calls FROM that extension remotely now.

Where do I look to find out what it thinks it’s doing now?

P.S. ngrep doesn’t seem to be installed on my CentOS box and running the command bubba suggested with just grep doesn’t seem to work.

at the asterisk CLI
sip show peers
sip show registry

501-504 are the extensions assigned to the remote phone.

[code]pbx*CLI> sip show peers
Name/username Host Dyn Nat ACL Port Status
504 (Unspecified) D N 0 UNKNOWN
503/503 (Unspecified) D N 0 UNKNOWN
502/502 (Unspecified) D N 0 UNKNOWN
501/501 (Unspecified) D N 0 UNKNOWN
210/210 D N 5060 OK (9 ms)
209/209 D N 5060 OK (10 ms)
208/208 D N 5060 OK (9 ms)
207/207 D N 5060 OK (10 ms)
206/206 D N 5060 OK (10 ms)
205/205 D N 5060 OK (11 ms)
204/204 D N 5060 OK (10 ms)
203/203 D N 5060 OK (10 ms)
202/202 D N 5060 OK (10 ms)
201/201 D N 5060 OK (10 ms)
14 sip peers [Monitored: 10 online, 4 offline Unmonitored: 0 online, 0 offline][/code]

[code]pbx*CLI> sip show registry
Host Username Refresh State Reg. Time[/code]

Since the last post, I got the person using the phone to try calling into the office from it, now extensions 501-502 have changed from UNKNOWN to UNREACHABLE. (Extension 504 has not changed, I may have configured it wrongly in the phone but that shouldn’t affect the other 3)