Multiple NICs, reply sent from other interface

First, want to apologize if this topic was covered before.
I have a server running FreePBX 11 w/Asterisk 11.25.1 with two NICs: external eth0 (208.x.x.203) and internal eth1 (10.0.0.234). There is no NAT/masquerading between them. Internal clients are registering through eth1, external through eth0, no problems at all.
Clients from the internal network are accessing the internet through another NAT router, with a different provider and IP (142.x.x.149).
I’ve tried to open ports 6666, 22, 80, 443 on that router and forward them to eth1 of my server (using 6666 for SIP). No problems accessing other services, but SIP registration times out. I tried running tcpdump on the server and it appears that while Asterisk receives the registration request on eth1 (10.0.0.234), it replies back through eth0 (208.x.x.203), see attached.
Most likely it is not a routing problem, since other services (SSH, HTTP(S)) are working just fine.

Is there anything in FreePBX/Asterisk configuration that I am missing?

Thanks,

Tuta

I wouldn’t assume that, since your trace shows that you clearly have a routing problem.

More precisely, it looks like you have a NAT problem. Your internal phones are supposed to connect to eth1 and your external phones are supposed to connect to eth0. I don’t understand what phones you have that are trying to connect through the NAT, since you’ve set everything up to avoid the use of NAT.

The reply is going to 91.x.x.78, which is connected to eth0, but you said that you aren’t using NAT, so there’s no way that’s going to work.

401 unauthorized describes the error you are getting. That might help you with some more information about the failure.

I wanted to try the new (NAT) configuration since we are going to lose this public IP (and eth0) in a couple of weeks.
I assumed it is not a routing issue, since SSH and HTTP are working just fine (eth0, eth1 and NAT).
Also, there is no concern about the “unauthorized” response, since there is no response at all on the client side (registration timeout).
So it is just not possible to have both NAT and a public IP for external clients? Thank you for replying.

The problem is that SSH and other protocols don’t embed the address of the device in the message. So, with NAT turned on, the “non-routable” address for the device gets encoded in the SIP header and the traffic is sent to the “routable” address. With your setup, the route in goes through NAT, but because the outbound DOESN’T, you end up with the phone at the remote end not having any idea what your SIP packets are talking about.

Testing your NAT configuration is simple enough by disabling the eth0 interface and reconfiguring eth1 to use NAT. After that, you should be able to test away.

OK, I understand. Thank you for your help.