NAT - That Age Old Issue

configuration

(Peter Warrick) #1

So I’m having a problem with NAT which I’m sure doesn’t surprise anyone considering the amount of information that is available out there. I’ve been able to resolve NAT issues in the past quite easily however I am a bit stuck with my latest setup.

I have FreePBX installed on a server that is NATed behind a firewall (all required ports are forwarded and open). My test phones are also being NATed behind a DIFFERENT firewall. So there is NAT going on both ends.

I am able to get my two test phones to call each other and they do connect so the SIP signalling is working just fine. However the RTP is where the problem is. I get no audio.

I did a packet trace on one of my phones and noticed that it was sending its RTP data to the private IP of FreePBX. Which of course won’t go anywhere as they are two different and separate private networks. It should be sending this data to the public IP of the FreePBX’s firewall for which it is behind.

All my reading up on this states that I need to set the “External Address” and “Local Networks” in the Sip Settings on FreePBX. Which I have done and have confirmed they are correct (Clicking the “Detect Network Settings” did it nicely.) The local network on the freepbx side is in the 172.31.x.x range. Whereas my phones are in the 10.x.x.x range. So there should be no confusion there. However FreePBX is sending its private IP in the contact headers when it should be sending its external address.

Any suggestions on what to look at? Here are the settings from the CLI…

pjsip show transport 0.0.0.0-udp

Transport: <TransportId…> <BindAddress…>

Transport: 0.0.0.0-udp udp 0 0 0.0.0.0:5060

ParameterName : ParameterValue

allow_reload : true
async_operations : 1
bind : 0.0.0.0:5060
ca_list_file :
ca_list_path :
cert_file :
cipher :
cos : 0
domain :
external_media_address : [FREEPBX’s PUBLIC IP]
external_signaling_address : [FREEPBX’s PUBLIC IP]
external_signaling_port : 0
local_net : 172.31.32.0/255.255.240.0
method : unspecified
password :
priv_key_file :
protocol : udp
require_client_cert : No
symmetric_transport : false
tos : 0
verify_client : No
verify_server : No
websocket_write_timeout : 100

And here is my endpoint config.

pjsip show endpoint 105

Endpoint: <Endpoint/CID…> <State…> <Channels.>
I/OAuth: <AuthId/UserName…>
Aor: <Aor…>
Contact: <Aor/ContactUri…> <Hash…> <RTT(ms)…>
Transport: <TransportId…> <BindAddress…>
Identify: <Identify/Endpoint…>
Match: <criteria…>
Channel: <ChannelId…> <State…> <Time…>
Exten: <DialedExten…> CLCID: <ConnectedLineCID…>

Endpoint: 105/105 Not in use 0 of inf
InAuth: 105-auth/105
Aor: 105 1
Contact: 105/sip:105@[MY PHONE’S PUBLIC IP]:35408;ob 932322892e Avail 47.560
Identify: 105-identify/105

ParameterName : ParameterValue

100rel : yes
accountcode :
acl :
aggregate_mwi : true
allow : (ulaw|alaw|gsm|g726)
allow_overlap : true
allow_subscribe : true
allow_transfer : true
aors : 105
asymmetric_rtp_codec : false
auth : 105-auth
bind_rtp_to_media_address : false
call_group :
callerid : “device” <105>
callerid_privacy : allowed_not_screened
callerid_tag :
connected_line_method : invite
contact_acl :
context : from-internal
cos_audio : 0
cos_video : 0
device_state_busy_at : 0
direct_media : true
direct_media_glare_mitigation : none
direct_media_method : invite
disable_direct_media_on_nat : false
dtls_ca_file :
dtls_ca_path :
dtls_cert_file :
dtls_cipher :
dtls_fingerprint : SHA-256
dtls_private_key :
dtls_rekey : 0
dtls_setup : active
dtls_verify : No
dtmf_mode : rfc4733
fax_detect : false
fax_detect_timeout : 0
force_avp : false
force_rport : true
from_domain :
from_user :
g726_non_standard : false
ice_support : false
identify_by : username
inband_progress : false
language : en
mailboxes :
media_address :
media_encryption : no
media_encryption_optimistic : false
media_use_received_transport : false
message_context :
moh_suggest : default
mwi_from_user :
mwi_subscribe_replaces_unsolicited : false
named_call_group :
named_pickup_group :
one_touch_recording : false
outbound_auth :
outbound_proxy :
pickup_group :
record_off_feature : automixmon
record_on_feature : automixmon
rewrite_contact : true
rpid_immediate : false
rtcp_mux : false
rtp_engine : asterisk
rtp_ipv6 : false
rtp_keepalive : 0
rtp_symmetric : true
rtp_timeout : 0
rtp_timeout_hold : 0
sdp_owner : -
sdp_session : Asterisk
send_diversion : true
send_pai : true
send_rpid : false
set_var :
srtp_tag_32 : false
sub_min_expiry : 0
subscribe_context :
t38_udptl : false
t38_udptl_ec : none
t38_udptl_ipv6 : false
t38_udptl_maxdatagram : 0
t38_udptl_nat : false
timers : yes
timers_min_se : 90
timers_sess_expires : 1800
tone_zone :
tos_audio : 0
tos_video : 0
transport :
trust_id_inbound : true
trust_id_outbound : false
use_avpf : false
use_ptime : false
user_eq_phone : false
voicemail_extension :

All those settings have been setup by FreePBX using the UI.

Also in the Advanced Settings I have SIP nat set to YES.

So I’m a bit confused as to what I could be missing. Welcome any comments here.
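The symptom described in this first post (a phone sending RTP to the PBX's private IP because that is the address the PBX advertised) can be confirmed from a captured SIP message. The following is an added example, not part of the original post: it flags RFC 1918 addresses in the Contact header and SDP `c=` lines. The sample message and the addresses 172.31.32.10 and 203.0.113.10 are constructed stand-ins.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample (not taken from the thread's trace): a 200 OK in which the
# PBX advertises its private address. All addresses here are made up.
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 10.0.0.50:35408;rport=35408;received=198.51.100.7\r\n"
    "Contact: <sip:172.31.32.10:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1234 1234 IN IP4 172.31.32.10\r\n"
    "s=Asterisk\r\n"
    "c=IN IP4 172.31.32.10\r\n"
    "t=0 0\r\n"
    "m=audio 14502 RTP/AVP 0 8 101\r\n"
)

def advertised_addresses(message):
    """Return (field, address) pairs the peer will use as signalling/media targets."""
    head, _, sdp = message.partition("\r\n\r\n")
    found = []
    for line in head.split("\r\n"):
        # Contact URI host (IPv4 literals only); an optional user@ part is skipped.
        m = re.match(r"contact\s*:.*?sips?:(?:[^@>;]*@)?([0-9.]+)", line, re.I)
        if m:
            found.append(("Contact", m.group(1)))
    for line in sdp.split("\r\n"):
        # c= is where the peer sends RTP; o= is not a media target and is ignored.
        m = re.match(r"c=IN IP4 (\S+)", line)
        if m:
            found.append(("c=", m.group(1)))
    return found

def unroutable_from_outside(message):
    """Fields carrying an RFC 1918 address that a peer on another network cannot reach."""
    bad = []
    for field, addr in advertised_addresses(message):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed value; not judged here
        if any(ip in net for net in RFC1918):
            bad.append((field, addr))
    return bad
```
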


(Peter Warrick) #2

It appears this MIGHT be a bug in PJSIP? See this related post…

Any updates on the fix?


(Andrew Nagy) #3

No idea.


(Peter Warrick) #4

Ok so I managed to make some progress but still not completely working yet.

In the “Asterisk SIP Settings” I removed the “Local Networks” setting so there is nothing in it. I left the External Address there.

So now in my packet trace I can see the RTP data going to the correct IP of the FreePBX server. I can also confirm that the packet trace on the FreePBX server can see both RTP streams coming into the server.

However, I still do not have any audio on the call.

I do see the occasional packet going back out from the FreePBX server out to the correct public IP of my phones and the correct ports. But not very often. I would assume to see just as many packets going out as coming in. So I’m guessing this is now the problem. But no idea why?


(Peter Warrick) #5

Ok I can put this one to bed finally. Got it working.

My solution above did indeed fix the problem (removing the local networks). But I rebooted my server for good measure and it had reset my firewall and was blocking ports 10000-20000 again. Forgot to add these in the firewall permanently before.

So for anyone else having this issue, my solution above worked.


(Andres) #6

Hi,
I’m having the same exact problem, but I think I solved it in a different way, by adding media_address=external ip address (the same as in the sip configuration) to pjsip.extension.conf, as indicated in the Asterisk wiki (https://wiki.asterisk.org/wiki/display/AST/Configuring+res_pjsip+to+work+through+NAT).
There’s no chance to add this parameter via GUI (if there is, I haven’t found it), so it has to be edited from console, with the parameter being blanked at every config change.
I restarted asterisk after the edit.
Is your solution working with the extension connected on the local network?


(Peter Warrick) #7

So far my solution is still working. However I haven’t fully confirmed that TLS/SRTP is fully working but I’m working on that in a development project of mine. I’ll have to check out this option in pjsip.extension.conf though. It’s not related at all to the external ip in Freepbx? Interesting. So you have both the External IP and Local networks filled AND this extra field in pjsip.extension.conf?

Thanks for the link, I’ll check it out.

By the “local” network. Do you mean if I have a device on the same network as Asterisk? That I have not tried as I have the Asterisk server in another physical location.


(Andres) #8

My freepbx installation resides in a sort of dmz, which is reachable from two other networks that I consider local.
So in the asterisk sip settings I have three networks configured as local, plus the external ip address.
One of the extensions is a sip client on a smartphone, connected locally while in office, and through the internet while outside.
The local scenario is working fine, both signaling and audio, but outside office I was not able to have any kind of audio.
I had audio by manually adding the media_address=x.x.x.x on pjsip.extension.conf, the rest of configuration is left untouched.
I’ll do some more testing once back in office, but I smell a bug on how freepbx is handling pjsip, because using chan_sip (not an option, I need Max Contacts) there’s no problem at all.
And now that I mentioned that, I’m also curious to see how freepbx+pjsip behave when an extension connects both from inside and outside office.


(Peter Warrick) #9

Andres,

Apologies for the slow reply. I was attending a conference this past week.

That WIKI definitely seems to point to what may be my issue. I have things working. However I have discovered an issue. I feel like it’s in my mobile app code instead of FreePBX/Asterisk but I can’t seem to sort it out. Perhaps the setting will help me.

You mentioned that you added it to pjsip.extension.conf? I don’t have that file. I have pjsip.endpoint.conf (along with _custom and _custom_post). However this seems to be for individual extension configurations. Do I need to add this field for each extension? I also have pjsip.conf, should it be in there under the “[global]” heading (or perhaps pjsip_custom_post.conf so it doesn’t get overwritten by freepbx?)


(Andres) #10

Hi,
I’m a newbie on freepbx, I didn’t know about the pjsip.endpoint_custom_post.conf.
So now I’ve added the media_address parameter inside pjsip.endpoint_custom_post.conf, using this syntax:

[yyyy](+)
media_address=x.x.x.x

With this addition the extension on the internet send/receive audio correctly, and the setting persists through reloads.
The global SIP configuration remain untouched.

pjsip.transports.conf:

[0.0.0.0-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060
external_media_address=x.x.x.x
external_signaling_address=x.x.x.x
allow_reload=yes
local_net=y.y.y.y/28
local_net=w.w.w.w/24
local_net=z.z.z.z/24

pjsip.endpoint.conf:

[4119]
type=endpoint
aors=4119
auth=4119-auth
allow=alaw,ulaw
context=from-internal
callerid=device <4119>
dtmf_mode=rfc4733
aggregate_mwi=yes
use_avpf=no
rtcp_mux=no
ice_support=no
media_use_received_transport=no
trust_id_inbound=yes
media_encryption=no
timers=yes
media_encryption_optimistic=no
send_pai=yes
rtp_symmetric=yes
rewrite_contact=yes
force_rport=yes
language=en

pjsip.endpoint_custom_post.conf:

[4119](+)
media_address=x.x.x.x

(Peter Warrick) #11

Andres,

Perfect, I’m glad to have helped you here as well. Your config looks good and thank you for the syntax for pjsip.custom_post.conf file. I was missing the (+).

I agree, that this should be handled by the FreePBX UI. Curious why this field isn’t available in the UI? FreePBX Devs?

For me, leaving the local networks blank has been my solution so I don’t need to edit this custom file as I don’t have any endpoints on asterisk’s local network. Your solution, Andres, is the proper and full solution that should work for every scenario for anyone else who has this issue.

Thanks again!

Peter


(Dave Burgess) #12

Because no one’s submitted a ticket on it? Just guessing - I haven’t actually looked. I know that the devs don’t work on anything that doesn’t have a ticket, so that might be part of it.


(Andrew Nagy) #13

In the edge release of core we set this now. It’s not configurable but takes the external address you set in SIP settings


(Ivan Anastasov) #14

Hello, we use pjsip stack to have multiple devices with the same extension. Some of the devices are in the same subnet as asterisk server some others not. With the above solution how do you handle that?
Thanks


(Dave Burgess) #15

You’ll have to set the options so that they work with each of the networks you are setting up.

If you have a specific example, we might be able to help, but this broad stroke isn’t going to get a lot of traction.


#16

Had the same issue and this fixed my problem today. Thanks!