Noob question on Yealink behind NAT and Asterisk on public IP with pjsip

Hi all-

I have what I hope is a pretty simple question here, and I’ll try to provide answers ahead of time to questions people may have:

I’m trying to configure a Yealink T42G (firmware against a FreePBX server (FreePBX, Asterisk 16.7.0

I’m getting no attempted registrations that I can detect.

Topology is:
Asterisk server has a public IP, no NAT, directly on eth0
(this is carefully firewalled).

Phones are at my house behind NAT, with a single dynamic public IP
(Firewall at home is PFSense, with a public hostname known by dynamic DNS)
I’m a security/network engineer, and so I’m about 90% sure that I’ve got tcp/udp 5060/5061 and UDP 10000-20000 allowed in/out on both the public server IP and home network.
Only certain networks are allowed in to the server. I’m relatively sure that my home network by hostname AND current IP is allowed, as is my workplace static IP range.

I’ve built the extension(s) with 4-digit extensions and PJSIP.

pjsip appears to be running on the server:
[[email protected] ~]# lsof -i :5061
asterisk 26388 asterisk 20u IPv4 10831715 0t0 UDP *:sip-tls

What do I need to put into the Yealink though?
I see lots of notes on regular SIP (chan_sip I guess) on 5060

But how do I configure that Yealink to be correct for PJSIP?
Do I need a STUN server configured, or does the public Asterisk server just figure it out?
How does NAT need to be configured on the phone and/or the Asterisk extension?

Thanks Tim

I have pfsense and I have not opened or forwarded any port; it should work out of the box.

At minimum you need these in your Yealink Phone.

FreePBX            | Yealink Phone
Extension number   | User Name
Secret             | Password
Port               | Port
FreePBX IP         | Server Host

Can you ping the freepbx server from your pfsense?

I’m very puzzled. SIP can use UDP, TCP or TLS. I recommend starting with UDP, which is simpler; TLS requires setting up certificates before you can connect.

By default, FreePBX pjsip listens on UDP port 5060 and chan_sip listens on UDP port 5160. However, lsof clearly shows that your box is listening on UDP port 5061. Can you please explain (you changed some settings, built it in an unusual way, etc.)?

Moussa, yes -

I should clarify -
I’m using PFSense at home, and the only reason I’ve opened ports here is because I have another Asterisk server here, which I hope to do SIP trunking with.
Otherwise, yes, no ports would need to be opened here.

On the public server, it’s Shorewall firewall, which is configured for my home IP/work IP to have access to 5060/5061.
Yes - everything pings back and forth between the house/work/public server, and nmap shows ports open.

Stewart – Thanks for that -
The Asterisk/FreePBX server is a manual load on CentOS 7,
and while I don’t know that I’d changed anything, I did just find that I had to put pjsip on 5060, and chan_sip on 5061. Somehow it was on 5160, probably a typo.

Now I get this, which matches what my home Asterisk server (with extensions working) is doing
[[email protected] ~]#
[[email protected] ~]# lsof -i :5060
asterisk 22058 asterisk 21u IPv4 15588076 0t0 UDP *:sip
[[email protected] ~]# lsof -i :5061
asterisk 22058 asterisk 32u IPv4 15589147 0t0 UDP *:sip-tls
[[email protected] ~]#

I’ll now retry registering the Yealink and see what happens.

Thanks Tim

Starting from a factory reset Yealink, please configure the account:
Line Active: Enabled
Label: (as desired)
Display Name: (as desired but avoid special characters)
Register Name: (your extension number)
User Name: (your extension number)
Password: (secret for your extension)
NAT: Disabled
SIP Server 1, Server Host: (PBX IPv4 address)
SIP Server 1, Port: 5060
SIP Server 1, Server Expires: 60

I know nothing about Shorewall. If nothing gets logged in Asterisk when your extension attempts to register, the FreePBX firewall might be blocking it. Run tcpdump on the PBX and look for any incoming packets with UDP port 5060 (tcpdump captures ahead of the software firewall).

If something gets logged but you still can’t register, at the Asterisk command prompt, type
pjsip set logger on
make the phone attempt to register, then post the Asterisk log.

If tcpdump on the PBX captures nothing, try running it on the SonicWALL WAN interface. If nothing there, either, try the Span to PC Yealink feature to see the phone’s traffic on your PC.

That Yealink firmware is ancient. Upgrade it.

The T42G cannot talk to FreePBX 14 (have not tested 15 yet in this issue) over TLS if you are using the FreePBX generated Let’s Encrypt certificate. You will have to manually load the cert into the Yealink phone before it can talk. So as already stated, don’t use TLS.
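
For the "pjsip set logger on" step suggested earlier in the thread, here is one way to read the resulting log. This is an added example, not code posted by anyone in the thread: it lists the REGISTER exchange and reports whether the phone advertised a private Contact address that differs from the packet's source IP, which is what a phone behind NAT looks like from the PBX. The sample log, its addresses, the banner layout and the function names are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of "pjsip set logger on" output; banner layout is assumed.
SAMPLE_LOG = """\
<--- Received SIP request (420 bytes) from UDP:203.0.113.7:1024 --->
REGISTER sip:198.51.100.20:5060 SIP/2.0
Contact: <sip:1001@192.168.1.50:5060>
CSeq: 1 REGISTER

<--- Transmitting SIP response (380 bytes) to UDP:203.0.113.7:1024 --->
SIP/2.0 401 Unauthorized
CSeq: 1 REGISTER

<--- Received SIP request (600 bytes) from UDP:203.0.113.7:1024 --->
REGISTER sip:198.51.100.20:5060 SIP/2.0
Contact: <sip:1001@192.168.1.50:5060>
Authorization: Digest username="1001"
CSeq: 2 REGISTER

<--- Transmitting SIP response (400 bytes) to UDP:203.0.113.7:1024 --->
SIP/2.0 200 OK
CSeq: 2 REGISTER
"""

BANNER = re.compile(r"<--- (Received|Transmitting) SIP (?:request|response) "
                    r"\(\d+ bytes\) (?:from|to) \w+:([\d.]+):\d+ --->")
CONTACT = re.compile(r"^Contact:.*?sip:[^@>]*@([\d.]+)", re.M | re.I)
CSEQ = re.compile(r"^CSeq:\s*\d+\s+(\w+)", re.M | re.I)

def summarize(log):
    """Return (events, nat_seen): (direction, first line, CSeq method) per message,
    and whether a REGISTER carried a private Contact differing from its source IP."""
    events, nat_seen = [], False
    parts = BANNER.split(log)[1:]      # direction, peer IP, body per message
    for direction, peer_ip, body in zip(*[iter(parts)] * 3):
        first = body.strip().split("\n", 1)[0]
        cseq = CSEQ.search(body)
        events.append((direction, first, cseq.group(1) if cseq else None))
        contact = CONTACT.search(body)
        if direction == "Received" and first.startswith("REGISTER") and contact:
            addr = ipaddress.ip_address(contact.group(1))
            nat_seen |= addr.is_private and str(addr) != peer_ip
    return events, nat_seen

def registered(events):
    """True if Asterisk answered a REGISTER transaction with a 200 response."""
    return any(d == "Transmitting" and line.startswith("SIP/2.0 200")
               and method == "REGISTER" for d, line, method in events)
```

If summarize() returns no events at all while the phone is trying to register, the request never reached Asterisk, and the tcpdump checks described above are the next step.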
