PBX server access from different networks / NAT settings

Hello guys,

I am taking my first steps with FreePBX. I really like it, but there is one thing I have not come around to yet (even after reading the docs).

I have the following possible situation (the clients are not always online, but they could be):

Which settings do I have to set up in FreePBX to allow all devices to successfully accept inbound connections and also to allow outbound connections over a trunk behind NAT?

Do I need to use a STUN server?

With my current settings I get retransmission timeouts. I already played around a bit and no longer got them, but then there was just silence on the line.

What confuses me is that some specific settings are available in multiple areas of FreePBX, so I don't know exactly what to set where and how they affect each other (for a detailed list please see the last paragraph).

On the network where the server is, the firewall is turned off and ports 5060 and 10000-20000 are forwarded to the internal PBX server IP.

At the moment I am using dynamic DNS (I will get a public IP next month) for the PBX server.

I am especially interested in what I need to set up for the following:

  • DTMF signalling (in extension settings, advanced settings)
  • canreinvite (in extension settings, advanced settings, sip/chan_sip settings)
  • nat mode (in extension settings, advanced settings, sip/chan_sip settings)
  • and network configuration settings (dynamic ip → hostname) ?

I don't really have an idea of how to use them.

Using FreePBX 13.0.190.11.

Please help!

Thank you

Just to get this out of the way - Asterisk (and by extension, FreePBX) doesn’t play well in a multi-tenant environment, which it sounds like you are trying to set up.

OK - what you really need to do is read up on NAT. Most of the FreePBX settings you’re concerned about won’t actually have much impact on your proper networking.

The Ingress from the Internet to the local network on the server LAN needs to be a firewalled system that only allows some very specific ports. Specifically, UDP 5060 and UDP Range 10000 to 20000. All of these should be “redirected” to the Internal Address of the server in the LAN. You can set the server up with a public address if you want, you’ll still need to make sure the Internal network can connect to the local port on the server (requires 2 Ethernet cards).

In FreePBX, turn on the Adaptive Firewall (along with the Integrated Firewall) - this opens the server to the world on port 5060. I would, for now, eschew the PJ-SIP channel driver. It’s “new and improved” <sarcasm/> but it’s still popping up new problems every day. Chan-SIP is old, and proven, and just works.

Your Client A devices will be able to connect to the server without issue. They should be set up with NAT turned off. Set the firewall up so that the local network is “trusted”.

Your Client B devices will connect through the external firewall. They need to have NAT turned on and need to be able to identify the external address of the firewall or have a STUN server (out in the wild) that can report the “apparent” address of the phone. This allows Asterisk to send your traffic to the right place. If you know the address range and it’s static, you can assign the network to one of the Trusted Zones so that the phones don’t end up getting locked out in the case of a bad connection or password.

Your Client C devices need to be set up just like the Client B devices. The difference here is that, since the IP address of the client will change from time to time, you won’t be able to “whitelist” these addresses. The fact that they’re coming over 3G is a complete red herring - it’s all IP networking. Once again, you are likely to require either the ‘external’ address of the device or a STUN server in the wild (if it doesn’t have a routable address). If it has a routable address, you don’t need to set NAT since the traffic will be able to find its way back to the device through the IP address of the phone.

You set it once for the system default in Advanced Settings and then in the individual extensions if they have problems.

May I direct you to this discussion: http://forums.asterisk.org/viewtopic.php?f=1&t=1334

NAT mode is set per “direction” so if the point you are trying to set up is behind a NAT device and connecting to something outside its local network, NAT needs to be “YES”.

Basically, anytime you have a device that’s communicating with something “outside” the LAN, you need it. It’s possible that the devices at both, one, or none of the ends will need NAT based on networking requirements.

An important note that you might have missed (your questions lead me to believe you haven’t realized this yet) is that Asterisk is what ALL phones connect to. In POTS terms, phones connect to other phones through the switch. In FreePBX, the switch connects to phones and allows them to communicate, so there’s no “end to end” path. Everything goes through the FreePBX server.

Since your server is on a dynamic address, you will need to refer everyone to your DynDNS hostname. Once you’ve got a static address, you can reconfigure the system so that your address is set up in DNS and just works. Having said that, though, it’s important to remember that you are running behind a firewall and that address is the one you’ll be using for all of your external connections. In the local net - use the local network interface IP address and skip the DNS headache.
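The per-direction NAT rule and the LAN/outside split that Dave describes can be turned into a mechanical check. The script below is an added example, not part of the thread and not FreePBX's own code: it takes a chan_sip style server configuration (externhost, externrefresh, localnet, directmedia) plus a list of extensions with their nat setting and the address they register from, and reports the mismatches discussed above (nat=yes on a LAN phone, nat=no on a remote phone, a NATed phone whose private subnet is missing from localnet). The RFC 1918 ranges are spelled out explicitly; every address, hostname and extension number is a constructed value.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Non-routable address space as defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Server-side chan_sip NAT settings as FreePBX writes them from "Asterisk SIP
# Settings". Constructed values for a server behind a NAT firewall that is
# reached from outside through a dynamic DNS name.
SERVER_SIP = {
    "externhost": "myhost.ddns.net",   # public side, resolved via DDNS
    "externrefresh": "120",            # seconds between re-resolving externhost
    "localnet": ["192.168.1.0/24"],    # the LAN the server itself sits on
    "directmedia": "no",               # canreinvite=no: media always via the server
}


@dataclass
class Extension:
    number: str
    nat: str             # "no", "yes", "force_rport,comedia", ...
    registers_from: str  # source address of the REGISTER as the server sees it


def is_routable(addr: str) -> bool:
    """True unless the address falls into one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in RFC1918)


def in_localnet(addr: str, localnets: List[str]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in localnets)


def check_server(cfg: dict) -> List[str]:
    """Settings the server needs when it sits behind a NAT firewall."""
    problems = []
    if not cfg.get("externhost") and not cfg.get("externip"):
        problems.append("server: set externhost (dynamic DNS name) or externip")
    if cfg.get("externhost") and not cfg.get("externrefresh"):
        problems.append("server: externhost without externrefresh; a changed DDNS "
                        "address would not be picked up")
    if not cfg.get("localnet"):
        problems.append("server: no localnet; LAN phones would be given the public address")
    for net in cfg.get("localnet", []):
        if is_routable(str(ipaddress.ip_network(net).network_address)):
            problems.append(f"server: localnet {net} is routable address space; check it")
    if cfg.get("directmedia", "no") != "no":
        problems.append("server: directmedia (canreinvite) enabled; NATed phones may get "
                        "one-way audio when media bypasses the server")
    return problems


def check_extension(ext: Extension, cfg: dict) -> List[str]:
    """NAT is set per direction: LAN phones nat=no, everything outside nat=yes."""
    problems = []
    on_lan = in_localnet(ext.registers_from, cfg["localnet"])
    nat_on = ext.nat != "no"
    if on_lan and nat_on:
        problems.append(f"ext {ext.number}: on the LAN but nat={ext.nat}; use nat=no")
    if not on_lan and not nat_on:
        problems.append(f"ext {ext.number}: outside the LAN but nat=no; "
                        "use nat=yes (force_rport,comedia)")
    if not on_lan and not is_routable(ext.registers_from):
        # A private source address that is not in localnet usually means a
        # second LAN segment or VPN that localnet does not know about.
        problems.append(f"ext {ext.number}: registers from non-routable "
                        f"{ext.registers_from} which is not in localnet")
    return problems


if __name__ == "__main__":
    # Constructed extensions: 10 on the LAN, 11 a remote Zoiper behind its own NAT.
    for e in (Extension("10", "no", "192.168.1.50"),
              Extension("11", "force_rport,comedia", "203.0.113.7"),
              Extension("12", "yes", "192.168.1.51")):
        print(e.number, check_extension(e, SERVER_SIP) or "ok")
    print("server", check_server(SERVER_SIP) or "ok")
```

The check only sees the address the server sees, so a remote phone that is itself behind a NAT shows up with its router's public address; whether that phone also needs a STUN server or an external-address setting is decided on the phone, not here.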

Hi Dave,

thank you very much for your very detailed explanation. Things now really get a bit clearer to me.

Here are some further questions on your explanation:

In FreePBX, turn on the Adaptive Firewall (along with the Integrated Firewall)

I cannot see that option in the settings. I guess it may be because I am using the RasPBX distro, where it is not included?
Is it mandatory?

You can set the server up with a public address if you want, you’ll still need to make sure the Internal network can connect to the local port on the server (requires 2 Ethernet cards).

I am not clear on that. In the FreePBX settings I specify that the IP is a dynamic IP and specify the DDNS hostname.
So every client that is connecting from outside is in fact connecting to the DDNS hostname (e.g. myhost.ddns.net), which is then resolved to the current public IP of the network. So isn't this already a sort of public IP?
As stated above, the device is a Raspi, so I only have one Ethernet port on it by default. Can it work anyway?

Your Client B devices will connect through the external firewall They need to have NAT turned on and need to be able to identify the external address of the firewall or have a STUN server (out in the wild) that can report the “apparent” address of the phone.

Where do I have to specify the STUN server? On the Client B devices and also on the PBX server, or only on the clients behind another NAT?

If it has a routable address, you don’t need to set NAT since the traffic will be able find its way back to the device through the IP address of the phone.

I guess none of my networks is routable in any way, since their IPs change dynamically?

canreinvite (in extension settings, advanced settings, sip/chan_sip settings)

OK, according to the article, setting it to “no” should be the most compatible way (as traffic always routes over the server)?

NAT yes

Is the setting “yes” or “yes - auto force rport,comedia” better?
Do I need to enable any other setting for RTP?

Thank you so much Dave!

I have lots of Raspberrys at home and at the office, and I wouldn’t ever use one of them for this. The SD-Card “drive” isn’t designed to hold up to the read/write cycle a PBX server requires. In a commercial environment, you’ll hit the 1,000,000 write limit in a few months.

If you can find an old computer at Goodwill or the Salvation Army (or a Boot Sale, or along the side of a road in your neighborhood, or the local dump) you’ll be better off in the long run. The more capable the system becomes, the less RasPBX will be able to keep up.

On to your questions:

In the FreePBX settings I specify that the IP is a dynamic IP and specify the DDNS hostname. So every client that is connecting from outside is in fact connecting to the DDNS hostname (e.g. myhost.ddns.net), which is then resolved to the current public IP of the network. So isn't this already a sort of public IP?
Yes, the firewall provides your NAT conversion of the routable addresses to non-routable addresses. You cannot put this machine on the Internet since it doesn’t have the integrated firewall, so you are opening your machine up to hackers if you expose it to the Internet. Your non-routable network address is the one you will be using. The firewall will provide the NAT conversion. Note that this means that any time you have a connection to the outside world, that connection will need to have NAT turned on.

You will know the external address - it’s your DynDNS address, so set it up as dynamic in the server and go to town.

The only time you need a STUN server is if you can’t find out what the network’s routable address is: if the network changes (the router gets a different address every time) but the phone behind the router can’t be configured with a static address (the router’s address changes), the STUN server will give you the external (routable) address.

So - it depends on what you have for network assets.

No. Routable addresses are addresses that are Unique on the Internet. Non-routable addresses are 10.x.x.x /8 172.16.x.x/16 and 192.168.x.x/24. Your local networks will all be non-routable and the firewalls in front of them will convert these addresses to routable addresses so you can communicate on the Internet.

This is really basic networking stuff - I shouldn’t need to be explaining this to you if you are in business to provide these services.

It depends on what your various client machines need and are expecting. Try both and see which works for you.

Make sure the firewall is open to ports 10000-20000 and that they are redirected to the same range on your VoIP server. That should get your RTP to work. If you get one-way audio, you’ll need to do more research.

Hi Dave,

I have lots of Raspberrys at home and at the office, and I wouldn’t ever use one of them for this. The SD-Card “drive” isn’t designed to hold up to the read/write cycle a PBX server requires. In a commercial environment, you’ll hit the 1,000,000 write limit in a few months.

OK, I understand. I will finally (when I get the public IP) move my PBX to a dedicated machine, of course. For now it's just a matter of testing and playing around, even if it's already in use.
But I agree with you concerning the r/w cycles; I also don't like to wear out the SD card that way 🙂

No. Routable addresses are addresses that are Unique on the Internet. Non-routable addresses are 10.x.x.x /8 172.16.x.x/16 and 192.168.x.x/24. Your local networks will all be non-routable and the firewalls in front of them will convert these addresses to routable addresses so you can communicate on the Internet.
This is really basic networking stuff - I shouldn’t need to be explaining this to you if you are in business to provide these services.

Sorry, I was just a bit confused about the term “routable” itself at first 🙂

It depends on what your various client machines need and are expecting. Try both and see which works for you.

Yep, will try.

Make sure the firewall is open to ports 10000-20000 and that they are redirected to the same range on your VoIP server. That should get your RTP to work. If you get one-way audio, you’ll need to do more research.

OK, thank you very much once again!

I missed an important word in that sentence. It should say “… open to UDP ports 10000-20000 and that they are redirected to the same UDP range …”

You don’t need to open any TCP ports for this to work. For other things, Yes, but for phones, No.
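Because the two corrections above (UDP, not TCP; the whole 10000-20000 range, not part of it) are easy to get wrong on the router, here is an added example that checks them, not from the thread or from FreePBX. It parses the NAT PREROUTING chain in the format `iptables -t nat -S PREROUTING` prints, together with the rtpstart/rtpend values from Asterisk's rtp.conf, and reports when UDP 5060 or the full RTP range is not DNATed to the PBX, or when only a TCP forward exists. The rule dumps, the rtp.conf fragment and the PBX address 192.168.1.10 are constructed sample input.

```python
import re
from typing import List, Tuple

PBX_LAN_IP = "192.168.1.10"  # constructed LAN address of the PBX

# Constructed rtp.conf fragment matching the range used in the thread.
RTP_CONF = """
[general]
rtpstart=10000
rtpend=20000
"""

# Constructed `iptables -t nat -S PREROUTING` output: the correct setup.
NAT_RULES_OK = """
-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -p udp -m udp --dport 5060 -j DNAT --to-destination 192.168.1.10:5060
-A PREROUTING -i eth0 -p udp -m udp --dport 10000:20000 -j DNAT --to-destination 192.168.1.10
"""

# Constructed broken setup: SIP forwarded over TCP only, RTP range cut short.
NAT_RULES_BAD = """
-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5060 -j DNAT --to-destination 192.168.1.10:5060
-A PREROUTING -i eth0 -p udp -m udp --dport 10000:15000 -j DNAT --to-destination 192.168.1.10
"""

# One DNAT rule: protocol, single port or lo:hi range, destination address
# (an optional :port or :port-port suffix on the destination is ignored).
RULE_RE = re.compile(
    r"-A PREROUTING .*?-p (?P<proto>tcp|udp) .*?--dport (?P<lo>\d+)(?::(?P<hi>\d+))? "
    r"-j DNAT --to-destination (?P<dst>[\d.]+)(?::\d+(?:-\d+)?)?"
)


def parse_rtp_range(conf: str) -> Tuple[int, int]:
    """Return (rtpstart, rtpend) from an rtp.conf text."""
    vals = dict(re.findall(r"^(rtpstart|rtpend)\s*=\s*(\d+)", conf, re.M))
    return int(vals["rtpstart"]), int(vals["rtpend"])


def parse_dnat(rules: str) -> List[dict]:
    """Extract the DNAT rules from an `iptables -S` style dump."""
    out = []
    for line in rules.splitlines():
        m = RULE_RE.search(line)
        if m:
            lo = int(m["lo"])
            hi = int(m["hi"] or lo)
            out.append({"proto": m["proto"], "lo": lo, "hi": hi, "dst": m["dst"]})
    return out


def udp_forwarded(rules: List[dict], lo: int, hi: int, dst: str) -> bool:
    """True if a single UDP DNAT rule to dst covers the whole range lo..hi."""
    return any(r["proto"] == "udp" and r["dst"] == dst and r["lo"] <= lo and r["hi"] >= hi
               for r in rules)


def check_forwarding(rules_text: str, rtp_conf: str, pbx_ip: str) -> List[str]:
    rules = parse_dnat(rules_text)
    rtp_lo, rtp_hi = parse_rtp_range(rtp_conf)
    problems = []
    if not udp_forwarded(rules, 5060, 5060, pbx_ip):
        problems.append("UDP 5060 is not forwarded to the PBX (a TCP forward alone "
                        "does nothing for the phones)")
    if not udp_forwarded(rules, rtp_lo, rtp_hi, pbx_ip):
        problems.append(f"UDP {rtp_lo}-{rtp_hi} (rtp.conf range) is not fully forwarded; "
                        "expect one-way audio or silence")
    for r in rules:
        if r["proto"] == "tcp" and r["lo"] <= 5060 <= r["hi"]:
            problems.append("a TCP 5060 forward is present; not needed for phones over UDP")
    return problems


if __name__ == "__main__":
    for name, text in (("ok", NAT_RULES_OK), ("bad", NAT_RULES_BAD)):
        print(name, check_forwarding(text, RTP_CONF, PBX_LAN_IP) or "all forwards in place")
```

On a real router, feed it the actual dump (`iptables -t nat -S PREROUTING`) and the actual rtp.conf; the point of reading rtpend from Asterisk rather than hard-coding 20000 is that a range change on one side and not the other is exactly the kind of mismatch that produces silence on the line.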

Hello Dave,

OK, thank you, I understand.

I've now tested it for the network where the server is and for the network where client C is.

Outgoing calls and calls between extensions (A<–>C) work perfectly (with NAT).

I have only one problem for incoming calls.

I have tried to call my pbx from two different regular mobile phone networks.

From network A the call got forwarded to my extension as configured; I hear it ringing and can then pick up the call.

From network B - very strange - the call does not get forwarded to the extension at the right time.
I can hear the ring tones on my phone, but at the extension (client C) it's not ringing, as if the call was never made.
BUT after the call is cancelled on the mobile phone, client C suddenly shows the incoming call, until I cancel it there too. If I accept it, I have no signal and the client on C crashes.

The only difference between the two situations is that the calls are coming from two different regular mobile phone networks (not SIP!).
They then come over the same SIP trunk to my PBX and the routing for them is the same; both get forwarded to the same extension.

What I can see in the log is that the “retransmission” comes up and that the extension reports busy in the problematic situation with network B. But why can regular phone networks influence that? That's what is so strange to me now.

Just so we’re clear on this: all of these various pieces and parts are just SIP calls, right? You’re not talking about the cell phone dialing a number and getting connected that way.

To start, it might help to remember that calls don’t go from extension to extension. They go from the phone to the server and the server connects to the other extension. It’s a subtle but incredibly important distinction because it helps to explain why some things are working and some are not.

The problem, as you describe it, is that the phone at extension B, which is a Zoiper client somewhere, is unable to receive your calls from the server. This is likely a problem either with a “SIP-ALG” or some other router “SIP Helper” screwing up your packets, or your phone simply isn’t getting registered.

Double check the router config and make sure it’s doing NAT correctly. Also, make sure all of the addresses in the phone are correct (External Address/STUN server) and that NAT is actually set up correctly.

If you can call out from the “B” extension but not receive calls, the problem could also be that the phone’s registration is not correct or stable. The “Reports” “Asterisk Info” report can help you a lot with the status of your lines.

My money is on the router. Either your connection is not good enough to maintain the connection or the router is getting in the way.

Hello Dave,

OK, I think I was a bit unclear, sorry. Here it is in more detail (thank you for your patience!!):

In network A (those where the server is) I have a client registered on extension 10.
In network C (the 3g network with zoiper client) I have a client registered on extension 11.

Calling directly from extension 10 to 11 or vice versa works perfectly (so I guess I have solved the NAT problem at this point).

Now in situation A, a call coming from a regular mobile phone network over a trunk (configured in the PBX) to extension 10 or 11 also works.
In situation B, with exactly the same setup, the only difference being that the provider of the caller's phone network is not the same, I have this strange problem.

I mean, since all incoming calls from a regular mobile phone network(!) first get passed to the trunk, then to the PBX server and finally to the extension, could the type of phone provider really have an impact on the final NAT/SIP handling of the PBX/extension (since the calls in both situations first get passed over the same trunk; doesn't the trunk first convert them to similar digital voice packets)??

Here are the concrete call examples with example numbers:
10 --> to 11 over SIP --> works
11 --> to 10 over SIP --> works
004369912341234 --> over trunk --> to pbx --> to 10 or 11 --> works
004367612341234 --> over trunk --> to pbx --> to 10 --> works
004367612341234 --> over trunk --> to pbx --> to 11 --> does not work (sip client ringing AFTER the call was terminated on mobile phone of caller)

Thank you!

If the call is coming from a regular cell phone, it doesn’t pay to think of it with that level of specificity. It’s the same call path that a regular ISDN or POTS call would come in. The fact that the caller is on a cell phone is an unnecessary piece of information that keeps messing with your head.

You are getting one-way audio. There are only two possible classes of problem source:

  1. SIP-ALG or some other “helper” in your router messing up the packets.
  2. Misconfiguration of your router and not getting the NAT settings for the trunk correct.

You are not doing yourself any favors going back to the “cell phone” mindset. If someone dials your number and you get one-way audio, you have a router problem.

Hi dave,

OK, thank you very much for your detailed help and patience 🙂

Things are now much clearer to me, thank you!