Yet another Behind the NAT issue

Asterisk: 1.8.15 on CentOS 5.8

I think I’ve figured out what I need to do but I’m asking if I can get my plans reviewed here for obvious problems that I didn’t think of.

The PBX server is located at Location A (actually about 18 inches off to my right). It has been running successfully for weeks now, with several Grandstream GXP1400 extension phones installed here in the building on the LAN (i.e. no routers or firewalls in the way). The PBX is on the main router’s DMZ so it is visible to the Internet on the main router’s static IP. The PBX has its own firewall (Linux iptables) with the following ports opened:

2727 / tcp (this one is MGCP… do I need it?)
5004-5082 / tcp & udp (do I really need this many opened & both tcp and udp?)
10000-20000 / tcp & udp (thought I needed utp only but one of the Digium forums says open both)

This installation is SIP only, no IAX or anything else.

The Asterisk sip_general_additional.conf file includes:

One can certainly understand the case where phones work on the PBX’s LAN but not outside. However there are several people with X-Lite softphones installed in their homes behind NAT routers that also connect just fine… they downloaded X-Lite and configured it like I told them to and it Just Worked.

Location B (a non profit public service organization for which I’m doing all this pro bono) is a facility several towns away from here that is only accessible during business hours. I installed a half dozen Grandstream GXP1400 phones there and connected them back to the PBX here and discovered an interesting problem… I can call out from those phones, and carry on a conversation with people in their homes running X-Lite, and it all works fine. However, no one can call in, and one extension in the building cannot call another extension in the building.

I have read much about how to make Asterisk and its clients play nice behind NAT firewalls. I have a pretty good idea what to do to fix this, but as I said Facility B is accessible to me only with difficulty, and so if you guys don’t mind I’d like to run my plan by you and ask you to highlight things that are wrong or missing, so that I have a chance of getting all this working the first time, next time I visit Facility B.

All of my extensions configurations in FreePBX (including for the outside X-Lite installations on other people’s homes that Just Work) are configured like this:

nat=no (<<= makes me wonder why the outside X-Lites work)
port=5060 (same for everybody which is apparently wrong)
transport=UDP only

Here’s what I believe I’m going to have to do the next time I visit Facility B (please tell me if I’m wrong or missing anything):

  1. Each extension in FreePBX will need its own Local SIP port, offset by 2, i.e. 5060, then 5062, 5064, etc.

  2. Each physical extension phone in Facility B will have to have its Accounts->Account[1…2]->SIP Settings->Basic Settings->Local SIP port set to match the “port=” setting in its associated FreePBX Extensions entry (BUT… question on that below).

  3. The DHCP server in the router that connects all these phones will have to be set to serve each phone the same private IP address every time, e.g. phone #1 always gets, phone #2 always gets, etc.

  4. The router that connects all these phones will have to be set to forward the correct ports to each phone, recalling that these are two-line phones and so need a port pair for each line or two port pairs per phone (e.g. ports 5060-5063 get forwarded to, ports 5064-5067 get forwarded to, etc.).

Does all that sound about right? Will I need to do anything else?

A couple more questions…

  1. Each GXP1400 phone has its Settings->General Settings->Local RTP Port (RTP port not SIP port) set to 5004. Does that port need to be different for different phones or can they all stay set to 5004?

  2. Per item (2) above… Each phone is two lines, and each line has its own Local SIP Port (5060 for line 1, 5062 for line 2). Each phone has only one IP address to service both lines. In FreePBX, each line’s extension is set to port=5060. Yet, within the LAN here in Facility A, both lines work correctly even though the second line’s Local SIP Port does not match its FreePBX Extensions->port. I also have a 4-line GXP2100 phone with the four lines set to local SIP ports of 5060, 5062, 5064, and 5066 even though their FreePBX Extensions->port settings are all 5060, yet all four lines work fine. How is that possible?

Thanks for your review of all of this and suggestions… hopefully this will do it.
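Editor's added example (not code from the post, from Asterisk or from Grandstream): a simplified model of what a SIP registrar does with a REGISTER request. Each phone line advertises its own address and local port in the Contact header, so a registrar can learn a per-line port that differs from any default configured for the extension; and by comparing the advertised address with the address the UDP packet actually came from, it can tell whether the phone sits behind a NAT, which is the situation in which a `nat=no` style of trusting Contact leaves the phone unreachable for inbound calls. The messages, hosts, extensions and ports below are constructed samples.

```python
"""Model of how a SIP registrar learns where a phone line is reachable.

Added example: not code from the original post, from Asterisk or from
Grandstream. It is a simplified model of REGISTER handling: the phone
advertises its own address and port in Contact, and the registrar
compares that with the address the packet actually arrived from.
All messages, hosts, extensions and ports are constructed samples.
"""
import re
from typing import Optional, Tuple


class Registration:
    def __init__(self, aor: str, contact: Tuple[str, int],
                 source: Tuple[str, int], rport: bool) -> None:
        self.aor = aor              # address of record (the extension)
        self.contact = contact      # (host, port) the phone advertises
        self.source = source        # (host, port) the packet came from
        self.rport = rport          # phone asked for symmetric response routing

    def behind_nat(self) -> bool:
        """True when the advertised address is not the one the packet used."""
        return self.contact != self.source

    def reachable_address(self, nat_mode: str) -> Tuple[str, int]:
        """Where the registrar should send calls for this extension.

        nat_mode 'no' trusts Contact (fine on the LAN, unroutable across a
        NAT); nat_mode 'yes' uses the packet's source address, which is
        the NAT's public mapping for this phone.
        """
        return self.source if nat_mode == "yes" else self.contact


# sip:user@host:port with optional user and optional port (no IPv6 handling)
_ADDR = re.compile(r"sip:(?:(?P<user>[^@>;]+)@)?(?P<host>[^:;>]+)(?::(?P<port>\d+))?")


def _header(message: str, name: str) -> Optional[str]:
    """Return the value of the first header called `name`, case-insensitively."""
    for line in message.split("\r\n"):
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_register(message: str, source: Tuple[str, int]) -> Registration:
    """Build a Registration from a REGISTER request and the UDP source it came from."""
    request_line = message.split("\r\n", 1)[0]
    if not request_line.startswith("REGISTER "):
        raise ValueError("not a REGISTER request")
    m_to = _ADDR.search(_header(message, "To") or "")
    m_contact = _ADDR.search(_header(message, "Contact") or "")
    if not m_to or not m_contact:
        raise ValueError("REGISTER lacks a parseable To or Contact header")
    user = m_to.group("user")
    aor = f"{user}@{m_to.group('host')}" if user else m_to.group("host")
    contact = (m_contact.group("host"), int(m_contact.group("port") or 5060))
    rport = ";rport" in (_header(message, "Via") or "")
    return Registration(aor, contact, source, rport)


# Constructed sample: line 2 of a phone on the PBX's own LAN, local SIP port 5062.
LAN_LINE2 = (
    "REGISTER sip:pbx.example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.21:5062;branch=z9hG4bKabc;rport\r\n"
    "To: <sip:202@pbx.example.org>\r\n"
    "From: <sip:202@pbx.example.org>;tag=1\r\n"
    "Contact: <sip:202@192.168.1.21:5062>\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed sample: line 1 of a phone at a remote site behind a NAT router;
# the packet reaches the PBX from the router's public address and a mapped port.
REMOTE_LINE1 = (
    "REGISTER sip:pbx.example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bKdef;rport\r\n"
    "To: <sip:301@pbx.example.org>\r\n"
    "From: <sip:301@pbx.example.org>;tag=2\r\n"
    "Contact: <sip:301@10.0.0.5:5060>\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for msg, src in ((LAN_LINE2, ("192.168.1.21", 5062)),
                     (REMOTE_LINE1, ("203.0.113.7", 61234))):
        r = parse_register(msg, src)
        print(r.aor, "contact", r.contact, "source", r.source,
              "behind NAT:", r.behind_nat(),
              "nat=no ->", r.reachable_address("no"),
              "nat=yes ->", r.reachable_address("yes"))
```

Run as a script it prints both registrations: the LAN line's advertised and source addresses agree, so calls to it go to port 5062 whichever mode is used; the remote line advertises a private address that is only reachable if the registrar instead uses the packet's source address. The model is consistent with the observation in the post that lines registered on 5062 work even though the extension entry says port=5060.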

5004-5082 / tcp & udp (do I really need this many opened & both tcp and udp?)

Actually if I start the Local SIP Port assignment at 5060, 5082 isn’t going to be enough… I’ll need to go at least up to around 5120.

Is there a lower or upper number range beyond which we’re not recommended to go?
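Editor's added example (not code from the post, from FreePBX or from Grandstream) covering the four-step plan in the first post and the range question in this follow-up: it hands out one local SIP port per line in the order the plan describes (5060, 5062, 5064, ... across all lines), derives the port range the router has to forward to each phone (a port pair per line), and checks the result against the firewall ranges quoted in the post, reporting the smallest range that covers the plan so the firewall and router need open nothing beyond it. Phone names are constructed sample values.

```python
"""Port-plan checker for one SIP port per phone line behind a NAT router.

Added example: not code from the original post, from FreePBX or from
Grandstream. It lays out per-line local SIP ports the way the post plans
to, derives the per-phone forwarding range, and checks the plan against
the firewall ranges quoted in the post. Phone names are constructed.
"""
from typing import Dict, List, Tuple

SIP_BASE = 5060        # first local SIP port handed out
SIP_STEP = 2           # the next line gets base + 2, as in the post's plan
LINES_PER_PHONE = 2    # GXP1400: two accounts per phone
PORTS_PER_LINE = 2     # the plan forwards a port pair for every line

Plan = Dict[str, List[Tuple[int, int]]]   # phone -> [(line_no, sip_port)]
Ranges = Dict[str, Tuple[int, int]]       # phone -> (first_port, last_port)


def plan_sip_ports(phones: List[str], lines_per_phone: int = LINES_PER_PHONE,
                   base: int = SIP_BASE, step: int = SIP_STEP) -> Plan:
    """Give every line of every phone its own local SIP port, in order."""
    plan: Plan = {}
    port = base
    for phone in phones:
        lines = []
        for line_no in range(1, lines_per_phone + 1):
            lines.append((line_no, port))
            port += step
        plan[phone] = lines
    return plan


def forward_ranges(plan: Plan, ports_per_line: int = PORTS_PER_LINE) -> Ranges:
    """Per phone, the contiguous range the router must forward to its private IP."""
    ranges: Ranges = {}
    for phone, lines in plan.items():
        ports = [p for _, p in lines]
        ranges[phone] = (min(ports), max(ports) + ports_per_line - 1)
    return ranges


def ports_to_open(forward: Ranges) -> Tuple[int, int]:
    """Smallest single range covering every forwarded port (what the firewall needs)."""
    return (min(lo for lo, _ in forward.values()), max(hi for _, hi in forward.values()))


def check_plan(forward: Ranges, firewall_sip: Tuple[int, int],
               rtp_range: Tuple[int, int]) -> List[str]:
    """Return a list of problems; an empty list means the plan fits."""
    problems: List[str] = []
    items = sorted(forward.items(), key=lambda kv: kv[1])
    for phone, (lo, hi) in items:
        if lo < 1024 or hi > 65535:
            problems.append(f"{phone}: {lo}-{hi} is not a usable unprivileged port range")
        if lo < firewall_sip[0] or hi > firewall_sip[1]:
            problems.append(f"{phone}: {lo}-{hi} falls outside the opened SIP range "
                            f"{firewall_sip[0]}-{firewall_sip[1]}")
        if lo <= rtp_range[1] and hi >= rtp_range[0]:
            problems.append(f"{phone}: {lo}-{hi} overlaps the RTP range "
                            f"{rtp_range[0]}-{rtp_range[1]}")
    # neighbouring phones must not share any forwarded port
    for (p1, (lo1, hi1)), (p2, (lo2, hi2)) in zip(items, items[1:]):
        if lo2 <= hi1:
            problems.append(f"{p1} ({lo1}-{hi1}) and {p2} ({lo2}-{hi2}) overlap")
    return problems


# Values quoted in the post; the phone names are constructed.
FIREWALL_SIP_RANGE = (5004, 5082)
RTP_RANGE = (10000, 20000)
FACILITY_B_PHONES = [f"phone-{n}" for n in range(1, 7)]   # half a dozen GXP1400s


def demo(firewall_sip: Tuple[int, int] = FIREWALL_SIP_RANGE):
    plan = plan_sip_ports(FACILITY_B_PHONES)
    fwd = forward_ranges(plan)
    return plan, fwd, ports_to_open(fwd), check_plan(fwd, firewall_sip, RTP_RANGE)


if __name__ == "__main__":
    plan, fwd, needed, problems = demo()
    for phone, lines in plan.items():
        print(phone, "lines", lines, "forward", fwd[phone])
    print("range to open:", needed)
    print("problems:", problems or "none")
```

With six two-line phones the plan ends at 5082 for the last line, but the last phone's forwarded pair runs to 5083, so `check_plan` reports that phone as falling outside the 5004-5082 range the post lists; re-running `demo((5060, 5120))` reports nothing. Extending the scheme to more phones or to four-line models (`lines_per_phone=4`) is only a matter of the constructor arguments.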