Asterisk replies using wrong source ip address

Omarico · March 11, 2023, 12:25am

hey there ! so i have a question. i am trying to connect to asterisk over zerotier. it's working just fine with softphones but not cisco since it needs the same ip address configured.

so my home openwrt router with everything is 192.168.1.222

endpoint address is 172.24.0.222 on the same router on interface ZTxxxxxx. whenever i try to connect to asterisk i get a reply FROM 172.24.0.222 even though i connected to 192.168.1.222. Asterisk is the only thing that does that. TFTP and SSH works just fine i get replies from 192.168.1.222

is there any solution to that on Asterisk ITSELF ? because SNAT can fix it by force rewriting anything 172.24.0.222 >> 192.168.1.222 but that's like a Band-Aid it doesn't fix the actual problem


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option flow_offloading '1'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wan'
	list network 'wwan'

config include
	option path '/etc/firewall.user'

config rule
	option dest_port '1723'
	option name 'pptp'
	option target 'ACCEPT'
	option proto 'all'
	option src 'lan'

config rule
	option target 'ACCEPT'
	option name 'gre'
	option src 'lan'
	option proto 'gre'
	option enabled '0'

config rule
	option name 'Allow-OpenVPN-Inbound'
	option target 'ACCEPT'
	option proto 'tcp'
	option src '*'
	option dest_port '443'

config rule
	option name 'Allow-OpenVPN-UDP'
	option target 'ACCEPT'
	option proto 'udp'
	option src '*'
	option dest_port '444'

config zone
	option name 'lanMASQ'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'lan'

config zone
	option name 'vpn0'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option subnet '10.20.100.0/24'
	option mtu_fix '1'
	list network 'vpn0'
	list network 'ipsec0'

config forwarding
	option dest 'vpn0'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'vpn0'

config zone
	option name 'Cloud2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'Cloud2'
	option forward 'ACCEPT'
	option auto_helper '0'

config zone
	option name 'vpn1'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option masq_dest '0.0.0.0/0'
	option masq_src '10.20.200.0/24'
	list network 'vpn1'

config forwarding
	option dest 'vpn1'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'vpn1'

config rule
	option name 'Allow-speedtest'
	option target 'ACCEPT'
	option proto 'tcp'
	option src '*'
	option dest_port '9821'

config zone
	option name 'cloud'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'cloud'
	list device 'tun0'
	option masq '1'

config forwarding
	option src 'Cloud2'
	option dest 'cloud'

config forwarding
	option src 'Cloud2'
	option dest 'lan'

config forwarding
	option src 'Cloud2'
	option dest 'vpn0'

config forwarding
	option src 'Cloud2'
	option dest 'vpn1'

config forwarding
	option src 'cloud'
	option dest 'Cloud2'

config forwarding
	option src 'lan'
	option dest 'Cloud2'

config forwarding
	option src 'vpn0'
	option dest 'Cloud2'

config forwarding
	option src 'vpn1'
	option dest 'Cloud2'

config forwarding
	option src 'lanMASQ'
	option dest 'Cloud2'

config forwarding
	option src 'lanMASQ'
	option dest 'cloud'

config forwarding
	option src 'lanMASQ'
	option dest 'lan'

config forwarding
	option src 'lanMASQ'
	option dest 'vpn0'

config forwarding
	option src 'lanMASQ'
	option dest 'vpn1'

config forwarding
	option src 'Cloud2'
	option dest 'lanMASQ'

config forwarding
	option src 'cloud'
	option dest 'lanMASQ'

config forwarding
	option src 'lan'
	option dest 'lanMASQ'

config forwarding
	option src 'vpn0'
	option dest 'lanMASQ'

config forwarding
	option src 'vpn1'
	option dest 'lanMASQ'

asterisk

10.10.10.0 is the other zerotier cloud router LAN SUBNET.

see ? TFTP works. that's weird i get a reply from a different asterisk interface i don't even want this interface.


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config device
	option name 'br-lan'
	option type 'bridge'
	option multicast '0'
	list ports 'eth1.1'
	list ports 'tap_0'
	option ipv6 '0'

config device
	option name 'br-wan'
	option type 'bridge'
	option multicast '0'
	list ports 'eth0.2'
	list ports 'tap_1'
	option ipv6 '0'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.1'
	option ipv6 '0'
	option delegate '0'
	option device 'br-lan'

config interface 'wan'
	option proto 'static'
	option ipaddr '192.168.1.222'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option broadcast '255.255.255.255'
	option ipv6 '0'
	option delegate '0'
	option device 'br-wan'
	list dns '208.67.222.222'
	list dns '8.8.4.4'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option defaultroute '1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

config interface 'wwan'
	option proto 'dhcp'
	option peerdns '0'
	option delegate '0'
	list dns '8.8.8.8'
	list dns '208.67.222.222'
	list dns '1.0.0.1'
	option ipv6 '0'
	option device 'wlan1'

config device
	option name 'wlan1'
	option ipv6 '0'
	option multicast '0'

config interface 'vpn0'
	option proto 'none'
	option auto '1'
	option device 'tun0'

config interface 'vpn1'
	option proto 'none'
	option auto '1'
	option device 'tun1'

config interface 'ipsec0'
	option proto 'none'
	option device 'ipsec0'

config route
	option target '10.80.0.0'
	option netmask '255.255.255.0'
	option interface 'wan'
	option gateway '192.168.1.9'

config route
	option target '10.20.200.0'
	option netmask '255.255.255.0'
	option interface 'wan'
	option gateway '192.168.1.9'

config route
	option interface 'wan'
	option target '10.90.0.0'
	option netmask '255.255.255.0'
	option gateway '192.168.1.10'

config device
	option name 'tun0'

config interface 'cloud'
	option proto 'none'
	option device 'tun0'
	option defaultroute '0'

config device
	option name 'zt0000000'
	option ipv6 '0'
	option acceptlocal '1'
	option sendredirects '0'
	option multicast '0'

config interface 'Cloud2'
	option device 'zt000000'
	option proto 'none'
	option defaultroute '0'
	option delegate '0'

config route
	option interface 'Cloud2'
	option target '10.10.10.0'
	option netmask '255.255.255.0'
	option gateway '172.24.24.24'

Lucky1 · March 11, 2023, 3:21am

I'm confused as to the setup
are your phone on the local network ? are they cisco ?
are the smartphone for lan or wan or both
you normally have to allocate phones on local "lan" or external "wan"
I'm going to gess your trunk is external & setup over NAT

hecatae · March 11, 2023, 7:31am

So TCP protocols reply correctly, only the UDP protocol SIP doesn't?

What do the softphones report to the asterisk end, as if those work then this is a Cisco issue, and Cisco proprietary stuff is an absolute pain to make play correctly with other things.

Omarico · March 11, 2023, 12:43pm

It's not about Cisco. The phone works just fine over the main tunnel. It's only zerotier and Asterisk where things start to get messy

Basically it's like that

R1 ( main ) >>>> Zerotier cloud <<<<<< R2 <<< phone on LAN subnet. (10.0.0.x)

R1 : Lan ip address which i use for everything and have static routes to is ( 192.168.1.222). The zerotier address is 172.24.0.222

So when i try to access 192.168.1.222 from any device at 10.10.10.X everything is fine ( No masquerading it's all static routes and ip forwarding since i don't want to deal with port forwarding )

When i try to access ASTERISK onlyyy from 10.10.10.X ( using the same 192.168.1.222 )

That reply ^ comes from 172.24.0.222 NOT 192.168.1.222 which confuses everything and mostly nothing works except softphones ( they are more tolerant to source ip )

So it is an asterisk issue. I wanna know why does asterisk do that. How can i stop it from replying directly by the tunnel address and use 192.168.1.222 ?

Also if i have static routes, how does that work internally inside the router ? The packet should be routed to LAN from the zerotier interface ? How to check where is the packet hitting the interfaces?

Omarico · March 11, 2023, 4:05pm

there's exactly what's happening. The firewall configuration and everything is correct hence TFTP working and i get a correct reply from the LAN side since i am calling that IP. but on Asterisk i get a reply from the TUNNEL endpoint ip address..

that's how it works over softether and a TAP device to the LAN ( 192.168.1.222 network a.k.a 192.168.1.0 subnet )

maybe it works fine here because it goes directly to the LAN ? so the reply is from 192.168.1.222 rather than the tunnel interface ( since it's a tap ) ??

can we do TAP on the zerotier tunnel ? or exhibit the same behavior without a TAP ? maybe a bridge interface ?

Omarico · March 11, 2023, 10:49pm

so basically to fix that, we have to figure a way to make the ZeroTier TUN adapter part of BR-WAN ( which is the 192.168.1.222 interface ) that way it would hit the device thru .222 not thru the ZT interface directly.

BUT when i try to do that and setup routes it doesn't work nor i can ping the other devices on the VPN cloud. so what's the correct way to do it ? i think i am not setting it up correctly that's why the bridge thingy with ZeroTier isn't working correctly

and all of that is because Asterisk is buggy and crafts the packets' SOURCE IP to the subnet behind the other VPN endpoints using the TUNNEL interface ip address (172.24.0.222) i have no idea why. instead of the DESTINATION ip address on the packets it's getting which is 192.168.1.222 as shown in the screenshots above.

TFTP works fine and replies to the same DEST. ip address it has on the packets received

Omarico · March 13, 2023, 12:24am

Okay i have no idea how did that work. Basically what I did is I added the zerotier interface (on the bridge router/ the home router) to the bridge interface for the 192.168.1.222 subnet. Then after TCPDUMPing the ZT interface on both routers i saw the ARP packets making it to the other side. which led me thinking that i could just maybe assign it an IP address on the 192.168.1.0 subnet and talk to it since arp is working just fine ? and that's what i did on the other router. What makes it even better is that DHCP worked too! since broadcasts work fine.

So yes zerotier interface got an IP address on the 192.168.1.0 subnet and basically i setup static routes on the bridge router at home to direct the local LAN behind to 192.168.1.X ( where it's the other router's ZT interface ip address ).

i'm just confused because i wanted it to work using a different subnet ( the default zerotier subnet 172.24.x.x ) by adding the interface to the bridge and using

# ip route 172.24.0.0/16 dev "br-wan" ( i was confused should i use the bridge or the ZT interface even though it's part of the bridge)  src 192.168.1.222
# ip route 10.10.10.0/24 via 172.24.24.24 ( the second router ZT ip address ) dev br-wan ONLINK

and 172.24.24.24 was replying to ARP packets just fine.
BUT it didn't work.. any ideas ?