SIP Phone problem to FritzBox over OpenWrt 18.06

excelsi · August 18, 2018, 9:07am

My FritzBox (with VOIP) is in front of an OpenWRT 18.06 box and if I connect a VOIP Phone over the Openwrt Box it blocks the the VOIP Channel back to the Phone (I can start a call but doesn't get back anything).

In the System Log I get this: "nf_conntrack default automatic helper assignment has been turned off for security reasons and CT based firewall rule..."

So I found two things:

I installed this package mentioned in this thread but it doesn't help.

So maybe I have to do something on the firewall side:
https://bbs.archlinux.org/viewtopic.php?id=224647

Can somebody transfer this actions to the OpenWrt Firewall Config?
Thanks!

jow · August 18, 2018, 11:40am

Please also see if kmod-ipt-raw is installed, this should activate various cthelper iptables rules that bind specific ports and protocols to conntrack helpers.

excelsi · August 18, 2018, 3:08pm

Thanks, now internally it's working now as expected
But over my OpenVPN Connection it's still the same: I can start the call but do not get the voice back to my phone, there i still get the same log line in the system log. Other traffic is no problem so still maybe something in the firewall config ? Or how can I investigate this?

Additional Info:
That's maybe a special situation here because my ISP only provide IPv6 Addresses here over DS-Lite Stack and I connect over a IPv4-IPv6 Conversion Provider or sometimes IPV6 only (if I have a IPv6 capable Network). I installed both kmod-ipt-raw packages and tried both connection scenarios.

excelsi · August 21, 2018, 6:25pm

I tested also another constellation (with public IPv4) and the problem is the same.

dlakelan · August 22, 2018, 1:14am

Do you have ipv6 enabled sip client and server? SIP benefits a lot from ipv6 end to end communication without NAT

excelsi · August 23, 2018, 11:25am

Yeah that's a good hint maybe.
Maybe the Fritz Phone App on Android is not really IPv6 ready...

Before 18.06 all was working as expected but with this NF Contrack Firewall Security thing that came with 18.06 it changed...

jow · August 24, 2018, 4:15pm

Can you please share your current /etc/config/firewall and iptables-save output? Is your OpenVPN connection in a dedicated zone? If so, try setting list helper sip on the corresponding zone.

excelsi · August 24, 2018, 4:15pm

Thanks, the "Helper SIP" Entry in the Firewall worked!

system · September 3, 2018, 4:15pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.