Hi all!

I've spent some hours in last days on Google and forum Search, but no success till now.
Any help on this is greatly appreciated!  Bellow you can find all details.

Problem: can not register SIP softphone/device from web (WAN). I only get timeout. Same softphone/device works 100% ok when within LAN.

Environment:
Fonera is main router and also the Asterisk server:
- Kamikaze v8.09.2 (in fact Gargoyle v1.1.7)
- embedded Asterisk v1.4.23.1 (asterisk14-mini package installed via opkg)
Fonera is pluged to a cable modem (WebSTAR DPC2100R2)
Dynamic IP
Fonera DDNS is pointing to xxxx.no-ip.org
PC/ATA/smartphone on LAN via WiFi to Fonera/Asterisk
Asterisk registered ok to some SIP providers.

Fonera Firewall:
UDP 4569    forwarded to 192.168.1.1
UDP 5036    forwarded to 192.168.1.1
UDP 3478    forwarded to 192.168.1.1
UDP    8000~8050 forwarded to 192.168.1.1 (all SIP clients are set to use 8000~8050 RTP)
UDP/TCP 5060~5065 forwarded to 192.168.1.1 (all SIP clients are set to use 5060~5065 SIP)
(also tried DMZ to 192.168.1.1 but did not help)

asterisk.conf
[options]
languageprefix = yes
systemname = xxxx.no-ip.org

rtp.conf
[general]
rtpstart=8000
rtpend=8050

sip.conf
[general]
context=XXXX
externhost=xxxx.no-ip.org
externrefresh=60
localnet=192.168.1.0/255.255.255.0
port=5060
bindaddr=0.0.0.0 
useragent=xxxx.no-ip.org
realm=xxxx.no-ip.org
srvlookup=yes   
defaultexpiry=1800
nat=yes
canreinvite=no
qualify=yes
insecure=port,invite
disallow=all
allow=ulaw
allow=gsm
dtmfmode=auto
rtptimeout=120
rtpholdtimeout=300

[500]
type=friend
context=YYYY
username=500
secret=xxxxx
callerid=("Wilson Cel" <500>)
host=dynamic

SIP clients on LAN:
eyeBeam, ATA and Nokia smartphone can register to Asterisk with no problem.
All are configured to register to xxxx.no-ip.org (not to LAN IP 192.168.1.1)
Can call and receive calls ok.  Even no audio problems.

SIP clients from Web:
eyeBeam and Nokia smartphone can not even register to Asterisk.  Only gets timeout.
All them are configured to register to xxxx.no-ip.org
Have tried with and without STUN server configured on them.

In Fonera, if I don't forward ports and/or don't DMZ 192.168.1.1 registration is refused almost instantly.  So when forwarding and/or DMZing seems some communication is started between clients/Fonera because it takes almost a minute to get timeout.

Just as additional info: all SIP clients can register and works fine with other hosted SIP PBXs (SipSorcery, Voxalot, PBXes), so it is not restrictions on clients' LAN/WAN.  Problem for sure is in my OpenWrt+Asterisk

Any tips?
Can you register your SIP clients to your embedded Asterik?  If so, how are your Asterisk conf files?  How is your OpenWrt firewall config?

Thanks in advance!

(Last edited by wilsonhlacerda on 8 Mar 2010, 22:45)

Solved!  But.....I think I found a bug in Gargoyle/OpenWrt!
Is REDIRECT broken????

As written above I forward all ports using Gargoyle GUI.
If I go to \etc\config\firewall I can see REDIRECTs like this one:

config 'redirect' 'redirect_enabled_number_1'
    option 'name' 'SIP'
    option 'src' 'wan'
    option 'dest' 'lan'
    option 'proto' 'udp'
    option 'src_dport' '5060-5065'
    option 'dest_port' '5060-5065'
    option 'dest_ip' '192.168.1.1'

This is expected to:
1- WAN accept inbound on ports 5060~5065
2- forward everything to LAN 192.168.1.1 ports 5060~5065

But sure this is not happening, otherwise Asterisk could register the SIP clients.

So I just added to \etc\config\firewall RULEs like this:

config 'rule'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'dest_port' '5060-5065'
    option 'target' 'ACCEPT'

And bingo!  Everything works just perfect!

So....seems that Gargoyle/OpenWrt REDIRECT itself is not enabling WAN inbound.  We do have to explicit ACCEPT inbound on desired port ranges.  In my point of view this is clearly a bug in the firewall.

And for my specific case, as I endup having to add the RULES, I then just deleted the port forwards.  'Cause with the RULEs now Asterisk can interface to the outside directly through WAN side.

Hope this can help other people running Asterisk or other kind of server in the router.

And also help developers in fixing this REDIRECT bug.

Is your FON device that hosts your Asterisk PBX system assigned with a public IP Address? If so, then you don't need ports forwarding nor nat=yes.

Yes!

And I agree with you.  That what I was expecting.  But tests showed me that's not the case.

So I tried to forward WAN traffic on SIP ports to Fonera itself in LAN (192.168.1.1).  Even this way haven't worked (see above).
And again I expected it'd work also this way.  The only explanation for not is a bug in the REDIRECT in firewall.

Then I just added new RULEs on firewall to ACCEPT inbound WAN traffic on SIP ports.  And everything run fine.  (And this way forward is even unnecessary.)

So....even with FON assigned with a public IP we do have to explicit configure it to accept WAN SIP traffic.  It is mandatory.  Otherwise Asterisk is not reachable from outside.

About "NAT=yes" that's ok.  I can change it now.  It was "yes" just in case, during hard times in non working tests.

(Last edited by wilsonhlacerda on 10 Mar 2010, 05:20)

If your FON has a public IP Address, I reckon you should use localnet=<the public IP Address>. If the public IP Address is on a subnet A, B, or C, then use localnet=<the public IP Address>/8, localnet=<the public IP Address>/16, or localnet=<the public IP Address>/24, respectively. The configurations for your extension phones should use nat=yes if they are behind your FON device with a private IP Address. On this architecture, you can configure your asterisk with a canreinvite=yes, too. This way, your FON device won't waste its CPU resources for asterisk o control the RTP traffics.

(Last edited by mazilo on 10 Mar 2010, 13:57)

Thanks for the tip!

But as Asterisk is running in Fon that has a (dynamic) public IP, I end up moving a little bit further: I completely removed the externhost/externrefresh/localnet parameters!  And I can set (in general) the extensions/providers with nat=no and canreinvite=yes. 

No SIP client register/audio problems this way.  Even from my smartphone (Nokia) runing SIP over 3G/EDGE.
Only when client is behind NAT I have to set nat=yes for that specific client.

I'm on tests yet, but till now everything looks perfect.  Fon + OpenWrt + Asterisk 1.4 is showing itself as a very nice residential/personal internet+telephony solution.

Right now I'm only missing iLBC codec (I installed asterisk14-mini).  It's the best for Nokia over EDGE/3G.  I do need to try to add it to Fon now.  Any help is greatly appreciated!

AFAIK, so long as no transcoding is involved, Asterisk could care less what CoDec is used by the clients. For instance, my Asterisk PBX system doesn't have a G729 CoDec, yet I have configured my Asterisk PBX system + all ATA devices to use G729 as their primary CoDec and they all work just fine.

Could you help with some help for extensions and trunks to allow sip devices to connect from outside the LAN and allow reinvite?

Thanks

I don't know exactly what did you mean. If you want asterisk to allow reinvite, I believe it must be assigned with a public IP Address and use canreinvite=yes under [general] section of your sip.conf file.

Thanks mazilo

And which settings to allow connection from the WAN?