FreeBSD, Asterisk 16, pf, and pjsip, nat


David Mehler

Mar 9, 2019, 4:51:50 PM
to freebsd-questions
Hello,

I'm running Asterisk 16 via ports on a FreeBSD 11 system. I'm running
pf and believe I have things correct; I'm allowing ports UDP 5060 and
5061, as well as UDP 10000 to 20000 for RTP, through. I'm running this
on a VPS with a public IP; it is not NATted. My local connection to
the internet is behind a NATted cable modem. I can connect via soft
phone to the Asterisk SIP server, and it says account ready. Everything works
except audio. I believe I'm having a NAT issue, as the connecting
client is behind a NAT, and I'm using chan_pjsip, so the pjsip.conf
file. Currently here is my account-is-ready-though-no-audio
configuration:

; PJSIP Configuration
[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0

;Templates for the necessary configuration sections
[endpoint_internal](!)
type=endpoint
context=from-internal
disallow=all
allow=gsm
;allow=g729
;allow=ulaw

[auth_userpass](!)
type=auth
auth_type=userpass

[aor_dynamic](!)
type=aor
max_contacts=1

;Definitions for our phones, using the templates above
[demo-test](endpoint_internal)
auth=demo-test
aors=demo-test
[demo-test](auth_userpass)
password=unsecuredpassword ; put a strong, unique password here instead
username=demo-test
;direct_media=no
;rtp_symmetric=yes
;force_rport=yes
;rewrite_contact=yes
[demo-test](aor_dynamic)

If in the phone definition I add/uncomment these lines, I get a
registration failed.

; PJSIP Configuration
[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0

;Templates for the necessary configuration sections
[endpoint_internal](!)
type=endpoint
context=from-internal
disallow=all
allow=gsm
;allow=g729
;allow=ulaw

[auth_userpass](!)
type=auth
auth_type=userpass

[aor_dynamic](!)
type=aor
max_contacts=1

;Definitions for our phones, using the templates above
[demo-test](endpoint_internal)
auth=demo-test
aors=demo-test
[demo-test](auth_userpass)
password=unsecuredpassword ; put a strong, unique password here instead
username=demo-test
direct_media=no
rtp_symmetric=yes
force_rport=yes
rewrite_contact=yes
[demo-test](aor_dynamic)


Suggestions welcome.

Thanks.
Dave.
_______________________________________________
freebsd-...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questi...@freebsd.org"

Harry Schmalzbauer

Jun 12, 2021, 5:10:27 AM
to David Mehler, freebsd-questions
Am 09.03.2019 um 22:49 schrieb David Mehler:
> Hello,
>
> I'm running Asterisk 16 via ports on a FreeBSD 11 system. I'm running
> pf and believe I have things correct, I'm allowing ports UDP 5060 and
> 5061, as well as for rtp UDP 10000 to 20000 through. I'm running this
> on a vps with a public IP, it is not natted. My local connection to
> the internet is behind a natted cable modem. I can connect via soft
> phone to the asterisk sip server, says account ready. Everything works
> except audio. I believe I'm having a nat issue as the connecting
:
:
:
> Suggestions welcome.

I had a similar issue today.
Mine was suspected to be NAT too, but turned out to be a source selection
problem of the RTP socket.
The solution came from:
https://community.asterisk.org/t/pjsip-no-audo-port-unreachable/79482
(haven't read the whole thread/problem description, but these are the
originally well formatted finalizing lines:
  So I tried adding to the endpoint config:
  media_address=10.0.0.202
  bind_rtp_to_media_address=yes
)

The last time I checked asterisk's SIP configuration was a decade ago,
for chan_sip.
Today, there are many copy'n'paste templates out there - more or less
correct and more or less outdated - but all of them almost completely
lack any documentation/description/defaults.
I'd like to share what I collected so far for the pjsip module to set up
an outbound registration and RTP peering with asterisk 18, with details
for the SIP-trunk of Deutsche Telekom.
Hopefully one or the other comment helps fellows find out the
right thing to do.
It might look confusing at first sight, but I think there's no single
superfluous word and hopefully nothing missing as well... You're welcome to
add blank lines yourself for better reading, but order/blocks should
reflect dependencies/relations.

; pjsip-registrations.conf
;
; To be included by pjsip.conf.
; This separate config file is used to define REGISTER relevant sections
; describing 3rd party telco peers (DeutschlandLAN SIP-Trunk by Telekom).
; For easier maintenance, we also define the corresponding endpoint(s) here!
;
; Created based on Asterisk 18 available documentation and 1TR118, published by
; Telekom Deutschland GmbH (https://www.telekom.de/hilfe/downloads/1tr118.pdf).
; Any non-self-explaining parameters are documented, hence it doesn't look
; too user friendly, but it is if you want/need to adjust!
;
; see xten/globalvars.conf for the following variables:
    ;internationalPrefix=+
    ;localCountryCode=49
    ;nationalPrefix=0
    ;localAreaCode=89
    ;telcolink1=SIP/telekom_trunk10SITE1
    ;PSTNpnTrunk1=181 (pilot number only)
    ;and $idpfxTelco1 to match 'contact_user'.

;------ TRANSPORTS for PSTN/remote peers ------
[NATv4plain_tcp]
  type=transport
  protocol=tcp  ;udp,tcp,tls,ws,wss,flow
  bind=192.0.2.140 ;${nativeIPv4address}
  local_net=192.0.2.0/24
  local_net=127.0.0.1/32
  external_media_address=198.51.100.5 ;${publicIPv4address}
  external_signaling_address=198.51.100.5 ;${publicIPv4address}

;
; REGISTER
;
[telcolink1]
  type=registration
  transport=NATv4plain_tcp     ;match your arbitrary (but suitable) definition
  server_uri=sip:sip-trunk.telekom.de ;(sip:sip-trunk.telekom.de:5060)
  outbound_auth=telcolink1_181trunk10    ;match your arbitrary definition
      auth_rejection_permanent=no ;non-critical    (default=yes)
      max_retries=5          ;non-critical    (default=10)
      retry_interval=45          ;non-critical    (default=60)
      forbidden_retry_interval=90 ;non-critical    (default=0)
      expiration=120 ;(480=t-online, 120=telekom, default=3600)
  outbound_proxy=sip:reg.sip-trunk.telekom.de ;    provider dependent _URI_!
  ;_client_uri_:
  ; Both header fields "From:" and "To:" of the REGISTER message are composed
  ; from the 'client_uri' variable.
  ; According to 1TR118, for the (NGN) SIP-trunk, one of the routable and
  ; customer specific provisioned E.164 prefix numbers (number blocks,
  ; pilot number) must be used (${internationalPrefix}${localAreaCode}${PSTNpn})
  client_uri=sip:+492...@sip-trunk.telekom.de ;not appending port (:5060)
  ;_contact_user_:
  ;  The "Contact:" header field of REGISTER messages is composed of its value.
  ; RFC 3261 specifies that a FQDN@ part is to be used, while RFC 6140 requires
  ; an IP socket to be defined (Contact:sip:164.168.138.1:5060;bnc e.g.).
  ;  pjsip appends @IPboundto:5060,;transport=${TRANSPORT->protocol} to
  ; 'contact_user'.  There is currently no possibility to define the complete
  ; "Contact:" header field, so RFC 6140 is not supported as of asterisk 18.
  ; IMPORTANT: Telekom (SIP-Trunk) respects the "Contact:" header sent within
  ;    our registration message.  What we define with 'contact_user' will be
  ;    used for all provider initiated messages, like INVITE messages.
  contact_user=+49228181    ;To be set according to idpfxTelcoN definition
                ;(in xten/globalvars.conf)!!!
  line=yes    ; Telekom supports line parameter in the Contact: header field
  endpoint=telekom_trunk10SITE1    ;This defines the endpoint to use for messages
                ;containing the negotiated line parameter for
                ;our registration


;
; authentication object(s)
;
[telcolink1_181trunk10]
  type=auth
  auth_type=userpass    ;md5 unavailable (handle_client_registration(void *)):
            ;     Failed to set initial authentication credentials
            ;Take care of file permissions!
  username=550123456789
  password=hgfedcba
  realm=sip-trunk.telekom.de


;
; endpoint (B2BUA to telco provider - receiving calls)
;
[telekom_trunk10SITE1] ; 0228-181 0-9 Telekom DeutschlandLAN SIP-Trunk
  type=endpoint
  aors=telekom_trunk10SITE1 ;where to look whom to send outgoing calls to
  context=pstn_incoming      ;where to look for incoming calls
  identify_by=header,ip    ;this is fallback order for identify sections only,
            ;we define line/endpoint during registration!
  allow_unauthenticated_options=yes    ;RFC 3261 requires OPTIONS to be handled
                    ;like INVITE (default=no)
  allow_subscribe=yes
  allow=!all,g722,g726,alaw    ;NGN SIP-Trunk consistently uses g722 as of 2021
  dtmf_mode=auto ;(default=rfc4733) SIP INFO is unsupported with NGN SIP-Trunk,
         ;auto uses INBAND if rfc4733 fails (auto_info was valid too)
  outbound_auth=telcolink1_181trunk10    ;match your arbitrary definition
  outbound_proxy=sip:reg.sip-trunk.telekom.de    ;provider dependent _URI_!
  timers=no        ;Session timers for SIP packets (default=yes)
  ;force_rport=yes    ;Force use of return port (default=yes)
  ;ice_support=no    ;no NAT traversal help needed, see 1TR118 (default=no)
  ; --- NAT specific endpoint settings (NGN/SIP-Trunk) -------------------------
  rewrite_contact=yes    ;(default=no) sdp contact fields become (transport)
            ; external_media_address, header contact field becomes
            ; external_signaling_address (as defined in transport).
  disable_direct_media_on_nat=yes ;no direct_media session refreshes (default=no)
  ; ----------------------------------------------------------------------------
  ;direct_media=no    ;default=yes, we do disable direct_media_on_nat, keep
            ; allowed for non-NAT (IPv6).
  ;rtp_symmetric=yes    ;ignore c= and m= of sdp, send media back to source IP.
            ;Recommended for dynamic IPv4 and NAT environments.
            ;Not necessary if external_media_address matches static
            ;IPv4 and rewrite_contact=yes
  rtp_keepalive=15    ;seconds between RTP comfort noise keepalive packets
  rtp_timeout=30    ;terminate call if no RTP (while off hold) is exceeded
  rtp_timeout_hold=7200    ;allowed time for calls on hold before terminating
  ; all RTP timeout values above are '0' by default (no timeout)
  ignore_183_without_sdp=yes    ;cosmetic (default=no)
  sdp_session=OmniPBX (pjsip-ast18)
  ;.------ Special tuning, needed only for FreeBSD jails without vimage -------.
  ; If peer receives no media and 'rtp set debug on' reveals negative length for
  ; correct IP in "Sent RTP packet to", you want these two lines:
  media_address=192.0.2.140    ;specify the (source) IP of the interface to be
  bind_rtp_to_media_address=yes    ;used for RTP (pre-NAT) and tie socket to it.
  ; '----- (rtp media transmitted on wrong interface) -------------------------'
  asymmetric_rtp_codec=yes    ;TO BE OBSERVED: Differing codecs for receiving
                ;and sending media shouldn't cause any problems.
  ;send_pai=no ;default=no, we add PPI using dialplan function PJSIP_HEADER()
  from_user=+492281810    ;always append 0 to pilot number
  from_domain=site1.example.org    ;will be replaced by NGN (@telekom.de)
  contact_user=+49228181    ;To be set according to idpfxTelcoN definition
                                ;(in xten/globalvars.conf)!!!
  language=de ;which IVR subdirectories to use e.g.


;
; Address of Records, the location information(s) for endpoints to use outbound
;
[telekom_trunk10SITE1]    ;name must match the endpoint's aors= above
  type=aor
  outbound_proxy=sip:reg.sip-trunk.telekom.de ;used for sending OPTIONS request
  ;_contact_:
  ; Permanent contacts assigned to AoR (endpoints use this location(s) URI(s) to
  ; send calls to).
  contact=sip:+492...@sip-trunk.telekom.de ;consistent with contact_user
  default_expiration=600    ;default=3600
  qualify_frequency=180        ;default=0


;
; Identify (endpoint selection criteria for inbound requests)
;
[telekom_trunk10SITE1]
  type=identify
  ;srv_lookups=no ;lookup _sip._udp, _sip._tcp, and _sips._tcp (defaults to yes)
  ;match=reg.sip-trunk.telekom.de ;IP or hostname (example:'[2001:db8:0::1]:5060')
  match_header=To: /181.*@sip-trunk.telekom.de/ ;/.../ means regex
  endpoint=telekom_trunk10SITE1    ;match your arbitrary definition
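Added example, not code from either post: a small Python linter for the pjsip.conf template syntax used in both configurations in this thread. It flags lines that are neither a section header, a comment nor key=value (what a mail client's line wrapping leaves behind when a config is pasted), and it flags aors=, auth=, outbound_auth=, transport= and endpoint= values that name no section of the required type, a mismatch Asterisk only reports at load or registration time. It assumes that ';' always starts a comment (a simplification of Asterisk's config grammar); SAMPLE is a constructed input, not either poster's file.

```python
import re
SECTION_RE = re.compile(r'^\[([^\]]+)\](?:\(([^)]*)\))?$')
# option -> type of section its value must name (the references the thread's configs rely on)
REFS = {'aors': 'aor', 'auth': 'auth', 'outbound_auth': 'auth',
        'transport': 'transport', 'endpoint': 'endpoint'}

def parse_pjsip(text):
    """Return (sections, errors); template options are merged in. Simplification: ';' starts a comment."""
    sections, templates, errors, cur = [], {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split(';', 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                                   # [name], [name](!) or [name](tmpl,...)
            name, parent, cur = m.group(1), m.group(2), {}
            if parent == '!':
                templates[name] = cur           # a template, not a real section
            else:
                for t in (parent or '').split(','):
                    cur.update(templates.get(t.strip(), {}))
                sections.append((name, cur))
            continue
        if cur is None or '=' not in line:      # e.g. a comment line wrapped by a mail client
            errors.append(f'line {n}: not a section header or key=value: {raw.strip()!r}')
            continue
        key, value = (s.strip() for s in line.split('=', 1))
        cur[key] = value
    return sections, errors

def lint(text):
    """Stray lines plus options that name a section (of the required type) which does not exist."""
    sections, errors = parse_pjsip(text)
    defined = {(opts.get('type'), name) for name, opts in sections}
    for name, opts in sections:
        for key, want in REFS.items():
            if key in opts and (want, opts[key]) not in defined:
                errors.append(f'[{name}] {key}={opts[key]} names no {want} section')
    return errors
# Constructed sample: one mail-wrapped comment and two dangling references.
SAMPLE = """\
[aor_dynamic](!)
type=aor
[trunk](aor_dynamic)
[telekom]
type=endpoint
transport=udp-plain ;match your arbitrary (but suitable)
definition
aors=telekom
"""
```

Run `lint(open('pjsip.conf').read())` against a pasted config before reloading res_pjsip; an empty list means every section reference resolves.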
