Can not register to embedded Asterisk from Web (from LAN ok)

wilsonhlacerda
Posts: 20
Joined: Mon Mar 08, 2010 5:47 pm

Can not register to embedded Asterisk from Web (from LAN ok)

Post by wilsonhlacerda »

Hi all!

First of all thanks to all Gargoyle developers! Ten days using it and just fantastic! (previously using DD-WRT for 2 years)

But unfortunately sometimes we have problems....

I've spent some hours in the last days on Google and OpenWrt/Gargoyle forums Search, but no success till now.
Any help on this is greatly appreciated! Below you can find all details.

Problem: can not register SIP softphone/device from web (WAN). I only get timeout. Same softphone/device works 100% ok when within LAN.

Environment:
Fonera is main router and also the Asterisk server:
- Gargoyle v1.1.7
- embedded Asterisk v1.4.23.1 (asterisk14-mini package installed via opkg)
Fonera is plugged to a cable modem (WebSTAR DPC2100R2)
Dynamic IP
Fonera DDNS is pointing to xxxx.no-ip.org
PC/ATA/smartphone on LAN via WiFi to Fonera/Asterisk
Asterisk registered ok to some SIP providers.

Fonera Firewall:
UDP 4569 forwarded to 192.168.1.1
UDP 5036 forwarded to 192.168.1.1
UDP 3478 forwarded to 192.168.1.1
UDP 8000~8050 forwarded to 192.168.1.1 (all SIP clients are set to use 8000~8050 RTP)
UDP/TCP 5060~5065 forwarded to 192.168.1.1 (all SIP clients are set to use 5060~5065 SIP)
(also tried DMZ to 192.168.1.1 but did not help)

asterisk.conf
[options]
languageprefix = yes
systemname = xxxx.no-ip.org

rtp.conf
[general]
rtpstart=8000
rtpend=8050

sip.conf
[general]
context=XXXX
externhost=xxxx.no-ip.org
externrefresh=60
localnet=192.168.1.0/255.255.255.0
port=5060
bindaddr=0.0.0.0
useragent=xxxx.no-ip.org
realm=xxxx.no-ip.org
srvlookup=yes
defaultexpiry=1800
nat=yes
canreinvite=no
qualify=yes
insecure=port,invite
disallow=all
allow=ulaw
allow=gsm
dtmfmode=auto
rtptimeout=120
rtpholdtimeout=300

[500]
type=friend
context=YYYY
username=500
secret=xxxxx
callerid=("Wilson Cel" <500>)
host=dynamic

SIP clients on LAN:
eyeBeam, ATA and Nokia smartphone can register to Asterisk with no problem.
All are configured to register to xxxx.no-ip.org (not to LAN IP 192.168.1.1)
Can call and receive calls ok. Even no audio problems.

SIP clients from Web:
eyeBeam and Nokia smartphone can not even register to Asterisk. Only gets timeout.
All of them are configured to register to xxxx.no-ip.org
Have tried with and without STUN server configured on them.

In Fonera, if I don't forward ports and/or don't DMZ 192.168.1.1 registration is refused almost instantly. So when forwarding and/or DMZing seems some communication is started between clients/Fonera because it takes almost a minute to get timeout.

Just as additional info: all SIP clients can register and work fine with other hosted SIP PBXs (SipSorcery, Voxalot, PBXes), so it is not restrictions on clients' LAN/WAN. Problem for sure is in my Gargoyle+Asterisk.


Any tips?
Can you register your SIP clients to your embedded Asterisk? If so, how are your Asterisk conf files? How is your Gargoyle firewall config?

Thanks in advance!

wilsonhlacerda
Posts: 20
Joined: Mon Mar 08, 2010 5:47 pm

Re: Can not register to embedded Asterisk from Web (from LAN ok)

Post by wilsonhlacerda »

Solved! But.....I think I found a bug in Gargoyle/OpenWrt!
Is REDIRECT broken????


As written above I forward all ports using Gargoyle GUI.
If I go to \etc\config\firewall I can see REDIRECTs like this one:

config 'redirect' 'redirect_enabled_number_1'
option 'name' 'SIP'
option 'src' 'wan'
option 'dest' 'lan'
option 'proto' 'udp'
option 'src_dport' '5060-5065'
option 'dest_port' '5060-5065'
option 'dest_ip' '192.168.1.1'


This is expected to:
1- WAN accept inbound on ports 5060~5065
2- forward everything to LAN 192.168.1.1 ports 5060~5065

But sure this is not happening, otherwise Asterisk could register the SIP clients.

So I just added to \etc\config\firewall RULEs like this:

config 'rule'
option 'src' 'wan'
option 'proto' 'udp'
option 'dest_port' '5060-5065'
option 'target' 'ACCEPT'

And bingo! Everything works just perfect!

So....seems that Gargoyle/OpenWrt REDIRECT itself is not enabling WAN inbound. We do have to explicitly ACCEPT inbound on desired port ranges. In my point of view this is clearly a bug in the firewall.

And for my specific case, as I ended up having to add the RULEs, I then just deleted the port forwards. 'Cause with the RULEs now Asterisk can interface to the outside directly through WAN side.

Hope this can help other people running Asterisk or other kind of server in the router.

And also help developers in fixing this REDIRECT bug.

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: Can not register to embedded Asterisk from Web (from LAN ok)

Post by Eric »

I just tested port range forwarding and it seems to work fine. Are you sure your problem isn't with the rest of your setup?

wilsonhlacerda
Posts: 20
Joined: Mon Mar 08, 2010 5:47 pm

Re: Can not register to embedded Asterisk from Web (from LAN ok)

Post by wilsonhlacerda »

Completely sure. 100%.

If I add the rule to accept inbound wan traffic (see solution above) everything works fine. (and thus can even delete forwards from wan to 192.168.1.1)

If I only delete the RULE (that is...firewall only configured like I wrote in first post) Asterisk is not reachable from outside.

So my conclusion is: just like we have to explicitly configure to accept WAN http, https and ssh, we do have to explicitly accept WAN SIP (and others) when a server is running in the router. If we just forward ports to LAN 192.168.1.1 it does not work. (Seems forward is ok for other LAN IPs, but not for the gateway itself.)

wilsonhlacerda
Posts: 20
Joined: Mon Mar 08, 2010 5:47 pm

Re: Can not register to embedded Asterisk from Web (from LAN ok)

Post by wilsonhlacerda »

Hi Eric, please check post #4 #5 #6 of this thread:
https://forum.openwrt.org/viewtopic.php?id=23860

Maybe it is a good idea to add r19761 to Gargoyle default images. That way Gargoyle itself will be fixed (despite standard OpenWrt 8.09.2 not).

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: Can not register to embedded Asterisk from Web (from LAN ok)

Post by Eric »

That changeset has nothing to do with your problem.

Your problem is that you're trying to use Gargoyle's port forwarding capabilities to forward to a port on the router itself. Gargoyle was not designed to allow this. Your best bet is to just continue using your custom rule which you list above.
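
Added example (not part of the thread, and not Gargoyle or OpenWrt code): a shell check for the situation the thread ends on, a wan redirect whose dest_ip is the router itself with no wan ACCEPT rule for the same protocol and ports. The function name, the sample helpers, and treating a rule without 'proto' as covering both tcp and udp are assumptions of this example; the sample input is the redirect and rule quoted above.

```sh
#!/bin/sh
# Added example (not Gargoyle/OpenWrt code). Reads a UCI firewall config on stdin
# and prints the name of every wan redirect that targets the router's own address
# ($1) without a wan input ACCEPT rule covering the same protocol and ports.
unreachable_self_redirects() {
    awk -v self="$1" -v q="'" '
    function lo(r) { split(r, p, "-"); return p[1] + 0 }
    function hi(r) { n = split(r, p, "-"); return p[n] + 0 }
    function flush() {
        if (type == "redirect" && o["src"] == "wan" && o["dest_ip"] == self) {
            nred++; rname[nred] = o["name"]
            rproto[nred] = o["proto"]; rport[nred] = o["dest_port"]
        }
        # A rule with src but no dest applies to traffic addressed to the router.
        if (type == "rule" && o["src"] == "wan" && o["target"] == "ACCEPT" && o["dest"] == "") {
            # Assumption: a rule without proto covers both tcp and udp.
            nacc++; aproto[nacc] = (o["proto"] == "" ? "tcpudp" : o["proto"])
            aport[nacc] = o["dest_port"]
        }
        split("", o)
    }
    { gsub(q, "") }                      # strip the quotes UCI puts around tokens
    $1 == "config" { flush(); type = $2 }
    $1 == "option" { o[$2] = $3 }
    END {
        flush()
        for (i = 1; i <= nred; i++) {
            ok = 0
            for (j = 1; j <= nacc; j++)
                if ((aproto[j] == rproto[i] || aproto[j] == "tcpudp" || aproto[j] == "all") &&
                    (aport[j] == "" || (lo(aport[j]) <= lo(rport[i]) && hi(aport[j]) >= hi(rport[i]))))
                    ok = 1
            if (!ok) print rname[i]
        }
    }'
}

# Sample input: the redirect and the rule quoted in the thread.
sample_redirect() {
    printf "%s\n" "config 'redirect' 'redirect_enabled_number_1'" "option 'name' 'SIP'" \
        "option 'src' 'wan'" "option 'dest' 'lan'" "option 'proto' 'udp'" \
        "option 'src_dport' '5060-5065'" "option 'dest_port' '5060-5065'" \
        "option 'dest_ip' '192.168.1.1'"
}
sample_rule() {
    printf "%s\n" "config 'rule'" "option 'src' 'wan'" "option 'proto' 'udp'" \
        "option 'dest_port' '5060-5065'" "option 'target' 'ACCEPT'"
}

sample_redirect | unreachable_self_redirects 192.168.1.1
```

Every name it prints is a service on the router that the redirect alone does not expose; an ACCEPT rule added to fix that opens the port range to any WAN source, so keep the range as narrow as the service needs.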
