Extension behind NAT

Status
Not open for further replies.

Jeroen Hermans

Hi all,

I know I am missing something trivial here. I have read a lot about NAT and I do not seem to get this right.
I have a system running:
phone--->NAT router--->internet--->fusionPBX (without NAT)--->trunk provider (no NAT)

Now, when I make a call with my phone, I see the following in the SIP packets (heavily redacted):
INVITE sip:0031xxxxxx@tenant.voip.domain.nl:5080 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.50:5064;branch=z9hG4bK1173805850;rport
From: <sip:202@tenant.voip.domain.nl:5080>;tag=712368681
To: <sip:0031xxxxxxxxxxx@tenant.voip.domain.nl:5080>
Contact: <sip:202@192.168.1.50:5064>
User-Agent: Grandstream GXP2130 1.0.8.47

Obviously the Via and Contact contain the NAT address of my phone (and not the public address of the NAT router). The result is that the RTP stream is sent to the address 192.168.1.50 which, of course, ends up nowhere...

The weird thing is: SOMEtimes the calls DO get through and the public IP of the NAT router of the extension is used.

What am I doing wrong here? Please mind: FusionPBX is NOT behind NAT... the (remote) phone is.
Thank you very much in advance.
Regards,

Jeroen
 

Adrian Fretwell

Don't have any knowledge of Grandstream, but if those phones are similar in configuration to Yealink there should be some settings around NAT Traversal. I tend to use a STUN server; there are a few publicly available ones on the internet. With STUN enabled the Yealink phones correctly set the Contact headers and the IN IP4 in the SDP body.

In the Internal SIP profile there are also some NAT settings to allow FreeSwitch to "Fix" some NAT problems, I believe they are normally defaulted true.
 

DigitalDaz

The first thing to check is that there is no SIP ALG enabled on the router, Freeswitch. What does the SDP of the INVITE look like?
 

Jeroen Hermans

Ok, time to post a bit more information:
Trunk provider: 1.1.1.1
My PBX's IP: 2.2.2.2
My phone's public IP: 3.3.3.3
My phone's private IP: 10.1.2.58

I hope that, using this information and the attached trace, someone can help me with this problem.
Regards!
 

Attachments

  • packettrace.txt

Jeroen Hermans

After a new inspection I found that the two calls were not THAT identical. A diff identified this:
< m=audio 16390 RTP/AVP 8 101
---
> m=audio 26878 RTP/AVP 8 101

And my firewall (from the Asterisk era) is allowing UDP for ports 10000-20000. Thanks for letting me explain it to you so I understood it myself :)
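
As an added example (not part of the thread and not FusionPBX code), this Python sketch checks a SIP message for the two problems discussed up to this point: LAN addresses in Via, Contact and the SDP c= line, and an m=audio port outside the firewall's 10000-20000 UDP range. The function names and the SDP body of the sample INVITE are constructed for illustration; only the headers and the two port numbers come from the posts above.

```python
import ipaddress
import re

ALLOWED_RTP = range(10000, 20001)   # firewall rule quoted in the thread: UDP 10000-20000
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_private(host):
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:              # e.g. 999.1.1.1 matched by the loose regex
        return False


def audit_sip(message, allowed=ALLOWED_RTP):
    """Return findings for one SIP message: LAN addresses and blocked RTP ports."""
    findings = []
    head, _, sdp = message.replace("\r\n", "\n").partition("\n\n")
    for line in head.split("\n")[1:]:                 # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "contact"):
            findings += [f"{name.strip()}: private address {h}"
                         for h in IPV4.findall(value) if is_private(h)]
    for line in sdp.split("\n"):
        fields = line.strip().split()
        if line.startswith("c=") and len(fields) >= 3 and is_private(fields[2]):
            findings.append(f"SDP c=: private address {fields[2]}")
        elif line.startswith("m=audio") and len(fields) >= 2 and fields[1].isdigit():
            if int(fields[1]) not in allowed:
                findings.append(f"SDP m=audio: port {fields[1]} outside "
                                f"{allowed.start}-{allowed.stop - 1}")
    return findings


def sample_invite(rtp_port):
    """Constructed INVITE: headers from the first post, SDP body made up for the demo."""
    return "\r\n".join([
        "INVITE sip:0031xxxxxx@tenant.voip.domain.nl:5080 SIP/2.0",
        "Via: SIP/2.0/UDP 192.168.1.50:5064;branch=z9hG4bK1173805850;rport",
        "Contact: <sip:202@192.168.1.50:5064>",
        "Content-Type: application/sdp",
        "",
        "v=0",
        "c=IN IP4 192.168.1.50",
        f"m=audio {rtp_port} RTP/AVP 8 101",
    ])


if __name__ == "__main__":
    for port in (16390, 26878):     # the two m=audio ports from the diff in the thread
        print(port, audit_sip(sample_invite(rtp_port=port)))
```

Run over each INVITE and 200 OK in a capture, a check like this separates the intermittent failures caused by the firewall range from those caused by addressing.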
 

Matthew Main

The first thing to check is that there is no SIP ALG enabled on the router, Freeswitch. What does the SDP of the INVITE look like?
Interesting you say this DigiDaz, I can only get most handsets to work correctly with ALG enabled. If ALG is off I need to hole punch and assign ports and I still get NAT registration; with ALG on I have very little in the way of issues.

I know A******* is an ALG aware service so having two SIP helpers trying to do the same job is a nightmare, but I was under the impression that Freeswitch does not have a NAT helper in it.

Can you shed some more light please if I have this wrong :)
 

DigitalDaz

Freeswitch is excellent at breaking through NAT, I can assure you that 99% of times ALG will cause a problem.

The key is usually never port forward/punch holes through anything.

Simply enabling rport on the phones in most cases will fix it as long as ALG is disabled.
 

Matthew Main

Brill, will test that. But I only enable rport on Cisco devices; all the Snom and Gigaset gear I work with works well with ALG on and basic config (not punching holes).
 

swaypc

We had a lot of issues with NAT and Cisco phones; the only way we were able to make it work was assigning a different VoIP control port for each of the Cisco phones behind NAT, for example, 5061, 5062 and so on. I hope this helps you. Definitely SIP ALG disabled will cause fewer issues. MikroTik routers are very good for VoIP and QoS and inexpensive but hard to configure sometimes.
 

smn

SIP ALG seems to be getting better with newer firmware/hardware. I have a couple of brands of routers that seem to work OK with SIP ALG enabled with recent firmware. Generally you still want to avoid it.

Using a port other than 5060 is one way to get around SIP ALG without having to disable it and wait for the router to reload or whatever. I think most routers only trigger SIP ALG on outbound port 5060/5061.
 

Scubadave112

@smn I had a NAT issue recently and the phone would not register. So I manually configured the phones to use 5080 and now everything seems to work except BLF. Any advice? I make a call from the phone and put that call on park and there is no BLF light, but I can still pick up the parked call, as can everyone else, but no one has any lights.
 

robvandenbulk

1593117931706.png
INBOUND Route FusionPBX, SET BLF, SET CallerID, CHANGE pbx000.combivoip.lan in YOUR DOMAIN FUSION PBX

I hope it works for you

Greetings
 

Scubadave112

View attachment 1592
INBOUND Route FusionPBX, SET BLF, SET CallerID, CHANGE pbx000.combivoip.lan in YOUR DOMAIN FUSION PBX

I hope it works for you

Greetings

Hey Rob,

I apologize but I am still confused

INBOUND Route FusionPBX > are you saying to create a new inbound route in fusionpbx and if so what would my destination number be?
SET BLF > In your screenshot/example I do not see that you set BLF

Set CallerID and presence ID I get but do I basically add everything you have in your screenshot?

There is already a default dialplan in Fusion for "Valet_Park" can I just add the "Set presence ID" in there somewhere, and if so where should I add this?

Sorry for the confusion I am still new to fusion and learning
 

Scubadave112

If you REG on 5080 it's a TRUNK (external) sofia
Try INCOMING route

I appreciate the response but that, unfortunately, doesn't clarify things.

I get that I registered on 5080 so it is external however you said to create an INCOMING route and emphasized the word incoming, but all I see are inbound routes and I am confident that is what you meant, however, it doesn't make sense where I would add such things there.

I see your previous logic of creating a dial plan to match the conditions of when a user places someone on park, but I am uncertain of how to execute it and confused about how it would work completely, for example, the Set BLF action or what happens when someone picks the parked call up: do I need to set up another dial plan to set the BLF again for that?

I feel like a much easier resolution would be to find a way to use an additional port for internal IPv4. FusionPBX says to forward ports 5060-5090. I see where 5060-61 and 5080-81 are used, but let's say I want to use 5070: can I tell Fusion to listen on that port for an internal profile?
 