VoIP Mailing List Archives
Mailing list archives for the VoIP community
[asterisk-users] Dead Air on PF firewall


 
nocph at aol.com
Posted: Sun Mar 09, 2008 6:00 pm    Post subject: [asterisk-users] Dead Air on PF firewall

Hi All,

I have an Asterisk box on my DMZ, and I'm using PF for my firewall. I
can make a call, but for some reason I have dead air.

Any ideas? Below are my rules...

ext_if = "bce0"
int_if = "bce1"
altitude = "172.16.1.0/24"

#### machines ####
vbox = "172.16.1.1"
uci = "172.16.1.4"
voices = "203.172.x.1"
ipc = "203.172.x.2"

#### default deny ####
set block-policy return
set loginterface $ext_if
set skip on lo
scrub in

#### nat ####
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat on $ext_if inet proto { udp tcp } from $vbox to any port 5060 -> $ext_if port 5060
nat on $ext_if inet proto tcp from $uci to any port 1500 -> $ext_if port 1500
rdr on $ext_if proto { udp tcp } from any to $ext_if port 5060 -> $vbox port 5060
rdr on $ext_if proto udp from any to $ext_if port 5100 -> $vbox port 5100

#### filtering section ####
# note: the macro needs the $; a bare "ext_if" would name a non-existent interface
pass out on { $int_if, $ext_if } inet proto { udp tcp } from $altitude to any
pass in on $ext_if inet proto { tcp udp } from $ipc to any port 5060
pass in on $ext_if inet proto tcp from $ipc to any port 1500 flags S/SA keep state
pass in on bce0 proto tcp from $ipc to any port ssh flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick on bce1

g.stewart at horwits.c...
Posted: Mon Mar 10, 2008 6:59 am    Post subject: [asterisk-users] Dead Air on PF firewall

On Mon, 10 Mar 2008 07:00:17 +0800, NOC ph <nocph at aol.com> wrote:

Quote:
I have an Asterisk box on my DMZ, and I'm using PF for my firewall. I
can make a call, but for some reason I have dead air.

Judging by the fact that you're port-forwarding port 5060, I'm guessing that
you're using SIP with the outside. This also means that you need to allow
the RTP stream through your NAT FW. Port 5060 only carries the signalling;
the audio is carried by the RTP stream, which is why you're getting no
audio.

Google will probably let you know which UDP ports your appliances are using
for the RTP stream. General help that you'll be able to refine WRT the
specifics of your setup is available here:

http://www.google.com/search?q=asterisk+%22no+audio%22

--
Godwin Stewart - Horwich IT services

michiel at vanbaak.info
Posted: Mon Mar 10, 2008 7:20 am    Post subject: [asterisk-users] Dead Air on PF firewall

On 07:00, Mon 10 Mar 08, NOC ph wrote:
Quote:
Hi All,

I have an Asterisk box on my DMZ, and I'm using PF for my firewall. I
can make a call, but for some reason I have dead air.

Any ideas? Below are my rules...

ext_if = "bce0"
int_if = "bce1"
altitude = "172.16.1.0/24"

#### machines ####
vbox = "172.16.1.1"
uci = "172.16.1.4"
voices = "203.172.x.1"
ipc = "203.172.x.2"

#### default deny ####
set block-policy return
set loginterface $ext_if
set skip on lo
scrub in

#### nat ####
nat on $ext_if from !($ext_if) -> ($ext_if:0)

Quote:
nat on $ext_if inet proto { udp tcp } from $vbox to any port 5060 -> $ext_if port 5060
nat on $ext_if inet proto tcp from $uci to any port 1500 -> $ext_if port 1500

Why those two rules? The first nat rule already takes care
of that.

Quote:
rdr on $ext_if proto { udp tcp } from any to $ext_if port 5060 -> $vbox port 5060
rdr on $ext_if proto udp from any to $ext_if port 5100 -> $vbox port 5100

You have to forward the RTP ports as well:
rdr on $ext_if proto udp from any to $ext_if port 10000:20000 -> $vbox

Quote:

#### filtering section ####
pass out on { $int_if, $ext_if } inet proto { udp tcp } from $altitude to any
pass in on $ext_if inet proto { tcp udp } from $ipc to any port 5060
pass in on $ext_if inet proto tcp from $ipc to any port 1500 flags S/SA keep state

And you should allow the RTP ports as well:
pass in on $ext_if inet proto udp from any to any port 10000:20000 keep state

Quote:
pass in on bce0 proto tcp from $ipc to any port ssh flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick on bce1


For reference, here are my pf rules for my internal pbx:

##########
# Macros #
##########
ext_if = "rl0"
ext_ip = "82.95.XXX.XXX"
int_if = "wb0"
int_net = "192.168.2.0/24"
voip_server = "192.168.2.4"
voip_ports = "{ 4569, 5060, 10000:20000 }"

####################################
# NAT rules: "rdr", "nat", "binat" #
####################################
nat on $ext_if from $int_if:network to any -> $ext_ip
# asterisk server
rdr on $ext_if proto udp from any to any port $voip_ports -> $voip_server

#############
# Filtering #
#############
# voip always goes in the priority class
# (q_pri is an altq queue defined elsewhere in this ruleset, not shown here)
pass out quick on $ext_if inet proto udp from any to any port $voip_ports keep state queue q_pri
pass in quick on $ext_if inet proto udp from any to any port $voip_ports keep state queue q_pri

Also, make sure in asterisk sip.conf you have the externip
and localnet config parameters set.

--

Michiel van Baak
michiel at vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"
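The two points in this reply (the RTP range must be both redirected and passed, and the SDP must advertise the public externip rather than the DMZ address) can be checked mechanically. The following Python script is an added example, not code from the thread; the pf fragment and SDP bodies are constructed, and it assumes Asterisk's 10000:20000 RTP range from the thread and RTCP on port+1.

```python
import re
import ipaddress

# Constructed pf.conf fragment modelled on the rules in this thread (not the poster's file).
PF_CONF = '''
ext_if = "bce0"
vbox1 = "172.16.1.2"
rdr on $ext_if proto { udp tcp } from any to $ext_if port 5060 -> $vbox1
rdr on $ext_if proto udp from any to $ext_if port 10000:20000 -> $vbox1
pass in on $ext_if inet proto udp from any to any port 10000:20000 keep state
'''

# Constructed SDP bodies: one advertising the public externip, one leaking the DMZ address.
SDP_PUBLIC = "v=0\r\nc=IN IP4 203.172.25.11\r\nm=audio 10732 RTP/AVP 0 8\r\n"
SDP_PRIVATE = "v=0\r\nc=IN IP4 172.16.1.2\r\nm=audio 10732 RTP/AVP 0 8\r\n"

def expand_macros(conf):
    """Substitute $name references using the name = "value" macro lines."""
    macros = dict(re.findall(r'^(\w+)\s*=\s*"([^"]*)"', conf, re.M))
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), conf)

def udp_port_ranges(conf, kind):
    """(lo, hi) destination port ranges of UDP rules beginning with kind ('rdr' or 'pass in')."""
    ranges = []
    for line in expand_macros(conf).splitlines():
        line = line.strip()
        if line.startswith(kind) and 'udp' in line:
            m = re.search(r'port\s+(\d+)(?::(\d+))?', line)
            if m:
                lo = int(m.group(1))
                ranges.append((lo, int(m.group(2) or lo)))
    return ranges

def rtp_covered(conf, sdp):
    """Per m= line: True if RTP (port) and RTCP (port + 1) match both a rdr and a pass in rule."""
    rdr, pas = udp_port_ranges(conf, 'rdr'), udp_port_ranges(conf, 'pass in')
    def hit(p, rs): return any(lo <= p <= hi for lo, hi in rs)
    result = {}
    for media, port in re.findall(r'^m=(\w+)\s+(\d+)', sdp, re.M):
        port = int(port)
        result[media] = all(hit(p, rdr) and hit(p, pas) for p in (port, port + 1))
    return result

def leaks_private_addr(sdp):
    """True if c= carries an RFC 1918 address, i.e. externip/localnet are not taking effect."""
    m = re.search(r'^c=IN IP4 (\S+)', sdp, re.M)
    return bool(m) and ipaddress.ip_address(m.group(1)).is_private
```

Run rtp_covered() against the SDP from a captured INVITE or 200 OK to see whether the negotiated media port falls outside the forwarded range, and leaks_private_addr() to spot the case where the firewall is fine but the SDP still advertises the DMZ address.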

nocph at aol.com
Posted: Tue Mar 11, 2008 4:31 am    Post subject: [asterisk-users] Dead Air on PF firewall

Hi Mich,

I added the following line for the RTP; it's still the same. I can hear
ringing but no voice when the call is answered from the other side. Any more ideas?

ext_if = "bce0"
int_if = "bce1"
altitude = "172.16.1.0/24"

#### machines ####
vbox = "172.16.1.1"
vbox1 = "172.16.1.2"
uci = "172.16.1.4"
voices = "203.172.x.x"
ipc = "203.172.x.x"

#### default deny ####
set block-policy return
set loginterface $ext_if
set skip on lo
scrub in

#### nat ####
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr on $ext_if proto { udp tcp } from any to $ext_if port 5060 -> $vbox1
rdr on $ext_if proto { udp tcp } from any to $ext_if port 10000:20000 -> $vbox1
rdr on $ext_if proto tcp from any to $ext_if port 5100 -> $uci
rdr on $ext_if proto tcp from any to $ext_if port 443 -> $vbox

#### filtering section ####
# note: the macro needs the $; a bare "ext_if" would name a non-existent interface
pass out on { $int_if, $ext_if } inet proto { udp tcp } from any to any port 10000:20000
pass out on { $int_if, $ext_if } inet proto { udp tcp } from any to any port 5060
pass in on $ext_if inet proto { tcp udp } from $ipc to any port 5060
pass in on $ext_if inet proto tcp from $ipc to any port 1500 keep state
pass in on $ext_if inet proto udp from any to any port 10000:20000 keep state
pass in on bce0 proto tcp from $ipc to any port ssh flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick on bce1

michiel at vanbaak.info
Posted: Tue Mar 11, 2008 4:55 am    Post subject: [asterisk-users] Dead Air on PF firewall

On 17:31, Tue 11 Mar 08, NOC ph wrote:
Quote:
Hi Mich,

I added the following line for the RTP; it's still the same. I can hear
ringing but no voice when the call is answered from the other side. Any more ideas?

Firewall rules look ok now.

Like I said, did you set the externip and localnet settings in
Asterisk's sip.conf?

--

Michiel van Baak
michiel at vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"

nocph at aol.com
Posted: Tue Mar 11, 2008 6:56 am    Post subject: [asterisk-users] Dead Air on PF firewall

Yes, here's my sip.conf

[general]
register = 1000:vbox@203.172.25.11/1000
callevents = yes
port = 5060
nat = yes
canreinvite = no
;bindaddr = 172.16.1.1   ; commented out with ';' (Asterisk's comment character); if I enable this, calls cannot go out...
localnet = 172.16.1.0/24
externip = 203.172.25.11

Thanks...

michiel at vanbaak.info
Posted: Tue Mar 11, 2008 7:18 am    Post subject: [asterisk-users] Dead Air on PF firewall

On 19:56, Tue 11 Mar 08, NOC ph wrote:
Quote:
Yes, here's my sip.conf

[general]
register = 1000:vbox@203.172.25.11/1000
callevents = yes
port = 5060
nat = yes
canreinvite = no
;bindaddr = 172.16.1.1   ; commented out with ';' (Asterisk's comment character); if I enable this, calls cannot go out...
localnet = 172.16.1.0/24
externip = 203.172.25.11

Thanks...


OK, try to enable all logging in pf ('set loginterface' etc.).
After that, run:
tcpdump -n -e -x -i pflog0

There you will see the blocked traffic. Maybe that will give
you an idea.


--

Michiel van Baak
michiel at vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"