
[asterisk-users] Update peer IP address


 
sebastian_ml at gmx.net
Posted: Mon Sep 14, 2015 1:58 pm    Post subject: [asterisk-users] Update peer IP address

On Tue, Apr 14, 2015 at 08:26:07AM +0200, Sebastian Kemper wrote:
Quote:
On Thu, Apr 02, 2015 at 11:33:38PM +0200, Daniel Heckl wrote:
Quote:
I do not want set allowguest=yes. The problem is, there is no official
list with ip addresses of Telekom Germany. But I think all ip
addresses comes from the ip range 217.0.0.0/13.

Hello Daniel,

Judging by the lists I found I think it's more like this subnet:
217.0.16.0/255.255.248.0


Hi again,

I had poked a hole in my firewall for packets from above subnet to my
port 5060. I had done the same for the RTP ports.

A while back I realized that for RTP this was nonsense, as the RTP
packets came from servers not even part of the subnet. Although there
were no ports opened for those it just worked, because Telekom is doing
symmetric RTP (and so is Asterisk by default).

So I got rid of the firewall rule that opened the RTP ports. And then it
dawned on me that I don't even need to open the 5060 port. The REGISTER
requests established a UDP connection that the kernel's conntrack module
was tracking anyway. The only issue was that the REGISTERs occurred only
every 480s and the UDP connections were removed after 180s already.

So at first I raised net.netfilter.nf_conntrack_udp_timeout_stream to
500. That worked. But I didn't really want to raise the default. So
instead I added "qualify=yes" to the dtag_inbound peer. Now asterisk is
sending an OPTIONS request to Telekom every 120s (I raised the frequency
from 60 to 120 by setting "qualifyfreq=120" under [general]), which
keeps the connection open.

Just wanted to add that.

Kind regards,
Sebastian

Quote:
Quote:
I have now the following addition to sip.conf. I think it is the only
safe option. Or what would you say?

[telekom](!)

<snip>

Quote:
[DTAG-IP_IN18_016](telekom)
host=217.0.18.16

[DTAG-IP_IN18_036](telekom)
host=217.0.18.36

etc.

This configuration is now running here:

[general]
context=unauthenticated
allowguest=no
srvlookup=no
udpbindaddr=0.0.0.0
tcpenable=no
localnet=172.16.28.0/24
alwaysauthreject=yes
directmedia=no
sdpsession=MyNewSessionString
useragent=MyNewUserAgent
language=de
tonezone=de
defaultexpiry=480

register => 0NUMBER2:PASS:USER@t-online.de@tel.t-online.de/NUMBER2
register => 0NUMBER3:PASS:USER@t-online.de@tel.t-online.de/NUMBER3
register => 0NUMBER4:PASS:USER@t-online.de@tel.t-online.de/NUMBER4

[my-codecs](!)
allow=!all,alaw

[home-phone](!,my-codecs)
acl=voice_vlan
type=friend
host=dynamic
context=LocalSets

[XXXXXXXXXXX](home-phone)
secret=XXXXXXXXXXXXX

[dtag_inbound](my-codecs)
acl=acl_dtag_inbound
type=peer
context=from_dtag
host=tel.t-online.de

[dtag_outbound](my-codecs)
acl=acl_dtag_outbound
type=peer
defaultuser=USER@t-online.de
remotesecret=PASS
host=tel.t-online.de
fromdomain=tel.t-online.de

The thing is, the provider's SIP server hasn't changed the IP yet. This
morning it's still the same as yesterday. And yesterday it was the same
the whole day.

Don't know why I didn't run into the "load balancer" issue (yet). I'm
starting to think it's because I'm "hiding" that I'm using Asterisk
(sdpsession, useragent, also custom systemname in asterisk.conf). But
probably that's not the reason. Anyway, I'm just going to wait until it
doesn't work and then worry about it.

Regards,
Sebastian

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
marie at vtl.ee
Posted: Mon Sep 14, 2015 2:54 pm    Post subject: [asterisk-users] Update peer IP address

On 14.09.2015, at 21:58, Sebastian Kemper <sebastian_ml@gmx.net> wrote:

Quote:
So I got rid of the firewall rule that opened the RTP ports. And then it
dawned on me that I don't even need to open the 5060 port. The REGISTER
requests established a UDP connection that the kernel's conntrack module
was tracking anyway. The only issue was that the REGISTERs occurred only
every 480s and the UDP connections were removed after 180s already.

So at first I raised net.netfilter.nf_conntrack_udp_timeout_stream to
500. That worked. But I didn't really want to raise the default. So
instead I added "qualify=yes" to the dtag_inbound peer. Now asterisk is
sending an OPTIONS request to Telekom every 120s (I raised the frequency
from 60 to 120 by setting "qualifyfreq=120" under [general]), which
keeps the connection open.

As far as I understand, raising the UDP session timeout (or lowering the REGISTER timeout, if possible) is actually the better solution. Most Telcos I know don't answer the OPTIONS request anyway and some might object to the traffic overhead.

--
marie
daniel.heckl at gmail.com
Posted: Wed Sep 16, 2015 11:48 am    Post subject: [asterisk-users] Update peer IP address

Sebastian,

If I have understood you correctly, the SIP communication is now via NAT instead of forwarded ports. For safety, it is much better.

I think it is not because of a UDP timeout, but rather because of a NAT timeout. For this, "qualify" is exactly the right thing to keep the NAT port open.

Daniel

Quote:
On 14.09.2015 at 21:51, Marie Fischer <marie@vtl.ee> wrote:


On 14.09.2015, at 21:58, Sebastian Kemper <sebastian_ml@gmx.net> wrote:

Quote:
So I got rid of the firewall rule that opened the RTP ports. And then it
dawned on me that I don't even need to open the 5060 port. The REGISTER
requests established a UDP connection that the kernel's conntrack module
was tracking anyway. The only issue was that the REGISTERs occurred only
every 480s and the UDP connections were removed after 180s already.

So at first I raised net.netfilter.nf_conntrack_udp_timeout_stream to
500. That worked. But I didn't really want to raise the default. So
instead I added "qualify=yes" to the dtag_inbound peer. Now asterisk is
sending an OPTIONS request to Telekom every 120s (I raised the frequency
from 60 to 120 by setting "qualifyfreq=120" under [general]), which
keeps the connection open.

As far as I understand, raising the UDP session timeout (or lowering the REGISTER timeout, if possible) is actually the better solution. Most Telcos I know don't answer the OPTIONS request anyway and some might object to the traffic overhead.

--
marie
sebastian_ml at gmx.net
Posted: Thu Sep 17, 2015 4:53 am    Post subject: [asterisk-users] Update peer IP address

On 16 September 2015 18:48:16 CEST, Daniel Heckl <daniel.heckl@gmail.com> wrote:
Quote:
Sebastian,

If I have understood you correctly, the SIP communication is now via
NAT instead forwarded ports. For safety, it is much better.

I think it is not because of a UDP timeout, but rather because of a NAT
timeout. For this is "qualify" exactly the right thing to let the NAT
port opened.

Daniel

Hi Daniel,

Not quite. Asterisk is running on an Openwrt router. So Asterisk is listening on a public IP. No NAT involved, no port forwarding.

Openwrt tracks the UDP connection for 180s (default). "qualify" keeps the connection alive (every 120s).

Without "qualify" inbound calls wouldn't work starting 180s after the registration, until after another 300s, when Asterisk registers again (provider requires a registration expiry >480s).

Regards,
Sebastian
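
The timing argument in this thread, worked through as an added example (not code from any of the posters). It uses a simplified model, assumed here, in which every outbound SIP packet resets the firewall's UDP conntrack entry to its full timeout and an unsolicited inbound INVITE is dropped whenever no entry exists. Function names are illustrative; the 180s, 480s, 500s and 120s values are the ones quoted above, and the 200s case is an added edge case.

```python
def blocked_windows(timeout, senders, horizon):
    """Return [(start, end)] intervals during which no conntrack entry exists.

    timeout: seconds an idle UDP entry survives (assumption: each outbound
             packet resets the entry to the full timeout)
    senders: periods in seconds; each sender transmits at t = 0, p, 2p, ...
             (e.g. REGISTER every 480s, qualify OPTIONS every 120s)
    horizon: length of the simulated timeline in seconds
    """
    # Merge the send times of all periodic senders into one sorted timeline.
    times = sorted({t for p in senders for t in range(0, horizon + 1, p)})
    gaps = []
    for sent, nxt in zip(times, times[1:] + [None]):
        expires = sent + timeout
        end = horizon if nxt is None else nxt
        if expires < end:
            # Entry timed out before the next outbound packet recreated it.
            gaps.append((expires, end))
    return gaps


def blocked_seconds(timeout, senders, horizon):
    """Total time in which inbound SIP would be dropped by the firewall."""
    return sum(end - start for start, end in blocked_windows(timeout, senders, horizon))


if __name__ == "__main__":
    horizon = 960  # two registration cycles
    cases = [
        ("REGISTER only, default timeout", 180, [480]),
        ("REGISTER only, timeout raised to 500", 500, [480]),
        ("REGISTER + qualify every 120s", 180, [480, 120]),
        ("REGISTER + keepalive every 200s (too slow)", 180, [480, 200]),
    ]
    for label, timeout, senders in cases:
        print(label, blocked_windows(timeout, senders, horizon))
```

The last case shows the general rule: a keepalive only closes the gap if its period is shorter than the conntrack timeout.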
