I have a box with two NIC cards where I've installed Asterisk and Shorewall (the attached diagram can be best viewed when the font is set to Courier New).

The issue is that no phone is able to register with ASTERISK.

When I enable SIP debugging in ASTERISK (SIP SET DEBUG IP <phone-IP>) no packets are displayed, whereas monitoring the NIC card with WireShark shows that the VoIP phone is sending REGISTER requests to Asterisk that ASTERISK doesn't answer.

It looks to me as if ASTERISK doesn't listen at all on the LAN addresses, while it answers all those requests coming from the corporate LAN that are allowed by the SHOREWALL rules to go through.

There is no difference in ASTERISK behaviour whether the LOCALNET and EXTERNIP lines are present or not in its SIP configuration file.

Has anybody in this community had experience with such configuration who can provide me with hints on how to fix it?

Thanks.

---------------------

                        +-----------+
                        |  A        |
         ph1 ph4        |  S  S  W  |
tele-     |   | eth0    |  T  H  A  | eth1     |    |     corporate
phones  --+-+-+-+-------+  E  O  L  +------+---+-+--+-+--
LAN         |   |       |  R  R  L  |      |     |    |   LAN
           ph2 phX      |  I  E     |
                        |  X        |
                        +-----------+

Networking
----------
telephones LAN = 192.168.153.0/24    eth0 = 192.168.153.1

corporate LAN = 10.0.23.0/24    eth1 = 10.0.23.29    gateway = 10.0.23.1

Shorewall: 3.4.6-1

Telephony
---------
Asterisk: asterisk-1.4.36-0

file: /etc/asterisk/sip_general_custom.conf
localnet=192.168.153.0/255.255.255.0
externip=10.0.23.29

------------------------------------------------------------------------------
Please check the two interface example from http://shorewall.net/two-interface.htm

And open the ports that you need for asterisk viz.

3178 for STUN UDP
4569 for IAX2 TCP
5060-5090 for SIP TCP
10000-20000 for RTP UDP

Hope this helps.

------------------------------------------------------------------------------
Zenny wrote:
>And open the ports that you need for asterisk viz.
>
>3178 for STUN UDP
>4569 for IAX2 TCP
>5060-5090 for SIP TCP
>10000-20000 for RTP UDP

STUN also uses 3179 by default (it needs two ports, and two IP addresses) - but that assumes you are running a STUN service on the machine. In this case I doubt that STUN is needed since I assume there's no NAT involved.

SIP only requires the one port (5060) on the Asterisk server - unless you are running a non-standard setup. It doesn't matter what clients are using, only what inbound destination ports are open.

RTP ports used by Asterisk are configured in rtp.conf. I believe the default may now start at 10001 to avoid conflicts with Webmin which uses 10000. I usually cut down the size of the port range. I just find it "unnerving" installing a firewall and then opening up 1/6 of the port range - I know it's illogical since the attack vector is there for the same service whether it's got 100, or 10,000 ports open, but it's just the way I learned firewalls!

Don't forget there may be other ports needed. At work I also have 8080 open and TFTP (don't recall the number) so that clients can download firmware and config files. And port 80 (with restricted client addresses) for management. And so on.

-- 
Simon Hobson

------------------------------------------------------------------------------
Thanks Zenny and Simon,

I'm running quite a few Asterisk setups where the machine has got only Asterisk and it's part of an environment where another machine runs Shorewall, and I do not have any problem, whether with the VoIP telephones on the local LAN or TSP coming from the outside world.

I believe with the configuration I've described the issue has got more to do with what Asterisk does in terms of binding when Shorewall is active and the changes Shorewall has induced on the network on activation.

In fact even with both NIC cards present, the issue disappears as soon as Shorewall is disabled.

------------------------------------------------------------------------------
Costantino wrote:
>I'm running quite a few Asterisk setups where the machine has got only
>Asterisk and it's part of an environment where another machine runs
>Shorewall, and I do not have any problem, whether with the VoIP
>telephones on the local LAN or TSP coming from the outside world.
>
>I believe with the configuration I've described the issue has got
>more to do with what Asterisk does in terms of binding when Shorewall
>is active and the changes Shorewall has induced on the network on
>activation.
>
>In fact even with both NIC cards present, the issue disappears
>as soon as Shorewall is disabled.

No, Shorewall will **NOT** affect what Asterisk binds to. Shorewall does **NOT** affect the interfaces available to a process, nor the IP addresses the process will be able to detect on those interfaces. If doing "shorewall clear" allows things to start working, then your policies/rules are wrong - because "shorewall clear" only clears the iptables rules etc, it cannot magically make a process bind to interfaces it wasn't bound to before.

The fact that you could see the packets entering an interface with wireshark, but Asterisk didn't report anything, does suggest that your policies/rules caused the packets to be dropped.

Try "netstat -anp", that will show you what interfaces/ports are being bound to.

-- 
Simon Hobson

------------------------------------------------------------------------------
Simon is right. Shorewall maintains its own space without affecting anything except iptables because it is a wrapper to iptables. Shorewall.net has the most comprehensive set of documents compared to that of FreeBSD. Any confusion gets settled by visiting the shorewall documentation, it is that good!!

------------------------------------------------------------------------------
I think now I see where my mistake was. In this setup Asterisk is in the FW zone, not in the LOC one, hence it requires specific rules in order for the packets to flow between the two of them.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
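The zone mistake identified in the last message, as an added example that is not part of the original thread: a simplified Python model of Shorewall's rule-then-policy lookup, showing why REGISTER traffic from the phone LAN never reaches Asterisk until `loc` to `$FW` rules exist. The zone names `loc` and `net`, the policy (taken from the stock two-interface sample) and the rule lines are assumptions, since the poster's actual Shorewall files are not shown.

```python
# Added example: simplified model of Shorewall's rule-then-policy lookup.
# Zone names, policy and rule lines are assumptions, not the poster's files.
POLICY = """
loc  net  ACCEPT
net  all  DROP
all  all  REJECT
"""

# Assumed starting point: SIP/RTP allowed only from the corporate LAN (net).
RULES_BEFORE = """
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   net     $FW   udp    5060
ACCEPT   net     $FW   udp    10000:20000
"""

# Asterisk runs in the firewall zone, so the phone LAN needs loc -> $FW rules.
RULES_AFTER = RULES_BEFORE + """
ACCEPT   loc     $FW   udp    5060
ACCEPT   loc     $FW   udp    10000:20000
"""

def _rows(text):
    """Yield whitespace-split columns, skipping blank lines and # comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def _port_match(spec, port):
    """Match a comma-separated list of ports or low:high ranges."""
    for part in spec.split(","):
        low, _, high = part.partition(":")
        if int(low) <= port <= int(high or low):
            return True
    return False

def verdict(rules, src, dst, proto, dport, policy=POLICY):
    """First matching rule wins; otherwise the first matching policy applies."""
    for action, r_src, r_dst, r_proto, r_ports in _rows(rules):
        if (r_src, r_dst, r_proto) == (src, dst, proto) and _port_match(r_ports, dport):
            return action
    for p_src, p_dst, action in _rows(policy):
        if p_src in (src, "all") and p_dst in (dst, "all"):
            return action
    return "DROP"

if __name__ == "__main__":
    for name, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(name, verdict(rules, "loc", "$FW", "udp", 5060))
```

The RTP range in the rules should match what rtp.conf actually configures, which is where the range can be narrowed as suggested earlier in the thread.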