On 2/22/19 7:56 PM, Joshua C. Colp wrote:
> On Fri, Feb 22, 2019, at 2:48 PM, hw wrote:
>>
>> Hi,
>>
>> when trying to use SRTP, I can see UDP traffic from phones to the
>> asterisk server being dropped by the firewall on arbitrary ports.
>
> There is no separate port range used for SRTP, and Asterisk does not control the port that the phone uses for sending to Asterisk. That's up to the endpoint.

Thanks!

The phones do not have any settings with which I could limit the ports used for SRTP.

>> Where do I configure the SRTP port range (like the rtp port range)?
>>
>> Why aren't the clients talking to each other directly but apparently try
>> to send the SRTP traffic to the server?
>
> Direct media with SRTP is not supported. All media when SRTP goes through Asterisk.

Well, how are we supposed to handle this in firewalls? I do not want to open all ports for UDP traffic directed to the server.

On Sat, Feb 23, 2019, at 8:06 AM, hw wrote:
> On 2/22/19 7:56 PM, Joshua C. Colp wrote:
> > On Fri, Feb 22, 2019, at 2:48 PM, hw wrote:
> >>
> >> Hi,
> >>
> >> when trying to use SRTP, I can see UDP traffic from phones to the
> >> asterisk server being dropped by the firewall on arbitrary ports.
> >
> > There is no separate port range used for SRTP, and Asterisk does not control the port that the phone uses for sending to Asterisk. That's up to the endpoint.
>
> Thanks!
>
> The phones do not have any settings with which I could limit the ports
> used for SRTP.
>
> >> Where do I configure the SRTP port range (like the rtp port range)?
> >>
> >> Why aren't the clients talking to each other directly but apparently try
> >> to send the SRTP traffic to the server?
> >
> > Direct media with SRTP is not supported. All media when SRTP goes through Asterisk.
>
> Well, how are we supposed to handle this in firewalls? I do not want to
> open all ports for UDP traffic directed to the server.

It's expected that traffic to the RTP port range that Asterisk is configured to use is let through to Asterisk to ensure audio flow.

--
Joshua C. Colp
Digium - A Sangoma Company | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org

On 2/23/19 1:15 PM, Joshua C. Colp wrote:
> On Sat, Feb 23, 2019, at 8:06 AM, hw wrote:
>> On 2/22/19 7:56 PM, Joshua C. Colp wrote:
>>> On Fri, Feb 22, 2019, at 2:48 PM, hw wrote:
>>>>
>>>> Hi,
>>>>
>>>> when trying to use SRTP, I can see UDP traffic from phones to the
>>>> asterisk server being dropped by the firewall on arbitrary ports.
>>>
>>> There is no separate port range used for SRTP, and Asterisk does not control the port that the phone uses for sending to Asterisk. That's up to the endpoint.
>>
>> Thanks!
>>
>> The phones do not have any settings with which I could limit the ports
>> used for SRTP.
>>
>>>> Where do I configure the SRTP port range (like the rtp port range)?
>>>>
>>>> Why aren't the clients talking to each other directly but apparently try
>>>> to send the SRTP traffic to the server?
>>>
>>> Direct media with SRTP is not supported. All media when SRTP goes through Asterisk.
>>
>> Well, how are we supposed to handle this in firewalls? I do not want to
>> open all ports for UDP traffic directed to the server.
>
> It's expected that traffic to the RTP port range that Asterisk is configured to use is let through to Asterisk to ensure audio flow.
>

The phones don't seem to be using the RTP port range specified in rtp.conf when they are using SRTP. When they are using RTP, they do not send the RTP traffic via asterisk, though they can do that without the ports for this opened in the firewall (perhaps the router uses a conntrack helper for RTP; I'd have to find out).

When the phones use SRTP, the ports they're using are all over the place. I'd either have to open all UDP ports for their traffic to go via the server or stick to unencrypted phone calls.

There must be some solution for this. That phone calls are encrypted should be the default, especially since they are all going over the internet nowadays.
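
Added example, not part of the original thread and not Asterisk project code: a check of dropped UDP packets against the RTP port range discussed above. It compares each packet's destination port (DPT) with `rtpstart`/`rtpend` from rtp.conf and ignores the source port, which the phone chooses. The rtp.conf values, log lines, addresses and helper names are constructed assumptions.

```python
import configparser
import re

# Constructed sample of rtp.conf; the range values are assumptions.
RTP_CONF = """
[general]
rtpstart=10000   ; first UDP port Asterisk binds for media
rtpend=20000     ; last UDP port Asterisk binds for media
"""

# Constructed netfilter-style LOG lines for dropped packets (documentation addresses).
DROP_LOG = """\
kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=UDP SPT=49170 DPT=14022 LEN=180
kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=UDP SPT=2222 DPT=18764 LEN=180
kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 PROTO=UDP SPT=5353 DPT=33445 LEN=40
kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP SPT=40000 DPT=15000 WINDOW=1024
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; value may be empty (OUT=)


def rtp_range(conf_text):
    """Return (rtpstart, rtpend) from the [general] section of rtp.conf text."""
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",), strict=False)
    cp.read_string(conf_text)
    general = cp["general"]  # KeyError if the section or a key is missing
    return int(general["rtpstart"]), int(general["rtpend"])


def classify_drops(log_text, start, end):
    """Split dropped UDP packets by whether DPT lies inside [start, end]."""
    inside, outside = [], []
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "UDP" or "DPT" not in f:
            continue  # media is UDP only; skip everything else
        rec = (f["SRC"], int(f["SPT"]), int(f["DPT"]))
        (inside if start <= rec[2] <= end else outside).append(rec)
    return inside, outside


def nft_rule(server_ip, start, end):
    """nftables match on destination port only, scoped to the Asterisk host."""
    return f"ip daddr {server_ip} udp dport {start}-{end} accept"


if __name__ == "__main__":
    start, end = rtp_range(RTP_CONF)
    inside, outside = classify_drops(DROP_LOG, start, end)
    print("dropped, but inside the configured RTP range:", inside)
    print("dropped, outside the configured RTP range:", outside)
    print(nft_rule("203.0.113.10", start, end))
```

Packets listed as inside the range are the ones a destination-port rule for the configured range would let through; packets listed as outside were not sent to a port in that range.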