On 2/23/19 2:39 PM, Social Boh wrote:

> Direct media with SRTP is not supported. All media when SRTP goes
> through Asterisk.
>
> So you have to open ports on your firewall and disable directmedia=yes
> on your configuration.

directmedia is not explicitly enabled; I guess it's the default.

Joshua basically says there is no way to control which ports are being
used for SRTP because it is "up to the endpoint". Such endpoints, in
this case, are mobile phones with software like csipsimple or gs-wave
(or perhaps zoiper), and I see no way in these programs to define which
ports to use for SRTP.

Since I have no way to define which ports endpoints use for SRTP, I
would have to open all UDP ports in the firewall, and I don't want to do
that.

NAT is currently not involved yet. I want to get this to work first and
then look into NAT issues.

> Only open a range of ports that you really use: for example, if you have
> a maximum of 10 simultaneous calls, open only 40 ports (4 ports for each
> call, two for RTP and two for RTCP). Then change the rtp.conf configuration
> to reflect the range of ports you are using.

So how would I control which ports are being used for SRTP? Some ports
being open on the firewall doesn't mean the phones will automagically
use them, does it?

> Another option is using another PBX/switch that supports SRTP flowing
> directly between endpoints.

Which one does that? And does that work through foreign firewalls I have
no control over, and when NAT becomes involved?
On Sat, Feb 23, 2019, at 11:04 AM, hw wrote:

<snip>

> directmedia is not explicitly enabled; I guess it's the default.
>
> Joshua basically says there is no way to control which ports are being
> used for SRTP because it is "up to the endpoint". Such endpoints, in
> this case, are mobile phones with software like csipsimple or gs-wave
> (or perhaps zoiper), and I see no way in these programs to define which
> ports to use for SRTP.
>
> Since I have no way to define which ports endpoints use for SRTP, I
> would have to open all UDP ports in the firewall, and I don't want to do
> that.
>
> NAT is currently not involved yet. I want to get this to work first and
> then look into NAT issues.
>
> > Only open a range of ports that you really use: for example, if you have
> > a maximum of 10 simultaneous calls, open only 40 ports (4 ports for each
> > call, two for RTP and two for RTCP). Then change the rtp.conf configuration
> > to reflect the range of ports you are using.
>
> So how would I control which ports are being used for SRTP? Some ports
> being open on the firewall doesn't mean the phones will automagically
> use them, does it?

I think there's confusion over ports. In calls there are two ports and IP
addresses in play. There is the IP address and port that Asterisk listens
on and sends media from. There is also the IP address and port that the
endpoint listens on and sends media from. You can control the Asterisk one
as mentioned using rtp.conf. Therefore the firewall rule for where Asterisk
is running would be:

Any source to UDP ports X to Y (10000 to 20000 by default): allow.

What you can't do is limit the rule based on the source of media, except
for circumstances where you know the source for sure.

Note that RTP ports in Asterisk aren't open all the time and only listen
when a call is using them, and they also learn the source of media,
blocking out other sources.

-- 
Joshua C. Colp
Digium - A Sangoma Company | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org
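The distinction Joshua draws (Asterisk's media port, which rtp.conf controls, versus the endpoint's media port, which it does not) can be made concrete. The following is an added example, not code from the thread or from the Asterisk project. It parses a constructed rtp.conf, a constructed SDP body of the kind Asterisk places in its SIP 200 OK, and a constructed SDP body from a softphone, and shows which of the two advertised ports a firewall rule on the Asterisk host must cover. The c= and m= lines of SDP are the standard way each side tells the other where to send media, so this is also how the phones learn which port Asterisk has picked from the rtpstart/rtpend range. The file contents, SDP bodies and 192.0.2.x addresses are constructed for illustration; the rtpstart/rtpend keys, the SDP line syntax and RTP/SAVP as the SRTP profile name are real conventions.

```python
"""Added example (not from the thread or from Asterisk): the two media
ports in a call bridged through Asterisk, which one rtp.conf controls,
and how each side learns the other's port via the SDP c=/m= lines.

Constructed for illustration: the rtp.conf text, both SDP bodies and the
192.0.2.x addresses.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed rtp.conf with the Asterisk default range.
RTP_CONF = """\
[general]
rtpstart=10000   ; first UDP port Asterisk may bind for RTP or SRTP media
rtpend=20000     ; last one
"""

# Constructed SDP as Asterisk would send in its 200 OK. The m= port is the
# one Asterisk listens on, chosen from the rtp.conf range; RTP/SAVP is the
# SRTP profile (plain RTP would be RTP/AVP).
ASTERISK_SDP = """\
v=0
o=- 1 1 IN IP4 192.0.2.10
s=Asterisk
c=IN IP4 192.0.2.10
t=0 0
m=audio 10500 RTP/SAVP 0 8 101
"""

# Constructed SDP from a softphone. Its port is whatever the phone chose;
# nothing in rtp.conf influences it.
PHONE_SDP = """\
v=0
o=- 7 7 IN IP4 192.0.2.77
s=-
c=IN IP4 192.0.2.77
t=0 0
m=audio 4002 RTP/SAVP 0 8 101
"""

KEY_RE = re.compile(r'^(rtpstart|rtpend)\s*=\s*(\d+)$')
CONN_RE = re.compile(r'^c=IN IP4 (\S+)$', re.M)
AUDIO_RE = re.compile(r'^m=audio (\d+) (RTP/S?AVP) ', re.M)


def parse_rtp_range(conf: str) -> tuple[int, int]:
    """Return (rtpstart, rtpend). Asterisk binds media ports only inside
    this range, for RTP and SRTP alike: SRTP is the same RTP stream with an
    encryption profile, not a separate port pool."""
    found: dict[str, int] = {}
    for raw in conf.splitlines():
        line = raw.split(';', 1)[0].strip()      # ';' starts a comment
        m = KEY_RE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    try:
        start, end = found['rtpstart'], found['rtpend']
    except KeyError as exc:
        raise ValueError(f'rtp.conf lacks {exc.args[0]}') from None
    if not 1 <= start <= end <= 65535:
        raise ValueError('rtpstart must be <= rtpend, both valid ports')
    return start, end


def ports_needed(max_calls: int) -> int:
    """Ports for max_calls simultaneous bridged calls, using the count
    given in the thread: two legs per call, RTP plus RTCP on each leg."""
    return 4 * max_calls


@dataclass(frozen=True)
class Media:
    addr: str
    port: int
    profile: str    # 'RTP/AVP' = plain RTP, 'RTP/SAVP' = SRTP


def parse_sdp_audio(sdp: str) -> Media:
    """The c= and m= lines are how one side tells the other where to send
    media; this is the only way the phone learns Asterisk's port."""
    conn, audio = CONN_RE.search(sdp), AUDIO_RE.search(sdp)
    if not conn or not audio:
        raise ValueError('SDP has no IPv4 audio stream')
    return Media(conn.group(1), int(audio.group(1)), audio.group(2))


def covered_by_rtp_range(sdp: str, conf: str) -> bool:
    """True if the port advertised in sdp lies inside the rtp.conf range,
    i.e. a firewall opened for that range will pass media sent to it."""
    start, end = parse_rtp_range(conf)
    return start <= parse_sdp_audio(sdp).port <= end


def nft_rules(asterisk_ip: str, conf: str) -> list[str]:
    """nftables rules for the Asterisk host. Only the destination side is
    pinned: the phone's source port is its own choice and unknown here."""
    start, end = parse_rtp_range(conf)
    return [
        f'ip daddr {asterisk_ip} udp dport 5060 accept',            # SIP
        f'ip daddr {asterisk_ip} udp dport {start}-{end} accept',   # media
    ]


if __name__ == '__main__':
    print('Asterisk advertises', parse_sdp_audio(ASTERISK_SDP))
    print('Phone advertises   ', parse_sdp_audio(PHONE_SDP))
    print('10 calls need', ports_needed(10), 'ports')
    for rule in nft_rules('192.0.2.10', RTP_CONF):
        print(rule)
```

The phone's port (4002 here) falls outside the rtp.conf range and does not need to: packets arriving at the Asterisk host carry Asterisk's port as destination, so a rule on `udp dport 10000-20000` admits them whatever source port the phone used. The phone's own firewall or NAT is a separate problem on the phone's side. The source-learning Joshua mentions is the strictrtp behaviour configured in rtp.conf, and it is what limits the exposure of an otherwise source-agnostic range rule.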
On 2/23/19 4:19 PM, Joshua C. Colp wrote:

> On Sat, Feb 23, 2019, at 11:04 AM, hw wrote:
>
> <snip>
>
> > directmedia is not explicitly enabled; I guess it's the default.
> >
> > Joshua basically says there is no way to control which ports are being
> > used for SRTP because it is "up to the endpoint". Such endpoints, in
> > this case, are mobile phones with software like csipsimple or gs-wave
> > (or perhaps zoiper), and I see no way in these programs to define which
> > ports to use for SRTP.
> >
> > Since I have no way to define which ports endpoints use for SRTP, I
> > would have to open all UDP ports in the firewall, and I don't want to do
> > that.
> >
> > NAT is currently not involved yet. I want to get this to work first and
> > then look into NAT issues.
> >
> > > Only open a range of ports that you really use: for example, if you have
> > > a maximum of 10 simultaneous calls, open only 40 ports (4 ports for each
> > > call, two for RTP and two for RTCP). Then change the rtp.conf configuration
> > > to reflect the range of ports you are using.
> >
> > So how would I control which ports are being used for SRTP? Some ports
> > being open on the firewall doesn't mean the phones will automagically
> > use them, does it?
>
> I think there's confusion over ports. In calls there are two ports and IP
> addresses in play. There is the IP address and port that Asterisk listens
> on and sends media from. There is also the IP address and port that the
> endpoint listens on and sends media from. You can control the Asterisk one
> as mentioned using rtp.conf. Therefore the firewall rule for where Asterisk
> is running would be:

The confusion probably comes from the canreinvite option, which I had been
reading decides whether two clients communicate directly with each other
or have to go via the Asterisk server. Today I found that this is not
true --- so that documentation must have been wrong. It has created
confusion because both 'canreinvite=NO' and 'canreinvite=yes' had been
working.

Today I found that 'directmedia=no' did not work regardless of whether RTP
or SRTP was used. That was to be expected because the firewall didn't have
the RTP ports open, either. I had already been wondering about this because
I thought there would have to be ports open for 'canreinvite=NO' to work.

> Any source to UDP ports X to Y (10000 to 20000 by default): allow.

Are you saying that the ports specified in rtp.conf ('rtpstart' and
'rtpend') specify which ports Asterisk uses regardless of whether RTP or
SRTP is being used? Is that why you speak of "media" (ports)? (That would
have been, and would be, the answer to my original question: where to
specify the SRTP ports?)

> What you can't do is limit the rule based on the source of media, except
> for circumstances where you know the source for sure.
>
> Note that RTP ports in Asterisk aren't open all the time and only listen
> when a call is using them, and they also learn the source of media,
> blocking out other sources.

ok

After opening the ports specified in rtp.conf, both RTP and SRTP were
working in the test calls I made. But: how do clients know which media
ports to use? Is Asterisk telling them that? I.e., can I (basically) rely
on the clients to use the media ports in rtp.conf, or did I just get lucky
that by chance the clients happened to use these ports when I made the
test calls?