All,

I have a simple question and a complicated reason for asking:

Is it possible to change asterisk's source port for outbound IAX2 connections?

I've tried using "sourceaddress" to no avail. I can set it to:

    proper.ip.of.box:4569
or
    0.0.0.0:4569

and it works as expected. But if I try to set it to:

    proper.ip.of.box:5000
or
    0.0.0.0:5000

it fails around line 8536 in channels/chan_iax2.c, function peer_set_srcaddr, specifically:

    if (ast_netsock_find(netsock, &sin)) {

always returns false unless the port is set to 4569. Thus tripping the error message:

    chan_iax2.c:8940 peer_set_srcaddr: Non-local or unbound address specified (0.0.0.0:5000) in sourceaddress for 'test-trunk', reverting to default

Is there any way to get asterisk to listen for inbound connections on 4569, but to use a non-4569 source port? (Ephemeral ports would be great)

Below is the reason for my asking, for the curious:

Currently, asterisk uses port 4569 as both the source and destination port for all its outbound connections. This is generally fine, but I find myself in a very frustrating NAT issue as a result of iaxclient also defaulting to using 4569 for both source and destination ports. We run several sites around the world, all using ENUM to place calls between sites. Thus, none of the sites register with each other. Thus, until a call is made, there is no connection between site A and site B, and thus no NAT entries in the router at site B for site A.

Normally, this is fine. A call is placed from A to B and the packets come into the router at B and get NATed properly:

    A.ext:4569 - B.ext:4569 -> A.ext:4569 - B.int.asterisk:4569

The trouble though, comes when someone who normally works at site A visits site B, but has their IAX softphone (zoiper) set to register back to site A. By default, this softphone, like asterisk, uses 4569 for both the source and destination port. Thus, if there is no call between site A and site B and a softphone registers back to site A, a NAT mapping gets created that looks like:

    A.ext:4569 - B.ext:4569 -> A.ext:4569 - B.int.softphone:4569

Now, for the life of this NAT entry, if someone at site A dials site B, their call will be routed to the "lucky" softphone that got this entry, and not to the asterisk server at site B. Of course, calls out from site B to site A still work properly, since the NAT device just changes the port number on the fly since 4569 already has a mapping:

    B.int.asterisk:4569 - A.ext:4569 -> B.ext:65535 - A.ext:4569

There are three options I see that would fix this:

1. Prevent the linux router at site B from giving the 4569/4569 conntrack entry to a softphone. Would be great, but as far as I can tell, there's no way to do this using a standard distribution kernel. (Hopefully I'm wrong, but my research hasn't turned up anything at all useful in this regard)

2. Reconfigure all softphones to use a port other than 4569 as their source port. In theory this is possible, but a huge pain to find/change every existing softphone, as well as to ensure that people don't accidentally end up with the default config in the future causing the same problem.

3. Reconfigure asterisk to use a port other than 4569 for its source port on outbound connections. The number of asterisk servers relative to softphones is small, and the asterisk servers are configured/controlled by admins, not end users. Thus we could have some guarantee that this solution couldn't be circumvented.

Am I overlooking something? Is there an obvious solution here that's escaped me? (Ugh, why couldn't iaxclient/zoiper/asterisk all just follow the RFCs and use ephemeral source ports to begin with?)

Thanks,
Chris

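
The conntrack collision described in the post above, as an added example that is not part of the original thread: a simplified Python model of the site-B router showing who receives a new call from site A under the default 4569/4569 ports, with an ephemeral softphone source port, and with a non-4569 source port on site A's Asterisk. The addresses, the NatRouter class and the function names are constructed for illustration and are not real conntrack code.

```python
# Simplified model of the site-B NAT router (constructed; not real conntrack code).
A_EXT = "198.51.100.10"      # site A public address (documentation range)
ASTERISK_B = "10.0.0.2"      # B.int.asterisk
SOFTPHONE_B = "10.0.0.50"    # B.int.softphone
IAX_PORT = 4569


class NatRouter:
    def __init__(self, forwards):
        self.forwards = forwards   # ext_port -> (int_ip, int_port): static port forward
        self.conntrack = {}        # (remote_ip, remote_port, ext_port) -> (int_ip, int_port)

    def outbound(self, int_ip, int_port, remote_ip, remote_port):
        """Track an outgoing flow; keep the source port unless another host owns the tuple."""
        for ext_port in [int_port, *range(65535, 1023, -1)]:
            owner = self.conntrack.setdefault(
                (remote_ip, remote_port, ext_port), (int_ip, int_port))
            if owner == (int_ip, int_port):
                return ext_port
        raise RuntimeError("no free external port")

    def inbound(self, remote_ip, remote_port, ext_port):
        """An existing conntrack entry wins over the static port forward."""
        hit = self.conntrack.get((remote_ip, remote_port, ext_port))
        if hit:
            return hit[0]
        fwd = self.forwards.get(ext_port)
        return fwd[0] if fwd else None


def call_from_a(softphone_sport, asterisk_a_sport):
    """Which internal host gets a new call from site A after the softphone registered?"""
    nat = NatRouter({IAX_PORT: (ASTERISK_B, IAX_PORT)})
    nat.outbound(SOFTPHONE_B, softphone_sport, A_EXT, IAX_PORT)  # softphone registers to A
    return nat.inbound(A_EXT, asterisk_a_sport, IAX_PORT)        # A dials B on 4569


def outbound_port_from_b():
    """External port B's Asterisk gets toward A while the softphone holds 4569/4569."""
    nat = NatRouter({IAX_PORT: (ASTERISK_B, IAX_PORT)})
    nat.outbound(SOFTPHONE_B, IAX_PORT, A_EXT, IAX_PORT)
    return nat.outbound(ASTERISK_B, IAX_PORT, A_EXT, IAX_PORT)


if __name__ == "__main__":
    print("defaults (4569/4569):      ", call_from_a(4569, 4569))
    print("softphone ephemeral port:  ", call_from_a(50000, 4569))
    print("Asterisk A sends from 5000:", call_from_a(4569, 5000))
    print("B -> A remapped to port:   ", outbound_port_from_b())
```

Only the first case delivers the call to the softphone; changing either side's source port leaves the inbound packet without a matching conntrack entry, so the static forward to the Asterisk server applies.
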
Michiel van Baak
2007-Dec-18 22:15 UTC
[asterisk-users] Asterisk/iaxclient IAX2 source port
On 13:52, Tue 18 Dec 07, Chris Tracy wrote:
> All,
> Below is the reason for my asking, for the curious:
>
> Currently, asterisk uses port 4569 as both the source and
> destination port for all its outbound connections. This is generally
> fine, but I find myself in a very frustrating NAT issue as a result of
> iaxclient also defaulting to using 4569 for both source and destination
> ports. We run several sites around the world, all using ENUM to place
> calls between sites. Thus, none of the sites register with each other.
> Thus, until a call is made, there is no connection between site A and site
> B, and thus no NAT entries in the router at site B for site A.
>
> Normally, this is fine. A call is placed from A to B and the
> packets come into the router at B and get NATed properly:
>
> A.ext:4569 - B.ext:4569 -> A.ext:4569 - B.int.asterisk:4569
>
> The trouble though, comes when someone who normally works at site
> A visits site B, but has their IAX softphone (zoiper) set to register back
> to site A. By default, this softphone, like asterisk, uses 4569 for both
> the source and destination port. Thus, if there is no call between site A
> and site B and a softphone registers back to site A, a NAT mapping gets
> created that looks like:
>
> A.ext:4569 - B.ext:4569 -> A.ext:4569 - B.int.softphone:4569
>
> Now, for the life of this NAT entry, if someone at site A dials
> site B, their call will be routed to the "lucky" softphone that got this
> entry, and not to the asterisk server at site B. Of course, calls out
> from site B to site A still work properly, since the NAT device just
> changes the port number on the fly since 4569 already has a mapping:
>
> B.int.asterisk:4569 - A.ext:4569 -> B.ext:65535 - A.ext:4569
>
> There are three options I see that would fix this:
>
> 1. Prevent the linux router at site B from giving the 4569/4569 conntrack
> entry to a softphone. Would be great, but as far as I can tell, there's
> no way to do this using a standard distribution kernel. (Hopefully I'm
> wrong, but my research hasn't turned up anything at all useful in this
> regard)
>
> 2. Reconfigure all softphones to use a port other than 4569 as their
> source port. In theory this is possible, but a huge pain to find/change
> every existing softphone, as well as to ensure that people don't
> accidentally end up with the default config in the future causing the
> same problem.
>
> 3. Reconfigure asterisk to use a port other than 4569 for its source port
> on outbound connections. The number of asterisk servers relative to
> softphones is small, and the asterisk servers are configured/controlled by
> admins, not end users. Thus we could have some guarantee that this
> solution couldn't be circumvented.

Why not let the softphones register to the closest asterisk box and use dundi to route the calls to the box where the softphone is registered?

We use this in a couple of setups with great success. Not with softphones, but with philips dect phones.

--
Michiel van Baak
michiel at vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"

> Why not let the softphones register to the closest asterisk
> box and use dundi to route the calls to the box where the
> softphone is registered?

Not exactly sure how dundi would solve this issue. How does a softphone configured to connect to sitea.asterisk.server connect to siteb.asterisk.server automagically when it's at siteb? We can't just configure the softphones to connect to "asterisk" because they also need to work when the softphone is simply out in the world not at any site.

In the end, the system we have works quite well and we're not really interested in the complexity of moving to dundi unless there's no other way or a very compelling reason to do so. (Glad it works well for you though)

The NAT issue is a serious one for us that really does seem to be an oversight in the design/implementation of IAX2. Surely there's a way to tell asterisk to use an ephemeral source port for its outbound IAX2 connections...

Chris