asterisk users - Dec 2007 - Asterisk/iaxclient IAX2 source port

All,

 	I have a simple question and a complicated reason for asking:

Is it possible to change asterisk's source port for outbound IAX2 
connections?

I've tried using "sourceaddress" to no avail.  I can set it to:

proper.ip.of.box:4569

or

0.0.0.0:4569

and it works as expected.  But if I try to set it to:

proper.ip.of.box:5000

or

0.0.0.0:5000

it fails around line 8536 in channels/chan_iax2.c, function 
peer_set_srcaddr, specifically:

if (ast_netsock_find(netsock, &sin)) {

always returns false unless the port is set to 4569.  Thus tripping the 
error message:

chan_iax2.c:8940 peer_set_srcaddr: Non-local or unbound address specified 
(0.0.0.0:5000) in sourceaddress for 'test-trunk', reverting to default

Is there any way to get asterisk to listen for inbound connections on 
4569, but to use a non-4569 source port?  (Ephemeral ports would be great)

 	Below is the reason for my asking, for the curious:

 	Currently, asterisk uses port 4569 as both the source and 
destination port for all its outbound connections.  This is generally 
fine, but I find myself in a very frustrating NAT issue as a result of 
iaxclient also defaulting to using 4569 for both source and destination 
ports.  We run several sites around the world, all using ENUM to place 
calls between sites.  Thus, none of the sites register with each other. 
Thus, until a call is made, there is no connection between site A and site 
B, and thus no NAT entries in the router at site B for site A.

 	Normally, this is fine.  A call is placed from A to B and the 
packets come into the router at B and get NATed properly:

A.ext:4569 - B.ext:4569 -> A.ext:4569 - B.int.asterisk:4569

 	The trouble though, comes when someone who normally works at site 
A vists site B, but has their IAX softphone (zoiper) set to register back 
to site A.  By default, this softphone, like asterisk, uses 4569 for both 
the source and destination port.  Thus, if there is no call between site A 
and site B and a softphone registers back to site A, a NAT mapping gets 
created that looks like:

A.ext:4569 - B.ext:4569 -> A.ext:4569 - B.int.softphone:4569

 	Now, for the life of this NAT entry, if someone at site A dials 
site B, their call will be routed to the "lucky" softphone that got
this
entry, and not to the asterisk server at site B.  Of course, calls out 
from site B to site A still work properly, since the NAT device just 
changes the port number on the fly since 4569 already has a mapping:

B.int.asterisk:4569 - A.ext:4569 -> B.ext:65535 - A.ext:4569

 	There are three options I see that would fix this:

1. Prevent the linux router at site B from giving the 4569/4569 conntrack 
entry to a softphone.  Would be great, but as far as I can tell, there's 
no way to do this using a standard distribution kernel.  (Hopefully I'm 
wrong, but my research hasn't turned up anything at all useful in this 
regard)

2. Reconfigure all softphones to use a port other than 4569 as their 
source port.  In theory this is possible, but a huge pain to find/change 
every existing softphone, as well as to ensure that people don't 
accidentally end up with the default config in the future causing the 
same problem.

3. Reconfigure asterisk to use a port other than 4569 for its source port 
on outbound connections.  The number of asterisk servers relative to 
softphones is small, and the asterisk servers are configured/controlled by 
admins, not end users.  Thus we could have some guarantee that this 
solution couldn't be circumvented.

 	Am I overlooking something?  Is there an obvious solution here 
that's escaped me?

 	(Ugh, why couldn't iaxclient/zoiper/asterisk all just follow the 
RFCs and use ephemeral source ports to begin with?)

 	Thanks,

 	Chris

On 13:52, Tue 18 Dec 07, Chris Tracy wrote:
> All,
>  	Below is the reason for my asking, for the curious:
> 
>  	Currently, asterisk uses port 4569 as both the source and 
> destination port for all its outbound connections.  This is generally 
> fine, but I find myself in a very frustrating NAT issue as a result of 
> iaxclient also defaulting to using 4569 for both source and destination 
> ports.  We run several sites around the world, all using ENUM to place 
> calls between sites.  Thus, none of the sites register with each other. 
> Thus, until a call is made, there is no connection between site A and site 
> B, and thus no NAT entries in the router at site B for site A.
> 
>  	Normally, this is fine.  A call is placed from A to B and the 
> packets come into the router at B and get NATed properly:
> 
> A.ext:4569 - B.ext:4569 -> A.ext:4569 - B.int.asterisk:4569
> 
>  	The trouble though, comes when someone who normally works at site 
> A vists site B, but has their IAX softphone (zoiper) set to register back 
> to site A.  By default, this softphone, like asterisk, uses 4569 for both 
> the source and destination port.  Thus, if there is no call between site A 
> and site B and a softphone registers back to site A, a NAT mapping gets 
> created that looks like:
> 
> A.ext:4569 - B.ext:4569 -> A.ext:4569 - B.int.softphone:4569
> 
>  	Now, for the life of this NAT entry, if someone at site A dials 
> site B, their call will be routed to the "lucky" softphone that
got this
> entry, and not to the asterisk server at site B.  Of course, calls out 
> from site B to site A still work properly, since the NAT device just 
> changes the port number on the fly since 4569 already has a mapping:
> 
> B.int.asterisk:4569 - A.ext:4569 -> B.ext:65535 - A.ext:4569
> 
>  	There are three options I see that would fix this:
> 
> 1. Prevent the linux router at site B from giving the 4569/4569 conntrack 
> entry to a softphone.  Would be great, but as far as I can tell,
there's
> no way to do this using a standard distribution kernel.  (Hopefully I'm
> wrong, but my research hasn't turned up anything at all useful in this 
> regard)
> 
> 2. Reconfigure all softphones to use a port other than 4569 as their 
> source port.  In theory this is possible, but a huge pain to find/change 
> every existing softphone, as well as to ensure that people don't 
> accidentally end up with the default config in the future causing the 
> same problem.
> 
> 3. Reconfigure asterisk to use a port other than 4569 for its source port 
> on outbound connections.  The number of asterisk servers relative to 
> softphones is small, and the asterisk servers are configured/controlled by 
> admins, not end users.  Thus we could have some guarantee that this 
> solution couldn't be circumvented.
Why not let the softphones register to the closest asterisk
box and use dundi to route the calls to the box where the
softphone is registered ?

We use this in a couple of setups with great success.
Not with softphones, but with philips dect phones.
-- 

Michiel van Baak
michiel at vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer afficionados are both called
users?"

> Why not let the softphones register to the closest asterisk
> box and use dundi to route the calls to the box where the
> softphone is registered ?
 	Not exactly sure how dundi would solve this issue.  How does a 
softphone configured to connect to sitea.asterisk.server connect to 
siteb.asterisk.server automagically when it's at siteb?  We can't just 
configure the softphones to connect to "asterisk" because they also
need to
work when the softphone is simply out in the world not at any site.

 	In the end, the system we have works quite well and we're not really 
interested in the complexity of moving to dundi unless there's no other way
or
a very compelling reason to do so.  (Glad it works well for you though)

 	The NAT issue is a serious one for us that really does seem to be an 
oversight in the design/implementation of IAX2.  Surely there's a way to
tell
asterisk to use an ephemeral source port for its outbound IAX2 connections...

 	Chris