Hi All,

I have an asterisk box on my DMZ, and I'm using PF for my firewall. I can make a call, but for some reason I have dead air. Any ideas? Below are my rules...

ext_if = "bce0"
int_if = "bce1"
altitude = "172.16.1.0/24"

#### machines ####
vbox = "172.16.1.1"
uci = "172.16.1.4"
voices = "203.172.x.1"
ipc = "203.172.x.2"

#### default deny ####
# note: there is no "block" rule anywhere in this ruleset, so pf's default
# applies and any packet not matched by a pass rule below is passed
set block-policy return
set loginterface $ext_if
set skip on lo
scrub in

#### nat ####
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat on $ext_if inet proto { udp tcp } from $vbox to any port 5060 -> $ext_if port 5060
nat on $ext_if inet proto tcp from $uci to any port 1500 -> $ext_if port 1500
rdr on $ext_if proto { udp tcp } from any to $ext_if port 5060 -> $vbox port 5060
rdr on $ext_if proto udp from any to $ext_if port 5100 -> $vbox port 5100

#### filtering section ####
# "$ext_if" corrected here; the rule as posted read "ext_if" (no $), which
# pf takes as a literal interface name that never matches
pass out on { $int_if, $ext_if } inet proto { udp tcp } from $altitude to any
pass in on $ext_if inet proto { tcp udp } from $ipc to any port 5060
pass in on $ext_if inet proto tcp from $ipc to any port 1500 flags S/SA keep state
pass in on bce0 proto tcp from $ipc to any port ssh flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick on bce1
Horwich IT Services (Godwin Stewart)
2008-Mar-10 11:59 UTC
[asterisk-users] Dead Air on PF firewall
On Mon, 10 Mar 2008 07:00:17 +0800, NOC ph <nocph at aol.com> wrote:

> I have an asterisk box on my DMZ, and I'm using a PF for my firewall, I
> can make a call but some reasons I have a dead air.

Judging by the fact that you're port-forwarding port 5060, I'm guessing that you're using SIP with the outside. This also means that you need to allow the RTP stream through your NAT firewall. Port 5060 only carries the signalling; the audio is carried by the RTP stream, which is why you're getting no audio.

Google will probably let you know which UDP ports your appliances are using for the RTP stream. General help that you'll be able to refine WRT the specifics of your setup is available here:

http://www.google.com/search?q=asterisk+%22no+audio%22

-- 
Godwin Stewart - Horwich IT services
On 07:00, Mon 10 Mar 08, NOC ph wrote:

> Hi All,
>
> I have an asterisk box on my DMZ, and I'm using a PF for my firewall, I
> can make a call but some reasons I have a dead air.
>
> Any Ideas? below are my rules...
>
> ext_if = "bce0"
> int_if = "bce1"
> altitude = "172.16.1.0/24"
>
> #### machines ####
> vbox = "172.16.1.1"
> uci = "172.16.1.4"
> voices = "203.172.x.1"
> ipc = "203.172.x.2"
>
> #### default deny ####
> set block-policy return
> set loginterface $ext_if
> set skip on lo
> scrub in
>
> #### nat ####
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> nat on $ext_if inet proto { udp tcp } from $vbox to any port 5060 -> $ext_if port 5060
> nat on $ext_if inet proto tcp from $uci to any port 1500 -> $ext_if port 1500

Why those two rules? The first nat rule already takes care of that.

> rdr on $ext_if proto { udp tcp } from any to $ext_if port 5060 -> $vbox port 5060
> rdr on $ext_if proto udp from any to $ext_if port 5100 -> $vbox port 5100

You have to forward the RTP ports as well:

rdr on $ext_if proto udp from any to $ext_if port 10000:20000 -> $vbox

> #### filtering section ####
> pass out on { $int_if, ext_if } inet proto { udp tcp } from $altitude to any
> pass in on $ext_if inet proto { tcp udp } from $ipc to any port 5060
> pass in on $ext_if inet proto tcp from $ipc to any port 1500 flags S/SA keep state

And you should allow the RTP ports as well:

pass in on $ext_if inet proto udp from any to any port 10000:20000 keep state

> pass in on bce0 proto tcp from $ipc to any port ssh flags S/SA keep state
> pass in inet proto icmp all icmp-type echoreq keep state
> pass in quick on bce1

For reference, here are my pf rules for my internal pbx:

##########
# Macros #
##########
ext_if = "rl0"
ext_ip = "82.95.XXX.XXX"
int_if = "wb0"
int_net = "192.168.2.0/24"
voip_server = "192.168.2.4"
voip_ports = "{ 4569, 5060, 10000:20000 }"

####################################
# NAT rules: "rdr", "nat", "binat" #
####################################
nat on $ext_if from $int_if:network to any -> $ext_ip

# asterisk server
rdr on $ext_if proto udp from any to any port $voip_ports -> $voip_server

#############
# Filtering #
#############
# voip always goes in the priority class
# (q_pri is an altq queue defined in a part of the pf.conf not shown here)
pass out quick on $ext_if inet proto udp from any to any port $voip_ports keep state queue q_pri
pass in quick on $ext_if inet proto udp from any to any port $voip_ports keep state queue q_pri

Also, make sure in asterisk sip.conf you have the externip and localnet config parameters set.

-- 
Michiel van Baak
michiel at vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"
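Both replies above come down to one mechanism: port 5060 carries only the SIP signalling, and the audio is sent to whatever address and UDP port the SDP body of the SIP exchange names. Dead air therefore has two separate causes worth telling apart: Asterisk advertising its DMZ address in the SDP (the externip/localnet point), or Asterisk advertising the public address but pf having no rdr for the RTP port. The script below is an added example for this thread, not code from the posters or from the Asterisk project. It parses the SDP answer Asterisk would send, extracts the UDP rdr rules from a pf ruleset (with macro expansion), and reports which of the two failures applies. The 200 OK message, the public address 203.0.113.5 (standing in for the masked 203.172.x.1) and the two rulesets are constructed: PF_ORIGINAL is the poster's two rdr lines and PF_FIXED adds the 10000:20000 rule suggested in the reply.

```python
"""Check whether a pf ruleset forwards the RTP port that Asterisk advertises.

Added example for the thread above, not code from the original posters or
from the Asterisk project.  The SIP message, the public address 203.0.113.5
and the rulesets are constructed for illustration.
"""
import ipaddress
import re

# Constructed 200 OK as Asterisk would answer a provider's INVITE, headers
# trimmed.  The caller sends RTP to the c= address and the m=audio port.
# Without externip, a box in 172.16.1.0/24 puts its DMZ address here.
SDP_ANSWER_PRIVATE = """SIP/2.0 200 OK
Via: SIP/2.0/UDP 203.0.113.2:5060;branch=z9hG4bK-1
From: <sip:100@203.0.113.2>;tag=a1
To: <sip:200@203.0.113.5>;tag=b2
Call-ID: constructed-example-1
CSeq: 1 INVITE
Content-Type: application/sdp

v=0
o=root 1 1 IN IP4 172.16.1.1
s=session
c=IN IP4 172.16.1.1
t=0 0
m=audio 10000 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
"""

# Same answer after externip is set: the public address is advertised.
SDP_ANSWER_PUBLIC = SDP_ANSWER_PRIVATE.replace("172.16.1.1", "203.0.113.5")

# The poster's rdr lines (macros kept), and the same lines plus the
# 10000:20000 range suggested in the reply.  Constructed excerpts.
PF_ORIGINAL = """
ext_if = "bce0"
vbox = "172.16.1.1"
rdr on $ext_if proto { udp tcp } from any to $ext_if port 5060 -> $vbox port 5060
rdr on $ext_if proto udp from any to $ext_if port 5100 -> $vbox port 5100
"""
PF_FIXED = PF_ORIGINAL + "rdr on $ext_if proto udp from any to $ext_if port 10000:20000 -> $vbox\n"

# RFC 1918 checked explicitly rather than via is_private(), which also
# flags documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.M)
RDR_RE = re.compile(
    r"^\s*rdr\s+on\s+\S+\s+proto\s+(\{[^}]*\}|\S+)\s+from\s+\S+\s+to\s+\S+"
    r"\s+port\s+(\{[^}]*\}|\S+)\s+->\s+(\S+)", re.M)


def expand_macros(pf_conf):
    """Substitute $name macros; longest names first so $ext_if survives an $ext macro."""
    macros = dict(MACRO_RE.findall(pf_conf))
    for name in sorted(macros, key=len, reverse=True):
        pf_conf = pf_conf.replace("$" + name, macros[name])
    return pf_conf


def udp_forwards(pf_conf, target):
    """UDP port ranges [(lo, hi), ...] that rdr rules redirect to target."""
    ranges = []
    for proto, ports, dest in RDR_RE.findall(expand_macros(pf_conf)):
        protos = proto.strip("{}").replace(",", " ").split()
        if "udp" not in protos or dest != target:
            continue
        for tok in ports.strip("{}").replace(",", " ").split():
            lo, _, hi = tok.partition(":")
            ranges.append((int(lo), int(hi or lo)))
    return ranges


def sdp_media_endpoint(sip_message):
    """(connection address, audio port) from the SDP body after the blank line."""
    body = re.split(r"\r?\n\r?\n", sip_message, maxsplit=1)[1]
    addr = re.search(r"^c=IN IP4 (\S+)", body, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+) ", body, re.M).group(1))
    return addr, port


def diagnose(sip_message, pf_conf, vbox_ip):
    """Explain why inbound RTP would not reach vbox_ip, or return 'ok'."""
    addr, port = sdp_media_endpoint(sip_message)
    if any(ipaddress.ip_address(addr) in net for net in RFC1918):
        return f"private media address {addr} advertised: set externip and localnet in sip.conf"
    if not any(lo <= port <= hi for lo, hi in udp_forwards(pf_conf, vbox_ip)):
        return f"RTP port {port}/udp is not rdr-forwarded to {vbox_ip}: add a rule for the rtp.conf range"
    return "ok"


if __name__ == "__main__":
    cases = (("no externip, original rules", SDP_ANSWER_PRIVATE, PF_ORIGINAL),
             ("externip set, original rules", SDP_ANSWER_PUBLIC, PF_ORIGINAL),
             ("externip set, rtp range added", SDP_ANSWER_PUBLIC, PF_FIXED))
    for label, sdp, conf in cases:
        print(f"{label}: {diagnose(sdp, conf, '172.16.1.1')}")
```

The three cases in the main block walk the thread in order: the private-address case is what externip and localnet fix, the second case is the poster's ruleset with signalling forwarded but no RTP rdr, and the third is the ruleset with the 10000:20000 range added. On a live box the same check works on a 200 OK copied out of "sip set debug" and the output of "pfctl -sn", as long as the rdr range matches rtpstart/rtpend in rtp.conf.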