asterisk users - Sep 2008 - Problems with 2 Asterisk servers on same LAN

OS = CentOS 5
Asterisk = 1.4.21
Router = WhiteRussian 0.9

Not sure whether I have a problem w/ Asterisk or White Russian config,
so I'm posting to both lists.

I have 2 Asterisk servers running behind a Linux router w/ White
Russian. I'm having a lot of trouble with REGISTER.  The servers are
set up this way:

192.168.2.160, SIP 5060, RTP 10000-20000
192.168.2.170, SIP 5070 RTP 21000-25000

On the 192.168.2.170 server I set rtp.conf, with the 21000-25000 ports
and I set bindport=5070 in sip.conf.

I _think_ I have the ports forwarded correctly on my router. I set
DESTINATION ports for the SIP & RTP ports above such that ports 5060 &
 10000-20000 go to 192.168.2.160 while ports 5070 & 21000-25000 got to
192.168.2.170.  Frankly I find the Firewall GUI a little unintuitive ?
here's what /etc/config/firewall looks like:

forward:proto=udp dport=5060:192.168.2.160
forward:proto=udp dport=10000-20000:192.168.2.160

forward:proto=udp dport=5070:192.168.2.170
forward:proto=udp dport=20001-25000:192.168.2.170

This doesn't work though.  I cannot get DIDs on the 192.168.2.170 to
register.  Ethereal indicates that the message gets sent and the
server responds.  The server seems to be responding on the right port
5070, but it gets a 401 from (one of) my machine(s)!

Here's the weirdest part for me.  While trouble shooting, I tried port
forwarding everything to 192.168.2.170:

forward:proto=udp dport=5060:192.168.2.170
forward:proto=udp dport=10000-20000:192.168.2.170

forward:proto=udp dport=5070:192.168.2.170
forward:proto=udp dport=20001-25000:192.168.2.170

The DiDs on 192.168.2.170 still don't register, but the one on
192.168.2.160 continues to work.  How's that possible if the ports
aren't forwarding there?!!

Any help troubleshooting most appreciated.

Hugh

On Sat, Sep 6, 2008 at 9:52 PM, hugolivude <hugolivude at gmail.com>
wrote:
> OS = CentOS 5
> Asterisk = 1.4.21
> Router = WhiteRussian 0.9
>
> Not sure whether I have a problem w/ Asterisk or White Russian config,
> so I'm posting to both lists.
>
> I have 2 Asterisk servers running behind a Linux router w/ White
> Russian. I'm having a lot of trouble with REGISTER.  The servers are
> set up this way:
>
> 192.168.2.160, SIP 5060, RTP 10000-20000
> 192.168.2.170, SIP 5070 RTP 21000-25000
>
> On the 192.168.2.170 server I set rtp.conf, with the 21000-25000 ports
> and I set bindport=5070 in sip.conf.
>
> I _think_ I have the ports forwarded correctly on my router. I set
> DESTINATION ports for the SIP & RTP ports above such that ports 5060
&
>  10000-20000 go to 192.168.2.160 while ports 5070 & 21000-25000 got to
> 192.168.2.170.  Frankly I find the Firewall GUI a little unintuitive ?
> here's what /etc/config/firewall looks like:
>
> forward:proto=udp dport=5060:192.168.2.160
> forward:proto=udp dport=10000-20000:192.168.2.160
>
> forward:proto=udp dport=5070:192.168.2.170
> forward:proto=udp dport=20001-25000:192.168.2.170
>
> This doesn't work though.  I cannot get DIDs on the 192.168.2.170 to
> register.  Ethereal indicates that the message gets sent and the
> server responds.  The server seems to be responding on the right port
> 5070, but it gets a 401 from (one of) my machine(s)!
>
> Here's the weirdest part for me.  While trouble shooting, I tried port
> forwarding everything to 192.168.2.170:
>
> forward:proto=udp dport=5060:192.168.2.170
> forward:proto=udp dport=10000-20000:192.168.2.170
>
> forward:proto=udp dport=5070:192.168.2.170
> forward:proto=udp dport=20001-25000:192.168.2.170
>
> The DiDs on 192.168.2.170 still don't register, but the one on
> 192.168.2.160 continues to work.  How's that possible if the ports
> aren't forwarding there?!!
>
> Any help troubleshooting most appreciated.
>
> Hugh
Keep alives most likely.

You may not even need port forwarding on your router if you are
registering to an external SIP server with different accounts on each
Asterisk box.

If you are using the same credentials/SIP account, then the one that
has registered most recently will always get the calls, same thing if
you have two phones register with the same credentials/account to your
Asterisk boxen.

If I were you, I would drop all port forwarding rules on the router,
comment out the port in sip.conf, make sure you are not running a
firewall on your Asterisk boxen, and make sure that you have your SIP
settings for NAT=yes for your SIP provider.

I bet it will "just work" so long as you are are using register and
qualify.

Thanks,
Steve Totaro

On Sat, 6 Sep 2008, hugolivude wrote:
> OS = CentOS 5
> Asterisk = 1.4.21
> Router = WhiteRussian 0.9
>
> Not sure whether I have a problem w/ Asterisk or White Russian config,
> so I'm posting to both lists.
>
> I have 2 Asterisk servers running behind a Linux router w/ White
> Russian. I'm having a lot of trouble with REGISTER.  The servers are
> set up this way:
>
> 192.168.2.160, SIP 5060, RTP 10000-20000
> 192.168.2.170, SIP 5070 RTP 21000-25000
>
> On the 192.168.2.170 server I set rtp.conf, with the 21000-25000 ports
> and I set bindport=5070 in sip.conf.
>
> I _think_ I have the ports forwarded correctly on my router. I set
> DESTINATION ports for the SIP & RTP ports above such that ports 5060
&
> 10000-20000 go to 192.168.2.160 while ports 5070 & 21000-25000 got to
> 192.168.2.170.  Frankly I find the Firewall GUI a little unintuitive ?
> here's what /etc/config/firewall looks like:
>
> forward:proto=udp dport=5060:192.168.2.160
> forward:proto=udp dport=10000-20000:192.168.2.160
>
> forward:proto=udp dport=5070:192.168.2.170
> forward:proto=udp dport=20001-25000:192.168.2.170
>
> This doesn't work though.  I cannot get DIDs on the 192.168.2.170 to
> register.  Ethereal indicates that the message gets sent and the
> server responds.  The server seems to be responding on the right port
> 5070, but it gets a 401 from (one of) my machine(s)!
>
> Here's the weirdest part for me.  While trouble shooting, I tried port
> forwarding everything to 192.168.2.170:
>
> forward:proto=udp dport=5060:192.168.2.170
> forward:proto=udp dport=10000-20000:192.168.2.170
>
> forward:proto=udp dport=5070:192.168.2.170
> forward:proto=udp dport=20001-25000:192.168.2.170
>
> The DiDs on 192.168.2.170 still don't register, but the one on
> 192.168.2.160 continues to work.  How's that possible if the ports
> aren't forwarding there?!!
Do the remote devices know to contact you on port 5070 rather than the 
default of 5060?

Gordon

Hi,

On Sat, Sep 06, 2008 at 09:52:45PM -0400, hugolivude
wrote:
> OS = CentOS 5
> Asterisk = 1.4.21
> Router = WhiteRussian 0.9
> 
> Not sure whether I have a problem w/ Asterisk or White Russian config,
> so I'm posting to both lists.
> 
> I _think_ I have the ports forwarded correctly on my router. I set
> DESTINATION ports for the SIP & RTP ports above such that ports 5060
&
>  10000-20000 go to 192.168.2.160 while ports 5070 & 21000-25000 got to
> 192.168.2.170.  Frankly I find the Firewall GUI a little unintuitive ?
> here's what /etc/config/firewall looks like:
> 
> forward:proto=udp dport=5060:192.168.2.160
> forward:proto=udp dport=10000-20000:192.168.2.160
> 
> forward:proto=udp dport=5070:192.168.2.170
> forward:proto=udp dport=20001-25000:192.168.2.170
> [...]
I think, that your problem is the port forwarding on the WhiteRussian
box.

Please try to setup the port forwarding in /etc/firewall.user
instead of /etc/config/firewall.

/etc/config/firewall has never worked for me.

Try something like this:

iptables -t nat -A prerouting_wan -p udp --dport 5060 -j DNAT --to 192.168.2.160
iptables        -A forwarding_wan -p udp --dport 5060 -d 192.168.2.160 -j ACCEPT

iptables -t nat -A prerouting_wan -p udp --dport 10000:20000 -j DNAT --to
192.168.2.160
iptables        -A forwarding_wan -p udp --dport 10000:20000 -d 192.168.2.160 -j
ACCEPT

Regards, Artem