Hi Everyone,

I am running multiple instances of Asterisk in Proxmox and so far I had one central Asterisk feeding all others with trunks from one provider. Now, I want to connect each Asterisk server directly to the provider.

Based on my understanding, each connection made to the provider port 5060 would be on a port that is unique to that server. And so other connections made to the same provider will go out through a different port and should receive responses through that different port. At least that is my understanding of NAT. The provider should see me trying to register from the same IP with multiple different ports (high number ports; not talking about 5060 as this is outbound and not inbound) and should be able to differentiate between SIP packets coming from various servers. However, it seems to not happen.

There is some sort of clash and only one of the servers shows registered with the provider and the others' trunks go down. I have noticed that keeping one server works.

It could also be that my Fail2ban kicks in on all servers if the SIP packets received are broadcast to all servers, which shouldn't really happen, and the router should take care of this by sending it to the server that has the established connection through that port.

*My equipment:*
Asterisk 1.6x
pfSense 1.2.3
Dumb Switch

*My questions:*
A- What is the rationale behind this?
B- Do I need a SIP proxy server? Something like Siproxd, OpenSIPS, or Kamailio?
C- Which one of the above is the easiest to get running, given I never tried any of those?
D- If I am doing a SIP proxy server then it might have to also be redundant. What options do I have in that, and which of the above or any other suggested package might be great for future expansions?

Clarification on how NAT would work in situations like this would be much appreciated.

Thanks
Hello Bruce,

Your understanding of NAT is correct, and your setup should work. I'm not familiar with pfSense, but I suspected that your problem was due to a SIP ALG. pfSense seems to have a SIP ALG and other special handling of VoIP traffic. Hence, you are not using plain NAT. pfSense is probably rewriting the SIP packets in addition to the IP packets. Try reconfiguring pfSense or swapping it for something else.

A good way to troubleshoot your scenario is to compare the traffic on your end to the traffic on your provider's end (or on either side of pfSense). Pay attention to the source and destination IP and ports in addition to the contents of the SIP messages.

http://doc.pfsense.org/index.php/VoIP_Configuration
http://en.wikipedia.org/wiki/Application-level_gateway

With kind regards,
Pan
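The comparison suggested in the reply above can be scripted; this is an added example, not part of the original thread. It takes the same REGISTER as seen on each side of the firewall and reports whether only the transport source was translated (plain NAT) or the Via/Contact addresses inside the SIP message were changed as well (ALG behaviour). All addresses, the `register` helper and `sip.example.net` are constructed sample values.

```python
import re

HEADERS = ("Via", "Contact")   # headers carrying the sender's own address
                               # (compact forms "v"/"m" are not handled here)

def sip_addresses(payload):
    """Return {header: 'host[:port]'} for the first Via and Contact found."""
    found = {}
    for line in payload.splitlines():
        name, _, value = line.partition(":")
        name = name.strip()
        if name in HEADERS and name not in found:
            if name == "Via":
                m = re.search(r"SIP/2\.0/\w+\s+([^;\s]+)", value)
            else:
                m = re.search(r"sips?:(?:[^@>\s]+@)?([^;>\s]+)", value)
            if m:
                found[name] = m.group(1)
    return found

def compare_sides(inside, outside):
    """inside/outside: (src_ip, src_port, payload) of one request on each side."""
    a, b = sip_addresses(inside[2]), sip_addresses(outside[2])
    return {
        "transport_translated": inside[:2] != outside[:2],
        "payload_rewritten": sorted(h for h in HEADERS if a.get(h) != b.get(h)),
    }

def register(addr):
    """Constructed REGISTER whose Via and Contact advertise addr."""
    return ("REGISTER sip:sip.example.net SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {addr};branch=z9hG4bK1\r\n"
            "From: <sip:1001@sip.example.net>;tag=1\r\n"
            "To: <sip:1001@sip.example.net>\r\n"
            "Call-ID: 1@constructed\r\nCSeq: 1 REGISTER\r\n"
            f"Contact: <sip:1001@{addr}>\r\n\r\n")

# Constructed captures: LAN side, WAN side with plain NAT, WAN side with an ALG.
INSIDE = ("192.168.1.10", 5060, register("192.168.1.10:5060"))
WAN_PLAIN = ("198.51.100.7", 40000, register("192.168.1.10:5060"))
WAN_ALG = ("198.51.100.7", 5060, register("198.51.100.7:5060"))

if __name__ == "__main__":
    print("plain NAT:", compare_sides(INSIDE, WAN_PLAIN))
    print("SIP ALG:  ", compare_sides(INSIDE, WAN_ALG))
```
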
Hi,

> At least
> that is my understanding of NAT. The provider should see me trying to
> register from the same IP with multiple different ports (high number
> ports; not talking about 5060 as this is outbound and not inbound) and
> should be able to differentiate between SIP packets coming from various
> servers. However, it seems to not happen.
>
> There is some sort of clash and only one of the servers shows registered
> with the provider and other's trunks go down. I have noticed that
> keeping one server works.

What I have noticed with consumer grade NAT routers is that they seem to be optimized to only keep track of one single client that is allowed to connect to a server:port tuple on the outside. So if a SIP client on local ip_a and port 5060 on the inside of the router is talking to a server outside of the NAT at ip_s and port 5060 it works fine, but the minute a second client at local IP ip_b and port 5060 starts to talk to ip_s at port 5060 on the outside of the same NAT router, all traffic from server_s is sent to ip_b and ip_a will receive nothing. With NAT entry timeouts and regular traffic from ip_a and ip_b you might see only one local client being reachable all the time, or connectivity hopping from one to the other at regular intervals.

There are NAT implementations that do not have this problem, but that might require a more expensive router, or you can configure the SIP clients to all use different local ports.

Perhaps this is a result of some sort of SIP ALG or a stupid basic NAT implementation to reduce code complexity on the router, but it is a nuisance either way.

-- 
Andreas Sikkema
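The behaviour described in the message above can be reproduced with a small model; this is an added example, not part of the original thread. It assumes the problem router keeps the inside source port (5060) on the outside, which is one implementation consistent with the different-local-ports workaround; class names and addresses are constructed.

```python
from itertools import count

class PerFlowNapt:
    """NAPT that allocates a distinct outside source port per inside flow."""
    def __init__(self):
        self._ports = count(40000)   # constructed outside port range
        self._out = {}               # (in_ip, in_port, server) -> outside port
        self._back = {}              # (outside port, server) -> (in_ip, in_port)

    def outbound(self, src_ip, src_port, server):
        key = (src_ip, src_port, server)
        if key not in self._out:
            self._out[key] = next(self._ports)
            self._back[(self._out[key], server)] = (src_ip, src_port)
        return self._out[key]

    def inbound(self, server, dst_port):
        return self._back.get((dst_port, server))


class PortPreservingNat:
    """Assumed model of the problem router: the source port is kept as-is,
    so two inside hosts using 5060 towards one server share a single entry."""
    def __init__(self):
        self._back = {}              # (outside port, server) -> (in_ip, in_port)

    def outbound(self, src_ip, src_port, server):
        self._back[(src_port, server)] = (src_ip, src_port)  # last sender wins
        return src_port

    def inbound(self, server, dst_port):
        return self._back.get((dst_port, server))


def deliveries(nat, clients, server):
    """Every client sends once; map each client to the host that gets its reply."""
    out = {c: nat.outbound(c[0], c[1], server) for c in clients}
    return {c: nat.inbound(server, out[c]) for c in clients}


# Constructed addresses standing in for ip_a, ip_b and ip_s from the message.
IP_A, IP_B, IP_S = "192.168.1.10", "192.168.1.11", ("203.0.113.5", 5060)
SAME_PORT = [(IP_A, 5060), (IP_B, 5060)]
DISTINCT_PORTS = [(IP_A, 5060), (IP_B, 5062)]

if __name__ == "__main__":
    print(deliveries(PerFlowNapt(), SAME_PORT, IP_S))
    print(deliveries(PortPreservingNat(), SAME_PORT, IP_S))
    print(deliveries(PortPreservingNat(), DISTINCT_PORTS, IP_S))
```
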