On Tue, Apr 14, 2015 at 08:26:07AM +0200, Sebastian Kemper wrote:
> On Thu, Apr 02, 2015 at 11:33:38PM +0200, Daniel Heckl wrote:
> > I do not want to set allowguest=yes. The problem is, there is no official
> > list with IP addresses of Telekom Germany. But I think all IP
> > addresses come from the IP range 217.0.0.0/13.
>
> Hello Daniel,
>
> Judging by the lists I found I think it's more like this subnet:
> 217.0.16.0/255.255.248.0
>
Hi again,

I had poked a hole in my firewall for packets from above subnet to my
port 5060. I had done the same for the RTP ports.

A while back I realized that for RTP this was nonsense, as the RTP
packets came from servers not even part of the subnet. Although there
were no ports opened for those it just worked, because Telekom is doing
symmetric RTP (and so is Asterisk by default).

So I got rid of the firewall rule that opened the RTP ports. And then it
dawned on me that I don't even need to open the 5060 port. The REGISTER
requests established a UDP connection that the kernel's conntrack module
was tracking anyway. The only issue was that the REGISTERs occurred only
every 480s and the UDP connections were removed after 180s already.

So at first I raised net.netfilter.nf_conntrack_udp_timeout_stream to
500. That worked. But I didn't really want to raise the default. So
instead I added "qualify=yes" to the dtag_inbound peer. Now asterisk is
sending an OPTIONS request to Telekom every 120s (I raised the frequency
from 60 to 120 by setting "qualifyfreq=120" under [general]), which
keeps the connection open.

Just wanted to add that.

Kind regards,
Sebastian

> > I have now the following addition to sip.conf. I think it is the only
> > safe option. Or what would you say?
> >
> > [telekom](!)
>
> <snip>
>
> > [DTAG-IP_IN18_016](telekom)
> > host=217.0.18.16
> >
> > [DTAG-IP_IN18_036](telekom)
> > host=217.0.18.36
> >
> > etc.
>
> This configuration is now running here:
>
> [general]
> context=unauthenticated
> allowguest=no
> srvlookup=no
> udpbindaddr=0.0.0.0
> tcpenable=no
> localnet=172.16.28.0/24
> alwaysauthreject=yes
> directmedia=no
> sdpsession=MyNewSessionString
> useragent=MyNewUserAgent
> language=de
> tonezone=de
> defaultexpiry=480
>
> register => 0NUMBER2:PASS:USER@t-online.de@tel.t-online.de/NUMBER2
> register => 0NUMBER3:PASS:USER@t-online.de@tel.t-online.de/NUMBER3
> register => 0NUMBER4:PASS:USER@t-online.de@tel.t-online.de/NUMBER4
>
> [my-codecs](!)
> allow=!all,alaw
>
> [home-phone](!,my-codecs)
> acl=voice_vlan
> type=friend
> host=dynamic
> context=LocalSets
>
> [XXXXXXXXXXX](home-phone)
> secret=XXXXXXXXXXXXX
>
> [dtag_inbound](my-codecs)
> acl=acl_dtag_inbound
> type=peer
> context=from_dtag
> host=tel.t-online.de
>
> [dtag_outbound](my-codecs)
> acl=acl_dtag_outbound
> type=peer
> defaultuser=USER@t-online.de
> remotesecret=PASS
> host=tel.t-online.de
> fromdomain=tel.t-online.de
>
> The thing is, the provider's SIP server hasn't changed the IP yet. This
> morning it's still the same as yesterday. And yesterday it was the same
> the whole day.
>
> Don't know why I didn't run into the "load balancer" issue (yet). I'm
> starting to think it's because I'm "hiding" that I'm using Asterisk
> (sdpsession, useragent, also custom systemname in asterisk.conf). But
> probably that's not the reason. Anyway, I'm just going to wait until it
> doesn't work and then worry about it.
>
> Regards,
> Sebastian
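
Added example, not part of the original messages: a Python sketch that reads a chan_sip-style sip.conf and checks, per provider host, whether the gap between outbound SIP packets (OPTIONS every qualifyfreq seconds when qualify is on, otherwise the REGISTER refresh, assumed here to equal defaultexpiry) stays below the conntrack UDP timeout of 180s mentioned above. The function names and the sample config are constructed for illustration, and peers with the same host are assumed to share one conntrack entry.

```python
import re

# Constructed sample modelled on the sip.conf quoted in the thread.
SAMPLE = """\
[general]
defaultexpiry=480
qualifyfreq=120
[my-codecs](!)
allow=!all,alaw
[dtag_inbound](my-codecs)
type=peer
host=tel.t-online.de
qualify=yes
[dtag_outbound](my-codecs)
type=peer
host=tel.t-online.de
"""
HEADER = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?")

def parse_sip_conf(text):
    """Return {section: options} with template options inherited (last value wins)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        m = HEADER.match(line)
        if m:
            bases = [b.strip() for b in (m.group(2) or "").split(",")]
            current = {}
            for base in bases:
                if base and base != "!":             # '!' only marks a template
                    current.update(sections.get(base, {}))
            sections[m.group(1)] = current
        elif "=" in line and "=>" not in line and current is not None:
            key, value = line.split("=", 1)          # 'register =>' lines are skipped
            current[key.strip()] = value.strip()
    return sections

def pinhole_report(text, conntrack_timeout=180):
    """Map each peer host to (seconds between outbound SIP packets, entry survives?)."""
    conf = parse_sip_conf(text)
    general = conf.get("general", {})
    register_gap = int(general.get("defaultexpiry", 120))   # assumed REGISTER refresh interval
    qualify_gap = int(general.get("qualifyfreq", 60))       # OPTIONS interval when qualify is on
    gaps = {}
    for opts in conf.values():
        if opts.get("type") != "peer" or "host" not in opts:
            continue
        gap = qualify_gap if opts.get("qualify", "no") != "no" else register_gap
        gaps[opts["host"]] = min(gap, gaps.get(opts["host"], gap))
    return {host: (gap, gap < conntrack_timeout) for host, gap in gaps.items()}
```

Pass the timeout the firewall host actually uses as `conntrack_timeout`; a `False` flag means inbound requests from that host will be dropped between keepalives unless a port is opened.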