I became a bit lazy after using AVM FritzBoxes all the time and god, they surely make all the magic happen by themselves.
Anyhow I hope somebody has a bright idea for my problem: I have RB493G and it is really a great tool for me.
In my setup it is the NAT router in front of a cable modem for my little home network.
It does DHCP and all the rest, but nothing really fancy.
I made two traffic queues, one for P2P and one for the rest. Every port does get routed through,
I also added port 5060 and 10000 (my providers stun server) to the sip helper.
The VoIP calls do get in the high priority queue btw, so I would assume that is okay.
When I set up the call with my SIP telephone everything is fine,
I can talk for minutes and nothing interferes at all.
If I get a call to my SIP telephone it works for a few seconds and then gets dropped.
Talking is possible in both directions. In the log of the phone I can see
that it does use the STUN server, but sadly it does not tell me why the call gets dropped.
I assume for some reason my routerboard closes some connection,
maybe somebody got a hint? I have read a bit about session tracking time out,
but not sure if that is it …
STUN should not be enabled if SIP helper (SIP ALG) is also enabled in your router. STUN requires that the NAT device allow all traffic that is directed to a particular port, and that the traffic is forwarded to the client on the inside. This means that STUN only works with less-secure NATs, so-called “full-cone” NATs, and that the internal client will be exposed to an attack from anyone who can capture the STUN traffic. STUN may be useful for some, but is generally not considered a viable solution for enterprises. In addition, STUN cannot be used with symmetric NATs. This may be a drawback in many situations as most enterprise-class firewalls are symmetric (including RouterOS).
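
The two NAT behaviours named in the post above, as an added example that is not part of the original thread: a toy Python model of a full-cone and a symmetric NAT, showing why the address a phone learns from a STUN server is not usable by the media peer when the NAT is symmetric. The IP addresses are constructed documentation values; ports 5004 and 10000 are the ones mentioned in this thread.

```python
from dataclasses import dataclass, field


@dataclass
class Nat:
    """Toy UDP NAT model. kind is 'full-cone' or 'symmetric'."""
    kind: str
    public_ip: str = "203.0.113.1"   # constructed public address
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # mapping key -> public port

    def _key(self, src, dst):
        # Full-cone: one mapping per internal socket, whatever the destination.
        # Symmetric: a separate mapping per (internal socket, destination) pair.
        return (src,) if self.kind == "full-cone" else (src, dst)

    def outbound(self, src, dst):
        """Internal socket src sends to dst; return the public (ip, port) dst sees."""
        key = self._key(src, dst)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return (self.public_ip, self.table[key])

    def inbound(self, remote, public_port):
        """Return the internal socket that receives the packet, or None if dropped."""
        for key, port in self.table.items():
            if port != public_port:
                continue
            # Symmetric NAT only accepts the remote the mapping was created for.
            if self.kind == "full-cone" or key[1] == remote:
                return key[0]
        return None


def stun_then_media(kind):
    """Phone learns its address via STUN, advertises it, then the peer sends RTP to it."""
    nat = Nat(kind)
    phone = ("192.168.88.10", 5004)    # constructed LAN address, RTP port from the thread
    stun = ("198.51.100.5", 10000)     # constructed address, provider STUN port from the thread
    peer = ("198.51.100.77", 16384)    # constructed remote media endpoint
    advertised = nat.outbound(phone, stun)     # what the STUN server reports back
    seen_by_peer = nat.outbound(phone, peer)   # source address of the phone's own RTP
    delivered = nat.inbound(peer, advertised[1]) == phone
    return advertised, seen_by_peer, delivered


if __name__ == "__main__":
    for kind in ("full-cone", "symmetric"):
        print(kind, stun_then_media(kind))
```
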
Thanks for your elaborate explanation! So actually the only way with symmetric NAT is to forward the according ports to the SIP device,
and expose it this way to the outside all the time? It would be nice if at least the SIP device could auto open the ports via UPnP or something like that.
I know it is not wise to use UPnP, as every device connected to the LAN could open ports, but still, it sounds a bit better than exposing the SIP device to the outside all the time, right?
okay, I understand, in my case the PBX is a small Siemens BizIP and well, it is not maintained anymore, so I wonder what to do.
Also the setup is way too small for a proper Asterisk setup …
I have had similar problems with my Siemens VoIP phones, until I found out that the RTP base port was hardcoded to 5004.
According to the manual, HiPath BizIP was developed primarily as a router behind the WAN. This is the most widespread application and is recommended without reservation. There is no information at all in the admin manual about RTP port numbers, only SIP port.
On page 135, it looks like the following is required for a PBX behind an external router. The manual for my Siemens VOIP phones said the same thing, but it worked quite well with port forwarding after I found out the correct hard coded port numbers.
Prerequisites
• Active SIP provider must have entered STUN = Activated and an available STUN server.
• The external router must transparently route incoming SIP packets to port 5060.
• The external router must transparently route incoming fragmented IP packets (for example, Freenet’s INVITE).
This worked with my Siemens VOIP phones (symmetric NAT section).
When dealing with Siemens IP telephony products we have usually found that seeing the traffic via Wireshark helps as this can show up any stuff that you might otherwise miss.
Awesome! Seems to work like a charm and gladly I only had to forward UDP ports,
so my security concerns were not that real.
btw: if you mirror traffic for wireshark analysis, do you use a routerboard for that?
Back when I was more into network engineering I always had this hub with me to do that.
Sadly I was a bit fast with saying everything is okay, but I am coming closer and narrowing down the problem.
I have found out something: as I use the BizIP AD 20 behind a router there are certain steps that need to be done,
as stated above I did that, activated stun, forwarded the ports, etc. but with the AD 20 something seems to be different.
When I set up the WAN connection with 0.0.0.0/0.0.0.0 as in the manual, then incoming calls work fine,
no time limitation, but on outgoing calls the voice of the partner is not arriving. So I tried different settings with STUN (on, off, automatic),
forwarded UDP 5004, 5006, etc and nothing did change that fact. Then I changed the WAN interface to 0.0.0.0/255.255.255.255,
which seemed better to me, then the incoming calls work fine, but break up after 30 seconds, but in that mode outgoing calls work just fine.
It is funny that the WAN settings even affect the whole setup, as the interface is just disabled…
With packet capturing I found nothing so far, as it seems that all the ports get forwarded correctly,
so the Routerboard seems to do its job properly, but something is still going wrong and that totally blows.