Remote Asterisk Extension Issues

Posted: Fri May 06, 2011 11:38 pm
by RenegadeScribe
Hello there everyone! I've pretty much hit a wall on this so I figured I would ask everyone out here for a possible solution.

I have a PBX-in-a-Flash (Asterisk) server installed behind an RB450G running RouterOS 4.1.7. I have no problems with PBX traffic going in and out, but for the life of me I cannot get a remote extension to register on the PBX.

Now, I've configured Asterisk correctly to allow the remote to connect and I can see it trying to connect to port 5060 in Service Connections, but when I run sip set debug ip <expected connecting ip address> I see no traffic reaching the PBX. I've also disabled SIP helper since there have been some forum posts mentioning that it does anything other than help.

So, I believe there is something wrong with my NAT or firewall rules, but I'm not sure what it is I'm doing wrong.

Here are my Firewall Filter and NAT rules.

Any assistance in this would be really appreciated.

Thanks in advance!

Filter Rules

0 chain=input action=accept protocol=icmp

1 chain=input action=accept connection-state=established
in-interface=ether1-gateway

2 chain=input action=accept connection-state=related in-interface=ether1-gateway

3 chain=input action=accept src-address=192.168.0.0/24 in-interface=!ether1-gateway

4 chain=forward action=drop src-address=0.0.0.0/8

5 chain=forward action=drop dst-address=0.0.0.0/8

6 chain=forward action=drop src-address=127.0.0.0/8

7 chain=forward action=drop dst-address=127.0.0.0/8

8 chain=forward action=drop src-address=224.0.0.0/3

9 chain=forward action=drop dst-address=224.0.0.0/3

10 ;;; deny BackOriffice
chain=udp action=drop protocol=udp dst-port=3133

11 ;;; deny TFTP
chain=udp action=drop protocol=udp dst-port=69

12 ;;; deny PRC portmapper
chain=udp action=drop protocol=udp dst-port=111

13 ;;; deny NBT
chain=udp action=drop protocol=udp dst-port=137-139

14 ;;; deny NFS
chain=udp action=drop protocol=udp dst-port=2049

15 ;;; deny TFTP
chain=tcp action=drop protocol=tcp dst-port=69

16 ;;; deny PRC portmapper
chain=udp action=drop protocol=udp dst-port=135

17 ;;; deny NFS
chain=tcp action=drop protocol=tcp dst-port=2049

18 ;;; deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=111

19 ;;; deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=135

20 ;;; deny NBT
chain=tcp action=drop protocol=tcp dst-port=137-139

21 ;;; deny cifs
chain=tcp action=drop protocol=tcp dst-port=445

22 ;;; deny NetBus
chain=tcp action=drop protocol=tcp dst-port=20034

23 ;;; deny BackOriffice
chain=tcp action=drop protocol=tcp dst-port=3133

24 ;;; deny DHCP
chain=tcp action=drop protocol=tcp dst-port=67-68

25 chain=input action=drop in-interface=ether1-gateway



NAT rules

0 chain=dstnat action=dst-nat to-addresses=192.168.0.160 to-ports=21 protocol=tcp
dst-port=21000

1 chain=dstnat action=dst-nat to-addresses=192.168.0.160 to-ports=3689
protocol=tcp dst-port=21002

2 chain=dstnat action=dst-nat to-addresses=192.168.0.147 to-ports=5900
protocol=tcp dst-port=5905

3 chain=dstnat action=dst-nat to-addresses=192.168.0.126 to-ports=80 protocol=tcp
dst-port=4001

4 chain=dstnat action=dst-nat to-addresses=192.168.0.210 to-ports=21 protocol=tcp
dst-port=21001

5 ;;; SIP - UDP
chain=dstnat action=dst-nat to-addresses=192.168.0.25 to-ports=5060 protocol=udp
in-interface=ether1-gateway dst-port=5060

6 ;;; SIP - TCP
chain=dstnat action=dst-nat to-addresses=192.168.0.25 to-ports=5060 protocol=tcp
in-interface=ether1-gateway dst-port=5060

7 ;;; RTP - UDP
chain=dstnat action=dst-nat to-addresses=192.168.0.25 to-ports=10000-20000
protocol=udp in-interface=ether1-gateway dst-port=10000-20000

8 ;;; IAX - UDP
chain=dstnat action=dst-nat to-addresses=192.168.0.25 to-ports=4569 protocol=udp
dst-port=4569

9 X chain=dstnat action=dst-nat to-addresses=192.168.0.25 dst-address=76.26.177.130

10 X chain=srcnat action=src-nat to-addresses=76.26.177.130 src-address=192.168.0.25

11 chain=srcnat action=masquerade out-interface=ether1-gateway
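
Added example, not part of the original thread: a small Python model that walks a hand-transcribed subset of the rules posted above for the first SIP packet from a remote phone. It assumes standard RouterOS behaviour (dst-nat is applied before the filter chain is chosen, rules are first-match, built-in chains accept by default, custom chains run only when a rule jumps to them); the packet addresses are constructed documentation addresses and the dictionary field names are hypothetical.

```python
import ipaddress

# Hand-transcribed subset of the posted rules (a model, not router output).
# Left out: input rules 0-3, which cannot match a new UDP packet arriving on
# ether1-gateway, the other port-forwards, and most "udp"/"tcp" chain rules.
WAN = "ether1-gateway"
BOGONS = ["0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/3"]  # filter rules 4-9
FILTER = [{"n": 4 + 2 * i + j, "chain": "forward", "action": "drop", key: net}
          for i, net in enumerate(BOGONS) for j, key in enumerate(("src", "dst"))] + [
    {"n": 11, "chain": "udp", "action": "drop", "proto": "udp", "dport": (69, 69)},
    {"n": 21, "chain": "tcp", "action": "drop", "proto": "tcp", "dport": (445, 445)},
    {"n": 25, "chain": "input", "action": "drop", "in_if": WAN},
]
NAT = [{"n": 5, "chain": "dstnat", "action": "dst-nat", "proto": "udp",
        "in_if": WAN, "dport": (5060, 5060), "to": "192.168.0.25"}]
# Constructed packet: remote phone 203.0.113.10 -> router WAN 198.51.100.1
REGISTER = {"proto": "udp", "in_if": WAN, "src": "203.0.113.10", "dst": "198.51.100.1", "dport": 5060}

def matches(rule, pkt):
    """True when every matcher present on the rule agrees with the packet."""
    for key in ("proto", "in_if"):
        if key in rule and rule[key] != pkt[key]:
            return False
    for key in ("src", "dst"):
        if key in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key]):
            return False
    lo, hi = rule.get("dport", (0, 65535))
    return lo <= pkt["dport"] <= hi

def first_match(rules, chain, pkt):
    return next((r for r in rules if r["chain"] == chain and matches(r, pkt)), None)

def trace(pkt):
    """Return (dstnat rule, filter chain, filter rule, verdict) for a new inbound packet."""
    nat = first_match(NAT, "dstnat", pkt)
    if nat:  # destination rewritten to the PBX, so the router forwards the packet
        pkt = dict(pkt, dst=nat["to"])
    chain = "forward" if nat else "input"
    hit = first_match(FILTER, chain, pkt)
    return (nat and nat["n"], chain, hit and hit["n"], hit["action"] if hit else "accept")

def unreachable_chains(rules):
    """Custom chains that no rule jumps to; their rules are never evaluated."""
    targets = {r.get("jump_target") for r in rules}
    return {r["chain"] for r in rules} - {"input", "forward", "output"} - targets
```

In this model the REGISTER packet is rewritten by NAT rule 5 and matches no drop rule in the forward chain, while a packet with no port-forward falls through to input rule 25. The `udp` and `tcp` chains are reported as unreachable because the posted filter list contains no jump rule.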

Re: Remote Asterisk Extension Issues

Posted: Sat May 07, 2011 4:39 pm
by RenegadeScribe
Has anyone run into this sort of issue and solved it? It's a little frustrating but there's so much conflicting info that I've found out there concerning getting SIP through the firewall that I'm not sure if I've implemented it correctly. And there's nothing (at least that I've found) in the docs that really acts as a real guide on how to make sure SIP is getting through the firewall correctly.

Either way, any sort of guidance would be really appreciated since I'm not able to figure out what I need to fix at the moment.

Thanks in advance!

Re: Remote Asterisk Extension Issues

Posted: Sat May 07, 2011 10:30 pm
by blake
Are the packets hitting a drop filter somewhere? Could you show us your logs?

Re: Remote Asterisk Extension Issues

Posted: Sun May 08, 2011 3:08 pm
by RenegadeScribe
> Are the packets hitting a drop filter somewhere? Could you show us your logs?

I'm not seeing anything in the main system log concerning any sort of traffic. Unless you mean another log? Please point me to it (and if I need to change some settings, I'll do so also) and I'll post it.

Still learning some of the ins and outs of Routerboard, so please bear with me. :-)

Thanks in advance!

Re: Remote Asterisk Extension Issues

Posted: Mon May 09, 2011 7:42 am
by newranman
By default some of the newer versions have allow deny set for ext? If so it will only allow registration of ext for local subnet. Log in to FreePBX admin, go to your external ext; there are allow and deny, remove them, reload. Make sure you have a good password for the ext.

Ran

Re: Remote Asterisk Extension Issues

Posted: Mon May 09, 2011 4:47 pm
by RenegadeScribe
> By default some of the newer versions have allow deny set for ext? If so it will only allow registration of ext for local subnet. Login to FreePBX admin, go to your external ext, there are allow and deny remove them, reload. Make sure you have a good password for the ext.
>
> Ran

I remember keeping those open when I initially configured it and the ALLOW/DENY to be open so that wouldn't be an issue. And after checking it again it was clear.

I also SSH'ed into the box and did a sip debug IP on the IP that is supposed to be logging into the PBX, and the traffic's not even reaching the box so I think for sure that it's being stopped somehow at the router.

How can I see where traffic might be being filtered out on the Router?

Also, I'm thinking that I should've perhaps posted this under the Forwarding Protocols forum?

Re: Remote Asterisk Extension Issues

Posted: Tue May 10, 2011 7:50 am
by newranman
Make sure remote device is using udp for sip. And just basic sip with no encryption or header compression.

Any chance the Internet provider of the remote ext is blocking sip. I have had that problem with some cable providers.

Re: Remote Asterisk Extension Issues

Posted: Tue May 10, 2011 1:55 pm
by RenegadeScribe
> Make sure remote device is using udp for sip. And just basic sip with no encryption or header compression.
>
> Any chance the Internet provider of the remote ext is blocking sip. I have had that problem with some cable providers.

We're using SPA942's as our SIP phones and they're currently configured to use UDP for sip. As far as encryption or header compression there are no options for that from what I can tell so I'm assuming that those aren't the case.

As far as the ISP, SIP is traveling in and out to the PBX itself without any issues since we are receiving and sending SIP traffic from it. It just seems that from this remote extension that it is not able to connect, which is why it's driving me crazy.

Again, I'm not seeing packets actually hitting the PBX from the remote extension but I do see them getting to the router via the Service Connections tab under firewall. So I'm thinking that the firewall may be filtering/dropping the packets but I don't know how to be sure.

Do you know how to see where traffic may be being dropped in the filter or NAT rule chain?

Thanks!

Re: Remote Asterisk Extension Issues

Posted: Wed May 11, 2011 6:03 pm
by RenegadeScribe
Is there anyone who has gotten this to work that I can perhaps pick their brain on? Really could use some assistance.

Thanks!