UKVoIPTalk.com

Hi I am having trouble getting multiple SIP phones to work correctly
through a BT Business Hub Router
connecting to an asterisk server over the T'internet.

I am experiencing one way audio and dropped calls - signs which point
to a firewall issue.

I know the firewall at the asterisk end is fine 'cos it's a proper
Cisco Pix which I've configured
to allow SIP AIX and RTP to and from the external address of the BT
Hub.

Unfortunately I cannot seem to open the ports on the BT router for
more than one internal IP address
as this router's web interface does not seem to give a direct method
for opening ports.

What you have to do is create an 'application' which has ports
assigned to it, and then you can
assign this application to an IP address on the internal network.
Unfortunateley when I try to assign
this application to more than one phone the GUI gives me an error
saying I cannot apply this
to more than one IP.

Has anyone managed to get this working?

Any help gratefully received.


Alister.

"Alister" <alister.gcs@hotmail.co.uk> wrote in message
news:a2c25f52-c658-4d32-97de-f5f9d99e030b@f3g2000hsg.googlegroups.com...[color=blue]
>
> Unfortunately I cannot seem to open the ports on the BT router for
> more than one internal IP address
> as this router's web interface does not seem to give a direct method
> for opening ports.
>
> What you have to do is create an 'application' which has ports
> assigned to it, and then you can
> assign this application to an IP address on the internal network.
> Unfortunateley when I try to assign
> this application to more than one phone the GUI gives me an error
> saying I cannot apply this
> to more than one IP.[/color]

Can't you create multiple 'applications' or instances of your 'application'
and apply each of them to one of your required internal IP addresses?

Rob

On Thu, 10 Jan 2008 01:45:33 -0800, Alister wrote:
[color=blue]
> Unfortunately I cannot seem to open the ports on the BT router for more
> than one internal IP address as this router's web interface does not
> seem to give a direct method for opening ports.[/color]

Are you trying to allow your phones outbound access? You could try
disabling the firewall completely while you test it and see if that helps.
[color=blue]
> What you have to do is create an 'application' which has ports assigned
> to it, and then you can assign this application to an IP address on the
> internal network. Unfortunateley when I try to assign this application
> to more than one phone the GUI gives me an error saying I cannot apply
> this to more than one IP.[/color]

It sounds like you're trying to use the port-forwarding mechanism, which
isn't going to let you forward the same outside address:port to different
inside address:ports, unless you have multiple outside addresses [in
which case you could just give the phones outside IPs and be done with
it].

--
<http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm@ale.cx)
13:53:29 up 5 days, 4:17, 2 users, load average: 1.53, 1.58, 1.55
2x Broadband/IT/Telecoms support positions in Newcastle city centre.
For more info call 0191 229 8870 and ask for Steve. No agencies.

On Jan 10, 10:29*am, "Rob" <nob...@this.place.invalid> wrote:[color=blue]
> Can't you create multiple 'applications' or instances of your 'application'
> and apply each of them to one of your required internal IP addresses?
>
> Rob[/color]

Hi Rob,

Thanks for the suggestion, but I tried that and it won't let you.

As alexd says, you can only use the port forwarding to forward
specific outside ports to one inside address.

Unfortunately this is the only firewall control this router gives you.

Cheers

Alister

On Jan 10, 2:00*pm, alexd <troffa...@hotmail.com> wrote:[color=blue]
> On Thu, 10 Jan 2008 01:45:33 -0800, Alister wrote:[color=green]
> > Unfortunately I cannot seem to open the ports on the BT router for more
> > than one internal IP address as this router's web interface does not
> > seem to give a direct method for opening ports.[/color]
>
> Are you trying to allow your phones outbound access? You could try
> disabling the firewall completely while you test it and see if that helps.
>[/color]

<grin> I'd love to, but this router doesn't give you that option.

[color=blue]
>
> It sounds like you're trying to use the port-forwarding mechanism, which
> isn't going to let you forward the same outside address:port to different
> inside address:ports, unless you have multiple outside addresses [in
> which case you could just give the phones outside IPs and be done with
> it].[/color]

You are quite correct, and I have investigated the router further with
the manufacturer and this is the case.
The only firewall control this router offers is port forwarding in the
manner you describe, or to assign a single
external IP (which is the same as the router's) to a DMZ which has no
firewall on it at all.

It looks like I will do this and have another router / firewall in the
DMZ with one interface as the external IP and the other
on an internal IP and then connect the phones via a switch.
I can then set up access-lists to only allow Voip traffic through the
second router. Bit of a pain though!

If you have any better suggestions I'd love to hear them!

Alister.

On Thu, 10 Jan 2008 08:07:14 -0800, Alister wrote:
[color=blue]
> On Jan 10, 2:00Â*pm, alexd <troffa...@hotmail.com> wrote:[/color]
[color=blue]
> You are quite correct, and I have investigated the router further with
> the manufacturer and this is the case. The only firewall control this
> router offers is port forwarding in the manner you describe, or to
> assign a single external IP (which is the same as the router's) to a DMZ
> which has no firewall on it at all.[/color]

Perhaps it's worth replacing the BT router, as you may run into a similar
problem again in the future with other applications.
[color=blue]
> It looks like I will do this and have another router / firewall in the
> DMZ with one interface as the external IP and the other on an internal
> IP and then connect the phones via a switch. I can then set up
> access-lists to only allow Voip traffic through the second router. Bit
> of a pain though![/color]

If I read you right, the plan is:

(Net)--(BT router)--(Another router)--(switch)--(handsets)
[color=blue]
> If you have any better suggestions I'd love to hear them![/color]

I think before you throw any more hardware at the problem, you should
validate that what you're planning is going to work. I can't see how
adding another link in the chain is going to fix a firewalling problem on
the BT router. If you just use the one handset, and modify the rules to
allow it out, does it work? How does internet browsing work if you have
to add an explicit permit rule to allow a host out, but can only add rule
at a time?

Do you have any sites where audio does work?

Have you tried using a handset [or softphone] from home to test it?

Does Asterisk have a public IP? If not, have you told it what it's public
address is? [[url]http://www.voip-info.org/wiki/index.php?page=Asterisk+SIP[/url]
+externip]

Are the handsets SIP or IAX?

Have you tried disabling/enabling SIP fixup on the PIX?

If you have to add another router, you'd probably be best off adding
something that can terminate a VPN from the PIX, and run the calls over
the VPN. This would bring all the usual benefits of VPNs with it.

--
<http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm@ale.cx)
16:29:56 up 5 days, 6:54, 2 users, load average: 1.32, 1.23, 1.17
2x Broadband/IT/Telecoms support positions in Newcastle city centre.
For more info call 0191 229 8870 and ask for Steve. No agencies.

Maybe I am not getting the entire picture here - or maybe its an IAX
thing - but why do you need to specify port forwarding to every phone?

Lots of our sites have multiple (SIP) phones connected via ADSL to a
central Asterisk server and STUN takes care of 'what goes where' -
there's no specific SIP (in your case IAX) forwarding setup on the
site's router. Remember, the phones initiate the connection/registration
to the Asterisk server and so the setup is outbound with the help of
NAT/STUN- nothing unexpected is initially going to be inbound and thus
needs help getting past the firewall/NAT routing.

Worse case (and I still can't see why you'd need it), why not have a
local Asterisk server to which all the phones register and tie this
server to the remote one?

Fill me in, or tell me to shut up, if I'm missing something here!?

On Jan 10, 6:28 pm, alexd <troffa...@hotmail.com> wrote:
[color=blue]
>
> Perhaps it's worth replacing the BT router, as you may run into a similar
> problem again in the future with other applications.
>[/color]

I have considered that, but have heard a of number of instances where
a third party router would not work correctly with a BT ADSL
connection.
[color=blue]
>
> If I read you right, the plan is:
>
> (Net)--(BT router)--(Another router)--(switch)--(handsets)
>[/color]

Yes That's correct.

[color=blue]
>
> I think before you throw any more hardware at the problem, you should
> validate that what you're planning is going to work. I can't see how
> adding another link in the chain is going to fix a firewalling problem on
> the BT router. If you just use the one handset, and modify the rules to
> allow it out, does it work? How does internet browsing work if you have
> to add an explicit permit rule to allow a host out, but can only add rule
> at a time?
>[/color]

I may be wrong but it appears that the only way to turn the firewall
off on this router
is to assign whatever you are connecting to its internal interface to
the DMZ, to which it then assigns
an external (dynamic) IP, and as it only allows you to do this to one
host, this will have to be a router
with an inside and outside ethernet interface so that I can assign non
routable internal IP's to the phones.

It is incoming traffic which the BT Firewall is blocking - not 5060
but the RTP range 10000 - 12000
We can initiate and answer calls and register the handsets but lose
audio.
[color=blue]
>
> Have you tried using a handset [or softphone] from home to test it?
>
> Does Asterisk have a public IP? If not, have you told it what it's public
> address is? [[url]http://www.voip-info.org/wiki/index.php?page=Asterisk+SIP[/url]
> +externip]
>
> Are the handsets SIP or IAX?[/color]

SIP - a mixture of ATCOM AT530 and Seimens S450IP
[color=blue]
> Have you tried disabling/enabling SIP fixup on the PIX?[/color]

No need, the Pix end of things is quite happy.

The Asterisk Server has a public IP, and connections to it from other
sites we run
have no problems at all - we have a satellite office with its own
Asterisk and the
two are connected by IAX. We have a further site in france with
multiple phones on an
ADSL from wanadoo.fr which again connects to the main asterisk site
with no problems.

At home I have a sip phone which sits behind a BT Router with Static
IPs and it works fine.

It is just this site - and this router - which are the problem.
[color=blue]
> If you have to add another router, you'd probably be best off adding
> something that can terminate a VPN from the PIX, and run the calls over
> the VPN. This would bring all the usual benefits of VPNs with it.[/color]

I have a spare PIX 501 which I was thinking of using as the router,
which would mean I could
possibly use VPN, but on voip to voip calls wouldn't that effectively
stop RTP from bypassing the asterisk?

As I understand it, Asterisk initiates the connection but then hands
it off to the two hosts using RTP for the
voice and SIP for the call control. If I am wrong, I'm sure you'll let
me know :-)

btw I do appreciate the time you are taking to try and help - I'm
sorry if I haven't explained things clearly.

Alister

On Jan 10, 10:31 pm, Linker3000 <linker3...@goo-nohyphens-glemail.com>
wrote:[color=blue]
> Maybe I am not getting the entire picture here - or maybe its an IAX
> thing - but why do you need to specify port forwarding to every phone?
>
> Lots of our sites have multiple (SIP) phones connected via ADSL to a
> central Asterisk server and STUN takes care of 'what goes where' -
> there's no specific SIP (in your case IAX) forwarding setup on the
> site's router. Remember, the phones initiate the connection/registration
> to the Asterisk server and so the setup is outbound with the help of
> NAT/STUN- nothing unexpected is initially going to be inbound and thus
> needs help getting past the firewall/NAT routing.
>
> Worse case (and I still can't see why you'd need it), why not have a
> local Asterisk server to which all the phones register and tie this
> server to the remote one?
>
> Fill me in, or tell me to shut up, if I'm missing something here!?[/color]

<grin>

I wouldn't dream of telling you to shut up :-)

The phones are SIP and the problem is incoming connections -
specifically the RTP ports
that a VoIP call uses for voice traffic. There seems to be no way of
telling this router to let
traffic through from outside unless you do it on a per device basis.
I can register the handsets, and initiate and receive calls, but I get
either one-way audio or none at all.

I don't really want to have to go to the trouble of having another
asterisk at this office just for seven phones
- particularly as this office is in Somerset and I (as the only IT
bod) am based in Derbyshire.

We already run two Asterisk servers - one in Derbyshire and one in
Warwickshire, and I would rather these phones
used one or other of these. We run an office in France which uses the
Warwickshire asterisk with no problems.

My problem is just this bl***y BT Business Hub, which is designed to
be user friendly and consequently seems impossible
to configure for anything other than web browsing or e-mail.

Do you use BT Broadband at all? and if so what router have you got on
the end of it?

Cheers

Alister

On Fri, 11 Jan 2008 11:28:51 -0800, Alister wrote:
[color=blue]
> On Jan 10, 6:28 pm, alexd <troffa...@hotmail.com> wrote:[/color]
[color=blue]
> I may be wrong but it appears that the only way to turn the firewall off
> on this router
> is to assign whatever you are connecting to its internal interface to
> the DMZ,[/color]
[color=blue]
> It is incoming traffic which the BT Firewall is blocking - not 5060 but
> the RTP range 10000 - 12000
> We can initiate and answer calls and register the handsets but lose
> audio.[/color]

[url]http://www.dslreports.com/forum/2wire[/url]

There are some 2Wire experts in there, might be worth a shot if you're
reluctant to bin it.
[color=blue]
>[color=green]
>> Have you tried using a handset [or softphone] from home to test it?
>>
>> Does Asterisk have a public IP? If not, have you told it what it's
>> public address is?
>> [[url]http://www.voip-info.org/wiki/index.php?page=Asterisk+SIP[/url] +externip]
>>
>> Are the handsets SIP or IAX?[/color]
>
> SIP - a mixture of ATCOM AT530 and Seimens S450IP[/color]

OK here's another idea - how about putting the IAX firmware on the
Atcoms? Won't fix the Siemens, of course.
[color=blue]
> It is just this site - and this router - which are the problem.[/color]

Replace the router. It can't be that hard, all you need is username,
password and the static IP details [if you've got them]. Having googled
your router, I'm concerned that there is a VoIP implementation on there,
and it may be doing silly stuff to your SIP traffic.
[color=blue][color=green]
>> If you have to add another router, you'd probably be best off adding
>> something that can terminate a VPN from the PIX, and run the calls over
>> the VPN. This would bring all the usual benefits of VPNs with it.[/color]
>
> I have a spare PIX 501 which I was thinking of using as the router,
> which would mean I could
> possibly use VPN, but on voip to voip calls wouldn't that effectively
> stop RTP from bypassing the asterisk?[/color]

Yes. Calls will be fine from the branch to the site where Asterisk is,
but calls from said branch to other sites over SIP will again be one
sided. If you've got enough bandwidth at the Asterisk end, you could stop
the relevant extensions from being able to reinvite and you should be OK.
[color=blue]
> As I understand it, Asterisk initiates the connection but then hands it
> off to the two hosts using RTP for the voice and SIP for the call
> control. If I am wrong, I'm sure you'll let me know :-)[/color]

[url]http://www.voip-info.org/wiki/view/Asterisk+sip+canreinvite[/url]

explains how Asterisk handles re-invites.


--
<http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm@ale.cx)
23:13:20 up 6 days, 13:37, 2 users, load average: 1.02, 1.06, 1.01
2x Broadband/IT/Telecoms support positions in Newcastle city centre.
For more info call 0191 229 8870 and ask for Steve. No agencies.