EFW Support

Support => General Support => Topic started by: bdmeyer on Wednesday 01 August 2012, 11:30:37 am


Title: How to get SIP to work on Community Editon 5.5.1
Post by: bdmeyer on Wednesday 01 August 2012, 11:30:37 am
I understand there is no more SIP proxy.

I added this to the outgoing rules:
    
Code:
6c:33:a9:11:f1:a1 	RED 	TCP+UDP/5060 TCP+UDP/5070 	ALLOW 	 SIP

I am pretty certain I only need UDP.

When i enable outbound rules, I get dial tone but no voice.
Eth1 is my DMZ. Nothing else is on it. i tried the same rules on the Green Interface. Same  and results.

With TCPDump I see this when I dial out:

Code:
tcpdump -i eth1 port 5060 or port 5070 -nnv

tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
21:15:03.755289 IP (tos 0x0, ttl  64, id 1131, offset 0, flags [none], proto: UDP (17), length: 30) 192.168.2.150.17107 > 216.234.78.8.5070: UDP, length 2
21:15:14.037785 IP (tos 0x0, ttl  64, id 1132, offset 0, flags [none], proto: UDP (17), length: 907) 192.168.2.150.17107 > 216.234.78.8.5070: UDP, length 879
21:15:14.077168 IP (tos 0x0, ttl  53, id 0, offset 0, flags [DF], proto: UDP (17), length: 354) 216.234.78.8.5070 > 192.168.2.150.17107: UDP, length 326
21:15:14.088451 IP (tos 0x0, ttl  53, id 0, offset 0, flags [DF], proto: UDP (17), length: 527) 216.234.78.8.5070 > 192.168.2.150.17107: UDP, length 499
21:15:14.198211 IP (tos 0x0, ttl  64, id 1133, offset 0, flags [none], proto: UDP (17), length: 397) 192.168.2.150.17107 > 216.234.78.8.5070: UDP, length 369
21:15:14.200904 IP (tos 0x0, ttl  64, id 1134, offset 0, flags [none], proto: UDP (17), length: 1092) 192.168.2.150.17107 > 216.234.78.8.5070: UDP, length 1064
21:15:14.238091 IP (tos 0x0, ttl  53, id 0, offset 0, flags [DF], proto: UDP (17), length: 354) 216.234.78.8.5070 > 192.168.2.150.17107: UDP, length 326

iptables -L (grep for MAC)

Code:
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:sip MAC 6c:33:a9:11:f1:a1 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:sip MAC 6c:33:a9:11:f1:a1
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:vtsas MAC 6c:33:a9:11:f1:a1 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:vtsas MAC 6c:33:a9:11:f1:a1

tailing the firewall log I see this though:
Code:
INPUTFW:ACCEPT:3:l3 IN=br1 OUT= MAC=00:1b:2f:35:82:72:6c:33:a9:11:f1:a1:08:00 SRC=192.168.2.150 DST=192.168.2.1 LEN=60 TOS=00 PREC=0x00 TTL=255 ID=1435 PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=0 MARK=3000
FORWARD:DROP IN=br1 OUT=eth2 MAC=00:1b:2f:35:82:72:6c:33:a9:11:f1:a1:08:00 SRC=192.168.2.150 DST=12.69.64.40 LEN=280 TOS=00 PREC=0x00 TTL=63 ID=1439 PROTO=UDP SPT=49162 DPT=18560 LEN=260 MARK=3000
FORWARD:DROP IN=br1 OUT=eth2 MAC=00:1b:2f:35:82:72:6c:33:a9:11:f1:a1:08:00 SRC=192.168.2.150 DST=12.69.64.40 LEN=280 TOS=00 PREC=0x00 TTL=63 ID=1440 PROTO=UDP SPT=49162 DPT=18560 LEN=260 MARK=3000
FORWARD:DROP IN=br1 OUT=eth2 MAC=00:1b:2f:35:82:72:6c:33:a9:11:f1:a1:08:00 SRC=192.168.2.150 DST=12.69.64.40 LEN=280 TOS=00 PREC=0x00 TTL=63 ID=1441 PROTO=UDP SPT=49162 DPT=18560 LEN=260 MARK=3000

Is my device using non standard ports, or is the ports shown above on these dropped packets normal for a SIP phone?

Thank you for any guidance.

-= Bruce

Title: Re: How to get SIP to work on Community Editon 5.5.1
Post by: trymes on Friday 03 August 2012, 12:05:44 am
SIP communicates using more than one port. One is for signalling, usually 5060, and the other is for the RTP traffic, which is the voice/video/etc.

Generally, you need to allow for both port 5060 and a range of ports for RTP. When using asterisk, for example, I generally forward 5060 and 10,000-20,000, but those numbers vary depending on the settings and type of your SIP server.

Tom

Title: Re: How to get SIP to work on Community Editon 5.5.1
Post by: bdmeyer on Friday 03 August 2012, 12:32:03 am
Thanks for the reply Tom,
   I'll figure what the port range is, and give it a try. I ended up in the mean time just setting a rule for the MAC address of the device and then UDP port ANY which works, but is sloppy.

-= Bruce


Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media