[Freeswitch-users] Newbie question about inbound calls/NAT (yes I checked wiki first:-) )
Jeff Bernhardt
jeff at askcornerstone.net
Tue Apr 16 12:29:23 MSD 2013
You know, I actually just figured it out myself just a couple hours ago.... but I'm gonna give your method a shot too since I haven't played with ACLs yet and that would give me a chance to.
I discovered that the problem was actually how I'd setup Vitelity to route to the server. I didn't realize this before, but in Vitelity, you can either route to the server IP address to allow IP based authentication OR you can route to the account login name that the trunk is being registered with. The former was giving errors since I didn't have that account setup, whereas the latter worked with no problem. I'm guessing this is because with the IP based auth method, Vitelity connects to port 5060 (can't change this), which is taken as Freeswitch's default internal profile port (requires authentication) instead of port 5080 (the public profile with doesn't require authentication?), and since there was no internal user for what Vitelity was sending essentially unsolicited on 5060, it got denied. As to why it works by routing to the registered account login name I'm not sure, but perhaps that's part of what registration does; it sends to the public profile by default...?
Anyway, thanks for all the help! Great to see such an active and helpful list with something I'll need a lot of help with!
________________________________
From: freeswitch-users-bounces at lists.freeswitch.org [freeswitch-users-bounces at lists.freeswitch.org] on behalf of Michael Collins [msc at freeswitch.org]
Sent: Monday, April 15, 2013 7:15 PM
To: FreeSWITCH Users Help
Subject: Re: [Freeswitch-users] Newbie question about inbound calls/NAT (yes I checked wiki first:-) )
For inbound calls you can skip the authentication by adding the source IP address to the "domains" section of conf/autoload_configs/acl.conf.xml. This will prevent FreeSWITCH from challenging the inbound call if it comes from that IP address. This is more desirable than disabling call authentication altogether in your SIP profile. (i.e. you are allowing only a specific IP address to come in unauth'd as opposed to letting the whole world in!)
Find out the source IP address for your Vitelity SIP traffic and add it to the acl.conf.xml file in the "domains" section. It will be something like this:
<node type="allow" cidr="1.2.3.4/32<http://1.2.3.4/32>"/>
After you save that go to fs_cli and type "reloadacl". NOTE: simply doing a "reloadxml" is not sufficient to make the new ACL entry take effect. ("reloadxml" simply reloads the XML config; "reloadacl" does a reloadxml and then reloads the ACL entries.)
Hope this helps.
-MC
On Mon, Apr 15, 2013 at 12:30 AM, Jeff Bernhardt <jeff at askcornerstone.net<mailto:jeff at askcornerstone.net>> wrote:
Thanks. I had a look at the links and changed "domain and even "domain_name" in vars.xml to be the external ip, but the error now just says it can's find user abcd_1.2.3.4 at 1.2.3.4<mailto:abcd_1.2.3.4 at 1.2.3.4> instead of @192.168.10.32<http://192.168.10.32>.
And actually, I 'm mostly confused because I thought incoming calls were treated as unauthenticated and allowed to pass through. Isn't registering the trunk with the SIP provider enough to get incoming calls accepted?
The errors says "...you must configure your device to use the proper domain in it's authentication credentials," but how is the SIP trunk treated as a device?
Like I said, I think I'm misunderstanding something fundamental about this.
Thanks you.
________________________________
From: freeswitch-users-bounces at lists.freeswitch.org<mailto:freeswitch-users-bounces at lists.freeswitch.org> [freeswitch-users-bounces at lists.freeswitch.org<mailto:freeswitch-users-bounces at lists.freeswitch.org>] on behalf of Cal Leeming [Simplicity Media Ltd] [cal.leeming at simplicitymedialtd.co.uk<mailto:cal.leeming at simplicitymedialtd.co.uk>]
Sent: Sunday, April 14, 2013 3:38 PM
To: FreeSWITCH Users Help
Subject: Re: [Freeswitch-users] Newbie question about inbound calls/NAT (yes I checked wiki first:-) )
Hello Jeff,
Here is a related thread;
http://freeswitch-users.2379917.n2.nabble.com/You-must-define-a-domain-called-xx-com-in-your-directory-td7585944.html
http://lists.freeswitch.org/pipermail/freeswitch-users/2008-September/006232.html
You need to configure your domain and username, but as you can see here your gateway/users are sending the domain '192.168.10.32', but you have not configured this domain in sofia.conf.
If you are using multi-tenant then you'll need to put some more thought into how you're going to approach this.
If you are not using multi-tenant (i.e. one domain only) then you could force the domain as discussed here;
http://www.feedingedge.co.uk/blog/2010/08/03/techie-post-opensim-and-freeswitch-problems/
Hope this helps
Cal
On Sun, Apr 14, 2013 at 10:36 AM, Jeff Bernhardt <jeff at askcornerstone.net<mailto:jeff at askcornerstone.net>> wrote:
Setting up my first test box with Freeswitch. I'm really excited about getting it up and running.
I'm trying to get inbound calls working from external using a Vitelity trunk. Let's say my username from Vitelity is "abcd_efg" and password is "password," external IP is 1.2.3.4 and internal is 192.168.10.32. I get registered to Vitelity fine (their web panel shows I'm registered and fs_cli confirms). However, when I make a call inbound, I get:
[WARNING] sofia_reg.c:2621 Can't find user [abcd_1.2.3.4 at 192.168.10.32<mailto:abcd_1.2.3.4 at 192.168.10.32>] from <vitelity-inbound-trunk-ip>
You must define a domain called '192.168.10.32' in your directory and add a user with the id="abcd_1.2.3.4" attribute
and you must configure your device to use the proper domain in it's authentication credentials.
I don't know if this is related, but to get around NAT, I have this in vars.xml:
<X-PRE-PROCESS cmd="set" data="external_rtp_ip=1.2.3.4"/>
<X-PRE-PROCESS cmd="set" data="external_sip_ip=1.2.3.4"/>
and this in both internal.xml and external.xml:
<param name="ext-rtp-ip" value="$${external_rtp_ip}"/>
<param name="ext-sip-ip" value="$${external_sip_ip}"/>
I have a feeling I've misunderstood something fundamental about setting up Freeswitch for inbound access. I've put in the above configs as per what I've found in the wiki, but I'm not sure how to do what the warning says or if it really means I have something not setup right. What am I doing wrong?
Thank you.
_________________________________________________________________________
Professional FreeSWITCH Consulting Services:
consulting at freeswitch.org<mailto:consulting at freeswitch.org>
http://www.freeswitchsolutions.com
Official FreeSWITCH Sites
http://www.freeswitch.org
http://wiki.freeswitch.org
http://www.cluecon.com
FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org<mailto:FreeSWITCH-users at lists.freeswitch.org>
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
_________________________________________________________________________
Professional FreeSWITCH Consulting Services:
consulting at freeswitch.org<mailto:consulting at freeswitch.org>
http://www.freeswitchsolutions.com
Official FreeSWITCH Sites
http://www.freeswitch.org
http://wiki.freeswitch.org
http://www.cluecon.com
FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org<mailto:FreeSWITCH-users at lists.freeswitch.org>
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
--
Michael S Collins
Twitter: @mercutioviz
http://www.FreeSWITCH.org
http://www.ClueCon.com
http://www.OSTAG.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20130416/3495a5d9/attachment-0001.html
Join us at ClueCon 2011 Aug 9-11, 2011
More information about the FreeSWITCH-users
mailing list