[Freeswitch-users] Freeswitch send UDP to port outside range

Sergey Safarov s.safarov at gmail.com
Thu Oct 1 18:31:09 MSD 2015 

Also statically bind your FS server to private ip  and configure ext_ip
sip_rpofile params to private ip.

Also try runs FS with  keys "-nonat -nonatmap"

Sergey

On Thu, Oct 1, 2015 at 4:43 PM, Charles Bujold <cjbujold at accra.ca> wrote:

>
>
> We are encountering an error which we do not know how to fix.  If somebody
> can help, it would be appreciated.
>
>
>
> Our configuration is we have 2 offices.  Both offices are joined together
> via a VPN.  The users in the remote office use Freeswitch via the VPN and
> connect to Freeswitch SIP port 5060 via the VPN.  Their phones register
> without issue.  The issue comes when they try to make a call.  They connect
> to Freeswitch via SIP without error however early in the connection
> Freeswitch no longer recognizes them as being local and tries to
> communicate with them via the WAN.   Worst case we could open the firewall
> to permit such communication but the issue with that, for some reason
> Freeswitch no longer uses the UDP port range set in Freeswitch it uses a
> port outside of the range causing the call to fail.
>
>
>
> Our acl.config has both Lan entered into it  192.168.20.0/24 (Main
> Office)   and 192.168.25.0/24 (Remote Office)  however the main office
> lan is set to deny, we presume it is because one of the default list
> already includes it.
>
>
>
> Here is a pcap summary of what we see.   How can we setup so that the
> remote office will work every time and still be seen as part of the overall
> local office?
>
>
>
> 192.168.25.18 is a remote phone
>
> 192.168.20.153 is Freeswitch server in main office.
>
> 142.162.8.143 is our WAN IP
>
> Port 49790 is outside of the max port which is 32768
>
>
>
> 83           12.279953            192.168.25.18     192.168.20.153
> SIP/SDP 935         Request: INVITE sip:*97 at 192.168.20.153
>
> 84           12.375683            192.168.20.153  192.168.25.18
> SIP          375         Status: 100 Trying |
>
> 85           12.376097            192.168.20.153  192.168.25.18
> SIP          880         Status: 407 Proxy Authentication Required
>
> 86           12.393746            192.168.25.18     192.168.20.153
> SIP          318         Request: ACK sip:*97 at 192.168.20.153
>
> 87           12.458854            192.168.25.18     192.168.20.153
> SIP/SDP 1181       Request: INVITE sip:*97 at 192.168.20.153
>
> 88           12.542911            192.168.20.153  192.168.25.18
> SIP          375         Status: 100 Trying
>
> 89           12.718778            192.168.20.153  192.168.25.18
> SIP/SDP 1153       Status: 200 OK
>
> 90           12.752832            192.168.25.18     142.162.8.143
> SIP          680         Request: ACK sip:*97 at 142.162.8.143:49790;transport=udp
>
>
>
>
>
>
> Our acl.conf file
>
>
>
> <configuration name="acl.conf" description="Network Lists">
>
>   <network-lists>
>
>     <!--
>
>                  These ACL's are automatically created on startup.
>
>
>
>                 rfc1918.auto  - RFC1918 Space
>
>                 nat.auto      - RFC1918 Excluding your local lan.
>
>                 localnet.auto - ACL for your local lan.
>
>                 loopback.auto - ACL for your local lan.
>
>     -->
>
>
>
>     <list name="lan" default="allow">
>
>       <node type="deny" cidr="192.168.20.0/24"/>
>
>       <node type="allow" cidr="192.168.25.0/24"/>
>
>     </list>
>
>
>
>     <!--
>
>                 This will traverse the directory adding all users
>
>                 with the cidr= tag to this ACL, when this ACL matches
>
>                 the users variables and params apply as if they
>
>                 digest authenticated.
>
>     -->
>
>     <list name="domains" default="deny">
>
>       <!-- domain= is special it scans the domain from the directory to
> build the ACL -->
>
>       <node type="allow" domain="$${domain}"/>
>
>       <!-- use cidr= if you wish to allow ip ranges to this domains acl.
> -->
>
>       <!-- <node type="allow" cidr="192.168.20.0/24"/>  -->
>
>       <!-- <node type="allow" cidr="192.168.25.0/24"/>  -->
>
>     </list>
>
>
>
>   </network-lists>
>
> </configuration>
>
>
>
> If you can tell us how we should configure Freeswitch to work for both
> offices it would be appreciated.
>
>
>
> Thanks
>
> cjb
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20151001/34fe065c/attachment.html

Join us at ClueCon 2016 Aug 8-12, 2016
More information about the FreeSWITCH-users mailing list