<div dir="ltr">Also statically bind your FS server to private ip  and configure ext_ip sip_rpofile params to private ip.<div><br></div><div>Also try runs FS with  keys &quot;-nonat -nonatmap&quot;</div><div><br></div><div>Sergey</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 1, 2015 at 4:43 PM, Charles Bujold <span dir="ltr">&lt;<a href="mailto:cjbujold@accra.ca" target="_blank">cjbujold@accra.ca</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA">We are encountering an error which we do not know how to fix.  If somebody can help, it would be appreciated.  <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA">Our configuration is we have 2 offices.  Both offices are joined together via a VPN.  The users in the remote office use Freeswitch via the VPN and connect to Freeswitch SIP port 5060 via the VPN.  Their phones register without issue.  The issue comes when they try to make a call.  They connect to Freeswitch via SIP without error however early in the connection Freeswitch no longer recognizes them as being local and tries to communicate with them via the WAN.   Worst case we could open the firewall to permit such communication but the issue with that, for some reason Freeswitch no longer uses the UDP port range set in Freeswitch it uses a port outside of the range causing the call to fail.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA">Our acl.config has both Lan entered into it  <a href="http://192.168.20.0/24" target="_blank">192.168.20.0/24</a> (Main Office)   and <a href="http://192.168.25.0/24" target="_blank">192.168.25.0/24</a> (Remote Office)  however the main office lan is set to deny, we presume it is because one of the default list already includes it.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA">Here is a pcap summary of what we see.   How can we setup so that the remote office will work every time and still be seen as part of the overall local office?   <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA">192.168.25.18 is a remote phone<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA">192.168.20.153 is Freeswitch server in main office.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA">142.162.8.143 is our WAN IP<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA">Port 49790 is outside of the max port which is 32768<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA">83           12.279953            192.168.25.18     192.168.20.153  SIP/SDP 935         Request: INVITE sip:*<a href="mailto:97@192.168.20.153" target="_blank">97@192.168.20.153</a> <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA">84           12.375683            192.168.20.153  192.168.25.18     SIP          375         Status: 100 Trying |<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA">85           12.376097            192.168.20.153  192.168.25.18     SIP          880         Status: 407 Proxy Authentication Required <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA">86           12.393746            192.168.25.18     192.168.20.153  SIP          318         Request: ACK sip:*<a href="mailto:97@192.168.20.153" target="_blank">97@192.168.20.153</a> <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA">87           12.458854            192.168.25.18     192.168.20.153  SIP/SDP 1181       Request: INVITE sip:*<a href="mailto:97@192.168.20.153" target="_blank">97@192.168.20.153</a> <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA">88           12.542911            192.168.20.153  192.168.25.18     SIP          375         Status: 100 Trying <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA">89           12.718778            192.168.20.153  192.168.25.18     SIP/SDP 1153       Status: 200 OK <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA">90           12.752832            192.168.25.18     142.162.8.143     SIP          680         Request: ACK sip:*97@142.162.8.143:49790;transport=udp <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA">Our acl.conf file<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">&lt;configuration name=&quot;acl.conf&quot; description=&quot;Network Lists&quot;&gt;<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">  &lt;network-lists&gt;<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">    &lt;!-- <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">                 These ACL&#39;s are automatically created on startup.<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">                rfc1918.auto  - RFC1918 Space<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">                nat.auto      - RFC1918 Excluding your local lan.<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">                localnet.auto - ACL for your local lan.<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">                loopback.auto - ACL for your local lan.<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">    --&gt;<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">    &lt;list name=&quot;lan&quot; default=&quot;allow&quot;&gt;<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">      &lt;node type=&quot;deny&quot; cidr=&quot;<a href="http://192.168.20.0/24" target="_blank">192.168.20.0/24</a>&quot;/&gt; <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">      &lt;node type=&quot;allow&quot; cidr=&quot;<a href="http://192.168.25.0/24" target="_blank">192.168.25.0/24</a>&quot;/&gt;<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">    &lt;/list&gt;<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">    &lt;!--<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">                This will traverse the directory adding all users <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">                with the cidr= tag to this ACL, when this ACL matches<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">                the users variables and params apply as if they <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">                digest authenticated.<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">    --&gt;<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">    &lt;list name=&quot;domains&quot; default=&quot;deny&quot;&gt;<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">      &lt;!-- domain= is special it scans the domain from the directory to build the ACL --&gt;<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">      &lt;node type=&quot;allow&quot; domain=&quot;$${domain}&quot;/&gt;<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">      &lt;!-- use cidr= if you wish to allow ip ranges to this domains acl. --&gt;<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">      &lt;!-- &lt;node type=&quot;allow&quot; cidr=&quot;<a href="http://192.168.20.0/24" target="_blank">192.168.20.0/24</a>&quot;/&gt;  --&gt;<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">      &lt;!-- &lt;node type=&quot;allow&quot; cidr=&quot;<a href="http://192.168.25.0/24" target="_blank">192.168.25.0/24</a>&quot;/&gt;  --&gt; <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">    &lt;/list&gt;<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">  &lt;/network-lists&gt;<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA">&lt;/configuration&gt;<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA">If you can tell us how we should configure Freeswitch to work for both offices it would be appreciated.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA">Thanks<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA">cjb<u></u><u></u></span></p></div></div><br>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" rel="noreferrer" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://confluence.freeswitch.org" rel="noreferrer" target="_blank">http://confluence.freeswitch.org</a><br>
<a href="http://www.cluecon.com" rel="noreferrer" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" rel="noreferrer" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" rel="noreferrer" target="_blank">http://www.freeswitch.org</a><br></blockquote></div><br></div>