<div dir="ltr">Also statically bind your FS server to private ip and configure ext_ip sip_profile params to private ip.<div><br></div><div>Also try running FS with keys "-nonat -nonatmap"</div><div><br></div><div>Sergey</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 1, 2015 at 4:43 PM, Charles Bujold <span dir="ltr"><<a href="mailto:cjbujold@accra.ca" target="_blank">cjbujold@accra.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA">We are encountering an error which we do not know how to fix. If somebody can help, it would be appreciated. <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA">Our configuration is we have 2 offices. Both offices are joined together via a VPN. The users in the remote office use Freeswitch via the VPN and connect to Freeswitch SIP port 5060 via the VPN. Their phones register without issue. The issue comes when they try to make a call. They connect to Freeswitch via SIP without error however early in the connection Freeswitch no longer recognizes them as being local and tries to communicate with them via the WAN. 
Worst case we could open the firewall to permit such communication but the issue with that, for some reason Freeswitch no longer uses the UDP port range set in Freeswitch it uses a port outside of the range causing the call to fail.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA">Our acl.config has both Lan entered into it <a href="http://192.168.20.0/24" target="_blank">192.168.20.0/24</a> (Main Office) and <a href="http://192.168.25.0/24" target="_blank">192.168.25.0/24</a> (Remote Office) however the main office lan is set to deny, we presume it is because one of the default list already includes it.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA">Here is a pcap summary of what we see. How can we setup so that the remote office will work every time and still be seen as part of the overall local office? <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA">192.168.25.18 is a remote phone<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA">192.168.20.153 is Freeswitch server in main office.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA">142.162.8.143 is our WAN IP<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA">Port 49790 is outside of the max port which is 32768<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA">83 12.279953 192.168.25.18 192.168.20.153 SIP/SDP 935 Request: INVITE sip:*<a href="mailto:97@192.168.20.153" target="_blank">97@192.168.20.153</a> <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA">84 12.375683 192.168.20.153 192.168.25.18 SIP 375 Status: 100 Trying |<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA">85 12.376097 192.168.20.153 192.168.25.18 SIP 880 
Status: 407 Proxy Authentication Required <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA">86 12.393746 192.168.25.18 192.168.20.153 SIP 318 Request: ACK sip:*<a href="mailto:97@192.168.20.153" target="_blank">97@192.168.20.153</a> <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA">87 12.458854 192.168.25.18 192.168.20.153 SIP/SDP 1181 Request: INVITE sip:*<a href="mailto:97@192.168.20.153" target="_blank">97@192.168.20.153</a> <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA">88 12.542911 192.168.20.153 192.168.25.18 SIP 375 Status: 100 Trying <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA">89 12.718778 192.168.20.153 192.168.25.18 SIP/SDP 1153 Status: 200 OK <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA">90 12.752832 192.168.25.18 142.162.8.143 SIP 680 Request: ACK sip:*97@142.162.8.143:49790;transport=udp <u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA">Our acl.conf file<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"><configuration name="acl.conf" description="Network Lists"><u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> <network-lists><u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> <!-- <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> These ACL's are automatically created on startup.<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> rfc1918.auto - RFC1918 Space<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> nat.auto - RFC1918 
Excluding your local lan.<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> localnet.auto - ACL for your local lan.<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> loopback.auto - ACL for your local lan.<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> --><u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> <list name="lan" default="allow"><u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> <node type="deny" cidr="<a href="http://192.168.20.0/24" target="_blank">192.168.20.0/24</a>"/> <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> <node type="allow" cidr="<a href="http://192.168.25.0/24" target="_blank">192.168.25.0/24</a>"/><u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> </list><u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> <!--<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> This will traverse the directory adding all users <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> with the cidr= tag to this ACL, when this ACL matches<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> the users variables and params apply as if they <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> digest authenticated.<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> --><u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> <list 
name="domains" default="deny"><u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> <!-- domain= is special it scans the domain from the directory to build the ACL --><u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> <node type="allow" domain="$${domain}"/><u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> <!-- use cidr= if you wish to allow ip ranges to this domains acl. --><u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> <!-- <node type="allow" cidr="<a href="http://192.168.20.0/24" target="_blank">192.168.20.0/24</a>"/> --><u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> <!-- <node type="allow" cidr="<a href="http://192.168.25.0/24" target="_blank">192.168.25.0/24</a>"/> --> <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> </list><u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"> </network-lists><u></u><u></u></span></p><p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-CA"></configuration><u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA">If you can tell us how we should configure Freeswitch to work for both offices it would be appreciated.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-CA">Thanks<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-CA">cjb<u></u><u></u></span></p></div></div><br>_________________________________________________________________________<br>
</blockquote></div><br></div>
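An added example, not part of the original thread and not FreeSWITCH's own code: it evaluates the "lan" list from the posted acl.conf against the three addresses in the pcap summary, next to a constructed deny-by-default variant. It assumes a simplified model in which the most specific matching cidr node decides and the list default applies otherwise; the names POSTED, DENY_BY_DEFAULT, evaluate and compare are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# The "lan" list as posted in the question (Gmail link markup removed).
POSTED = """
<list name="lan" default="allow">
  <node type="deny" cidr="192.168.20.0/24"/>
  <node type="allow" cidr="192.168.25.0/24"/>
</list>
"""

# Constructed alternative (assumption, not from the thread): deny by default
# and allow only the two office subnets named in the question.
DENY_BY_DEFAULT = """
<list name="lan" default="deny">
  <node type="allow" cidr="192.168.20.0/24"/>
  <node type="allow" cidr="192.168.25.0/24"/>
</list>
"""

def evaluate(list_xml, ip):
    """Return 'allow' or 'deny' for ip under a simplified list model:
    the most specific matching cidr node decides, else the list default.
    Assumption: only cidr= nodes are modelled."""
    root = ET.fromstring(list_xml)
    addr = ipaddress.ip_address(ip)
    verdict, best = root.get("default"), -1
    for node in root.iter("node"):
        cidr = node.get("cidr")
        if cidr is None:
            continue  # domain= nodes are outside this model
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and net.prefixlen > best:
            verdict, best = node.get("type"), net.prefixlen
    return verdict

def compare(ips):
    """Map each address to (verdict as posted, verdict deny-by-default)."""
    return {ip: (evaluate(POSTED, ip), evaluate(DENY_BY_DEFAULT, ip)) for ip in ips}

if __name__ == "__main__":
    # Remote phone, FreeSWITCH server and WAN IP from the pcap summary.
    for ip, (posted, strict) in compare(
            ["192.168.25.18", "192.168.20.153", "142.162.8.143"]).items():
        print(f"{ip:16} posted={posted:5} deny-by-default={strict}")
```

With default="allow", the posted list matches the WAN address and every other address outside 192.168.20.0/24, while excluding the main office LAN where the server itself sits.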