[Freeswitch-users] Freeswitch send UDP to port outside range

Brian West brian at freeswitch.org
Thu Oct 1 18:39:33 MSD 2015


Sounds like your local-network-acl isn't correct; that's what dictates what
is internal (*-ip) vs external (ext-*-ip).


On Thu, Oct 1, 2015 at 9:31 AM, Sergey Safarov <s.safarov at gmail.com> wrote:

> Also statically bind your FS server to the private IP and configure the ext_ip
> sip_profile params to the private IP.
>
> Also try running FS with the keys "-nonat -nonatmap".
>
> Sergey
>
> On Thu, Oct 1, 2015 at 4:43 PM, Charles Bujold <cjbujold at accra.ca> wrote:
>
>> We are encountering an error which we do not know how to fix.  If
>> somebody can help, it would be appreciated.
>>
>> Our configuration is we have 2 offices.  Both offices are joined together
>> via a VPN.  The users in the remote office use Freeswitch via the VPN and
>> connect to Freeswitch SIP port 5060 via the VPN.  Their phones register
>> without issue.  The issue comes when they try to make a call.  They connect
>> to Freeswitch via SIP without error; however, early in the connection
>> Freeswitch no longer recognizes them as being local and tries to
>> communicate with them via the WAN.  Worst case we could open the firewall
>> to permit such communication, but the issue with that is, for some reason
>> Freeswitch no longer uses the UDP port range set in Freeswitch; it uses a
>> port outside of the range, causing the call to fail.
>>
>> Our acl.config has both LANs entered into it, 192.168.20.0/24 (Main
>> Office) and 192.168.25.0/24 (Remote Office); however, the main office
>> LAN is set to deny; we presume it is because one of the default lists
>> already includes it.
>>
>> Here is a pcap summary of what we see.  How can we set up so that the
>> remote office will work every time and still be seen as part of the overall
>> local office?
>>
>> 192.168.25.18 is a remote phone
>> 192.168.20.153 is Freeswitch server in main office.
>> 142.162.8.143 is our WAN IP
>> Port 49790 is outside of the max port which is 32768
>>
>> 83  12.279953  192.168.25.18   192.168.20.153  SIP/SDP  935   Request: INVITE sip:*97@192.168.20.153
>> 84  12.375683  192.168.20.153  192.168.25.18   SIP      375   Status: 100 Trying |
>> 85  12.376097  192.168.20.153  192.168.25.18   SIP      880   Status: 407 Proxy Authentication Required
>> 86  12.393746  192.168.25.18   192.168.20.153  SIP      318   Request: ACK sip:*97@192.168.20.153
>> 87  12.458854  192.168.25.18   192.168.20.153  SIP/SDP  1181  Request: INVITE sip:*97@192.168.20.153
>> 88  12.542911  192.168.20.153  192.168.25.18   SIP      375   Status: 100 Trying
>> 89  12.718778  192.168.20.153  192.168.25.18   SIP/SDP  1153  Status: 200 OK
>> 90  12.752832  192.168.25.18   142.162.8.143   SIP      680   Request: ACK sip:*97@142.162.8.143:49790;transport=udp
>>
>> Our acl.conf file
>>
>> <configuration name="acl.conf" description="Network Lists">
>>   <network-lists>
>>     <!--
>>          These ACL's are automatically created on startup.
>>
>>          rfc1918.auto  - RFC1918 Space
>>          nat.auto      - RFC1918 Excluding your local lan.
>>          localnet.auto - ACL for your local lan.
>>          loopback.auto - ACL for your local lan.
>>     -->
>>
>>     <list name="lan" default="allow">
>>       <node type="deny" cidr="192.168.20.0/24"/>
>>       <node type="allow" cidr="192.168.25.0/24"/>
>>     </list>
>>
>>     <!--
>>          This will traverse the directory adding all users
>>          with the cidr= tag to this ACL, when this ACL matches
>>          the users variables and params apply as if they
>>          digest authenticated.
>>     -->
>>     <list name="domains" default="deny">
>>       <!-- domain= is special it scans the domain from the directory to build the ACL -->
>>       <node type="allow" domain="$${domain}"/>
>>       <!-- use cidr= if you wish to allow ip ranges to this domains acl. -->
>>       <!-- <node type="allow" cidr="192.168.20.0/24"/>  -->
>>       <!-- <node type="allow" cidr="192.168.25.0/24"/>  -->
>>     </list>
>>
>>   </network-lists>
>> </configuration>
>>
>> If you can tell us how we should configure Freeswitch to work for both
>> offices it would be appreciated.
>>
>> Thanks
>>
>> cjb
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://confluence.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>



-- 

*Brian West*
brian at freeswitch.org


*Twitter: @FreeSWITCH , @briankwest*
http://www.freeswitchbook.com
http://www.freeswitchcookbook.com

Got Bugs? Report them here <https://freeswitch.org/jira>! | Reddit:
/r/freeswitch <https://www.reddit.com/r/freeswitch>

*T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
*iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
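
An added example (not part of the thread and not FreeSWITCH code): it evaluates the posted `lan` list against the three addresses from the capture, next to a constructed list that denies by default and allows both office subnets. The matching model (most specific `cidr` node wins, otherwise the list's `default=` applies) and the candidate list are assumptions; the thread does not show which list the SIP profile's local-network-acl references.

```python
import ipaddress
import xml.etree.ElementTree as ET

# The "lan" list exactly as posted in the thread.
POSTED = """
<list name="lan" default="allow">
  <node type="deny" cidr="192.168.20.0/24"/>
  <node type="allow" cidr="192.168.25.0/24"/>
</list>
"""

# Constructed alternative (an assumption, not from the thread): deny by
# default and allow both office subnets.
CANDIDATE = """
<list name="lan" default="deny">
  <node type="allow" cidr="192.168.20.0/24"/>
  <node type="allow" cidr="192.168.25.0/24"/>
</list>
"""

def evaluate(list_xml, ip):
    """Return (allowed, matched_rule) for ip against one <list> element.

    Assumed model: the most specific matching cidr node decides; if no
    node matches, the list's default= applies.
    """
    lst = ET.fromstring(list_xml)
    addr = ipaddress.ip_address(ip)
    allowed, rule, best = lst.get("default") == "allow", "default", -1
    for node in lst.findall("node"):
        cidr = node.get("cidr")
        if cidr is None:          # domain= nodes are out of scope here
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net and net.prefixlen > best:
            allowed, rule, best = node.get("type") == "allow", cidr, net.prefixlen
    return allowed, rule

def report(list_xml, hosts):
    return {ip: evaluate(list_xml, ip) for ip in hosts}

# Addresses from the pcap summary in the thread.
HOSTS = ["192.168.25.18", "192.168.20.153", "142.162.8.143"]

if __name__ == "__main__":
    for label, xml in (("posted", POSTED), ("candidate", CANDIDATE)):
        for ip, (ok, rule) in report(xml, HOSTS).items():
            print(f"{label:9} {ip:15} {'allow' if ok else 'deny':5} via {rule}")
```

Under this model the posted list lets the WAN address 142.162.8.143 fall through to `default="allow"` while the FreeSWITCH host's own subnet is denied; the candidate list reverses both results.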