Astaro User Bulletin Board
  #1 (permalink)  
Old 11-11-2006, 12:04 AM
Junior Member
 
Join Date: Nov 2006
Posts: 11
Default SIP proxy

I might also be missing something, but the SIP proxy is very different. Where do I enable transparent proxy and set up a SIP routing table for different domains? I tried a simple non-transparent configuration, but that also doesn't appear to function.
  #2 (permalink)  
Old 11-11-2006, 12:33 AM
Gert Hansen
Wizard
 
Join Date: Nov 2000
Location: Karlsruhe, Germany
Posts: 1,185
Default

Hi there all,

as mentioned in another thread,
the SIP proxy has been replaced by a true stateful SIP connection tracking helper.

In V6, the SIP Proxy had limitations, as it was only possible to do outbound calls, which means that a SIP client behind the firewall could connect to a SIP server on the internet.

But there were three limitations:
1) no inbound support for SIP calls to your own SIP server
2) all SIP RTP packets were proxied by the applications, which created a higher latency and we were forced to open a big UDP range for incoming packets.
3) QoS was not able to properly determine the RTP connections, therefore VoIP prioritization was poor.

This has all been addressed by a helper similar to FTP, which parses the SIP traffic and detects when a call takes place and opens the matching ports to only allow this specific flow and only for the duration of the call.

Also it is now possible to simply mark the SIP TCP connection (tcp/5060) with a specific number, which gets automatically inherited to the RTP call packets. This way we can easily prioritize the VoIP traffic.

On top of that, the whole handling is now handled in the kernel and not in userspace anymore, which reduces the latency dramatically.

In order to use the new SIP functions, just add:
Internal Network to 'SIP Client'
and
Any to 'SIP Server'.

Then configure your phone to not use a SIP proxy of the firewall, but to directly connect the SIP Servers, as if there were no firewall.

Then the ASG will do the magic and handle everything.

On top of that, you can create a DNAT rule to FORWARD port tcp/5060 to your own SIP server, to handle incoming SIP calls.

I hope that was understandable and helps.

best regards
Gert
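What a SIP helper of the kind described in the post above has to read out of a call setup, as an added sketch (not Astaro's code and not part of any post): it parses the SDP body of an INVITE to find the RTP/RTCP flow to allow, and on a masquerading firewall rewrites the private address in the Contact header and SDP. The SIP message, the documentation address 203.0.113.5 and all function names are constructed for illustration; only 192.168.60.5 and RTP port 20000 come from the thread.

```python
import re
from typing import NamedTuple

# Constructed sample INVITE from a phone at 192.168.60.5 offering RTP on port 20000.
SDP = ("v=0\r\n"
       "o=- 1 1 IN IP4 192.168.60.5\r\n"
       "s=-\r\n"
       "c=IN IP4 192.168.60.5\r\n"
       "t=0 0\r\n"
       "m=audio 20000 RTP/AVP 0 8\r\n")
HEADERS = ["INVITE sip:bob@example.org SIP/2.0",
           "Via: SIP/2.0/UDP 192.168.60.5:5060;branch=z9hG4bKconstructed",
           "From: <sip:alice@example.org>;tag=1", "To: <sip:bob@example.org>",
           "Call-ID: constructed-call-1", "CSeq: 1 INVITE",
           "Contact: <sip:alice@192.168.60.5:5060>",
           "Content-Type: application/sdp", f"Content-Length: {len(SDP)}"]
INVITE = "\r\n".join(HEADERS) + "\r\n\r\n" + SDP

class Pinhole(NamedTuple):
    proto: str
    ip: str
    port: int

def media_pinholes(msg):
    """Flows the SDP asks the peer to send to (session-level c= line only)."""
    body = msg.partition("\r\n\r\n")[2]
    conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    holes = []
    for m in re.finditer(r"^m=\w+ (\d+) RTP/AVP", body, re.M):
        port = int(m.group(1))
        if conn and port:  # port 0 means the stream was declined
            holes += [Pinhole("udp", conn.group(1), port),      # RTP
                      Pinhole("udp", conn.group(1), port + 1)]  # RTCP
    return holes

def rewrite_for_nat(msg, private_ip, public_ip):
    """Swap the private address in Contact and SDP, then fix Content-Length."""
    head, _, body = msg.partition("\r\n\r\n")
    addr = re.compile(r"(?<![\d.])" + re.escape(private_ip) + r"(?![\d.])")
    body = addr.sub(public_ip, body)
    head = re.sub(r"(?im)^Contact:[^\r\n]*",
                  lambda m: addr.sub(public_ip, m.group(0)), head)
    head = re.sub(r"(?im)^Content-Length:[^\r\n]*",
                  f"Content-Length: {len(body.encode())}", head)
    return head + "\r\n\r\n" + body

if __name__ == "__main__":
    print(media_pinholes(INVITE))
    print(media_pinholes(rewrite_for_nat(INVITE, "192.168.60.5", "203.0.113.5")))
```

If the phone itself substitutes a STUN-discovered address, the address in the SDP no longer matches the private source the firewall sees, which is one reason the two mechanisms can interfere.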
  #3 (permalink)  
Old 11-11-2006, 03:52 PM
Junior Member
 
Join Date: Nov 2006
Posts: 11
Default SIP Connection Helper ... still an issue

So my setup is fairly straightforward as this was a test for the AS7 firewall. As I mentioned the configuration we are used to from the v6 series is that the phones are configured to go to the address of the SIP server, the proxy was set to transparent. Allowed hosts was the Internal side, and the interface was Internet.

Before reading your note, I had the v7 configuration with the server being the IP of the foreign SIP server, and Internet network as the client.
The firewall has one rule for MASQ of all clients on the Internal network. There are three phones at this location, but only one is enabled during the testing period. Since I do not have an inbound server and I don't have extra IPs I don't have a DNAT rule.

My packet filter rulebase is an any any allow outbound rule, with a new rule added that allows all inbound from the IP network of the SIP server.

My Internet connection type is Cable Modem (DHCP).

Still no joy on this. I am going to have to pull sniffer traces to see what the firewall is producing in terms of packets.
  #4 (permalink)  
Old 11-11-2006, 10:22 PM
Member
 
Join Date: Nov 2005
Posts: 36
Unhappy Still issues

As I wrote in another SIP thread I still have issues after following Gert's "guide". I can make and receive calls but can't hear anything since the RTP ports are blocked on the firewall. According to Gert, the firewall should do some magic, but that's not the case for me.

Am I doing something wrong or is this setup only meant for SIP servers behind the firewall and not a VoIP adapter (i.e. Sipura 2100)?

Eirik
  #5 (permalink)  
Old 11-12-2006, 09:23 PM
KoC
Member
 
Join Date: May 2002
Posts: 40
Default

Hi,

disable the usage of STUN and, if applicable, of NAT in the configuration of your phone. After disabling these options in your phone, power off the phone and reboot the firewall. Start up your phone again and everything should be fine.

Regards KoC
  #6 (permalink)  
Old 11-12-2006, 10:57 PM
Junior Member
 
Join Date: Nov 2006
Posts: 11
Default No Nat or STUN here

I still haven't made much progress with the new SIP connection helper. I started to do a more detailed analysis by setting all rules to log all and then look at the results to see where the traffic was breaking down. No SIP traffic is appearing in the packet filter logs, and the SIP log remains empty. I will post as I find more information, but generally speaking if I switch to the v6 firewall in transparent mode - all is good. TFTP of the configuration is successful to the device, but no SIP traffic is moving. Disabling the SIP connection helper yields a registration with the wrong (internal) IP, enabling yields a null result.
  #7 (permalink)  
Old 01-19-2007, 02:53 PM
mdallagi
Senior Member
 
Join Date: Jan 2005
Location: Italy
Posts: 204
Default SIP test

Hi Gert,

I'm trying to use a fresh ASG 6.993 for SIP VoIP test.
To do that, I configured my ASG with a NAT masquerading rule and I enabled the "VoIP Security" -> "SIP":

SIP server networks: Any
SIP client networks: <SIP phone IP>

I'm not using a SIP server behind my ASG so I believe it is not necessary to define a DNAT rule...

However, when I call from my SIP-phone, I can establish a connection but there is no voice traffic.
Here is a packet filter log line:

2007:01:19-16:29:36 (none) ulogd[2493]: id="2016" severity="info" sys="SecureNet" sub="packetfilter" name="SIP call RTP" action="SIP call RTP" fwrule="60018" initf="eth1" outitf="eth0" dstmac="00:02:b3:3a:5c:08" srcmac="00:17:c2:ef:c4:2d" srcip="192.168.60.5" dstip="x.y.z.w" proto="17" length="60" tos="0x00" prec="0xe0" ttl="126" srcport="20000" dstport="58786"

Here, 192.168.60.5 is the SIP-phone IP address and x.y.z.w is the public IP of the SIP proxy.
The RTP port on the phone is 20000.

Why doesn't it work?
  #8 (permalink)  
Old 02-06-2007, 05:33 PM
Junior Member
 
Join Date: Jan 2007
Posts: 5
Default

I have the same problem. I have an Asterisk server on a different subnet that I can't talk to.. Our phones use ports 10000 and up.. but I can't figure out how to get it working yet...and it looks like Astaro isn't helping much on this issue either..
  #9 (permalink)  
Old 02-24-2007, 02:02 PM
fobe
Senior Member
 
Join Date: Dec 2001
Posts: 470
Unhappy

I have the same problem with V7.001! When I disable VoIP Security I can receive calls and dial but I have voice traffic!!! But when I configure VoIP Security the phone is ringing but NO voice traffic is possible! Also when I use my voip-phone I can dial but still NO voice traffic! I configured at the server option my sip-provider and the client is my voip-phone. Is this a known bug????
  #10 (permalink)  
Old 09-12-2007, 01:26 AM
Junior Member
 
Join Date: Sep 2007
Posts: 1
Default same issue

Same issue here, running the latest version - have sip proxy configured with any for internal and any for external - we have a trixbox server and multiple voip hardphones internally that function fine with calls to an external sip wholesaler externally - calls from remote phones to external numbers (dials the server which connects the external provider and remote phone) function fine - calls to internal extensions have no audio.
 
