New Member
Posts: 46
Registered: ‎03-10-2013
Kudos: 29
Solutions: 1
Accepted Solution

VoIP SIP Phone through NAT on EdgeMax

Hi there,


I'm the proud owner of an ERL device. My home setup looks like this:

VDSL2EthernetConverter --> ERL --> Homenetwork (VoIP Base with DECT). Internet is provided by the ERL using PPPoE on VLAN 7 as my provider wants it that way. Pretty simple so far.


Till last week everything was working fine, but then I updated to the latest firmware 1.4.1.
Since then, my VoIP Phone doesn't work for incoming calls (no ring nor any sign of activity on the caller's end).

Outgoing calls work fine however. Maybe I should mention that my VoIP base is doing STUN and sending keep-alives every 30 secs to keep the connection open.

Any ideas?

Here's my config:

firewall {
    all-ping enable
    broadcast-ping disable
    group {
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name drop-all {
        default-action drop
        description ""
        enable-default-log
    }
    name eth0-in {
        default-action accept
        description "Wired network to other networks."
    }
    name eth0-local {
        default-action accept
        description "Wired network to router."
    }
    name eth1-in {
        default-action accept
        description "Wireless network to other networks"
    }
    name eth1-local {
        default-action accept
        description "Wireless network to router."
    }
    name pppoe-in {
        default-action drop
        description "packets from Internet to internal networks"
        enable-default-log
        rule 1 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            log enable
            protocol all
            state {
                invalid enable
            }
        }
    }
    name pppoe-local {
        default-action drop
        description "Internet to router"
        enable-default-log
        rule 1 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Drop invalid state"
            log enable
            protocol all
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            interface-type pppoe
            interface-type pptp
            mss 1492
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    bridge br0 {
        address 10.10.0.1/24
        aging 300
        hello-time 2
        max-age 20
        priority 0
        promiscuous disable
        stp false
    }
    ethernet eth0 {
        bridge-group {
            bridge br0
        }
        duplex auto
        firewall {
            in {
                name eth0-in
            }
            local {
                name eth0-local
            }
        }
        speed auto
    }
    ethernet eth1 {
        bridge-group {
            bridge br0
        }
        duplex auto
        firewall {
            in {
                name eth1-in
            }
            local {
                name eth1-local
            }
        }
        speed auto
    }
    ethernet eth2 {
        duplex auto
        firewall {
            in {
                name drop-all
            }
            local {
                name drop-all
            }
        }
        speed auto
        vif 7 {
            address dhcp
            description VDSL
            firewall {
                in {
                    name drop-all
                }
                local {
                    name drop-all
                }
            }
            pppoe 0 {
                default-route auto
                firewall {
                    in {
                        name pppoe-in
                    }
                    local {
                        name pppoe-local
                    }
                }
                mtu 1492
                name-server auto
                password SecretPassword
                user-id SecretUserId
            }
        }
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name wired-eth0 {
            authoritative disable
            description "Wired Network - Eth1"
            subnet 10.10.0.0/24 {
                default-router 10.10.0.1
                dns-server 10.10.0.1
                domain-name local
                lease 86400
                ntp-server 10.10.0.1
                start 10.10.0.50 {
                    stop 10.10.0.150
                }
                time-server 10.10.0.1
            }
        }
    }
    dns {
        dynamic {
            interface pppoe0 {
                service dyndns {
                    host-name someHost
                    login mylogin
                    password "mypassword"
                    server dyndnsHost
                }
            }
        }
        forwarding {
            cache-size 1000
            listen-on eth0
            listen-on eth1
            listen-on br0
            system
        }
    }
    gui {
        https-port 443
        listen-address 10.10.0.1
    }
    nat {
        rule 5010 {
            description "Masquerade to WAN"
            log disable
            outbound-interface pppoe0
            protocol all
            type masquerade
        }
    }
    ssh {
        listen-address 10.10.0.1
        port 22
        protocol-version v2
    }
    upnp {
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name Edge
    ipv6 {
        disable
    }
    login {
        user ubnt {
            authentication {
                encrypted-password CryptedLoginPass
                plaintext-password ""
            }
            level admin
        }
    }
    name-server MyDNSServers
    name-server MyDNSServers
    ntp {
        server MyNTPServer {
        }
        server MyNTPServer {
        }
        server MyNTPServer {
        }
    }
    offload {
        ipsec enable
        ipv4 {
            forwarding enable
        }
        ipv6 {
            forwarding disable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Berlin
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.4.1.4648309.140310.1607 */

 

 


Accepted Solutions
Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5460
Solutions: 1656
Contributions: 2

Re: VoIP SIP Phone through NAT on EdgeMax

Was the router upgraded from 1.3.0 (or earlier) to 1.4.1? If so, the kernel is much newer so that could be a factor. You might try disabling the SIP "helper" kernel modules in the config, e.g.,

set system conntrack modules sip disable

and commit/save/etc. then see if that changes anything.



New Member
Posts: 37
Registered: ‎03-02-2014
Kudos: 11
Solutions: 1

Re: VoIP SIP Phone through NAT on EdgeMax

Just to check, try opening 5060 (or whatever SIP signalling port is used on your phone) on the firewall; you can forward the port to the phone IP and restrict the source IP to your VoIP provider.

New Member
Posts: 46
Registered: ‎03-10-2013
Kudos: 29
Solutions: 1

Re: VoIP SIP Phone through NAT on EdgeMax

Thanks ancheng, that was exactly the problem! You're the hero of my day :-)

I knew that my provider is using non-standard SIP/STUN (old SIP implementation long before the final RFCs). However, I didn't know you guys build in some SIP-Helper modules till now.

Disabled it - everything works (without nasty NAT holes).

 

 

Thanks again,


all the best

 

Robert

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5460
Solutions: 1656
Contributions: 2

Re: VoIP SIP Phone through NAT on EdgeMax

Good to know it works now, thanks for the update!

New Member
Posts: 1
Registered: ‎07-19-2014
Kudos: 1

Re: VoIP SIP Phone through NAT on EdgeMax

Just bought an Edgerouter POE for my home and ran into a similar problem. I have a SPA504G IP Phone at home that is connected to my office pbx system. It was not able to register to the pbx system.

Used the method ancheng stated and it started to register. Then everything worked besides when someone would dial the IP phone extension from the office. No sound can be heard although the IP Phone would receive the call. To resolve this I opened up ports 5000-5500 and after that everything was working as it should.

Hopefully this thread will be helpful for another person with a similar issue.

Thank you for the help guys!

Jay

New Member
Posts: 5
Registered: ‎01-03-2015
Kudos: 1

Re: VoIP SIP Phone through NAT on EdgeMax

First off, I wanted to thank everyone in this thread because disabling the SIP conntrack module also helped me get my obi202 registered with vitelity. 

 

I wanted to ask if anyone knows the theory behind why disabling the module helps though?  Isn't the SIP conntrack module supposed to do the opposite and help make it work behind iptables?  I'm even pretty sure in my very old WRT54GL with tomato I was using before I bought my edgerouter, I had the SIP conntrack module enabled and SIP worked?
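
An added illustration for the question above, not part of any post in this thread and not UBNT's or the kernel's code: a SIP-aware NAT helper works by reading addresses out of the signalling (Via, Contact, SDP `c=`/`m=`), so this sketch pulls those fields from a constructed INVITE and shows how a phone that already ran STUN presents differently from one that did not. The sample message, the host names and 203.0.113.7 are constructed; 10.10.0.0/24 is the LAN from the config posted at the top of the thread.

```python
import ipaddress
import re

LAN = ipaddress.ip_network("10.10.0.0/24")  # br0 subnet from the posted config

def sample_invite(ip):
    """Constructed INVITE+SDP advertising `ip` (hypothetical names and ports)."""
    return (
        "INVITE sip:bob@voip.example.net SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {ip}:5060;branch=z9hG4bK776;rport\r\n"
        f"Contact: <sip:alice@{ip}:5060>\r\n"
        "Content-Type: application/sdp\r\n"
        "\r\n"
        "v=0\r\n"
        f"o=alice 1 1 IN IP4 {ip}\r\n"
        f"c=IN IP4 {ip}\r\n"
        "m=audio 5004 RTP/AVP 0 8\r\n"
    )

def nat_relevant_fields(msg):
    """Extract the (ip, port) pairs a SIP-aware NAT helper has to look at."""
    head, _, body = msg.partition("\r\n\r\n")
    fields = {}
    via = re.search(r"^Via:\s*SIP/2\.0/\w+\s+([\d.]+)(?::(\d+))?", head, re.M | re.I)
    if via:
        fields["via"] = (via.group(1), int(via.group(2) or 5060))
    contact = re.search(r"^Contact:.*?sip:(?:[^@>]+@)?([\d.]+)(?::(\d+))?",
                        head, re.M | re.I)
    if contact:
        fields["contact"] = (contact.group(1), int(contact.group(2) or 5060))
    conn = re.search(r"^c=IN IP4 ([\d.]+)", body, re.M)     # media address
    audio = re.search(r"^m=audio (\d+) ", body, re.M)       # RTP port
    if conn and audio:
        fields["media"] = (conn.group(1), int(audio.group(1)))
    return fields

def assess(msg, lan=LAN):
    """Label each field: 'lan' means the router must translate it,
    'self-mapped' means the phone already advertises a non-LAN address."""
    return {
        name: ("lan" if ipaddress.ip_address(ip) in lan else "self-mapped", ip, port)
        for name, (ip, port) in nat_relevant_fields(msg).items()
    }

if __name__ == "__main__":
    for ip in ("10.10.0.60", "203.0.113.7"):  # plain phone vs. STUN-using phone
        print(ip, assess(sample_invite(ip)))
```

When every field comes back `self-mapped`, the endpoint is doing its own NAT traversal, which matches the original poster's STUN-plus-keep-alive setup.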

New Member
Posts: 1
Registered: ‎04-19-2015
Kudos: 3

Re: VoIP SIP Phone through NAT on EdgeMax

I had trouble configuring SIP through NAT firewall on EdgeMAX PoE router. Had to go into the Configtree, open ports UDP, TCP according to the VOIP-provider and direct it from WAN port to the subnet (in my case eth3). Then I also had to change system-conntrack-modules-sip-enable indirect media and enable indirect signalling, SIP should be enabled.

And now picking up incoming calls works! In the Cisco SPA122 I had to go through SIP config and enable NAT keepalive and also define a STUN server.

New Member
Posts: 1
Registered: ‎06-29-2015

Re: VoIP SIP Phone through NAT on EdgeMax

I have an EdgeRouter Pro here at work. I can get my one SIP account to go right through. However I cannot get my other one to go through at all. All the ports are open and good. I can ping my SIP server just fine. Any ideas?

New Member
Posts: 4
Registered: ‎07-10-2014
Kudos: 1

Re: VoIP SIP Phone through NAT on EdgeMax

I'm having the same issue as well.......

 

One Aastra phone with 3 accounts... first one gets through, but the others don't....

New Member
Posts: 5
Registered: ‎01-27-2016
Kudos: 1

Re: VoIP SIP Phone through NAT on EdgeMax


johuus wrote:

I had trouble configuring SIP through NAT firewall on EdgeMAX PoE router. Had to go into the Configtree, open ports UDP, TCP according to the VOIP-provider and direct it from WAN port to the subnet (in my case eth3). Then I also had to change system-conntrack-modules-sip-enable indirect media and enable indirect signalling, SIP should be enabled.

And now picking up incoming calls works! In the Cisco SPA122 I had to go through SIP config and enable NAT keepalive and also define a STUN server.


This did the trick for me as well, thanks for the tip!

I live in Sweden, use Bahnhof IP telephony. I opened the port according to their recommendation. But could not answer incoming calls. Changed settings described by @johuus. Now it works. Thanks

Emerging Member
Posts: 74
Registered: ‎01-03-2014
Kudos: 21
Solutions: 4

Re: VoIP SIP Phone through NAT on EdgeMax

Seems like this sip conntrack module breaks more than it fixes. I have migrated from a dd-wrt based setup to a setup based on EdgeMax and a couple of managed switches at home, and I just realized that one of my two SIP lines does not work for incoming calls. I did a "google" and found this thread.

set system conntrack modules sip disable

did the trick for me, now both lines work perfectly.

So I really wonder, exactly what does this module do since it seems to mess things up for people, and both my SIP services work just fine without it?

I don't have any other nasty holes or incoming re-directs in my firewall either, things just work as they should after I disable the above module.

So, someone from UBNT please clarify what this module is supposed to do.

 
