From: Harry Schmalzbauer <freebsd@omnilan.de> (OmniLAN)
To: David Mehler, freebsd-questions
Subject: Re: FreeBSD, Asterisk 16, pf, and pjsip, nat
Date: Sat, 12 Jun 2021 01:34:33 +0200
List: freebsd-questions@freebsd.org (User questions)

On 09.03.2019 at 22:49, David Mehler wrote:
> Hello,
>
> I'm running Asterisk 16 via ports on a FreeBSD 11 system. I'm running
> pf and believe I have things correct, I'm allowing ports UDP 5060 and
> 5061, as well as for rtp UDP 10000 to 20000 through. I'm running this
> on a vps with a public IP, it is not natted.
> My local connection to
> the internet is behind a natted cable modem. I can connect via soft
> phone to the asterisk sip server, says account ready. Everything works
> except audio. I believe I'm having a nat issue as the connecting
:
:
:
> Suggestions welcome.

I had a similar issue today. Mine was suspicious to NAT too, but turned
out to be a source selection problem of the RTP socket.
Solution came from:
https://community.asterisk.org/t/pjsip-no-audo-port-unreachable/79482
(haven't read the whole thread/problem description, but these are the
originally well formatted finalizing lines:
  So I tried adding to the endpoint config:
  media_address=10.0.0.202
  bind_rtp_to_media_address=yes
)

Last time I checked with asterisk's SIP configuration was a decade ago for
chan_sip. Today, there are many copy'n'paste templates out there - more or
less correct and more or less outdated - but all of them almost completely
lack any documentation/description/defaults.
I'd like to share what I collected so far for the pjsip module to set up an
outbound registration and RTP peering with asterisk 18, with details for the
SIP-trunk of Deutsche Telekom. Hopefully one or the other comment helps
fellows finding out the right thing to do.
Might look confusing at first sight, but I think there's no single
superfluous word and hopefully nothing missing as well...
You're welcome to add blank lines yourself for better reading, but
order/blocks should reflect dependencies/relations.

; pjsip-registrations.conf
;
; To be included by pjsip.conf.
; This separate config file is used to define REGISTER relevant sections
; describing 3rd party telco peers (DeutschlandLAN SIP-Trunk by Telekom).
; For easier maintenance, we also define the corresponding endpoint(s) here!
;
; Created based on Asterisk 18 available documentation and 1TR118, published by
; Telekom Deutschland GmbH (https://www.telekom.de/hilfe/downloads/1tr118.pdf).
; Any non-self-explanatory parameters are documented, hence it doesn't look
; too user friendly, but it is if you want/need to adjust!
;
; see xten/globalvars.conf for the following variables:
    ;internationalPrefix=+
    ;localCountryCode=49
    ;nationalPrefix=0
    ;localAreaCode=89
    ;telcolink1=SIP/telekom_trunk10SITE1
    ;PSTNpnTrunk1=181 (pilot number only)
    ;and $idpfxTelco1 to match 'contact_user'.

;------ TRANSPORTS for PSTN/remote peers ------
[NATv4plain_tcp]
  type=transport
  protocol=tcp  ;udp,tcp,tls,ws,wss,flow
  bind=192.0.2.140 ;${nativeIPv4address}
  local_net=192.0.2.0/24
  local_net=127.0.0.1/32
  external_media_address=198.51.100.5 ;${publicIPv4address}
  external_signaling_address=198.51.100.5 ;${publicIPv4address}

;
; REGISTER
;
[telcolink1]
  type=registration
  transport=NATv4plain_tcp     ;match your arbitrary (but suitable) definition
  server_uri=sip:sip-trunk.telekom.de ;(sip:sip-trunk.telekom.de:5060)
  outbound_auth=telcolink1_181trunk10    ;match your arbitrary definition
      auth_rejection_permanent=no ;non-critical    (default=yes)
      max_retries=5               ;non-critical    (default=10)
      retry_interval=45           ;non-critical    (default=60)
      forbidden_retry_interval=90 ;non-critical    (default=0)
      expiration=120 ;(480=t-online, 120=telekom, default=3600)
  outbound_proxy=sip:reg.sip-trunk.telekom.de ;    provider dependent _URI_!
  ;_client_uri_:
  ; Both header fields "From:" and "To:" of the REGISTER message are composed
  ; from the 'client_uri' variable.
  ; According to 1TR118, for the (NGN) SIP-trunk, one of the routable and
  ; customer specific provisioned E.164 prefix numbers (number blocks,
  ; pilot number) must be used (${internationalPrefix}${localAreaCode}${PSTNpn})
  client_uri=sip:+49228181@sip-trunk.telekom.de ;not appending port (:5060)
  ;_contact_user_:
  ;  The "Contact:" header field of REGISTER messages is composed of its value.
  ; RFC 3261 specifies that a FQDN@ part is to be used, while RFC 6140 requires
  ; an IP socket to be defined (Contact:sip:164.168.138.1:5060;bnc e.g.).
  ;  pjsip appends @IPboundto:5060,;transport=${TRANSPORT->protocol} to
  ; 'contact_user'.  There is currently no possibility to define the complete
  ; "Contact:" header field, so RFC 6140 is not supported as of asterisk 18.
  ; IMPORTANT: Telekom (SIP-Trunk) respects the "Contact:" header sent within
  ;    our registration message.  What we define with 'contact_user' will be
  ;    used for all provider initiated messages, like INVITE messages.
  contact_user=+49228181    ;To be set according to idpfxTelcoN definition
                            ;(in xten/globalvars.conf)!!!
  line=yes    ; Telekom supports line parameter in the Contact: header field
  endpoint=telekom_trunk10SITE1    ;This defines the endpoint to use for messages
                                   ;containing the negotiated line parameter for
                                   ;our registration

;
; authentication object(s)
;
[telcolink1_181trunk10]
  type=auth
  auth_type=userpass    ;md5 unavailable (handle_client_registration(void *)):
                        ;     Failed to set initial authentication credentials
                        ;Take care of file permissions!
  username=550123456789
  password=hgfedcba
  realm=sip-trunk.telekom.de

;
; endpoint (B2BUA to telco provider - receiving calls)
;
[telekom_trunk10SITE1] ; 0228-181 0-9 Telekom DeutschlandLAN SIP-Trunk
  type=endpoint
  aors=telekom_trunk10SITE1 ;where to look whom to send outgoing calls to
  context=pstn_incoming     ;where to look for incoming calls
  identify_by=header,ip    ;this is fallback order for identify sections only,
                           ;we define line/endpoint during registration!
  allow_unauthenticated_options=yes    ;RFC 3261 requires OPTIONS to be handled
                                       ;like INVITE (default=no)
  allow_subscribe=yes
  allow=!all,g722,g726,alaw    ;NGN SIP-Trunk consistently uses g722 as of 2021
  dtmf_mode=auto ;(default=rfc4733) SIP INFO is unsupported with NGN SIP-Trunk,
                 ;auto uses INBAND if rfc4733 fails (auto_info was valid too)
  outbound_auth=telcolink1_181trunk10    ;match your arbitrary definition
  outbound_proxy=sip:reg.sip-trunk.telekom.de    ;provider dependent _URI_!
  timers=no        ;Session timers for SIP packets (default=yes)
  ;force_rport=yes    ;Force use of return port (default=yes)
  ;ice_support=no    ;no NAT traversal help needed, see 1TR118 (default=no)
  ; --- NAT specific endpoint settings (NGN/SIP-Trunk) -------------------------
  rewrite_contact=yes    ;(default=no) sdp contact fields become (transport)
                         ; external_media_address, header contact field becomes
                         ; external_signaling_address (as defined in transport).
  disable_direct_media_on_nat=yes ;no direct_media session refreshes (default=no)
  ; ----------------------------------------------------------------------------
  ;direct_media=no    ;default=yes, we do disable direct_media_on_nat, keep
                      ; allowed for non-NAT (IPv6).
  ;rtp_symmetric=yes    ;ignore c= and m= of sdp, send media back to source IP.
                        ;Recommended for dynamic IPv4 and NAT environments.
                        ;Not necessary if external_media_address matches static
                        ;IPv4 and rewrite_contact=yes
  rtp_keepalive=15    ;seconds between RTP comfort noise keepalive packets
  rtp_timeout=30    ;terminate call after this many seconds without RTP (off hold)
  rtp_timeout_hold=7200    ;allowed time for calls on hold before terminating
  ; all RTP timeout values above are '0' by default (no timeout)
  ignore_183_without_sdp=yes    ;cosmetic (default=no)
  sdp_session=OmniPBX (pjsip-ast18)
  ;.------ Special tuning, needed only for FreeBSD jails without vimage -------.
  ; If peer receives no media and 'rtp set debug on' reveals negative length for
  ; correct IP in "Sent RTP packet to", you want these two lines:
  media_address=192.0.2.140    ;specify the (source) IP of the interface to be
  bind_rtp_to_media_address=yes    ;used for RTP (pre-NAT) and tie socket to it.
  ; '----- (rtp media transmitted on wrong interface) -------------------------'
  asymmetric_rtp_codec=yes    ;TO BE OBSERVED: Differing codecs for receiving
                              ;and sending media shouldn't cause any problems.
  ;send_pai=no ;default=no, we add PPI using dialplan function PJSIP_HEADER()
  from_user=+492281810    ;always append 0 to pilot number
  from_domain=site1.example.org    ;will be replaced by NGN (@telekom.de)
  contact_user=+49228181    ;To be set according to idpfxTelcoN definition
                            ;(in xten/globalvars.conf)!!!
  language=de ;which IVR subdirectories to use e.g.

;
; Address of Records, the location information(s) for endpoints to use outbound
;
[telekom_trunk10SITE1]    ;must match 'aors=' of the endpoint above
  type=aor
  outbound_proxy=sip:reg.sip-trunk.telekom.de ;used for sending OPTIONS request
  ;_contact_:
  ; Permanent contacts assigned to AoR (endpoints use this location(s) URI(s) to
  ; send calls to).
  contact=sip:+49228181@sip-trunk.telekom.de ;consistent with contact_user
  default_expiration=600    ;default=3600
  qualify_frequency=180     ;default=0

;
; Identify (endpoint selection criteria for inbound requests)
;
[telekom_trunk10SITE1]
  type=identify
  ;srv_lookups=no ;lookup _sip._udp, _sip._tcp, and _sips._tcp (defaults to yes)
  ;match=reg.sip-trunk.telekom.de ;IP or hostname (example:'[2001:db8:0::1]:5060')
  match_header=To: /181.*@sip-trunk.telekom.de/ ;/.../ means regex
  endpoint=telekom_trunk10SITE1    ;match your arbitrary definition
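As an added example (not part of this post and not Asterisk's own tooling), a small Python checker for a pjsip-registrations.conf laid out like the one above: it parses sections with their type=, reports options such as aors= or endpoint= that do not name an existing section of the expected type, and verifies that an endpoint using bind_rtp_to_media_address=yes has a media_address inside the transport's local_net, i.e. the pre-NAT interface address the post describes. The REFS table, the function names and the sample config (with a deliberately misspelled AoR section) are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt in the shape of the pjsip-registrations.conf above; the AoR
# section name is deliberately off by one character (trunk1 vs trunk10).
SAMPLE = """
[NATv4plain_tcp]
type=transport
local_net=192.0.2.0/24
[telekom_trunk10SITE1]
type=endpoint
aors=telekom_trunk10SITE1  ;must name a section of type=aor
media_address=192.0.2.140  ;pre-NAT interface address, as in the post above
bind_rtp_to_media_address=yes
[telekom_trunk1SITE1]
type=aor
"""
# (section type, option) -> type of the section that option must name
REFS = {("registration", "transport"): "transport", ("registration", "endpoint"): "endpoint",
        ("endpoint", "aors"): "aor", ("identify", "endpoint"): "endpoint"}

def parse(text):
    # ';' starts a comment, repeated keys become lists, and one section name may occur
    # once per type (endpoint/aor/identify in the posted file), hence a list of sections.
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            cur = defaultdict(list)
            sections.append((line[1:-1], cur))
        elif line and cur is not None:
            key, _, val = line.partition("=")
            cur[key.strip()].append(val.strip())
    return sections

def check(sections):
    # Report dangling cross-references and RTP media addresses outside local_net.
    findings, types, nets = [], set(), []
    for name, s in sections:
        types.update((name, t) for t in s.get("type", []))
        if s.get("type") == ["transport"]:
            nets += [ipaddress.ip_network(n) for n in s.get("local_net", [])]
    local = lambda a: any(ipaddress.ip_address(a) in n for n in nets)
    for name, s in sections:
        stype = s.get("type", [None])[0]
        for (rt, key), want in REFS.items():
            for target in (s.get(key, []) if rt == stype else []):
                if (target, want) not in types:
                    findings.append(f"[{name}] {key}={target}: no section of type {want}")
        if stype == "endpoint" and s.get("bind_rtp_to_media_address") == ["yes"]:
            for addr in s.get("media_address", []):
                if not local(addr):
                    findings.append(f"[{name}] media_address={addr} is not inside local_net (pre-NAT)")
    return findings
```

Running check(parse(SAMPLE)) reports only the misspelled AoR; pointing media_address at the public address instead of the interface address adds a second finding.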