From: Da Rock
Date: Sun, 23 Jan 2011 17:19:37 +1000
To: freebsd-questions@freebsd.org
Subject: My Asterisk server is trying to drive me insane
Message-ID: <4D3BD689.80805@herveybayaustralia.com.au>

I have a FreeBSD 8.1 pf firewall, and a FreeBSD 8.1 system running Asterisk 1.8. I have been hammering at this for a few weeks now with little forward progress. I'm about to go nuts trying to figure out what the hell is going on.

I have set up asterisk to trunk to my provider, and originally I couldn't get incoming calls working but I could ring out - I'm happy to report I can now receive incoming calls, but annoyingly now I can't ring out!

In order to get incoming calls I had to upgrade from asterisk 1.4 - 1.8 and change my firewall settings:

    $voip = asterisk server
    $nodephone = provider server
    $voip_tcp = 5060
    $voip_udp = { 5060, 4569, 5036, 2727 }

    nat on $ext_if inet proto { tcp, udp } from any port $voip_tcp to any -> ($ext_if) port $voip_tcp
    rdr on $ext_if inet proto { tcp, udp } from any to ($ext_if) port $voip_tcp -> $voip port $voip_tcp
    rdr on $ext_if inet proto { tcp, udp } from $voip port $voip_tcp to any port $voip_tcp -> ($ext_if) port $voip_tcp

    block log (all, log)
    block in quick on $ext_if from $no_route_ips to any
    block out quick on $ext_if from any to $no_route_ips
    pass in $log on $ext_if inet proto tcp from any to $voip port $voip_tcp flags S/SA keep state
    pass in $log on $ext_if inet proto udp from any to $voip port $voip_udp keep state
    pass out $log on $int_if inet proto udp from any port $voip_udp to $voip port $voip_udp keep state
    pass out $log on $int_if inet proto tcp from any port $voip_tcp to $voip port $voip_tcp flags S/SA keep state
    pass out $log on $ext_if from $localnet to any

Everything appears to work, but the provider comes back with 200 and asterisk seems to do nothing and so it times out and errors with what it says is "circuit busy" from the provider. tcpdump from both m/c's shows traffic to and from the asterisk server and the provider on port 5060, but rtp traffic (port 20000+) between the provider and asterisk only when an incoming call comes in, and between asterisk and the client. Also in the invites from asterisk to the provider it says audio at port 5060.

Am I missing something? I've tried the Asterisk list but I've gotten only one minuscule reply in nearly a week's time, and my provider will not support Asterisk and won't say boo (mainly dependent on who you talk to at the time) - the only thing I get is it's working their end (yay for them... :P).

Incidentally, their only response (to any problems with the service: asterisk, ata's, whatever) is to "open up all ports between our server and your server/ata". Apparently they "automagically" get around nat issues so nat is not necessary. But my main issue with that is what happens if someone spoofs their ip address? Not to mention I want to host this service (not their trunk, but my services) so I need to be able to accept from more than just their server. They don't seem to be able to track the ports they're using.

The only change I can tell is the upgrade to 1.8 and firewall settings that now allow me to receive calls - am I doomed to have only one or the other :( ?

Any clues before I lose all my hair guys?
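
The message above reports that the INVITEs sent to the provider list audio at port 5060 while RTP is seen on ports 20000+. As an added example (not part of the original post), this Python check parses the SDP body of a SIP message copied out of a capture and flags a private c= address or an audio port outside the expected RTP window. The 20000-30000 window, the function names and the sample INVITE are assumptions constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges: addresses the far end cannot route RTP back to.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_invite_sdp(message, rtp_range=(20000, 30000)):
    """Return (audio_ports, findings) for the SDP body of one SIP message.

    rtp_range is an assumption; set it to the PBX's configured RTP window.
    """
    _, _, body = message.partition("\r\n\r\n")
    findings, audio_ports, conn_addrs = [], [], []
    for line in body.splitlines():
        if line.startswith("c="):            # c=IN IP4 <address>
            fields = line[2:].split()
            if len(fields) == 3:
                conn_addrs.append(fields[2])
        elif line.startswith("m=audio "):    # m=audio <port> <proto> <fmt ...>
            m = re.match(r"m=audio (\d+)", line)
            if m:
                audio_ports.append(int(m.group(1)))
    if not conn_addrs:
        findings.append("no c= line in SDP")
    for addr in conn_addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                          # hostname, nothing to classify
        if any(ip in net for net in RFC1918):
            findings.append(f"c= advertises private address {addr}")
    lo, hi = rtp_range
    for port in audio_ports:
        if port != 0 and not lo <= port <= hi:   # port 0 means stream declined
            findings.append(f"audio port {port} outside RTP range {lo}-{hi}")
    return audio_ports, findings

def build_invite(addr, audio_port):
    """Constructed sample INVITE (not captured traffic)."""
    sdp = ["v=0", f"o=root 1 1 IN IP4 {addr}", "s=call",
           f"c=IN IP4 {addr}", "t=0 0", f"m=audio {audio_port} RTP/AVP 0 8"]
    hdr = ["INVITE sip:100@provider.example SIP/2.0",
           f"Via: SIP/2.0/UDP {addr}:5060;branch=z9hG4bKconstructed",
           "Content-Type: application/sdp"]
    return "\r\n".join(hdr) + "\r\n\r\n" + "\r\n".join(sdp) + "\r\n"

if __name__ == "__main__":
    for addr, port in (("192.168.0.10", 5060), ("203.0.113.5", 20010)):
        print(addr, port, check_invite_sdp(build_invite(addr, port)))
```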