Solved

Multiple SIP Devices at one location

Posted on 2009-05-16
Last Modified: 2013-11-12
My question involves routing the right calls to the correct SIP devices from an asterisk server, over a WAN.

In a typical firewall setup, you have to forward an open port to a specific device or host.  

So how would you set up multiple SIP devices on a network, if the firewall is forwarding SIP packets on port 5060 to one selected IP address?
Question by:jkockler
15 Comments
 
LVL 4

Expert Comment

by:denisdsr20
Hi, Your question is not so clear, I will first try to clarify.

My understanding : your asterisk is behind a firewall and SIP devices (called UA = User Agent) are on the internet.

First of all, each SIP device is supposed to register on asterisk: each sends a SIP request to asterisk on port 5060, and asterisk will grant the registration and remember the details of the SIP device (IP, SIP ports, name, ...)

From your firewall you may allow incoming SIP requests from the internet to be routed to the asterisk box. You may allow any outgoing SIP request (from asterisk box / port 5060) to be delivered on the internet.

From SIP point of view it should be enough.

But the tricky part in VOIP is the RTP flow (UDP on dynamic ports in range mostly 20000 to 30000), these ports are negotiated for each call and there is an RTP "channel" to send voice and another one to receive voice.

If these are not allowed to cross firewalls you may experience no voice at all or only "half way" audio (just send voice or just receive voice).

To solve this issue you need somewhere an RTP proxy, it will enhance the ability to cross firewalls and manage NAT/PAT.

To manage RTP flow I may suggest to check out SER and rtpproxy resource (google it, new name is openSIPS). For sure this part is the really difficult one in SIP over WAN architecture.

Remember you can divert the RTP from asterisk (using canreinvite=yes in sip.conf) it allows to connect RTP between 2 UA directly without any asterisk on the path.

Hope this helps

Denis DIDIER
SR20 Service / France

0
 
LVL 4

Author Comment

by:jkockler
Thank you for the information, it was very informative but not quite what I was asking.

My SIP Peers (UA) or devices, are communicating perfectly over the internet to my Asterisk server.  I am able to hear audio both ways, etc.

In my current scenario I have only one sip peer ip phone, at each remote location.  

My question is about putting multiple sip ip phone peers at a remote location.  If I were to open port 5060 on the firewall at the remote location, how would the firewall pass sip data on port 5060 to multiple devices?  A typical firewall setup will only allow you to forward data through a specific port to ONE host.  So for example, in the firewall, you say port 5060 points to host 192.168.0.1.  That only covers one device.  How do I get data on port 5060 to the other sip ip phones whose host addresses are 192.168.0.2, 192.168.0.3, 192.168.0.4, 192.168.0.5, etc.?

0
 
LVL 4

Accepted Solution

by:
denisdsr20 earned 500 total points
OK.

I can suggest 2 solutions:
1) use a SIP proxy at each remote location; it will manage NAT/PAT for each device, but it is heavy
2) use a different SIP port for each of your devices: UA1 uses 5060, UA2 uses 5061, etc. Then your rules on firewalls are rather simple

Denis DIDIER
SR20 Service /France
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
Another suggestion is to talk to your ISP and see if they have a plan which includes multiple IP addresses. Some ISPs have plans in which they can assign 5 or 8 addresses, not just one. This way you'll be able to register multiple devices assigning them 506 of other available addresses and your firewall will then reverse NAT these to your multiple gateways.
0
 
LVL 4

Author Comment

by:jkockler
Thanks for the info!

How high can I go on the 5060, 5061, 5062, 5062 ports?  Is there even a limit?
0
 
LVL 4

Author Comment

by:jkockler
Also, I have another thread that pertains to this issue in a way, if you could check it out.
In the thread, asterisk is using 5061 to send data to one of my sip peers, instead of 5060.  I do not know why it is doing this.  I am concerned that if I use different ports for each of the sip peers at a remote location, that I may not have a choice as to what port asterisk sends the data to.  I had the sip peer communicating on 5060 and asterisk registered it fine on 5060 but when it sent back, it would use 5061 for some reason.

http://www.experts-exchange.com/viewQuestion.jsp?shareit=0n8V97zxx%2BoVNe9C2MCJwtf%2Be0sEQ8Hrz3W6eS9E4U/WGPONzaAptAKEVCgXSacH9iQdL9AzEI4%3D&shared=0&cid=864

0
 
LVL 30

Expert Comment

by:Kerem ERSOY
If you're using peer-to-peer SIP you won't even need separate addresses, since you manually configure them you can easily specify to look at what address and what port.
0
 
LVL 4

Author Comment

by:jkockler
ok thanks.  And what is the max port number for SIP?  Could I for example use 5100?
0
 
LVL 4

Assisted Solution

by:denisdsr20
denisdsr20 earned 500 total points
Choose whatever you want if the requested port is available not used by any other process.

Denis DIDIER
SR20 service/France
0
 
LVL 4

Author Comment

by:jkockler
Ok, well now I am being told in another thread that Asterisk will only listen on 1 port.  I do not see how this is true if I am able to communicate with one of my peer devices on 5061, and my sip.conf shows bindport as 5060.
0
 
LVL 4

Assisted Solution

by:denisdsr20
denisdsr20 earned 500 total points
BindPort in asterisk says asterisk waits for incoming sip requests at the default SIP port, which is 5060.

But remember my previous post when I said the UA sends its registration details; it can say: I'm UA name=myName, I can be contacted at IP=uaIP on port (let's say 5061). That's it!

Then when asterisk needs to send a request to this UA it will send the sip message to uaIP:5061 or whatever the UA set as contact details.

But asterisk may not be able to accept incoming on a port different from its bindPort (5060).

To check what listeners are currently in use, at the linux prompt enter "netstat -a|grep udp"
You should see something like:
udp 0 0 *:sip ......   (sip is 5060 in /etc/services)
If you do not see any *:5061 (or sip-tls) this means no process is bound to 5061 and no incoming traffic toward this port will be accepted.

0
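The registration behaviour described in the comment above, as an added example that is not part of the original thread or of Asterisk's code: it reads the Contact header of each REGISTER to see which host and port a registrar would send requests back to, and flags phones that advertise the same port behind one firewall. The sample messages are constructed, and the names `pbx.example.com`, `203.0.113.10`, `parse_contact`, `ports_to_forward` and `collisions` are assumptions made for illustration; it also assumes each phone advertises the firewall's public address in its Contact.

```python
import re
from collections import defaultdict

DEFAULT_SIP_PORT = 5060  # used when the Contact URI carries no explicit port

# Constructed REGISTER requests (not captured traffic). Three phones sit behind
# one remote firewall whose public address is 203.0.113.10 (documentation range).
SAMPLE_REGISTERS = [
    "REGISTER sip:pbx.example.com SIP/2.0\r\n"
    "To: <sip:101@pbx.example.com>\r\n"
    "Contact: <sip:101@203.0.113.10:5060>;expires=3600\r\n\r\n",
    "REGISTER sip:pbx.example.com SIP/2.0\r\n"
    "To: <sip:102@pbx.example.com>\r\n"
    "m: <sip:102@203.0.113.10:5061>\r\n\r\n",      # compact form of Contact
    "REGISTER sip:pbx.example.com SIP/2.0\r\n"
    "To: <sip:103@pbx.example.com>\r\n"
    "Contact: <sip:103@203.0.113.10>\r\n\r\n",      # no port given
]

# Contact (or compact "m") header, then the sip/sips URI: optional user, host, optional port.
CONTACT_RE = re.compile(
    r"^(?:Contact|m)\s*:.*?sips?:(?:([^@>;\s]+)@)?([^:;>\s]+)(?::(\d+))?",
    re.IGNORECASE | re.MULTILINE,
)

def parse_contact(message):
    """Return (user, host, port) from the first Contact header, or None."""
    match = CONTACT_RE.search(message)
    if match is None:
        return None
    user, host, port = match.groups()
    return user, host, int(port) if port else DEFAULT_SIP_PORT

def ports_to_forward(messages):
    """Map each advertised (host, port) to the users that registered with it."""
    targets = defaultdict(list)
    for message in messages:
        contact = parse_contact(message)
        if contact:
            user, host, port = contact
            targets[(host, port)].append(user)
    return dict(targets)

def collisions(targets):
    """Contacts shared by several phones: one forward rule cannot reach them all."""
    return {key: users for key, users in targets.items() if len(users) > 1}

if __name__ == "__main__":
    targets = ports_to_forward(SAMPLE_REGISTERS)
    print("UDP ports the remote firewall must forward:", sorted(p for _, p in targets))
    print("Phones sharing a contact:", collisions(targets))
```

Phone 103 was left on the default port, so it collides with phone 101 on 5060; only the ports that appear in the table need a forward rule on the remote firewall.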
 
LVL 39

Expert Comment

by:noci
If all talk goes through asterisk, and you are running one,
how can there be a problem?

My guess is that you also need to have asterisk switch the voice channel (RTP)
and have internally all phones & equipment connect to asterisk.
You might need to set 'canreinvite=no' in the client profile to force asterisk to be in the middle.

Another way to skin this cat:
if you make a VPN tunnel between the sites, there is a NETWORK in between and not just two addresses. You can look into tunnel technology like IPSEC and stunnel. IPSEC should be preferred because it keeps the underlying assumption of IP intact and is not a udp/tcp over an encrypted tcp link.
0
 
LVL 4

Author Comment

by:jkockler
Thanks for all the help.

I did find that I can specify ports directly for each peer in sip.conf.

The command is "port="

Anyone ever use that before?
0
 
LVL 9

Expert Comment

by:tkalchev
What about

nat=yes

in sip.conf ?
0
