Toastman Entware Asterisk config issue

Discussion in 'Tomato Firmware' started by n4mwd, Apr 2, 2013.

  1. n4mwd

    n4mwd Serious Server Member

    I have an Asus N16 running ToastmanTomatoUSB and entware asterisk on a thumb drive. I have configured asterisk so that it works for calls within the LAN (using 192.168.1.1 as the SIP server address), and calls can be sent out to VOIP providers, but they can't come back in (incoming calls).

    When I did an external port scan, it shows 5060 as timed out.

    I was wondering if this could be a firewall issue. My goal is to place asterisk in front of the NAT so that it sits right on the internet and also accepts connections from the LAN. I can't use port forwarding because I want it in front of the NAT. Any idea?

    As you can probably tell, my linux/asterisk experience is minimal.

    Thanks in advance.
     
  2. koitsu

    koitsu Network Guru Member

    The important thing for readers to note is that the OP is running Asterisk on his RT-N16 router itself.

    Opening up a port for a daemon running on the router itself is very very easy. Here's an example for TCP port 23 (telnet):

    Code:
    iptables -A INPUT -i `nvram get wan_iface` -p tcp --dport 23 -j ACCEPT
    
    You're going to need to figure out what TCP or UDP port numbers Asterisk relies on for inbound connections. netstat -l -n might help you, but this doesn't disclose what the program is that's associated with the listening port; you'll need to install lsof in Entware to accomplish that, then use lsof -a -n -P -p {pidnumberofasterisk} | grep LISTEN to look at what ports the daemon is listening on and what protocol (TCP or UDP). If the daemon has an administrative interface (web page, etc.) you probably should not open that up to the world, for obvious reasons. The Asterisk documentation should document all of these ports (and if it doesn't, that's absolutely unacceptable). I mention UDP because VoIP crap tends to use UDP.

    Once you figure out what ports need to be opened, you can put the relevant iptables lines in your Scripts -> Firewall section, and it should Just Work(tm) from that point forward, after every reboot.
     
  3. n4mwd

    n4mwd Serious Server Member

    Thanks again.

    The udp ports required are 5060 and 10000-20000. I added these lines to the firewall script (there are no other ones there):
    Code:
    # SIP on UDP port 5060. Other SIP servers may need TCP port 5060 as well
    iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
     
    # IAX2- the IAX protocol
    iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
     
    # RTP - the media stream
    # (related to the port range in /etc/asterisk/rtp.conf)
    iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
    Clicked SAVE and then from the prompt, iptables -L -v and got this (the relevant part):
    Code:
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination
        0    0 DROP      all  --  br0    any    anywhere            adsl-XXX-XXX-XXX-XXX.sip.bct.bellsouth.net
        0    0 DROP      all  --  any    any    anywhere            anywhere            state INVALID
      21  3734 ACCEPT    all  --  any    any    anywhere            anywhere            state RELATED,ESTABLISHED
        0    0 ACCEPT    all  --  lo    any    anywhere            anywhere
        3  144 ACCEPT    all  --  br0    any    anywhere            anywhere
        0    0 ACCEPT    icmp --  any    any    anywhere            anywhere            limit: avg 1/sec burst 5
        0    0 ACCEPT    udp  --  any    any    anywhere            anywhere            udp dpts:33434:33534 limit: avg 5/sec 5
        0    0 ACCEPT    udp  --  any    any    anywhere            anywhere            udp dpt:sip
        0    0 ACCEPT    udp  --  any    any    anywhere            anywhere            udp dpt:iax
        0    0 ACCEPT    udp  --  any    any    anywhere            anywhere            udp dpts:10000:20000
    Ok, I lied a little bit. The SAVE button didn't change anything, but when I went to PORT FORWARDING and clicked SAVE there, then it took it and I got the iptables results above.

    Now I went here: http://www.seomastering.com/port-scanner.php
    and scanned 5060 and it said it was still closed. It says it checks both tcp and udp, but who knows.

    I could not find lsop in entware.

    I feel like I'm getting closer, but something still isn't quite right.

    EDIT: It's LSOF not LSOP. Found it and installed it.
     
  4. koitsu

    koitsu Network Guru Member

    I strongly recommend you decrease the port range size for RTP; 10k ports is an insane amount to have passed at all times. I recommend you configure a smaller range (say 128 ports, which should support up to 64 simultaneous RTP sessions), and configure the range to be something much higher (say in the 62000 range).

    I didn't say lsop. I said lsof.
     
  5. n4mwd

    n4mwd Serious Server Member

    Yes I caught the lsof error.
    The lsof command is not returning a LISTEN.
     
  6. Monk E. Boy

    Monk E. Boy Network Guru Member

    Unless I'm too sick/tired/confused (definitely the first two, but maybe all three), items added in Scripts only take effect when the system is rebooted (well, I guess wanup could take effect immediately if you bounced the wan port).

    If you want items under firewall to execute immediately without rebooting, you can just telnet/ssh in and paste in the same commands.
     
  7. n4mwd

    n4mwd Serious Server Member

    Rebooting didn't help. I'm going to recheck my asterisk configs.

    Here are the netstat results. I don't know this program very well, but it looks like it's saying that nobody is listening on 5060, but one guy is using it.
    Code:
    root@tomato:/tmp/home/root# netstat -l -n
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address          Foreign Address        State
    tcp        0      0 192.168.1.1:139        0.0.0.0:*              LISTEN
    tcp        0      0 192.168.1.1:80          0.0.0.0:*              LISTEN
    tcp        0      0 0.0.0.0:21              0.0.0.0:*              LISTEN
    tcp        0      0 0.0.0.0:53              0.0.0.0:*              LISTEN
    tcp        0      0 0.0.0.0:22              0.0.0.0:*              LISTEN
    tcp        0      0 192.168.1.1:445        0.0.0.0:*              LISTEN
    tcp        0      0 :::53                  :::*                    LISTEN
    tcp        0      0 :::22                  :::*                    LISTEN
    tcp        0      0 :::23                  :::*                    LISTEN
    udp        0      0 192.168.1.1:137        0.0.0.0:*
    udp        0      0 0.0.0.0:137            0.0.0.0:*
    udp        0      0 192.168.1.1:138        0.0.0.0:*
    udp        0      0 0.0.0.0:138            0.0.0.0:*
    udp        0      0 127.0.0.1:38032        0.0.0.0:*
    udp        0      0 0.0.0.0:53              0.0.0.0:*
    udp        0      0 0.0.0.0:67              0.0.0.0:*
    udp        0      XXX XXX.XXX.XXX.255:5060      0.0.0.0:*
    udp        0      0 :::53                  :::*
    raw        0      0 0.0.0.0:255            0.0.0.0:*              255
    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags      Type      State        I-Node Path
    unix  2      [ ACC ]    STREAM    LISTENING      2649 /opt/var/run/asterisk/asterisk.ctl
    root@tomato:/tmp/home/root#
     
  8. koitsu

    koitsu Network Guru Member

    Could you please provide output from lsof -a -n -P -p {pidofasteriskprocess} ? Thanks.
     
  9. n4mwd

    n4mwd Serious Server Member

    Here it is:

    Code:
    root@tomato:/tmp/home/root# lsof -a -n -P -p 1068
    COMMAND  PID USER  FD  TYPE    DEVICE SIZE/OFF  NODE NAME
    asterisk 1068 root  cwd    DIR      31,2      208    50 /
    asterisk 1068 root  rtd    DIR      31,2      208    50 /
    asterisk 1068 root  txt    REG        8,1  1672128 30594 /opt/sbin/asterisk
    asterisk 1068 root  mem    REG        8,1    31696 45907 /opt/lib/ld-uClibc-0.9.32.so
    asterisk 1068 root  mem    REG        8,1  341724 46067 /opt/lib/libssl.so.1.0.0
    asterisk 1068 root  mem    REG        8,1  1453624 46066 /opt/lib/libcrypto.so.1.0.0
    asterisk 1068 root  mem    REG        8,1    9580 45902 /opt/lib/libdl-0.9.32.so
    asterisk 1068 root  mem    REG        8,1    83408 45919 /opt/lib/libpthread-0.9.32.so
    asterisk 1068 root  mem    REG        8,1  291608 46077 /opt/lib/libncurses.so.5.7
    asterisk 1068 root  mem    REG        8,1    50436 45900 /opt/lib/libm-0.9.32.so
    asterisk 1068 root  mem    REG        8,1    1652 45903 /opt/lib/libresolv-0.9.32.so
    asterisk 1068 root  mem    REG        8,1    78848 45911 /opt/lib/libgcc_s.so.1
    asterisk 1068 root  mem    REG        8,1  684288 45895 /opt/lib/libuClibc-0.9.32.so
    asterisk 1068 root  mem    REG        8,1    86560 45967 /opt/lib/libz.so.1.2.7
    asterisk 1068 root  mem    REG        8,1    17164 46129 /opt/lib/asterisk/modules/res_crypto.so
    asterisk 1068 root  mem    REG        8,1    13192 46132 /opt/lib/asterisk/modules/res_srtp.so
    asterisk 1068 root  mem    REG        8,1    82504 46125 /opt/lib/libsrtp.so.0.0
    asterisk 1068 root  mem    REG        8,1    46312 46501 /opt/lib/asterisk/modules/res_smdi.so
    asterisk 1068 root  mem    REG        8,1    41440 46122 /opt/lib/asterisk/modules/res_musiconhold.so
    asterisk 1068 root  mem    REG        8,1    41620 46092 /opt/lib/asterisk/modules/pbx_config.so
    asterisk 1068 root  mem    REG        8,1    5184 46093 /opt/lib/asterisk/modules/app_echo.so
    asterisk 1068 root  mem    REG        8,1    61408 46094 /opt/lib/asterisk/modules/res_rtp_asterisk.so
    asterisk 1068 root  mem    REG        8,1  637604 46095 /opt/lib/asterisk/modules/chan_sip.so
    asterisk 1068 root  mem    REG        8,1    13740 46096 /opt/lib/asterisk/modules/app_playback.so
    asterisk 1068 root  mem    REG        8,1    12968 46097 /opt/lib/asterisk/modules/format_wav.so
    asterisk 1068 root  mem    REG        8,1    29160 46098 /opt/lib/asterisk/modules/func_strings.so
    asterisk 1068 root  mem    REG        8,1    15660 46099 /opt/lib/asterisk/modules/format_gsm.so
    asterisk 1068 root  mem    REG        8,1    18100 46100 /opt/lib/asterisk/modules/app_macro.so
    asterisk 1068 root  mem    REG        8,1    9436 46101 /opt/lib/asterisk/modules/func_logic.so
    asterisk 1068 root  mem    REG        8,1    62172 46102 /opt/lib/asterisk/modules/codec_gsm.so
    asterisk 1068 root  mem    REG        8,1    11248 46103 /opt/lib/asterisk/modules/format_pcm.so
    asterisk 1068 root  mem    REG        8,1    7004 46104 /opt/lib/asterisk/modules/codec_ulaw.so
    asterisk 1068 root  mem    REG        8,1    25628 46105 /opt/lib/asterisk/modules/func_callerid.so
    asterisk 1068 root  mem    REG        8,1    7988 46106 /opt/lib/asterisk/modules/func_timeout.so
    asterisk 1068 root  mem    REG        8,1    8184 46107 /opt/lib/asterisk/modules/res_rtp_multicast.so
    asterisk 1068 root  mem    REG        8,1    26036 46108 /opt/lib/asterisk/modules/format_wav_gsm.so
    asterisk 1068 root  mem    REG        8,1    60500 46109 /opt/lib/asterisk/modules/app_dial.so
    asterisk 1068 root  mem    REG        8,1    6644 46112 /opt/lib/asterisk/modules/app_senddtmf.so
    asterisk 1068 root  mem    REG        8,1    5136 46115 /opt/lib/asterisk/modules/app_setcallerid.so
    asterisk 1068 root  mem    REG        8,1    38876 46118 /opt/lib/asterisk/modules/app_sms.so
    asterisk 1068 root  mem    REG        8,1  189544 46499 /opt/lib/asterisk/modules/app_voicemail.so
    asterisk 1068 root  mem    REG        8,1    7768 46617 /opt/lib/asterisk/modules/func_db.so
    asterisk 1068 root    0u  CHR        1,3      0t0  199 /dev/null
    asterisk 1068 root    1u  CHR        1,3      0t0  199 /dev/null
    asterisk 1068 root    2u  CHR        1,3      0t0  199 /dev/null
    asterisk 1068 root    3u  unix 0x878364e0      0t0  2649 /opt/var/run/asterisk/asterisk.ctl
    asterisk 1068 root    4w  REG        8,1    23212  7670 /opt/var/log/asterisk/messages
    asterisk 1068 root    5u  REG        8,1    8192  7674 /opt/var/lib/asterisk/astdb
    asterisk 1068 root    6u  IPv4      48538      0t0  UDP *:5060
    asterisk 1068 root    7r  FIFO        0,5      0t0  2707 pipe
    asterisk 1068 root    8w  FIFO        0,5      0t0  2707 pipe
    asterisk 1068 root  12w  REG        8,1    2312  7671 /opt/var/log/asterisk/queue_log
    root@tomato:/tmp/home/root#
    I have since added "-i ppp0" to the iptables and I can get my external voip provider to work for incoming calls, but since it's a registered device, I don't think that is significant.

    One thing is that I used to be able to use hostname.com in the local voip device, but asterisk is no longer seeing that. It has to be 192.168.1.1 or else it won't register now.
     
  10. ryzhov_al

    ryzhov_al Networkin' Nut Member

    Could someone confirm these issues?
    Issue #139:
    Issue #140:
     
  11. n4mwd

    n4mwd Serious Server Member

    You mean someone besides me I guess.
     
  12. koitsu

    koitsu Network Guru Member

    And therein lies the answer -- it's using UDP, not TCP.

    Code:
    iptables -A INPUT -i `nvram get wan_iface` -p udp --dport 5060 -j ACCEPT
    
    Should do the trick.
     
  13. Monk E. Boy

    Monk E. Boy Network Guru Member

    FWIW port forwarding normally opens holes on the NAT table as well; you can check the output of iptables -nvL -t nat, specifically the WANPREROUTING chain, to see if anything's amiss there.
     
  14. n4mwd

    n4mwd Serious Server Member

    Well, I'm pretty new to this stuff and asterisk and linux are both powerful and complicated. Thanks to your help, I have it working now.

    This is the original first line in the iptables INPUT section. BR0 is the lan. So it's saying to discard anything from the lan that's headed back into the router from the outside.
    Code:
    0    0 DROP      all  --  br0    any    anywhere            adsl-XXX-XXX-XXX-XXX.sip.bct.bellsouth.net
    
    I found in the FIREWALL section of Tomato a checkbox for "NAT Loopback". I saw this before but I didn't understand it. Basically, I had it set to "Forwarded Only" which says to allow packets that are going to be port forwarded, but not anything into the router itself. So I changed "NAT Loopback" to "ALL" and the above line in IPTables disappeared and the router was now visible from behind the NAT.

    I went out to a wifi hotspot and asterisk is working properly outside the NAT. The port scan tool I posted earlier is not working for UDP ports and continues to report the port as closed.

    The Firewall add-on is now the following, where 'ppp0' is the value of `nvram get wan_iface`.
    Code:
    iptables -A INPUT -p udp -m udp -i ppp0 --dport 5060 -j ACCEPT
    
    Furthermore, I modified the sip.conf file to include the following:
    Code:
    [general]
    transport=udp
    bindaddr=0.0.0.0:5060
    externip=MY.IP.ADD.RES
    localnet=192.168.1.0/255.255.255.0
    nat=yes
    
    I'm not sure if that did anything important, but it's working now. I'm not 100% sure what 'nat=yes' is doing, but as best as I can tell, it has to do with other people's NATs and not mine.

    Again, thanks for your help.
     
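    Pulling together the advice from posts 4 and 14, here is an added example that is not from the thread, Tomato or Entware: a POSIX sh script that checks a narrowed RTP range before emitting the Scripts -> Firewall rules bound to the WAN interface, plus the matching rtp.conf section so the firewall and Asterisk agree. The interface name ppp0, the 62000-62127 range and the 1000-port refusal threshold are assumptions.

    ```sh
    #!/bin/sh
    # Added example (not from the thread): generate Tomato firewall rules for an
    # Asterisk instance running on the router itself, with the RTP range narrowed
    # to 128 ports high in the 62000 range as suggested in the thread.
    # Rules are emitted as text so they can be reviewed before being pasted into
    # Scripts -> Firewall (or piped to sh on the router).

    WAN_IFACE="${WAN_IFACE:-ppp0}"   # on Tomato: $(nvram get wan_iface); ppp0 assumed
    RTP_START=62000                  # assumed range, 128 ports
    RTP_END=62127

    # Validate an RTP port range: above the privileged range, even start (RTP uses
    # the even port, RTCP the following odd one), and not a wide-open hole.
    # Prints the number of concurrent calls the range supports; returns 1 if rejected.
    rtp_range_check() {
        start=$1; end=$2
        [ "$start" -gt 1024 ] && [ "$end" -gt "$start" ] && [ "$end" -le 65535 ] || return 1
        [ $((start % 2)) -eq 0 ] || return 1
        count=$((end - start + 1))
        [ "$count" -le 1000 ] || return 1      # policy threshold chosen for this example
        echo $((count / 2))
    }

    # Emit INPUT rules restricted to the WAN interface, so LAN and loopback
    # traffic keep their existing treatment.
    asterisk_fw_rules() {
        iface=$1; rs=$2; re=$3
        cat <<EOF
# SIP signalling over UDP only (matches transport=udp in sip.conf)
iptables -A INPUT -i $iface -p udp -m udp --dport 5060 -j ACCEPT
# RTP media; must match rtpstart/rtpend in rtp.conf
iptables -A INPUT -i $iface -p udp -m udp --dport $rs:$re -j ACCEPT
EOF
    }

    # Emit the rtp.conf [general] section that matches the firewall range.
    asterisk_rtp_conf() {
        printf '[general]\nrtpstart=%s\nrtpend=%s\n' "$1" "$2"
    }

    main() {
        sessions=$(rtp_range_check "$RTP_START" "$RTP_END") || {
            echo "RTP range $RTP_START-$RTP_END rejected" >&2; exit 1; }
        echo "# RTP range $RTP_START-$RTP_END supports $sessions concurrent calls"
        asterisk_fw_rules "$WAN_IFACE" "$RTP_START" "$RTP_END"
        echo "# --- rtp.conf (/opt/etc/asterisk/ on Entware is an assumption) ---"
        asterisk_rtp_conf "$RTP_START" "$RTP_END"
    }

    main "$@"
    ```

    Feeding the thread's original 10000-20000 range to rtp_range_check fails the width check, which is the point koitsu made in post 4.
    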
  15. Monk E. Boy

    Monk E. Boy Network Guru Member

    NAT loopback affects clients that are on your LAN - clients which are using Network Address Translation (NAT) and talking to the router's forwarded ports on the WAN interface. The pieces you're not seeing change are in the iptables -nvL -t nat since iptables -nvL only lists entries on the filter table (in other words iptables -nvL -t filter is the same as iptables -nvL).

    Forwarded only means that when a device on your LAN wants to talk to another device on your LAN using the forwarded ports on your router's WAN the traffic will flow in the router's LAN port, out to the router WAN port, get assigned the WAN's public IP address, then hit the port forwards and come back in to the LAN again. The packets coming in to the forwarded LAN will have the WAN (public) IP address as their source, even though both clients are on the same LAN.

    All means there is no NAT performed on these operations. Traffic flows in the router's LAN port, out to the WAN port, in to the port forwards, then is forwarded to the LAN address/port and at all times the source of the traffic still has the same IP address (a NAT IP address on the LAN).

    As a general rule you shouldn't run traffic through the WAN port forwards if you're on the same LAN as the device you're talking to. In this particular instance I can't think of a particularly good alternative. Maybe have a DNS name for your WAN IP address, then in Advanced -> DNS/DHCP create a DNS record for that DNS name with your LAN IP address, then use the DNS name for the device to connect to the router. When you're out someplace on the internet you connect to the WAN IP address, when you're on the LAN you connect to the LAN IP address. It'd probably work.
     
    koitsu likes this.
  16. koitsu

    koitsu Network Guru Member

    It does work -- and this is what a lot of people have begun to use when using dnsmasq. It's pretty easy -- in the dnsmasq custom config section, use the address directive:

    address=/some.dns.name/192.168.1.1

    Many people, particularly those using DynDNS services, end up specifying their public DynDNS hostname. Since the above, obviously, only affects DNS lookups on the LAN segment (for clients who, of course, are speaking to the router for DNS queries), DNS resolution of my.dyndns.hostname from the LAN then returns 192.168.1.1 -- rather than doing a full recursive DNS query and getting back what folks on the Internet would get (the WAN IP). :)
     
  17. Monk E. Boy

    Monk E. Boy Network Guru Member

    Agreed, that's why I was thinking it'd work. My only concern is that since the router is running Asterisk it may expect the DNS name to correspond with its WAN IP address. It'd be a bad assumption to make but that's never stopped anyone.

    Easy enough to test and see if it works, if it's broken then it's easy to flip back.
     
  18. n4mwd

    n4mwd Serious Server Member

    The problem I'm having now is that the tomato entware packages don't seem to include the asterisk meetme() application which is used for conference room calls. It's starting to look like I'm going to have to compile it myself. Unfortunately, I don't know how to do that. Is there a tutorial around here somewhere that's written for people like me who are still searching for the C: drive in linux? And gcc doesn't seem to be an entware package either.
     
  19. koitsu

    koitsu Network Guru Member

    The Entware site has documentation on how to build your own Entware packages.

    http://code.google.com/p/wl500g-repo/wiki/Compiling

    If this is too much effort/too complex/painful, simply ask someone to do it in the ticket/bug system. Again: all of this stuff needs to be dealt with by the Entware folks, and they're a very good/responsive set of folks.

    P.S. -- I clearly see meetme support in the asterisk-1.8.x package in trunk, which was added November 8th, 2012.

    http://code.google.com/p/wl500g-repo/source/browse/trunk/packages/asterisk-1.8.x/fix-path.patch

    I can see that the code there refers to a package called asterisk18-app-meetme, which does not appear to have been built + pushed out to the package servers. ryzhov_al should be able to provide the package or put it up in the official repo.
     
  20. n4mwd

    n4mwd Serious Server Member

    As usual koitsu, that was VERY good information. :)
    Should I file another issue on the website? Or do these guys maybe have a reason for omitting it?
     
  21. koitsu

    koitsu Network Guru Member

    Let this thread sit for a day or two and maybe ryzhov_al will see it -- he's a busy guy. :) If he doesn't that's totally OK/cool too, in which case open up an issue/ticket for the Entware folks and ask about it. You can mention/reference this forum thread/post if you want.
     
  22. ryzhov_al

    ryzhov_al Networkin' Nut Member

    I apologize for the late answer; I'm on a business trip for the whole of next week. I will not leave your request without attention.
     