Help - Network issues for Asterisk on Tomato w/USB

Discussion in 'Tomato Firmware' started by st3amco0ker, Feb 13, 2010.


    st3amco0ker Addicted to LI Member


    I'm new to the board. Hope you're doing well.

    If you could help me address this issue, I'd like to thank you in advance.

    Here's the background:

    I have configured Asterisk to work on Tomato and everything is working great (internally speaking). Every SIP client on the LAN is able to connect to the * server on Tomato, no problem there. I get both call-in and call-out to work for every ATA device in the house.

    However, I'd like to have other SIP clients outside the local network to be able to successfully register the * server. That's where the problem lies. Even though the firewall is configured to accept incoming connections on port 5060, it drops all external attempts on this rule. Please note though, I did use the external IP to connect to the router.

    Please take a look at the iptables output messages: iptables -nvL

    As you can see, I also have port 22 opened for SSH connections and it works fine. The firewall rule for port 5060 is similar but it doesn't work. Why not?

    Your help is greatly appreciated. Thank you!

    anik Addicted to LI Member

    Don't know if this is your issue, but don't you also need to open a range of UDP ports for RTP (e.g. 10000-20000 in most Asterisk installations)? If you don't do that you won't get any audio to pass. I'm certainly no expert at this stuff, so have no idea if that's your problem or not.

    teddy_bear Network Guru Member

    Try this in the Firewall script:
    iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT

    st3amco0ker Addicted to LI Member

    Your suggestion is added in the Firewall scripts along with mine:

    It's still dropping connection...


    teddy_bear Network Guru Member

    Don't use both - they are conflicting with each other. The one I posted works for me.

    Also make sure the bindport in sip.conf is the same - 5060 - as in iptables command, and you're not restricting the bindaddr (bindaddr=

    st3amco0ker Addicted to LI Member

    You're awesome.

    Thank you!

    st3amco0ker Addicted to LI Member

    You're right, I do need to enable those ports for RTP connections.

    Using this rule, the firewall still rejects ports 10000:10100.

    What's causing this? Is it because my firewall rule is incorrect?

    teddy_bear Network Guru Member

    I too run Asterisk on my Tomato router, and I do not need any additional iptables rules for RTP ports. What's the problem - what happens if you remove that 10000:10100 rule?
    Maybe you need to verify your * config - specifically "nat" setting for peers and sip providers.

    st3amco0ker Addicted to LI Member

    With or without any RTP rules, I do not get audio for my calls.

    To answer your Q, using the 10000:10100 rule, the firewall log says something like this:

    DROP [...]
    DST= LEN=200 TOS=0x00 PREC=0x20 TTL=49 ID=23527 PROTO=UDP SPT=61065 DPT=10026 LEN=180
    If I didn't set that rule, the firewall would say the same thing within the range I set in rtp.conf.. 10000:10100

    Here's my sip.conf file:

    externip=dyndns ip here
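
As an added example (not part of any post in this thread), a small Python triage script for firewall log lines in the format quoted above: it counts dropped packets aimed at the SIP port and at the rtp.conf range, which shows whether signalling or media is what the firewall is rejecting. The sample lines, addresses and the `vlan1` interface name are constructed.

```python
import re
from collections import Counter

SIP_PORT = 5060                            # bindport discussed in the thread
RTP_RANGE = (10000, 10100)                 # range the poster set in rtp.conf
FIELD = re.compile(r"(\w+)=(\S*)")         # key=value pairs; value may be empty
ACTION = re.compile(r"\b(DROP|ACCEPT)\b(.*)")  # log prefix, after any syslog header

# Constructed sample lines (documentation addresses; "vlan1" is an assumed interface name).
SAMPLE_LOG = """\
DROP IN=vlan1 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=200 TOS=0x00 PREC=0x20 TTL=49 ID=23527 PROTO=UDP SPT=61065 DPT=10026 LEN=180
Feb 13 10:02:11 router kern.warn kernel: DROP IN=vlan1 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=577 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=557
DROP IN=vlan1 OUT= SRC=198.51.100.9 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4411 DF PROTO=TCP SPT=40122 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
ACCEPT IN=vlan1 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

def parse_line(line):
    """Return (action, fields) for a packet log line, or None for anything else."""
    m = ACTION.search(line)
    if not m or "PROTO=" not in m.group(2):
        return None
    fields = {}
    for key, value in FIELD.findall(m.group(2)):
        fields.setdefault(key, value)  # keep the first LEN= (IP length), not the UDP one
    return m.group(1), fields

def classify(fields):
    """Label a packet 'sip', 'rtp' or 'other' by protocol and destination port."""
    dport = fields.get("DPT", "")
    if fields.get("PROTO") != "UDP" or not dport.isdigit():
        return "other"
    port = int(dport)
    if port == SIP_PORT:
        return "sip"
    if RTP_RANGE[0] <= port <= RTP_RANGE[1]:
        return "rtp"
    return "other"

def summarize_drops(log_text):
    """Count dropped packets per class so the traffic being rejected stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0] == "DROP":
            counts[classify(parsed[1])] += 1
    return counts

if __name__ == "__main__":
    print(dict(summarize_drops(SAMPLE_LOG)))
```
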

    mactogo Addicted to LI Member

    When I was setting up my asterisk on the router I also encountered the same problem of being unable to register sip clients on the WAN side. After reading through pages of forums and trial and error, I eventually solved it, but to be honest with you, I don't know what actually worked after all the configurations and tweaks. From what I recall I could never get it to work on asterisk 1.6 optware version so these settings apply to 1.4 optware. Don't know which ones are directly related to the problem but here are some of my router settings that work on my setup:
    >>>DMZ is disabled, ports 5060 and 12000-13000 forwarded to your asterisk/router IP, nat loopback set to ALL, nat target set to MASQUERADE, firewall scripts for 5060, 2727, and 12000:13000

    >>>sip.conf host=dynamic, canreinvite=no, qualify=yes,nat=yes

    Honestly, I'm not sure if these are the best settings or even if they're related to the problem but this is what's worked for me. Your mileage may vary so use and titrate accordingly. Best of luck!

    st3amco0ker Addicted to LI Member


    After resetting the device to default settings, everything seems to run now.

    hieppo Serious Server Member

    Is anyone else having the same issue as st3amco0ker?

    I tried teddy_bear's suggestion by adding the INPUT chain rule but it is still dropping 5060 requests.

    Any help would be appreciated.
