VoIP Device Behind Tomato

Discussion in 'Tomato Firmware' started by Reiper, Oct 19, 2006.

  1. Reiper

    Reiper LI Guru Member

    I've got a Linksys PAP2 (VoIP ATA) behind my WRT54GL running the latest version of Tomato. Prior to this I had a Telco AC211N (VoIP ATA) running behind my router with the same configuration. Now that the background is out of the way... I never had an issue with the AC211N behind Tomato's firewall; however, on a few occasions I've had one-way audio with the Linksys ATA behind Tomato's firewall. The Linksys ATA works fine in DMZ but I don't understand why it doesn't always work when behind Tomato's firewall. Doesn't Tomato support STUN? I know Tomato supports UPnP but I'm not sure if the Linksys PAP2 does. I can forward ports to the ATA but I'm convinced that the Linksys ATA should work behind Tomato's firewall without ports forwarded. Any insight into this would be appreciated!

  2. NateHoy

    NateHoy Network Guru Member

    First, I don't think Tomato has to support STUN. The whole point of STUN is to get an external reference point that can locate your public IP address, as I understand it.

    I have a Vonage WRTP54G that is very happy behind Tomato 0.06, and it's working just fine, but Vonage uses outbound connections initiated by the VoIP device (and no dependency on a forwarded port) for VoIP.
  3. Reiper

    Reiper LI Guru Member

    Ok, well here's a stupid question then: if Vonage uses outbound connections initiated by the ATA, how do inbound calls get through the firewall? By the way, I'm using ViaTalk and I'm not exactly sure how they have things set up.

    As always, thanks NateHoy!
  4. njeske

    njeske Network Guru Member

    i have my pap2 from viatalk behind my router running tomato. the only issue i have is with some choppy audio while utorrent is running on my system. still need to fine tune my qos i guess.
  5. Reiper

    Reiper LI Guru Member

    Maybe it was my ISP then?? I know they have been assigning the router a private IP lately so it could be the double NAT?

    Are you forwarding any ports or running it in DMZ?
  6. njeske

    njeske Network Guru Member

    neither. the only thing i'm doing is forwarding WAN port 8082 to port 80 on my PAP2 so that i can let the viatalk guys login to the PAP2 without having to put it into the DMZ.
  7. Reiper

    Reiper LI Guru Member

    Well I'll have to stick it back behind the firewall and see if it has any additional problems??

  8. wycf

    wycf Network Guru Member

    I have a PAP2 behind tomato. I also have an Asterisk box (I am learning it now). On tomato I forward ports to the Asterisk box but nothing needs to be done for the PAP2. The PAP2 works fine.

    For one-way audio, it is most likely a NAT issue. I think tomato has nothing to do with it. If you'd like to try using STUN, you should set it up on your PAP2.
  9. NateHoy

    NateHoy Network Guru Member

    As I understand it, the Vonage device makes an outbound connection intermittently to keep itself in the NAT table, so an incoming call is technically a response to the outbound request, and not an incoming request.
  10. Reiper

    Reiper LI Guru Member

    That makes sense NateHoy... I went ahead and put the ATA back behind the firewall and, even though I probably don't need to, forwarded the following to the ATA's static IP:

    5060-5061 UDP
    10000-20000 UDP

    Again, I'm thinking the couple of times that I had 1-way audio had more to do with my ISP's NAT versus Tomato's. One of the evils of being behind their router and getting assigned a Private IP. I should note that my modem is a Motorola Canopy which is acting as a bridge to the Wireless AP so it isn't doing any NAT, just the ISP itself.
  11. turbo53

    turbo53 Network Guru Member

    From the Tomato QOS details screen, I see that my WRTP54G (which is behind my WRT54GL) constantly keeps a UDP connection open on port 10000.

    Just lovin' the QOS and bandwidth screens! :)
  12. Reiper

    Reiper LI Guru Member

    That's interesting... My PAP2 only keeps ports 5060-5061 open (as SIP registers every few min) but only opens ports in the 10,000 range (RTP) when a call is made or received?
  13. njeske

    njeske Network Guru Member

    reiper, i also happen to work for a small voip provider in sacramento and have a tip for you. if you can access the admin area of your pap2, try reducing the registration timer. we usually set our devices to register every 30 seconds. that way the device is sure to stay in a nat table and rarely have any issues receiving calls or with one-way audio.

    viatalk will give you the admin password for your pap2 if you ask for it. i read that on dslreports.com and decided to ask for mine. they gave it to me without even asking why i wanted it.
  14. Reiper

    Reiper LI Guru Member

    I actually requested my password before I even got the ATA and they were happy to accommodate! I've been pretty happy with ViaTalk! That is a good idea with respect to registration time... I'll have to give that a go!

    So you're telling me that you work for a small VoIP company and you're using ViaTalk's service over your own company's? Traitor! :)
  15. fareal

    fareal LI Guru Member

    This is how I tell which ViaTalk server I'm connected to, if I am ever curious, just look for this entry (5060-5061) in Tomato's QOS Details. Since we can no longer see this info in VT's control panel.

    I also forward ports 5060-5061 and 10k-20k. I've had one way audio issues maybe on only a couple of calls in the past couple of months.

    Hello, fellow VT - Tomato users!
  16. Reiper

    Reiper LI Guru Member

    :) Good combo so far!
  17. njeske

    njeske Network Guru Member

    back when i started with the company we offered a really crappy voip product that didn't have any sort of web control at all. so yeah, i got viatalk. :) now though, we've got a whole new voip platform installed that's really nice. we don't offer residential service though. except to our employees and friends of executives.

    also, there is no need to forward ports to your pap2. the pap2 initiates the sessions on the 5060 and 5061 ports and then just streams data over UDP 10k-20k. it won't hurt anything to have the ports forwarded, but it's not needed. just add a QoS rule for your PAP2's MAC address where it has the highest priority and make that rule the first rule. that'll take care of most quality issues.
  18. Reiper

    Reiper LI Guru Member

    Thanks for all the info! I was looking at my settings on the PAP2 and it registers every 600 sec. I haven't had a chance to change it as of yet but I'll give it a try. Hopefully provisioning won't reset this setting? What you were saying made a lot of sense! Would also explain why it worked most of the time but I had a few occurrences of one-way audio. My guess is the PAP2 hadn't registered for a while and "fell" out of the NAT routing table (Not sure how often Tomato updates the IP tables), which caused the occasional one-way audio.

    Great info!! Thanks!!!
  19. fareal

    fareal LI Guru Member

    I tried changing the 600 second timer for the Registration and provisioning does overwrite it. Noticed right next to that "Register Expires" setting is a "Proxy Fallback Intvl" setting that is also set to 600 seconds. Just wondering if those two settings should match if we do change the "Registration Expires" setting to a lower interval? Not sure what "Proxy Fallback Intvl" does.

    I just disabled the forwarding of ports 5060-5061 and 10 to 20k. Wonder if I'll experience more frequent one way audio issues.

    njeske: You guys do 30 second registrations and viatalk does 600 seconds... why such a huge difference?
  20. mmisnan

    mmisnan Network Guru Member

    Some ATA devices will drop your phone connection during the reregistration. I do think PAP2 does the same too. My SPA3K has register expires setting set to 7200.
  21. fareal

    fareal LI Guru Member

    That would mean those of us with the PAP2 on ViaTalk set to 600 sec registration wouldn't be able to talk for more than 10 minutes at a time. No way. PAP2 doesn't drop connection during registration.
  22. NateHoy

    NateHoy Network Guru Member

    Not at all.

    When you are talking, packets are going through the router continuously in both directions and that keeps the NAT routing entry updated.

    It's only when your phone is idle and you are waiting for a call that the registration timing is useful. If you set the number too high, your router eventually "forgets" about the connection (as determined by the active to idle timeout in your IP_CONNTRACK settings). Once that happens, if you get an incoming call, the router will not know what to do with the incoming call signal and throw it away.

    So, if you have IP_CONNTRACK active->idle (second number in the setting) set to 300 seconds and your registration timer set to 600 seconds, then every 10 minutes your VoIP device will "remind" the router that it is there, and 5 minutes later, the router will forget, so you'll get about 50% of your calls.
  23. fareal

    fareal LI Guru Member

    Which Conntrack setting would that be in Tomato?

  24. fareal

    fareal LI Guru Member

    But how about the NAT keep alive setting in the PAP2? Isn't that doing something to prevent the router from forgetting the ata is there?

    As I look at the QOS details in Tomato it looks like I see 5060 and/or 5061 entries to the ATA appear in the list more frequently than 600 seconds, which is my reregistration time, but it's hard to be sure since there are no timestamps in the QOS details in Tomato. But if that is the case and I am seeing them more frequently than 600 seconds, isn't that the NAT keep alive from the PAP2?

  25. njeske

    njeske Network Guru Member

    we only set 30 second registration times on our polycom SIP phones. when we set up ATAs we typically do 300 seconds, or 5 minutes. The Polycoms don't have a NAT keep alive setting which is why we need them to register so often. Even with a NAT keep alive option, some routers still won't keep the connection active unless it sees a registration signal from the ATA. That's why reducing your registration timer can help fix one-way audio, dropped calls, and calls not getting to your ATA correctly.
  26. NateHoy

    NateHoy Network Guru Member

    Conntrack TCP / ESTABLISHED.
  27. ctaranto

    ctaranto Addicted to LI Member

    Yes, I'm coming out of left field on a 4 year old thread, but considering replacing DD-WRT with Tomato (after replacing Tomato with DD-WRT due to random loss of registrations).

    Wouldn't the setting to change be:
    Conntrack/Netfilter : UDP Timeout : Assured ?

    On DD-WRT, I can see this:
    root@wrt54gl-2:~# grep /proc/net/ip_conntrack
    udp 17 92 src= dst= sport=5061 dport=5060 src= dst=24.xx.xx.xx sport=5060 dport=5061 [ASSURED] use=1 rate=110 mark=10
    udp 17 90 src= dst= sport=5060 dport=5060 src= dst=24.xx.xx.xx sport=5060 dport=5060 [ASSURED] use=1 rate=110 mark=10

    is my PAP2T. is the server my PAP2T registers with. Since both 5060 and 5061 are ASSURED, and my PAP2T retries every 295 seconds, I need to make sure my UDP Timeout Assured is greater than that amount to ensure it doesn't go stale.

    Please correct me if I'm wrong...
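
As an added example (not part of any post in this thread), the Python below parses conntrack lines in the format ctaranto quotes and works through the timeout-versus-registration arithmetic NateHoy describes in post 22. The sample lines, the RFC 5737 addresses, the 120-second timeout and all function names are constructed for illustration.

```python
import re

# Constructed sample in the ip_conntrack format quoted in the thread.
# All addresses are RFC 5737 documentation addresses, not values from the posts.
SAMPLE = """\
udp 17 92 src=192.0.2.10 dst=198.51.100.5 sport=5061 dport=5060 src=198.51.100.5 dst=203.0.113.7 sport=5060 dport=5061 [ASSURED] use=1 rate=110 mark=10
udp 17 90 src=192.0.2.10 dst=198.51.100.5 sport=5060 dport=5060 src=198.51.100.5 dst=203.0.113.7 sport=5060 dport=5060 [ASSURED] use=1 rate=110 mark=10
udp 17 25 src=192.0.2.20 dst=198.51.100.9 sport=40000 dport=53 [UNREPLIED] src=198.51.100.9 dst=203.0.113.7 sport=53 dport=40000 use=1
tcp 6 431999 ESTABLISHED src=192.0.2.30 dst=198.51.100.80 sport=51000 dport=80 src=198.51.100.80 dst=203.0.113.7 sport=80 dport=51000 [ASSURED] use=1
"""

ENTRY = re.compile(r"^(\w+)\s+\d+\s+(\d+)\s+(.*)$")

def parse_conntrack(text):
    """Return one dict per entry: protocol, seconds left, original-direction tuple."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        proto, ttl, rest = m.groups()
        # The first src/dst/sport/dport group is the LAN-side (original) direction.
        orig = dict(re.findall(r"\b(src|dst|sport|dport)=(\S+)", rest)[:4])
        entries.append({"proto": proto, "ttl": int(ttl), "assured": "[ASSURED]" in rest,
                        "src": orig.get("src"), "sport": int(orig.get("sport", 0)),
                        "dport": int(orig.get("dport", 0))})
    return entries

def reachable_fraction(timeout_s, refresh_s):
    """Share of idle time a mapping exists if the ATA refreshes every refresh_s
    seconds and the router expires the entry after timeout_s seconds of silence."""
    return min(1.0, timeout_s / refresh_s)

def audit_sip(text, ata_ip, timeout_s, refresh_s, sip_ports=(5060, 5061)):
    """For each SIP entry from ata_ip: seconds idle so far, and how long the mapping
    is missing before each refresh (0 means it never expires while idle)."""
    gap = max(0, refresh_s - timeout_s)
    return [{"sport": e["sport"], "idle_s": timeout_s - e["ttl"], "gap_s": gap}
            for e in parse_conntrack(text)
            if e["proto"] == "udp" and e["src"] == ata_ip and e["dport"] in sip_ports]

if __name__ == "__main__":
    print(reachable_fraction(300, 600))            # the 300 s / 600 s case from the thread
    for row in audit_sip(SAMPLE, "192.0.2.10", timeout_s=120, refresh_s=295):
        print(row)
```

A non-zero `gap_s` is the window in which the router has no state for the ATA's SIP flow, so unsolicited inbound signalling is dropped until the next registration or keep-alive recreates the entry.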
