Koozali.org formerly Contribs.org

Voip/Sip handling

« on: July 25, 2019, 11:29:49 AM »
Hello,

At some stage in the near future I will need the ability to allow voip/Sip packets thru the smeserver (since, imho, they are data anyway). My question is: will they pass thru an unmodified smeserver 9.x? And if so, will they pass thru a heavily fortified smeserver 9.x (with mods to the iptables via a custom template)? I'm happy to post the fragment here. I've had to substantially up the protections on the smeserver to stop 'bad actors' from slowing it down to a crawl, and from trying to break in.

[If this is the incorrect section to ask this question, can a mod move it to the right section, or send me a message - Thanks]

Any help appreciated.

Best Regards,
Louis
----
Regards,

Louis

janet
Re: Voip/Sip handling
« Reply #1 on: July 25, 2019, 12:27:23 PM »
louhaven

Quote
My question is will they pass thru an unmodified smeserver 9.x?

Yes, should be OK generally speaking; performance will depend somewhat on other factors relating to your server load & hardware speed etc.
It would probably be advisable or essential to use some sort of traffic shaping or Quality of Service (QoS) control script, e.g. see the Wondershaper Howto.


Quote
And if so, will they pass thru a heavily fortified smeserver 9.x (with mods to the iptables via a custom template).

Probably will depend on what mods you have made.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Re: Voip/Sip handling
« Reply #2 on: July 28, 2019, 10:53:42 AM »
louhaven

Quote
Probably will depend on what mods you have made.

If I quote my entire iptables fragment here, could you tell me if the voip/sip packets would be allowed, or/and/if/ there might be any changes to be made?

Best Regards,
Louis

ReetP
Re: Voip/Sip handling
« Reply #3 on: July 28, 2019, 11:33:18 AM »
Not enough detail to make a comment.

Are you talking about running a voip server, e.g. FreePBX, behind SME, or SIP phones connecting to a remote server?

You should do some general reading on SIP before you start hacking about.

Ports concerned are

UDP 5060
TCP 10000-20000

For outgoing you probably don't need to do much.

For incoming a local Voip server it will depend where it is.

You most likely will need some sort of QoS.

Don't post loads of templates here.

If you really need to, paste the masq file on say pastebin or similar.

But first try to tell us a bit more about what you are trying to do.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Re: Voip/Sip handling
« Reply #4 on: November 08, 2019, 07:05:50 AM »
Quote
Ports concerned are

UDP 5060
TCP 10000-20000

For outgoing you probably don't need to do much.

For incoming a local Voip server it will depend where it is.

You most likely will need some sort of QoS.

Okay, after much reading, digesting, quiet periods to think, and lots and lots of hours diagnosing, I've worked out the following:

The sme server is blocking both incoming and outgoing sip/voip packets.

The ata is plugged into a managed switch (TP-Link) which prioritizes voip traffic; the ATA has an ip within the local range.

I was considering adding the following to the iptables file aka masq via a custom template (not sure what to call it, as I've already got a 40denyzombies):

Code:
iptables -A FORWARD -p udp -d xxx.xxx.xxx.52 --sport 5060:5061 --dport 5060:5061 -j ACCEPT
iptables -A FORWARD -p udp -d xxx.xxx.xxx.52 --sport 10000:20000 --dport 10000:20000 -j ACCEPT

iptables -A FORWARD -p udp -s xxx.xxx.xxx.52 --sport 5060:5061 --dport 5060:5061 -j ACCEPT
iptables -A FORWARD -p udp -s xxx.xxx.xxx.52 --sport 10000:20000 --dport 10000:20000 -j ACCEPT

Will this allow both in and out packets to the ata 'box' - an spa122 plugged into a managed switch?

Does this look like it will work, say I call it '45allowsip'?

.. expanding the template and reloading iptables/masq.


Questions/comments/thoughts type away....


Best Regards,
Louis
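An added example (not part of the original posts, and not SME Server's own tooling): the four FORWARD rules proposed in Reply #4, modelled as a small shell function and run over constructed iptables LOG lines to show which packets they would accept. The ATA address 192.0.2.52, the provider address 198.51.100.10, the `fw-drop:` log prefix and the function names are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. ATA stands in for the redacted
# xxx.xxx.xxx.52 address; 192.0.2.52 is a documentation placeholder.
ATA="192.0.2.52"

in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# iptables ANDs every match in a rule, so --sport AND --dport must both
# fall inside the range for the ACCEPT to apply.
both_in() { in_range "$1" "$3" "$4" && in_range "$2" "$3" "$4"; }

# match_rule PROTO SRC DST SPT DPT
# Prints which proposed rule would accept the packet, or "no-match"
# (the packet falls through to whatever the rest of the ruleset does).
match_rule() {
  dir=""
  [ "$1" = "UDP" ] || { echo "no-match"; return 0; }
  if [ "$3" = "$ATA" ]; then dir="in"; elif [ "$2" = "$ATA" ]; then dir="out"; fi
  if [ -z "$dir" ]; then echo "no-match"
  elif both_in "$4" "$5" 5060 5061; then echo "$dir-sip"
  elif both_in "$4" "$5" 10000 20000; then echo "$dir-rtp"
  else echo "no-match"; fi
}

# check_log: read iptables LOG lines on stdin, extract the packet fields,
# and report the verdict of the proposed rules for each logged packet.
check_log() {
  while IFS= read -r line; do
    src="" dst="" proto="" spt=0 dpt=0
    for tok in $line; do
      case $tok in
        SRC=*)   src=${tok#SRC=} ;;
        DST=*)   dst=${tok#DST=} ;;
        PROTO=*) proto=${tok#PROTO=} ;;
        SPT=*)   spt=${tok#SPT=} ;;
        DPT=*)   dpt=${tok#DPT=} ;;
      esac
    done
    echo "$(match_rule "$proto" "$src" "$dst" "$spt" "$dpt") $src:$spt -> $dst:$dpt"
  done
}

# Constructed log lines, trimmed to the relevant fields; the "fw-drop:"
# prefix and the 198.51.100.10 provider address are assumptions.
SAMPLE_LOG='kernel: fw-drop: IN=eth1 OUT=eth0 SRC=198.51.100.10 DST=192.0.2.52 PROTO=UDP SPT=5060 DPT=5060
kernel: fw-drop: IN=eth1 OUT=eth0 SRC=198.51.100.10 DST=192.0.2.52 PROTO=UDP SPT=35012 DPT=16384
kernel: fw-drop: IN=eth0 OUT=eth1 SRC=192.0.2.52 DST=198.51.100.10 PROTO=UDP SPT=16384 DPT=35012'

printf '%s\n' "$SAMPLE_LOG" | check_log
```

Only the first sample packet matches; the other two have one port outside 10000:20000, so they fall through to the rest of the ruleset.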

ReetP
Re: Voip/Sip handling
« Reply #5 on: November 08, 2019, 09:14:04 PM »
There are some tricks you can do with SME to help here but I am away until later Saturday so can't do anything until then.

Note outbound should be ok. Not sure why that would be blocked. Do your iptables logs tell you anything?

janet
Re: Voip/Sip handling
« Reply #6 on: November 09, 2019, 02:33:38 AM »
louhaven

1) Please describe completely the network arrangement of your SME server, the managed switch, any firewall & where devices are located in the data flow.

2) What mode is your SME configured for ie, private server, server only, server & gateway, (in server & gateway mode is it in Static IP configuration or not) ?

3) What type of modem & configuration is between SME server & Internet ie bridged modem ?

4) You mention the ata, I assume you mean an Analogue Telephone Adapter (ATA), correct ? .... and to that you attach an old style PSTN (analogue) phone rather than an IP style phone ?

5) You mention the managed switch & that it prioritizes VOIP traffic. That may all be very well, but if that switch is connected to the LAN side of SME server then you also need QoS (traffic shaping & priority for VOIP) on SME server.

6) As requested, can you paste your iptables &/or template contents to an image site etc & post a link here.

7) For some years I have used an ATA on the LAN side of an SME server (connected via the local network hub), with SME in server & gateway mode (with Wondershaper) & it worked fine. From memory I did not need to make additional changes to the SME server firewall settings, or open ports.

« Last Edit: November 09, 2019, 02:38:42 AM by janet »