
Gamma SIP trunks 2

Status
Not open for further replies.

MMWTEK

Technical User
Nov 29, 2010
140
GB

Hi

I have a customer who wants to use Gamma SIP on their leased line. The IP Office is connected via LAN 1 onto their network. I am looking to confirm what they need to set up on their firewall to enable this to work.

I have advised them to forward UDP 5060 to the IP Office LAN 1 and I have also got them to forward the RTP range which is shown in the IP Office setup. Would I also need them to forward ports 6000 - 40000 (UDP) to the IP Office? Just looking for advice to pass on to their IT for configuring their firewall / best practice. Any advice appreciated.


M
 
Yes, port 5060, 6000-40000 and the RTP ports open to the Gamma address.
This is all that is required from the firewall.

Calum M
ACSS
 
You don't need to open the Gamma RTP range to IP Office, it should be open for outgoing from IP Office to Gamma.

"Trying is the first step to failure..." - Homer
 
Just in case it has not been made clear yet, you should only be forwarding traffic from Gamma.

Traffic from the rest of the internet MUST still be blocked if you want to minimise your risk from hacking.



Do things on the cheap & it will cost you dear
 


Hi

Thanks for the replies. I haven't been able to get the line working yet. I am getting a 403 source IP forbidden error. Gamma have come back saying they are receiving an internal add in the header instead of the public endpoint add. I take it this would be the customer's responsibility to set up NAT on the router / firewall. I have tried adding the public IP add via network topology but it doesn't make any difference.



Cheers

M
 
You would need to configure the IPO to correctly send the public IP address in its headers. It may also be possible to get this working using SIP-ALG on the router, but that is usually troublesome.






Do things on the cheap & it will cost you dear
 
It all depends if the router/firewall is SIP aware. I prefer to not play the lottery on relying on the firewall to modify the SIP packets correctly, as sooner or later a patch will break it and you won't know what's happening anymore.

As such I like to re-write the public IP in the SIP header/packet (Gamma tear the whole packet apart).

To achieve this you need to set the Transport tab - Use network topology info - on the SIP line to use LAN1 or LAN2 appropriately.

Then on LAN1/LAN2 (delete where appropriate), Network Topology Tab

Blank the STUN Server IP field

Set the Firewall/NAT type to Static Port Block (you may have to modify this depending on the firewall used)

Set the Binding refresh to 60

Set the Public IP address for the internet line that you are using.

Set the ports that you are using for SIP (5060 by default)

Your outgoing OPTIONS messages should look something like this:

Code:
336971760mS SIP Tx: UDP [ipo private ip]:5060 -> [gamma ip]:5060
                    OPTIONS sip:[gamma ip] SIP/2.0
                    Via: SIP/2.0/UDP [your public ip]:5060;rport;branch=z9hG4bK0c0c7f95e7e02f29fe820dd911c15629
                    From: <sip:[your public ip]>;tag=7898649192fa3989
                    To: <sip:[gamma ip]>
                    Call-ID: f4519bedc43d4bc8055cce97aa2ded22
                    CSeq: 400009043 OPTIONS
                    Contact: <sip:[your public ip]:5060;transport=udp>
                    Max-Forwards: 70
                    Allow: INVITE,ACK,CANCEL,OPTIONS,BYE,INFO,NOTIFY,UPDATE
                    Supported: timer
                    User-Agent: IP Office 11.0.0.0.0 build 849
                    Content-Length: 0

Hope that helps.


ACSS (SME)
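The condition Gamma reported earlier in the thread (an internal address in the SIP headers) can be checked mechanically against a trace before involving the provider. The following is an added example, not part of any post in this thread; the function names and the sample addresses (documentation ranges and a made-up private address) are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges: one of these in a header means the public address was not substituted.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Headers carrying the sender's own address, with their RFC 3261 compact forms.
CHECKED = {"via", "v", "from", "f", "contact", "m"}
IPV4_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

def parse_headers(message):
    """Return (name, value) pairs from a SIP message; the request line is skipped."""
    headers = []
    for line in message.strip().splitlines()[1:]:
        line = line.strip()
        if not line:
            break  # blank line ends the header section
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers

def private_addresses(message):
    """List (header, address) for each RFC 1918 address in the checked headers."""
    findings = []
    for name, value in parse_headers(message):
        if name not in CHECKED:
            continue
        for candidate in IPV4_RE.findall(value):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # digits that do not form a valid IPv4 address
            if any(addr in net for net in PRIVATE_NETS):
                findings.append((name, candidate))
    return findings

def sample_options(own_ip, provider_ip="198.51.100.20"):
    """Constructed OPTIONS message; all addresses are placeholders."""
    return "\n".join([
        f"OPTIONS sip:{provider_ip} SIP/2.0",
        f"Via: SIP/2.0/UDP {own_ip}:5060;rport;branch=z9hG4bKexample",
        f"From: <sip:{own_ip}>;tag=example",
        f"To: <sip:{provider_ip}>",
        f"Contact: <sip:{own_ip}:5060;transport=udp>",
    ])

if __name__ == "__main__":
    print({ip: private_addresses(sample_options(ip)) for ip in ("192.168.42.1", "203.0.113.10")})
```

An empty result for a captured outgoing message means the Via, From and Contact headers carry no RFC 1918 address; it does not confirm that the firewall's outgoing NAT address matches the one the provider has on file.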

 

Perfect. I will have a look at setting this up.


M
 

Hi

Tried setting the public IP with those instructions above, no joy, SIP trunk out of service after reboot.
There is an error within the transport tab - "network topology is set to lan, the stun server ip address cannot be 0.0.0.0." Would that be something to worry about?

As it stands I have the IP Office connected via LAN1 onto their local network. I have IP routes pointing to their firewall gateway for the Gamma SBCs. I can ping the SBC via LAN 1. I have asked the customer to forward 5060 UDP to the IP Office LAN 1 and also forward the RTP (UDP) - 49152 - 53246 to the IP Office LAN1. It's a WatchGuard firewall they have. I will get some monitor traces tomorrow. Any advice appreciated.

Cheers

m
 
It shouldn't use 49152 - 53246 for RTP, unless it's an upgraded system; even so, you should change it to the new default port range recommended.

IP500 Range = 46750 to 50750.
Linux Range = 47000 to 50750



"Trying is the first step to failure..." - Homer
 
OK, have you spoken to Gamma to ask if they are receiving and responding to your OPTIONS messages? If they are but you aren't seeing them in Monitor then the firewall isn't forwarding them to the IPO. Are you still getting the 403 Forbidden IP you mentioned previously? If so the outgoing NAT IP might be incorrect on the firewall.

ACSS (SME)

 


Hi


Tried making a test call via the SIP trunk, just get -


2018-06-05T08:54:15 46407805mS Sip: SIP Line (27) NTD profile selected but discovery failed
2018-06-05T08:54:15 46407805mS Sip: SIP Line (28) NTD profile selected but discovery failed
2018-06-05T08:54:15 46407806mS Sip: SIP Line (27) NTD profile selected but discovery failed
2018-06-05T08:54:15 46407806mS Sip: SIP Line (28) NTD profile selected but discovery failed

Trunk is hard down, out of service. Gamma aren't seeing any activity their end. I can ping the Gamma SBC and the WatchGuard firewall OK. I take it that's just a general connectivity error above and doesn't tell me much.

I am going to set it back the way it was before assigning the Network Topology - Public IP; the trunk was in the idle state at that point and you got trace information. That's when Gamma said we're sending the internal LAN address.

M
 
What happens if you uncheck "Check OOS" on the SIP trunk? This should change the SIP trunk to "In Service" in SSA as it won't be checking responses to the OPTIONS it sends out.

ACSS (SME)

 
I would suggest not using Gamma for SIP; we've had so many intermittent issues that we are now migrating all of our base to another provider.
They use old SBC, no STUN server and more importantly their network is overloaded, hence the intermittent issues with incoming/outgoing calls.
 