FreeBSD, Asterisk 16, pf, and pjsip, nat

Harry Schmalzbauer freebsd at
Fri Jun 11 23:34:46 UTC 2021

On 09.03.2019 at 22:49, David Mehler wrote:
> Hello,
> I'm running Asterisk 16 via ports on a FreeBSD 11 system. I'm running
> pf and believe I have things correct, I'm allowing ports UDP 5060 and
> 5061, as well as for rtp UDP 10000 to 20000 through. I'm running this
> on a vps with a public IP, it is not natted. My local connection to
> the internet is behind a natted cable modem. I can connect via soft
> phone to the asterisk sip server, says account ready. Everything works
> except audio. I believe I'm having a nat issue as the connecting
> Suggestions welcome.

I had a similar issue today.
Mine looked suspiciously like NAT too, but turned out to be a source selection 
problem of the RTP socket.
Solution came from:
(haven't read the whole thread/problem description, but these are the 
originally well formatted finalizing lines):
   So I tried adding to the endpoint config:

Last time I checked with asterisk's SIP configuration was a decade ago 
for chan_sip.
Today, there are many copy'n'paste templates out there - more or less 
correct and more or less outdated - but all of them almost completely 
lack any documentation/description/defaults.
I'd like to share what I collected so far for the pjsip module to set up 
an outbound registration and RTP peering with asterisk 18, with details 
for SIP-trunk of Deutsche Telekom.
Hopefully the one or the other comment helps fellows finding out the 
right thing to do.
Might look confusing at first sight, but I think there's no single 
superfluous word and hopefully nothing missing as well...  You're welcome to 
add blank lines yourself for better reading, but order/blocks should 
reflect dependencies/relations.

; pjsip-registrations.conf
; To be included by pjsip.conf.
; This separate config file is used to define REGISTER relevant sections
; describing 3rd party telco peers (DeutschlandLAN SIP-Trunk by Telekom).
; For easier maintenance, we also define the corresponding endpoint(s) here!
; Created based on Asterisk 18 available documentation and 1TR118, published by
; Telekom Deutschland GmbH 
; Any non-self-explaining parameters are documented, hence it doesn't look
; too user friendly, but it is if you want/need to adjust!
; see xten/globalvars.conf for the following variables:
     ;PSTNpnTrunk1=181 (pilot number only)
     ;and $idpfxTelco1 to match 'contact_user'.

;------ TRANSPORTS for PSTN/remote peers ------
   protocol=tcp  ;udp,tcp,tls,ws,wss,flow
   bind= ;${nativeIPv4address}
   external_media_address= ;${publicIPv4address}
   external_signaling_address= ;${publicIPv4address}

   transport=NATv4plain_tcp     ;match your arbitrary (but suitable) definition ;(
   outbound_auth=telcolink1_181trunk10    ;match your arbitrary definition
       auth_rejection_permanent=no ;non-critical    (default=yes)
       max_retries=5          ;non-critical    (default=10)
       retry_interval=45          ;non-critical    (default=60)
       forbidden_retry_interval=90 ;non-critical    (default=0)
       expiration=120 ;(480=t-online, 120=telekom, default=3600) ;    provider dependent 
   ; Both header fields "From:" and "To:" of the REGISTER message are 
   ; from the 'client_uri' variable.
   ; According to 1TR118, for the (NGN) SIP-trunk, one of the routable and
   ; customer specific provisioned E.164 prefix numbers (number blocks,
   ; pilot number) must be used 
   client_uri=sip:+49228181 at ;not appending port (:5060)
   ;  The "Contact:" header field of REGISTER messages is composed of its value.
   ; RFC 3261 specifies that a FQTN@ part is to be used, while RFC 6140 
   ; an IP socket to be defined (Contact:sip:;bnc e.g.).
   ;  pjsip appends @IPboundto:5060,;transport=${TRANSPORT->protocol} to
   ; 'contact_user'.  There is currently no possibility to define the 
   ; "Contact:" header field, so RFC 6140 is not supported as of asterisk 18.
   ; IMPORTANT: Telekom (SIP-Trunk) respects the "Contact:" header sent 
   ;    our registration message.  What we define with 'contact_user' will be
   ;    used for all provider initiated messages, like INVITE messages.
   contact_user=+49228181    ;To be set according to idpfxTelcoN definition
                 ;(in xten/globalvars.conf)!!!
   line=yes    ; Telekom supports line parameter in the Contact: header 
   endpoint=telekom_trunk10SITE1    ;This defines the endpoint to use for messages
                 ;containing the negotiated line parameter for
                 ;our registration

; authentication object(s)
   auth_type=userpass    ;md5 unavailable (handle_client_registration(void *)):
             ;     Failed to set initial authentication credentials
             ;Take care of file permissions!

; endpoint (B2BUA to telco provider - receiving calls)
[telekom_trunk10SITE1] ; 0228-181 0-9 Telekom DeutschlandLAN SIP-Trunk
   aors=telekom_trunk10SITE1 ;where to look whom to send outgoing calls to
   context=pstn_incoming      ;where to look for incoming calls
   identify_by=header,ip    ;this is fallback order for identify sections only,
             ;we define line/endpoint during registration!
   allow_unauthenticated_options=yes    ;RFC 3261 requires OPTIONS to be 
                     ;like INVITE (default=no)
   allow=!all,g722,g726,alaw    ;NGN SIP-Trunk consistently uses g722 as of 2021
   dtmf_mode=auto ;(default=rfc4733) SIP INFO is unsupported with NGN 
          ;auto uses INBAND if rfc4733 fails (auto_info was valid too)
   outbound_auth=telcolink1_181trunk10    ;match your arbitrary definition    ;provider dependent _URI_!
   timers=no        ;Session timers for SIP packets (default=yes)
   ;force_rport=yes    ;Force use of return port (default=yes)
   ;ice_support=no    ;no NAT traversal help needed, see 1TR118 (default=no)
   ; --- NAT specific endpoint settings (NGN/SIP-Trunk) 
   rewrite_contact=yes    ;(default=no) sdp contact fields become 
             ; external_media_address, header contact field becomes
             ; external_signaling_address (as defined in transport).
   disable_direct_media_on_nat=yes ;no direct_mediasession refreshes 
   ;direct_media=no    ;default=yes, we do disable direct_media_on_nat, keep
             ; allowed for non-NAT (IPv6).
   ;rtp_symmetric=yes    ;ignore c= and m= of sdp, send media back to source IP.
             ;Recommended for dynamic IPv4 and NAT environments.
             ;Not necessary if external_media_address matches static
             ;IPv4 and rewrite_contact=yes
   rtp_keepalive=15    ;seconds between RTP comfort noise keepalive packets
   rtp_timeout=30    ;terminate call if no RTP (while off hold) is exceeded
   rtp_timeout_hold=7200    ;allowed time for calls on hold before 
   ; all RTP timeout values above are '0' by default (no timeout)
   ignore_183_without_sdp=yes    ;cosmetic (default=no)
   sdp_session=OmniPBX (pjsip-ast18)
   ;.------ Special tuning, needed only for FreeBSD jails without vimage 
   ; If peer receives no media and 'rtp set debug on' reveals negative 
length for
   ; correct IP in "Sent RTP packet to", you want these two lines:
   media_address=    ;specify the (source) IP of the 
interface to be
   bind_rtp_to_media_address=yes    ;used for RTP (pre-NAT) and tie 
socket to it.
   ; '----- (rtp media transmitted on wrong interface) 
   asymmetric_rtp_codec=yes    ;TO BE OBSERVED: Differing codecs for 
                 ;and sending media shouldn't cause any problems.
   ;send_pai=no ;default=no, we add PPI using dialplan function 
   from_user=+492281810    ;always append 0 to pilot number    ;will be replaced by NGN (
   contact_user=+49228181    ;To be set according to idpfxTelcoN definition
                                 ;(in xten/globalvars.conf)!!!
   language=de ;which IVR subdirectories to use e.g.

; Address of Records, the location information(s) for endpoints to use 
   type=aor ;used for sending OPTIONS 
   ; Permanent contacts assigned to AoR (endpoints use this location(s) URI(s) to
   ; send calls to).
   contact=sip:+49228181 at ;consistent with contact_user
   default_expiration=600    ;default=3600
   qualify_frequency=180        ;default=0

; Identify (endpoints selection criteria for inbound requests)
   ;srv_lookups=no ;lookup _sip._udp, _sip._tcp, and _sips._tcp (defaults to yes)
   ; ;IP or hostname 
   match_header=To: /181.* ;/.../ means regex
   endpoint=telekom_trunk10SITE1    ;match your arbitrary definition
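
The config's recurring reminders ("match your arbitrary definition", the two media_address lines, "Take care of file permissions!") can be checked mechanically. The following is an added example, not part of the original message: a small linter for pjsip.conf-style text. The names `REFS`, `parse`, `lint` and `SAMPLE` are hypothetical, and the sample config is constructed (section names follow the post; the `type=` and `password=` lines and the typo are assumptions).

```python
import re
import stat

# Referencing key -> type of the section it must name.
REFS = {"transport": "transport", "outbound_auth": "auth",
        "aors": "aor", "endpoint": "endpoint"}

# Constructed sample; section names follow the post, values are placeholders.
SAMPLE = """\
[NATv4plain_tcp]
type=transport
[telcolink1_181trunk10]
type=auth
auth_type=userpass
password=placeholder
[telekom_trunk10SITE1]
type=endpoint
transport=NATv4plain_tcp
outbound_auth=telcolink1_181trunk1  ; constructed typo, final 0 missing
bind_rtp_to_media_address=yes       ; media_address forgotten
"""

def parse(text):
    """Return [(section, {key: value})]; same-name sections stay separate."""
    out = []
    for raw in text.splitlines():
        # ';' starts a comment unless escaped as '\;' (block comments not handled)
        line = re.split(r"(?<!\\);", raw, maxsplit=1)[0].strip()
        head = re.fullmatch(r"\[([^\]]+)\](\(.*\))?", line)
        if head:
            out.append((head.group(1), {}))
        elif out and "=" in line:
            key, value = line.split("=", 1)
            out[-1][1][key.strip()] = value.lstrip(">").strip()
    return out

def lint(text, mode):
    """Findings for config text stored in a file with permission bits `mode`."""
    sections = parse(text)
    defined = {(opts.get("type"), name) for name, opts in sections}
    found = []
    for name, opts in sections:
        for key, kind in REFS.items():
            for ref in opts.get(key, "").split(","):
                if ref.strip() and (kind, ref.strip()) not in defined:
                    found.append(f"{name}: {key}={ref.strip()} names no {kind} section")
        if opts.get("bind_rtp_to_media_address") == "yes" and not opts.get("media_address"):
            found.append(f"{name}: bind_rtp_to_media_address=yes but media_address unset")
        if opts.get("type") == "auth" and mode & stat.S_IROTH:
            found.append(f"{name}: credentials in a world-readable file")
    return found
```

For a file on disk, pass its contents as `text` and `os.stat(path).st_mode` as `mode`.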
