solution to being behind Symmetric NAT?

Discussion in '3CX Phone System - General' started by vanDivX, Mar 19, 2007.

  1. vanDivX

    Joined:
    Feb 20, 2007
    Messages:
    36
    Likes Received:
    0
    I am having trouble with one way voice and I keep getting these messages in Server Status: "StunClient::process: STUN failed to resolve external IP using server 80.239.235.209"

    the problem I think is that I have 3CX PBX behind NAT router and 3CX soft phones as remote extensions (located on WAN in several locations) which are also all behind NAT router

    as a layman I would have thought why can't I tell the PBX what my IP is so it can stop laboring trying to resolve it for god's sake, it is dynamic but really is static, it never changed in two or three years since I got that internet account setup and that's why I never used DynDNS service on it

    I have forwardedthese ports to IP of 3CX PBX :

    SIP - 5060 UDP
    STUN - 3478 UDP
    RTP - 9000-9007 UDP (for up to 4 simultaneous calls as in a conference call)

    I think I have several options:

    #1 - put 3CX winXP system in DMZ - not good especially when the system also runs security cameras in the house) plus it will be connected to PSTN landline

    #2 - forget about remote extensions and register them with FWD or some other voip provider and then simply make SIP calls between the 'extensions' - may do this if option number 3 will not work out

    #3 - I found my router has SER built in which is short for 'SIP Express Router' http://www.iptel.org/ser/using
    the router is WRT54GL flashed with DD WRT Voip firmware which contains this SIP server in it - under tab SIPatH it has the following info:

    I am wondering if I could employ this SER to solve my problems with the external IP resolution and symmetric NAT, it can do Redirect and function as an Outbound Proxy and local Registrar Server, ho hum

    somehow I don't see it and with 3CX pbx the whole SER thing seems redundant since 3CX can route internal calls between local extensions just as well, I just thought that if it sits right on the router that it might 'know' how to pass calls in and out without any NAT problems but likely fat chance

    would it make sense at all to use this SER as outbound proxy if I setup Voip provider extensions in 3CX?

    vanDivX
     
  2. 3CXsupport

    3CXsupport New Member
    3CX Staff

    Joined:
    Aug 21, 2006
    Messages:
    193
    Likes Received:
    0
    Hi,

    You can try setting up the device but I unfortunatley have never looked at it's configuration.

    Having 3CX PhoneSystem is really no problem behind NAT. The external devices should be able to connect too.

    Before you go on trying any configuration you should try to resolve the STUN issue. This will be needed when contacting the external phones over the internet.

    The only reason I can see stun fail is if for somereason it is blocked by some firewall ACL. Is this the case? if not please have a look at the trace logs or capture netwrok traffic and see if you ARE getting a reply from the stun server.
     
  3. vanDivX

    Joined:
    Feb 20, 2007
    Messages:
    36
    Likes Received:
    0
    I have just updated the PBX to newest version and these are one of the first fails of resolving the external IP, although after some tries it seems always to succede

    pondering it now as I write this, I wonder if the culprit might not be my SPA3102 which is on the LAN and uses ports 5060 and 5061 (for its PSTN and LINE1 interfaces) to connect to the PC that runs the 3CX PBX

    coming to think of it now, I am not sure if its ok to have SPA connecting to PC on port 5060 while that same port is forwarded to that same PC from the internet gateway (gatway firewall rule: forwarded port - from:5060 to:5060 )
    perhaps that is where the glitch is, the port 5060 of the PC is tied up by the SPA and only occasionally the PBX succeeds to get the external IP sent to it over the port 5060 (if that's the port which is used for this communication)

    'blocked by a firewall ACL'... what is ACL? anyway the IP usually gets resolved after several failed attempts and that would seem to indicate that its not blocked by firewall, else it would never succeed - the PC that the PBX sits on has no firewall (WinXP firewall is switched off) and it is located behind WRT54GL Linksys router flashed with custom DD-WRT Voip firmware

    the firewall on the router is set to:

    Block WAN Requests TAB ->

    Block Anonymous Internet Requests (yes)
    Filter Multicast (yes)
    Filter Internet NAT Redirection (no)
    Filter IDENT (Port 113) (yes)

    vanDivX
     
  4. Anonymous

    Anonymous Guest

    No drama to use the SPA 3102 behind a fire wall or nat, I have it sitting behind a ISA server and a Fire wall.

    Mind you I only use the WAN config on the SPA, having said that my SPA is using the WAN port and that one is directly plugged into a Switch, so no comp is hanging of the SPA 3202

    My wan setup is using the "internal lan" for example 192.168.0.150 and has the gateway as my ISA server. The WAN and LAN cannot be the same IP address.

    Same applies for the Primary and Secondary DNS both point to my ISA server IP address. If the IP's are the issue change everything to DNS resolve eg use HostNames you can do this.

    You have your PC connected to your SPA and than the SPA to your modem/switch. Why do that? you introduct more complexity as it is. If you use a softphone on your PC you use a different subnet than your wan and you need to do nat, than you do nat again when you go to the internet, very very confusing.

    On the other hand can you setup a gateway in the SPA 3102 for your VoIP etc. THis is how that works.

    gateway1 enter userid@proxy (the proxy is the name of your SIP server from the VSP.
    GW1 Auth ID this is the user ID given to you by your VSP.
    GW1 NAT Mapping enable (I guess this is going to be YES)
    GW1 password, this is the password given to you by your VSP.

    So now that is done, you need a dial plan.
    (<#1,:>XX.<:mad:GW1>|000S0<:mad:GW0>|<#0,:>xx.<:mad:gw0|xx.)

    <#1,:>XX.<:mad:GW1> this means everytime you type #1 + dialed number the connection will go through gateway1.

    THis actually might solve some NAT routing issues.

    Henk.
     
  5. vanDivX

    Joined:
    Feb 20, 2007
    Messages:
    36
    Likes Received:
    0
    I believe I have the same setup as you as far as SPA goes, it is one of the LAN 'machines' sitting behind my gateway router with couple PCs in standard setup (none is piggybacking on any other machine, they all are connected to a gateway router switch and have assigned static IPs

    it is silly that Linksys forces us to connect Wan port of the SPA to LAN with private IP setup on its WAN interface but what you gonna do

    I think you misinterpreted what posted, probably because of that comment about ports on the SPA, I love to hate ports, on one hand I understand them and on the other I don't (this later happens when I try to understand what I am doing)

    I have PSTN and Line1 interface of the SPA registered as 'External Line' and Extension respectively with the 3CX PBX and there is entry in SPA about SIP ports on the tabs of those two interfaces - by default one uses port 5060 and the other 5061 and I assume that is for communication with the PC on which the 3CX PBX is running because these interfaces are registered by it and all communication or activity on these two interfaces are now mediated by the PBX

    and I am only guessing here, if the SPA interface that uses the port 5060 to connect to the PBX on the PC might not interfere with the port 5060 on the PC on which the PBX is installed because it contacts the STUN server on port 5060 (5060 on the PC and 5060 on the gateway...)

    however I begin to feel this is intractable issue, it looks like I should get rid of my still new gateway router, just as I thought I was getting something standard and best there is in this price bracket and nifty and all that and it apparently let me down like that, makes me feel tired...

    I have to say that again, my IP is static, why can't I tell the pbx what it is and be done with it, why does it have to find it out periodically, I could damn well tell it what it is for god's sake

    BTW I thought if I have the PBX that I won't have to craft dialplan in the SPA, at least nothing too involved, I think it should be done in the PBX, right? that said I think 3CX PBX probably doesn't allow for too complex dialplan as SPA does but I may be mistaken about it

    vanDivX
     
  6. vanDivX

    Joined:
    Feb 20, 2007
    Messages:
    36
    Likes Received:
    0
    this is the port use by the 3CX PBX on the PC:

    Open Ports

    I have also disabled the SPI Firewall on the router and will watch if I still get failed attempts

    also opened extra ports 5061-5080 UDP for the hell of it

    in General settings, I specified another port to STUN server as stun.3cx.com:5061 and doubled the Timeout to 6sec, left the Recheck external IP at 20 min default (for now)

    I don't think I have some ACL (Access control list) on the router, if that means some restrictions like parental access etc, I got none of that, that options is disabled

    vanDivX
     
  7. vanDivX

    Joined:
    Feb 20, 2007
    Messages:
    36
    Likes Received:
    0
    nothing works, I saved out log (it starts after reboot of service from the bottom) and formated it in color and made spaces between 'attempts' at resolving my external IP (I changed my IP to another in the log)

    the rtf file is here on FTP

    Stun log.rtf

    if it makes any sense, sometimes I have period of respite when its ok maybe for few hours but then it starts having trouble again, go figure

    I have firewall SPI on the router switched off and all as per above post, I am thoroughly stumped and don't see what is wrong

    is it my XP installation? is it my hardware? is it my ISP? is it 3CX PBX?

    I am ready to throw in towel, what was the other Win based PBX that people mentioned here on forum, started with letter A if I remember, I want to give it a spin, tired of this thing very much, I have yet to make any call iin over a month FFS

    vanDivX
     
  8. Anonymous

    Anonymous Guest

    I am printing your posts and your files, I am going to have a look at this.

    Now no guarantee, but this problem of yours got me baffled. So time to grab the ..... by the b..... :).

    Give it a few hrs and Ill get back to you for sure.

    Henk.
     
  9. Anonymous

    Anonymous Guest

    Ok this is what I think you have:

    1(3cx --- > NAT) --- > [pstn] ---> 2(NAT ---> Softphone)

    1 is your network
    PSTN is the internet
    2 is other network which is not yours?

    Lets see if we can get things to work on 1 first.

    SPA should be on your local network (this makes it easier) same IP range as your 3cx box.

    SPA settings (not all of them but the ones that impact you are listed here)
    Static IP same network as your 3cx
    Gateway use the same as you have on your PC as gateway. Eg could be your router or if you have ISA it is your ISA server.

    Line1
    Proxy, your VSP
    Sip port 5060

    PSTN
    Proxy is your 3cx IP address
    Sip 5061

    3cx
    VOIP outbound proxy name = VSP
    Proxy is 5060
    Device is external

    Dialplan
    As provided by your VSP

    PSTN
    Gateway host IP= is the ip or your SPA
    Gateway port is 5061 (same as you entered in the PSTN).
    Device is internal (as it is on same network)


    Dial plan
    As in the manual of 3cx (configure line8 to (s0:10001)

    Make sure your VOIP is on line 10000 and your pstn is on line10001, not sure why that needs to be but I noticed it causes less problems.

    So what we got?

    We bound the VOIP outgoing direct to the VSP server
    We bound the PSTN to SPA
    We bound the SPA to 3cx

    Make sure you have no media devices enabled in 3cx, I noticed that cause trouble in my config.

    The ports you need open (eg allow internal to external)
    SIP 5060 - 5061 (you only use those two)
    STUN 3478 (not sure if you need that actually, simply because it does not work with Symmetric NAT. So I would forget that.)
    RTP not only 9000 - 9007 but also 10000 - 20000 if you have extensions that are jumping from internal to external (looks like your config) than you also need the 7000 - 7500 open.


    Anyway have a go with that, in the mean time I will try to figure out what you can do if it does not work.

    I am still a bit in the dark with your softphones, I believe they are in different locations are they not? Could you do something with VPN ?

    Henk.
     
  10. vanDivX

    Joined:
    Feb 20, 2007
    Messages:
    36
    Likes Received:
    0
    thx to your post, I talked to my brother for half hour now (he was using analog phone on Line1 of SPA which is on LAN together with 3CX PBX - all located in Europe - and myself being in Canada behind NAT router using 3CX Softphone registered as remote extension to 3CX in EU) and at least now I know it can work, first few minutes of the call we had strong tremolo (is that called 'jitter'?) and echo in voice (first he had it and than both of us had it) but somehow it suddenly went away after few minutes and we had clear voice both ways for the rest of the call, also there was 1 second or even more lag between us all the time - if I interjected something into his speech, he would keep talking and only respond a bit later to what I said but that is perhaps due to nature of the call and nothing can be done about it...

    then we hung up and when I called him again (from remote extension - ie., out on internet behind NAT router) we had again the atrocious tremolo and echo and we didn't talk long enough for it to clear

    then I had him in turn call me from Europe (where 3CX PBX is located), that is initiate the call from SPA Line1 connected phone (which is local extension 080 of 3CX PBX) and call remote extension 171 -> me in Canada with 3CX Softphone registered as remote extension 171 to 3CX PBX in Europe...
    my softphone would ring but I wouldn't hear him at all when I took the call and he would get 'destination is busy' (voice or tone message, not sure which one) and the log in 3CX would say:
    but at least now there is something to troubleshoot

    I corrected the 3CX PSTN external line port setting - I had 5060 there while SPA is set to 5061
    however this is not where the problem was since I am not using PSTN calling at all as yet (I don't have physical PSTN phone line connected to SPA)

    also I do not have any VOIP line setup in 3CX yet, all I am using at the moment are extensions - remote and local mix - and I believe I am now able to make calls due to your advice about port forwarding ->

    STUN 3478 -> I am going to keep that open because I do not know that the 3CX PBX is behind symmetric NAT, that's just my guessing because of the flaky IP resolution efforts - that resolution of my IP seems to persist for now but at least I can make a call

    perhaps what did the trick was your advice about 'mixing internal and external extensions' and that I have to forward not just 900x ports but also the 700x ports (which are otherwise supposed to be used only for internal calling between local extensions)
    problem is that the manual is badly out of date and I can now see that one shouldn't even read it - it was written before the official introduction of remote extensions and the information it gives about ports just doesn't apply to current RC2 release if you use those remote extensions (I redownloaded the manual only several days ago and it still doesn't reflect the new release)

    I also forwarded those ports 10000-20000 although I have no idea where those do come in

    maybe the reason I can 'call in' from remote extension but couldn't be called from extension local to 3CX (when using it to call the remote extension) because I may need to forward those 700x ports at the remote location where the softphone is (I did that now and also forwarded the 10000-20000 ports and will test it tomorrow)... that's some forwarding I say, I mean if you get people out there to use skype, they just download and install it and off they go but with 3CX softphone they also have to forward tons of ports (at minimum 5060 & 5062), is that because of SIP or what, now with connecting through exterior media server and using exterior STUN server it is no longer peer2peer connection anyway and I am begining to wonder why use those remote extensions at all if that is the case that you need to depend on third party public servers to be able to call, why not simply register with SIP VOIP provider like FWD and make standard SIP calls and be done with it

    the tremolo in voice during call and its subsequent fixing (it just went away by itself suddenly) might have been due to the codec being switched but that strong echo might be harder to troubleshoot, we had echo as strong as original voice, talk about echo LOL, it was more like if you spoke twice, ie. 100% echo

    in the softphone codecs are listed with priority with G711A-Law being first in line and u-Law second, shouldn't u-Law be set as first priority perhaps? also can one open the codec pannel during call and play with it and have it reflected live in the call? did anybody try doing that?

    again thanks so much, at least now I have something to work on to improve it, did that rtf file show color highlighting in text? I made another such marked up log for this calling session and it is uploaded here on my FTP

    3CX_Log-1st_Calls.rtf

    I have also noticed I have switched off UPNP in the router behind which the 3CX PBX is located, would it be better switched on?

    vanDivX
     
  11. Anonymous

    Anonymous Guest

    Yes that is jitter, you can reduce that by introducing QoS in your network, but if your ISP does not support it it would not help. No harm in trying.

    Looks like Call Progress issue, what happens when you wait eg 5 min after your first call and than have him calling back?
    It can also be related to RTP and Codecs, to eliminate the codecs make sure you have the same for both.

    These ports are for your SOUND these are the RTP. You do not need the whole range, only a few within that range but I do not know which ones you use.


    Yeah you can also say the same thing for BANANAS, you compare two different things.
    The reasons for the ports, well that is because you introduce a few bits and pieces. (SIP, STUN, RTP, RTPC). Not a biggy but a bit fiddly when starting.

    Off is better, UPNP is prone for hacking :).

    Hope this helps.

    Here some pointers to get started on JITTER and ECHO.

    SPA
    PSTN Line and the Line1 Config.

    Network Settings
    SIP CoS Value: [0-7]
    RTP CoS Value: [0-7]
    Network Jitter Level: high
    Jitter Buffer Adjustment: up and down

    That should help a little.

    Henk.
     
  12. vanDivX

    Joined:
    Feb 20, 2007
    Messages:
    36
    Likes Received:
    0
    calling is a calling is a calling...

    I was testing again and let my bro call me first (after this SIP boondogle was resting whole night so it might remember that the last call was finished...) and he still can't get to me, something is refusing to be budged, maybe need to open some more gazilion ports or what, I can call him fine except that the call quality (echo and jitter) is something awful and atrocious and abysmal and simply POS

    later on we switched to 'bananas' skype and it worked and was very much acceptable quality call

    I am no fan of skype, 99% of time I use it for written messages only BUT it can make calls and make circles around this SIP %^&*()_ that's all I can say going by my experience so far (and of course I know its not sip and that its proprietary technology and all that)



    my settings:
    Network Settings
    SIP ToS/DiffServ Value: 0x68 SIP CoS Value: 3 [0-7]
    RTP ToS/DiffServ Value: 0xb8 RTP CoS Value: 6 [0-7]
    Network Jitter Level: high Jitter Buffer Adjustment: up and down


    when I get some sleep and get over the trauma I might experiment with those arcane setting, like that cos(ine?) values that I don't have a clue even what its called or what it does, monkey's business this calling I say

    however I don't think or believe that any such setting will somehow magically improve the quality of calls, they are way too bad, simply not acceptable by any mark, can't see that being fixed by some little tweak

    BTW I made sure both ends used uLaw codec, the soft phone showed that was so during the call (and no, you can't make changes to codecs on the fly as I was asking)

    vanDivX
     
  13. Anonymous

    Anonymous Guest

    These settings only work if your ISP supports them, basically what they do is put a little tag on every IP package to tell the switches and routers that these packages need priority on the network when the network is congested.

    Ok this is what I like you to do, do a tracert from your place to the IP Phone at your bro's and have him do the same. I like to know if there is a latency on your network. There is a few things we can do but not much.

    That your bro cannot call you might be a fire wall issue. Can you tell me (you problably done already) where what sit. Is your bro on the same network as the 3cx for example is he connecting the same way as you do?

    Keep in mind that a firewall allows answering of all traffic that is initiated from its network, this might explain why you can call your bro but traffic from him is not going through as it is firewalled.

    Hope this helps.
    Henk.
     
  14. vanDivX

    Joined:
    Feb 20, 2007
    Messages:
    36
    Likes Received:
    0
    Tracert.rtf

    I think its within limits, the trace I mean, what I find discouraging is that calls would get better some five to ten minutes into the call and becoming almost normal calls then but first five minutes is very bad, hardly can make up what the other side is saying, its like double echo at full strength like original voice, if you combine that with strong jitter... if we hang up and I call up again, it is all over the bad quality again

    my bro calls from SPA Line1 phone which is on the same LAN as 3CX PBX and I am in remote location - Canada

    only firewall now is on my side (I have disabled the SPI FIrewall on the router at 3CX PBX location) but I have forwarded in ports 5060,5062,5064 and also 7000-7500 and 10000-20000, perhaps I should also forward the 900x ports too? that seems like overkill

    I will make FWD accounts and try to run the calls through voip provider that way, I don't see much hope anymore for this whole thing (local extensions mixed with remote) I still get the Failed to resolve IP messages and also a whole bunch of these

    as I see it, the call from my bro doesn't come through because the 3CX PBX thinks my extension is is busy while it is not, my remote softphone is registered to it and is hung up, it even rings for a while and it doesn't help if I take the call and see the microfone meaning the call is in progress, my bro doesn't hear me, instead he hears busy tone as soon as he dialed my extension number and that's all he ever hears (actually its tone like 'Called number doesn't exist' but I think its to do with imperfect regional setting in 3CX
    my guess would be that this is SPAs doing, it looks like its fault more than anything else

    vanDivX
     

Share This Page