Monday, November 3, 2008

IP Phone Finally Working

It's taken me weeks, but I finally have a working IP phone. I have my Red Hat extension configured as line 1 and my Fedora extension configured as line 2.

There was a post somewhat recently from someone who purchased a Grandstream GXP-2000 IP phone and got it working with Having had no luck with my Cisco 7960G, I decided to go with the Grandstream phone.

Configuration of the GXP-2000 is certainly easier, but getting an IP phone to work on your LAN behind whatever you're using for a firewall is a royal PITA.

I tried STUN since the phone can do that. The phone was able to register itself and I could make and receive calls, but you'd never hear anything. Someone pointed out that I needed to forward tens of thousands of ports for the RTP traffic. I found some iptables PREROUTING and FORWARD rules that seemed to be correct. Still didn't help.

I fooled around with NAT settings, but nothing ever worked. Other people I talked to suggested running Asterisk locally or running siproxd or some other stack of software that would let the phone connect. The whole point of having the physical IP phone was to avoid any sort of software on my workstations and servers to make the phone work. Running siproxd wasn't really an option because I use OpenWRT on a WHR-G54-HP for my router/firewall/vpnc box. Not enough space to store siproxd.

Digging around online pointed me to an iptables kernel patch. It added the ip_conntrack_sip.o and ip_nat_sip.o modules. I'm using OpenWRT 0.9, the last whiterussian release. One thing that I find irritating is that when I mention OpenWRT to people, I am immediately told to change to DD-WRT or to upgrade to Kamikaze or something else. Why? I don't care and 0.9 works fine for me. Unless there is something I really can't get working under 0.9, I don't want to change or upgrade.

However, these kernel modules almost caused me to look into DD-WRT, but I couldn't find any evidence that DD-WRT would make my SIP situation any easier. OpenWRT runs 2.4.30. My device is MIPS, so compiling these modules for 2.4.30 for MIPS was going to be annoying and/or impossible.

Finding the patch was the first trick. The OpenWRT dev team removed the iptables SIP patch about 3 years ago due to licensing concerns. I found that svn revision 3289 was the last time they had the SIP patch. I checked that out from and proceeded to build for my router. It took a little while, but I eventually got the two modules and copied them to the router.

With the modules loaded and the following iptables rules in place:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -j ACCEPT
iptables -A FORWARD -o vlan1 -p udp --dport 5060 -j ACCEPT
iptables -t nat -A POSTROUTING -o vlan1 -j SNAT --to-source [public IP]

The phone finally works. The kernel modules are making life easier for me because I don't need a lot of iptables rules to get the phone working.
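
A phone that registers and rings but carries no audio is typically advertising its LAN address for RTP in the SDP body, which is what a SIP NAT helper such as ip_nat_sip rewrites. The Python check below is an added example, not code from the original post; the sample INVITE, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed INVITE, as a phone on a private LAN would send it (not a capture).
SAMPLE_INVITE = (
    "INVITE sip:1000@sip.example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK-constructed\r\n"
    "Contact: <sip:1000@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 8000 8000 IN IP4 192.168.1.50\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "t=0 0\r\n"
    "m=audio 5004 RTP/AVP 0 8\r\n"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def media_endpoints(sip_message):
    """Return the (address, port) pairs the SDP body asks the peer to send RTP to."""
    _, _, body = sip_message.partition("\r\n\r\n")
    session_addr, endpoints = None, []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2].split("/")[0]
            if endpoints:               # media-level c= overrides session-level
                endpoints[-1][0] = addr
            else:
                session_addr = addr
        elif line.startswith("m="):
            endpoints.append([session_addr, int(line.split()[1].split("/")[0])])
    return [tuple(e) for e in endpoints]

def unreachable_media(sip_message):
    """Endpoints an Internet peer cannot reach: missing or RFC 1918 addresses."""
    return [(a, p) for a, p in media_endpoints(sip_message)
            if a is None or any(ipaddress.ip_address(a) in n for n in RFC1918)]

def rewrite_like_sip_helper(sip_message, lan_ip, public_ip):
    """Simplified model of a SIP NAT helper: replace the LAN address in the
    headers and SDP. The kernel helper also fixes Content-Length (absent in
    the sample) and creates conntrack expectations for the RTP ports."""
    pattern = r"(?<![\d.])" + re.escape(lan_ip) + r"(?![\d.])"
    return re.sub(pattern, public_ip, sip_message)

if __name__ == "__main__":
    print("before:", unreachable_media(SAMPLE_INVITE))
    fixed = rewrite_like_sip_helper(SAMPLE_INVITE, "192.168.1.50", "203.0.113.7")
    print("after: ", unreachable_media(fixed))
```

Running the same check on an INVITE captured on the WAN side of the router shows whether the helper modules are actually rewriting the media address.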

For details on my OpenWRT configuration, go here.

My extension is 5100345.


Veselin said...

I am trying to achieve something similar and have not succeeded yet. Is there a way of me getting in touch with you? Or maybe you could give some ideas how to get around my problem, or at least where to read about it.
I have a Netgear router with DD-WRT v24 firmware. It establishes VPN connection successfully to a Cisco1812 router. Behind the Netgear I have a Cisco7960 IP Phone that registers successfully to Cisco CallManager in my office that is behind the 1812 router. BUT, like you, I can only make and receive calls and no voice traffic passes through.
Now, I know that the signalisation is SCCP, not SIP like yours, but I still have to get the RTP traffic through the VPN. I tried your IPTABLES commands and it is not working (since I am a newbie in Linux and DD-WRT, I can only copy and paste the commands).
Please help.

Aamir Khan said...

Thanks for the comments. We are glad to hear your SPA303 is working fantastically! We appreciate the positive feedback.