There was a post somewhat recently from someone who purchased a Grandstream GXP-2000 IP phone and got it working with talk.fedoraproject.org. Having had no luck with my Cisco 7960G, I decided to go with the Grandstream phone.
Configuration of the GXP-2000 is certainly easier, but getting an IP phone to work on your LAN behind whatever you're using for a firewall is a royal PITA.
I tried STUN since the phone can do that. The phone was able to register itself and I could make and receive calls, but you'd never hear anything. Someone pointed out that I needed to forward tens of thousands of ports for the RTP traffic. I found some iptables PREROUTING and FORWARD rules that seemed to be correct. Still didn't help.
I fooled around with NAT settings, but nothing ever worked. Other people I talked to suggested running Asterisk locally or running siproxd or some other stack of software that would let the phone connect. The whole point of having the physical IP phone was to avoid any sort of software on my workstations and servers to make the phone work. Running siproxd wasn't really an option because I use OpenWRT on a WHR-G54-HP for my router/firewall/vpnc box. Not enough space to store siproxd.
Digging around online pointed me to an iptables kernel patch. It added the ip_conntrack_sip.o and ip_nat_sip.o modules. I'm using OpenWRT 0.9, the last whiterussian release. One thing that I find irritating is when I mention OpenWRT to people, I am immediately told to change to DD-WRT or to upgrade to Kamikaze or something else. Why? I don't care and 0.9 works fine for me. Unless there is something I really can't get working under 0.9, I don't want to change or upgrade.
However, these kernel modules almost caused me to look into DD-WRT, but I couldn't find any evidence that DD-WRT would make my SIP situation any easier. OpenWRT runs 2.4.30. My device is MIPS, so compiling these modules for 2.4.30 for MIPS was going to be annoying and/or impossible.
Finding the patch was the first trick. The OpenWRT dev team removed the iptables SIP patch about 3 years ago due to licensing concerns. I found that svn revision 3289 was the last time they had the SIP patch. I checked that out from svn.openwrt.org and proceeded to build for my router. It took a little while, but I eventually got the two modules and copied them to the router.
With the modules loaded and the following iptables rules in place:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -j ACCEPT
iptables -A FORWARD -o vlan1 -p udp --dport 5060 -j ACCEPT
iptables -t nat -A POSTROUTING -o vlan1 -j SNAT --to-source [public IP]
The phone finally works. The kernel modules are making life easier for me because I don't need a lot of iptables rules to get the phone working.
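Why calls connect but carry no audio behind NAT, as an added example that is not from the original post: the phone's INVITE advertises its LAN address in the SDP body, so the far end sends RTP to an address it cannot reach. This Python code parses a constructed INVITE and reports the address a SIP NAT helper has to rewrite and the narrow UDP pinhole the call actually needs. All addresses, ports and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample INVITE from a phone behind NAT; every address, port and
# name in it is made up for illustration.
SAMPLE_INVITE = (
    "INVITE sip:1000@sip.example.org SIP/2.0\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=phone 8000 8000 IN IP4 192.168.1.50\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "t=0 0\r\n"
    "m=audio 5004 RTP/AVP 0 8\r\n"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def media_endpoints(sip_message):
    """Return [(ip, rtp_port)] for each audio stream in the SDP body."""
    _, _, body = sip_message.partition("\r\n\r\n")
    session_ip, streams = None, []
    for line in body.splitlines():
        if line.startswith("c="):                 # c=IN IP4 <address>
            ip = line.split()[-1].split("/")[0]
            if streams:
                streams[-1][0] = ip               # media-level c= overrides
            else:
                session_ip = ip                   # session-level default
        elif line.startswith("m="):               # m=<kind> <port> <proto> ...
            kind, port = line[2:].split()[:2]
            streams.append([None, int(port.split("/")[0]), kind])
    return [(ip or session_ip, port) for ip, port, kind in streams
            if kind == "audio"]

def audit(sip_message, public_ip):
    """Report what a NAT helper must rewrite and which UDP ports to open."""
    report = []
    for ip, port in media_endpoints(sip_message):
        private = any(ipaddress.ip_address(ip) in net for net in RFC1918)
        report.append({
            "advertised": f"{ip}:{port}",
            "unroutable": private,        # far end cannot send RTP here
            "rewritten": f"{public_ip if private else ip}:{port}",  # assumes port is kept
            "pinhole_udp": (port, port + 1),  # RTP, plus RTCP on the next port by convention
        })
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_INVITE, "203.0.113.7"))  # constructed public address
```

With a connection-tracking helper following the call, only that port pair has to be accepted as RELATED traffic, instead of a standing forward of the phone's whole RTP port range.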
For details on my OpenWRT configuration, go here.
My talk.fedoraproject.org extension is 5100345.