I might also be missing something, but the SIP proxy is very different. Where do I enable transparent proxy and setup a SIP routing table for different domains? I tried a simple non-transparent configuration, but that also doesnt appear to function.
as mentioned in another thread, the SIP proxy has been replaced by a true statefull SIP connection tracking helper.
In V6, the SIP Proxy had limitations, as it was only possible to do outbound calls, which means that a Sip client behind the firewall could connect to a SIP server on the internet.
But there were three limitations: 1) no inbound support for SIP calls to your own sip server 2) all SIP RTP packets where proxied by the applications, which created a higher latency and we were forced to open a big udp range for incoming packets. 3) QoS was not abler to properly determain the RTP connections, therefor VoIP prioritization was poor.
This has all been addressed by a helper similar to FTP, which parses the SIP traffic and detects when a calls takes place and opens the matching ports to only allow this specific flow and only for the duration of the call.
Also it is now possible to simply mark the SIP TCP connection (tcp/5060) with a specific number, which gets automatically inheritet to the RTP call packets. This we can easily prioritize the VoIP traffic.
On top of that, the whole handling is now handled in the kernel and not in userspace anymore, which reduces the latency dramatically.
In order to use the new SIP functions, just add: Internal Network to 'SIP Client' and Any to 'SIP Server'.
Than configure your phone to not use a SIP proxy of the firewall, but to directly connect the SIP Servers, as there were no firewall.
Than the ASG will do the magic and handle everything.
On top of that, you can create a DNAT rule to FORWARD port tcp/5060 to you own SIP server, to handle incoming SIP calls.
So my setup is fairly straight forward as this was a test for the AS7 firewall. As I mentioned the configuration we are used to from the v6 series is that the phones are configured to go to the address of the SIP server, the proxy was set to transparent. Allowed hosts was the Internal side, and the interface was Internet.
Before reading your note, I had the v7 configuration with the server being the IP that of the foreign SIP server, and Internet network as the client.
The firewall has one rule for MASQ of all clients on the Internal network. There are three phones at this location, but only one is enabled during the testing period. Since I do not have an inbound server and I dont have extra IPs I dont have a DNAT rule.
My packet filter rulebase is an any any allow outbound rule, with a new rule added that allows all inbound from the IP network of the SIP server.
My Internet connection type is Cable Modem (DHCP).
Still no joy on this. I am going to have pull sniffer traces to see what the firewall is producing in terms of packets.
As I wrote in an other SIP thread I still have issues after following Gert's "guide". I can make and receive calls but can't hear anything since the RTP ports is blocked på the firewall. According to Gert's the firewall should do some magic, but that's not the case for me.
Am I doing something wrong or is this setup only ment for SIP servers behind the firewall and not a VoIP adapter (i.e. Sipura 2100)?
disable the usage of STUN and if applicatable of NAT ind the configuration of your phone. After sisabling these options in your phone, power off the phone and reboot the firewall. Startup your phone again and everything should be fine.
I still havent made much progress with the new SIP connection helper. I started to do an more detailed analysis by setting all rules to log all and then look at the results to see where the traffic was breaking down. No SIP traffic is appearing in the packet filter logs, and the SIP log remains empty. I will post as I find more information, but generally speaking if I switch to the v6 firewall in transparent mode - all is good. TFTP of the configuration is successful to the device, but no SIP traffic is moving. Disabling the SIP connection helper yields a registration with the wrong (internal IP), enabling yields a null result.
I still havent made much progress with the new SIP connection helper. I started to do an more detailed analysis by setting all rules to log all and then look at the results to see where the traffic was breaking down. No SIP traffic is appearing in the packet filter logs, and the SIP log remains empty. I will post as I find more information, but generally speaking if I switch to the v6 firewall in transparent mode - all is good. TFTP of the configuration is successful to the device, but no SIP traffic is moving. Disabling the SIP connection helper yields a registration with the wrong (internal IP), enabling yields a null result.
