SIP and Netscreen Firewalls

VoIP using SIP and RTP is a cool thing, but can be somewhat of a pain to get working from behind a firewall (NAT) device. First, an overview of the protocol:

TCP port 5060 (typically) to set up calls – Session Initiation Protocol (SIP)
UDP random ports 10,000 – 30,000 for call data (audio, video, etc) – Real-time Transport Protocol (RTP)

The problem is this: when an RTP packet is sent from a gateway (e.g. an Asterisk box) to a registrar from behind a NAT, the packet headers naturally need modifying, as with any NAT. However, SIP also carries addressing data in the payload, including IP address(es) in the ‘Via’ header.

To work properly, the NAT device would also need to rewrite the packet payload. Netfilter in Linux looks to be on the way to doing this with two kernel modules, ip_conntrack_sip and ip_nat_sip: see here.

However, pay lots of money for a Netscreen, and it doesn’t do this, despite having a ‘SIP ALG’ – according to Juniper support, the manufacturers of the Netscreen.
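To make the payload problem concrete, here is an added example (mine, not from the original post, Netfilter or Juniper) of the rewrite a SIP ALG has to perform. The INVITE, the private address and the public address 203.0.113.5 are all constructed, and treating the SDP body's o=/c= lines as part of the job is my assumption; the post above only names the Via header.

```python
import re

# Constructed sample: an INVITE as a gateway on a private address would send it.
# The NAT rewrites the IP header, but nothing in this payload changes unless an ALG does it.
PRIVATE_IP = "192.168.1.20"
PUBLIC_IP = "203.0.113.5"  # stands in for the NAT's outside address (assumed)

SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 10002 RTP/AVP 0\r\n"
)

def find_payload_addresses(msg: str) -> dict:
    """Pull out the addresses a SIP ALG must track: the Via sent-by host,
    the Contact host, the SDP connection (c=) address and the RTP port."""
    via = re.search(r"^Via:\s*SIP/2\.0/\w+\s+([\d.]+)", msg, re.M)
    contact = re.search(r"^Contact:.*?@([\d.]+)", msg, re.M)
    conn = re.search(r"^c=IN IP4 ([\d.]+)", msg, re.M)
    media = re.search(r"^m=audio (\d+)", msg, re.M)
    return {
        "via": via.group(1) if via else None,
        "contact": contact.group(1) if contact else None,
        "sdp_c": conn.group(1) if conn else None,
        "rtp_port": int(media.group(1)) if media else None,
    }

def alg_rewrite(msg: str, private_ip: str, public_ip: str) -> str:
    """Do the payload rewrite the ALG is supposed to do: swap the private
    address in Via/Contact and in the SDP o=/c= lines. The request line is
    left alone because it names the callee, not this side of the NAT."""
    head, sep, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    fixed = [lines[0]]
    for line in lines[1:]:
        if line.startswith(("Via:", "Contact:")):
            line = line.replace(private_ip, public_ip)
        fixed.append(line)
    pat = r"^([oc]=.*IN IP4 )" + re.escape(private_ip) + r"\b"
    body = re.sub(pat, lambda m: m.group(1) + public_ip, body, flags=re.M)
    return "\r\n".join(fixed) + sep + body
```

Without this rewrite the far end replies to 192.168.1.20, which is unroutable from outside; that is the failure described above. A real ALG must also track the RTP port in the m= line so the NAT lets the audio back in.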


Reliable (High Availability) networking with Linux

In a word: Bonding. See Nick Ferrier’s post to Debian-Administration. Grab my script from my Subversion repository so you can monitor your links. Get two managed switches (I like the DLink DGS-3324SR gigabit switches). Enable MSTP (Multiple Spanning Tree Protocol) on ports 1, 2, 23 and 24, and disable spanning tree on all other ports; patch port 23 to port 1 on the next switch, and 24 to 2 on the next, so you have two links between each switch. Plug your two interfaces into any of the other ports (3-22) on each switch. End of story.

Configuring APC Rack PDUs

A brand new APC should be ready to have its IP set using an ‘arp and ping’ technique. It’s in the manual, but worth noting, since I normally search Google before RTFM! And so does most of the world.

  1. On any running host on the same network, add a static ARP entry mapping the IP you want to assign to the MAC address of the device. E.g. arp -s <ip-address> 00:C0:B7:76:08:CC (with <ip-address> being the address you are assigning) tells the host you are on to send to that MAC address when you use the IP.
  2. On the same host, before the ARP entry expires (normally 5 mins), send a ping to this IP with a special size of 113 bytes. E.g. ping -l 113 <ip-address> from Windows, or ping -s 113 <ip-address> if you have a better operating system (Linux)!

If this fails, you need to get the serial cable out and wire it up (9600 8N1 is the default, I think; turn off ALL flow control: no hardware, no software). Password recovery: find the small hole and use a paper clip or similar to reset the device. You have to reset it twice for it to take effect, and then you can use the default username and password of apc/apc.

SIP Telephony, good and bad

I’ve had a SIP handset now for about two weeks: a Budgetone 102 handset. It’s not too bad, from what I can tell, but I am using a provider in Perth, SimTex, which is around 400ms away RTT, and I am getting some bad audio on one side of the call.

It’s so frustrating that we constantly have to abandon the SIP phone and use the PSTN, at more expense. I’m connecting through Demon Internet in London on a 512 DSL link, which should be plenty fast enough. The annoying thing is that my emails and now phone calls to SimTex have gone unanswered. Not a way to keep customers. Time to start looking for other providers, or put my own box in…. Asterisk rocks, and the PSTN cards aren’t that expensive… if I put a 1U box with an ISDN 30 card in each city…. I’d be a SIP-telco.

I found Cisco had a nice list of SIP response codes.