VOIP Tech Chat → Can I get Asterisk to not proxy media?

A question for the Asterisk gurus here:

I have a FreePBX system, based on Asterisk 1.8, running on a VPS. I'd like to interconnect my three locations (and various providers), somehow avoiding having Asterisk in the media path.

Each location has IP desk phones (Polycom or Aastra) and a Gigaset A580 IP system. One place has POTS, connected by an SPA3102; another has pseudo-POTS (triple-play from ISP), connected via an OBi110. The ISP-supplied NAT router/modems can do port range forwarding, but hairpinning does not work correctly. The phones and ATAs can all do NAT mapping or not, whichever would work best in this system.

My dilemma:

If NAT mapping is off (devices send private address in SDP), directrtpsetup will work for intra-location calls (between extensions or to/from the local POTS), but will fail for inter-location calls. Trunk calls using a provider that does not proxy media (and whose upstreams don't do symmetric RTP) will also fail. Conversely, if NAT mapping is on, inter-location is ok, but intra- will fail.

If there were some way to get Asterisk to replace the private IP with the public one, when connecting to an endpoint not behind the same NAT, all would be well.

Anyone have a similar system running?

Have you looked at directmediadeny and directmediapermit pair of options in sip.conf? I have used this approach for 2 locations, with one of them behind the asterisk server (hence no nat). I suspect that it would not completely solve your problem, but may be a start.

Cheers,
-m

I have experimented with getting Asterisk not to proxy media. After a long-winded trying/failing, I have managed to get Asterisk not to proxy media. I am running Freepbx 2.10.1.3 and Asterisk 10.4.0 on CentOS Linux 6.3 (Linux 2.6.32-279.19.1.el6.i686 - 32-bit) VPS with a PAP2T connected to 2 extensions. The settings below, may be of help, but not sure if it will solve your issue.

1) On the PAP2T all NAT issues are turned off. The PAP2T is connected directly to a dedicated Internet connection. This is the only way I could get the PAP2T to work with no-NAT since I am unable to configure any of my routers to operate in no-NAT mode.

2) Key settings in Freepbx are a) Extensions; 'canreinvite=yes' and turn off recording feature (does not work when Asterisk is not proxying the media), b) in Asterisk SIP settings; set 'NAT' to 'no', set IP Configuration to 'Static IP'' (external IP is the IP of your VPS), set 'Reinvite Behaviour to 'yes', in 'Other SIP Settings' set 'directrtpsetup=yes' and 'keepalive=yes', c) in Advanced settings, set 'SIP canrenivite (directmedia)' to 'yes' and 'SIP nat' to 'no', d) In General Settings blank out anything in the box next to 'Asterisk Dial command options'.

Now, the PAP2T and Freepbx/Asterisk should be set up to not proxy media.

To check that Asterisk do not proxy media, SSH into your VPS and command "asterisk -vvvvvvvvvR" at root to get to Asterisk CLI, then command "rtp set debug on" (no quotes). After the call is set up and you see no activity at the CLI prompt, that indicates Asterisk is not proxying the media. If you do see scrolling lines, you will see RTP stream and that it is proxied by Asterisk.

[In my configuration; when Asterisk is not proxying the media, the call quality is much better. However, you will loose som of Freepbx's features, which do depend on Asterisk proxying the media, so it is a trade-off....]

Many thanks for the replies, but I don't completely understand either. Here is a specific example of the desired behavior:

Extensions 101 and 102 are in location A and 103 is in location B. When 101 calls 102, the INVITE sent to 102 should specify in its SDP, the private IP address of 101, i.e. what 101 sent in the original invite. When 102 answers, the 200 OK sent to 101 should specify in its SDP, the private IP address of 102, i.e. what 102 sent in its 200 OK. The resulting conversation stays on the LAN (does not go over the Internet at all).

OTOH, when 101 calls 103, the INVITE sent to 103 must have the public IP address of 101, so 103's voice packets will travel over the Internet to 101's router and be forwarded to 101's phone. Likewise, the 200 OK must have the public address of 103.

@voip_wire: Though I am aware of directmediapermit/deny and could indeed use them to prevent a malfunction in cases where direct media wouldn't work (proxied audio is a lot better than no audio), my goal is to always have direct media work. So, for a case where directmediadeny is active, is there some way for another option to kick in (reinvite?) and still have a direct path?

@pacpac: If I understand correctly, all your extensions are on public IPs. If that were my case, your solution would indeed work fine. Unfortunately, I don't see any easy way of doing that at reasonable cost. (If money were no object, I could simply get a block of static IPs at each location.) Possibly, there is a way to emulate having public IPs for all the devices, and I'd be willing to throw some extra hardware at the problem, but I'm not aware of anything that would not either require writing lots of code, or would be a major administrative hassle, e.g. running an Asterisk box at each location.

For extension to extension calling, onsip.com is perfect for this. Traffic will not leave your network (other than sip signaling) for calls on the same LAN. Media will be point to point (once call is established) for calls outside of your LAN.

The a la carte plan is free and allows for unlimited extensions.

Correct, my extensions are on Public IPs. I think I understand what you are looking for, i.e. connect to one Asterisk box from 3 different locations (extensions 101. 102, 103, etc.) and having SIP signalling only handled by Asterisk and having the RTP stream to go directly between the extensions. Without, by any stretch of the imagination, being an expert on Asterisk, I do not believe that is possible, very much because Asterisk was designed to proxy media. You might want to try to see if any of the guys over at the PBX-in-a-Flash forum can help out.

Thanks for the suggestion, but I don't see a good way to use it in my application.

I'd have to use separate line appearances for OnSIP and Asterisk, is that correct? The phones don't have automatic route selection (except for the Gigasets, where it doesn't work right), so users would have to manually select the appropriate line.

One reason for wanting low-latency intra-location calls is conferencing. Say I've made or received an outside call on extension 101 and someone else at home wants to participate. I call their extension and establish a three-way call. If the path between the local phones is over the Internet and the local parties are within earshot of each other, both hear a very annoying "echo" that makes conversation very difficult. Unfortunately, some of the phones cannot do cross-provider conferencing, i.e. they could not use the Asterisk line for one leg and the OnSIP line for the other.

The other main reason is for calls using the local POTS line. On outgoing, I'd like to just dial a number (or select it from contacts, calls list, etc.) and have the system automatically use a POTS line, if it's cost-effective for that call and available. With OnSIP, I'd have to manually dial a code for the ATA and then dial the desired number. For incoming, I'd like some intelligent filtering and routing, ringing multiple destinations if needed. I don't see a way that OnSIP can do this at all.

The closest I ever came to finding a solution to this challenge was when I tried using the Milkfish SIP proxy embedded in dd-wrt routers.

It's been years since I used it and I'm not sure whether it's still being maintained. But it seemed to work OK at the time. It may be worth a try.

That is how I do it. Line 2 of my Polycom is Onsip. The Gigaset routes all extensions starting with '700' to Onsip.

We've been enjoying free HD Voice calls to select family members for a year now.

ALL legs must support it, your asterisk must detect all legs as NOT being behind a NAT.

You could try "nat=never" instead of "nat=no" in your SIP Trunks. I personally use "canreinvite" on my personal 1.4 boxes and it works fine.

Sorry if this was not very concise, but that's how I do it with my personal Asterisk boxes. I do proxy the RTP however for all my devices/PBX that are actually behind a NAT, no point with dealing with such a nightmare for no gain.

In a way I had the flipped setup, as described below:

101 and 102 ar on 10.0.0.1/24, behind the asterisk+router. 103 and 104 have public IP (dynamic, but within a known ip-range). I wanted to make sure that if 101 calls 102, I get direct media. This was ensured by the localnet setting. To get asterisk out of the media path for calls between 103 and 104, I setup

directmediadeny=0.0.0.0/0
directmediapermit=NNN.NNN.0.1/24
 

Unfortunately, this also presumes that 103 and 104 have public IPs, and wouldn't apply in your case ...
-m

In this case it's not "no gain" -- I'm not the type who whines about a few milliseconds of extra latency.

When connecting Aastra IP phone to SPA3102 over the LAN, the jitter buffers get down to ~10 ms (each direction), so including the 20 ms packetization delays, the round-trip latency added to a local POTS call is only ~60 ms, not enough to even notice.

OTOH, if the media passes through Asterisk, it's awful. I'm in Bangkok and the PBX is at ChicagoVPS. Ping time is 261 ms, and the jitter buffer runs ~30 ms, resulting in about 620 ms latency.

On some inter-location calls, latency with the direct path is unavoidably bad, but I'd like not to needlessly make it even worse.

If I can find a path to the cheese, I'm ready to deal with the nightmare.

Do you get direct media for calls from 101 to 103? If so, how did you get Asterisk to magically send your public IP address in the SDP to 103?

No, I can't. It does not matter in my case, as the router/asterisk/firewall are the same box - it physically sits between 101 and 103.

If I understood your desired setup, you would like to
• Turn NAT off at each device. You did say that you are OK leaving it on, but I think that direct RTP is unlikely to work that way.
• Use a SIP router to intelligently handle NAT of the RTP packets

If you have not looked at (and ruled it out) perhaps openSIPS may be easier to adapt for your use case. I don't have any experience, but its configuration file reads more like a program, and I expect would be lend itself to the explicit/fine grained routing that you require.

Edit:
To be honest, openSIPS configuration requires a deeper understanding of SIP protocol than I have, but your past posts suggest that this would be well within your capability.

cheers,
-m

If your router correctly supports loopback feature, you will not see any RTP packets going outside of the NAT router at the time, when 101 and 102 connect to each other, using their WAN IP. The same IP should be used for connections between 101 and 103 or 102 and 103, of course.

IMHO, solution in this case should be:
1. Get NAT router with proper support for loopback function
2. Configure all your clients to use direct media mode and always send in SDP their WAN IP, obtained with STUN (or similar solution)