Obihai install trouble
-
I'm having trouble getting an Obi202 VoIP adapter to work on my network. If I plug it straight into the DSL modem, it works, but when plugged into the network, I can't get it to connect to the ObiTalk network.
I've tried adding port forwarding rules for all their recommended ports:
What ports should I keep open on my router/firewall?
In order for your OBi to be able to send packets w/o interruption, please configure your router as follows:
Allow Outgoing:
TCP Ports: 6800, 5222, 5223
UDP Ports: 5060, 5061, 10000 to 11000, 16600 to 16998, 19305
Allow Incoming on UDP Port: 10000
with no luck. I do have two other port forwards going without a problem. Has anyone set one of these up before?
Thanks for any suggestions!
-
Yeah - Obihai doesn't need anything special behind pfsense.
I do have manual outbound NAT set up and I do have a rule on outbound that assigns static port on 5060.
I also have uPNP running on the interface that obihai is on.
But, I'm pretty sure that obihai worked fine before any of that.
My obihai worked just fine with only the default allow rule on LAN +DHCP.
I did most of that other stuff to make SIP server behave.
Are you running multiple IPs or multiple WAN interfaces or anything?
Are you running snort or some other blocker of everything package?
-
No multiple IPs, no multiple WANs - one WAN, one LAN. The only package I'm running is freeradius2 for WPA2 Enterprise. The Obi is plugged into ethernet, not using wireless. I'll try setting up uPNP. I've assigned a static DHCP address to the Obi.
-
Static IP is good all the time…
Static Port might make a bigger difference for you.
Just check for entries under "static port manual outbound NAT SIP" on google or this forum ;)
-
OK, I set up a static port for all packets from the Obihai (192.168.1.250). I also set up port forwarding and uPNP. Screenshots of port forwarding, outbound NAT, uPNP, and the firewall rules are attached, as well as the Obihai status screen.
I was wondering about a 1:1 NAT setup, but that seems really complicated, especially since my WAN address changes.
-
Also, I turned on syslog on the Obi, and get these:
8/28/13 10:09:14.000 PM OBI[-1]: BASE:resolving root.pnn.obihai.com (repeated multiple times)
8/28/13 10:09:14.000 PM OBI[-1]: DNS: All servers are not responding!
I've tried multiple different DNS servers with no luck. Normally I use pfSense as the DNS for the network, but I've also tried Google's (8.8.8.8) and another couple that I know of.
-
I've even added the IP address of that server to the DNS forwarder on pfSense, and still no luck. I'm highly confused.
-
You keep talking about obihai static IP
I keep telling you to try to set up static port in manual outbound NAT.
Those two things are not the same.
obihai doesn't need all this stuff you are doing at all.
It might need static port on 5060 on manual outbound NAT depending on how it connects.
-
I've set all the ports on 192.168.1.250 (the Obi202) to be static under manual outbound NAT - see the second screenshot I posted. It didn't make a difference.
-
What is your obihai connecting to? Google voice or some SIP server?
If it's some SIP server, whose SIP server? I have an idea what may be causing this.
-
I have an idea as well. Since
If I plug it straight into the DSL modem, it works
the idea would be this all borkage is caused by the huge overengineering of the configuration. Once again, keep it simple! As in:
My obihai worked just fine with only the default allow rule on LAN +DHCP.
-
Yeah - I'm thinking NAT (as in NAT on the SIP server side) is creating a problem where the obihai is only working if it runs against the public IP without NAT. If not that, then maybe OP is double NATed and doesn't realize it. obihai + pfsense is usually stupid simple. No special care required.
I'm waiting to hear back who provides his SIP. I run a SIP server here, and that is the only reason I am using manual outbound plus static port. Obihai worked without that. Asterisks didn't.
-
I've tried to connect to Google Voice, but first I'm trying to get their echo test service to work with no success. It's trying to connect to root.pnn.obihai.com, which is their provisioning service.
I did try the Obihai with the defaults as well, with no success - that's why I started port forwarding, etc., which also hasn't worked.
From the syslogs from the Obihai, all it keeps doing is trying to resolve the DNS for root.pnn.obihai.com over and over. I've tried turning off DNS forwarding, as well as putting the IP address for root.pnn.obihai.com into the DNS forwarder static section. I've also tried using different DNS servers on the Obihai with no luck either. I've also tried an explicit firewall rule to allow (and log) DNS lookups, which shows requests to pfSense and then requests out to the network.
-
Well, if DNS resolution does not work, then any messing with NAT/port forwards and uPNP sounds rather premature, to put it mildly?!
-
Hmmmm…
From a console on one of your computers, try:
ping root.pnn.obihai.com
Then, from pfsense console do the same.
Please tell results.
-
dok: I didn't find out it was a DNS issue until after starting with port issues.
Ping from my computer:
PING root.pnn.obihai.com (54.241.160.4): 56 data bytes
64 bytes from 54.241.160.4: icmp_seq=0 ttl=55 time=100.852 ms
64 bytes from 54.241.160.4: icmp_seq=1 ttl=55 time=93.125 ms
64 bytes from 54.241.160.4: icmp_seq=2 ttl=55 time=101.612 ms
64 bytes from 54.241.160.4: icmp_seq=3 ttl=55 time=92.128 ms
Ping from pfSense:
PING root.pnn.obihai.com (54.241.160.4): 56 data bytes
64 bytes from 54.241.160.4: icmp_seq=0 ttl=56 time=94.989 ms
64 bytes from 54.241.160.4: icmp_seq=1 ttl=56 time=92.355 ms
64 bytes from 54.241.160.4: icmp_seq=2 ttl=56 time=115.846 ms
64 bytes from 54.241.160.4: icmp_seq=3 ttl=56 time=90.387 ms
-
OK - So, you fixed the DNS settings?
-
I haven't touched the DNS settings - this is my problem. Every computer on my network except the Obihai can see that host. I can't figure out what else to try to get DNS through to the Obi. I think tonight I'm going to try putting the Obihai by itself on the OPT interface and log everything that goes in and out to see if I can figure out what's going on. I'm confused as all get out at this point.
-
Are all the other computers automatically grabbing DNS via DHCP or is their DNS manually configured on each computer?
-
They all get it via DHCP. I've tried setting the Obihai to both DNS via DHCP (which gives out 192.168.1.254, the pfSense box) and setting it explicitly (8.8.8.8 and 8.8.4.4, Google's DNS servers).
-
Hmmmm. No clue. Good luck.
-
Is there a way to simulate the "DMZ" option of Linksys, etc. routers via pfSense? I tried sticking the Obihai on a second LAN interface so I can log the traffic better, but no help. I can see in the states table that there are requests going to and from:
udp 8.8.8.8:53 <- 192.168.2.250:36837 NO_TRAFFIC:SINGLE
udp 192.168.2.250:36837 -> 8.8.8.8:53 SINGLE:NO_TRAFFIC
and via syslog:
(from Obi202)
8/29/13 11:55:53.000 PM OBI[-1]: BASE:resolving root.pnn.obihai.com
(from pfSense)
8/29/13 11:55:53.000 PM 192.168.2.250.36837 > 8.8.8.8.53[-1]: 11189+ A? root.pnn.obihai.com. (37)
8/29/13 11:55:55.000 PM 192.168.2.250.42176 > 192.168.2.254.53[-1]: 11189+ A? root.pnn.obihai.com. (37)
Something seems like it's restricting the replies from the DNS servers from getting back to the Obihai, but I'll be darned if I can figure out what it is. I set up a firewall entry allowing any and all network traffic to the second interface I moved the Obi onto, with no change.
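
An added example, not part of the original post: a small Python parser for states-table lines in the format quoted above that lists DNS flows where pf recorded packets from the client but none from the server. It assumes the state printed left of the colon belongs to the endpoint printed on the left; the third sample line is constructed for contrast.

```python
import re

# Constructed sample: the first two lines follow the states-table entries
# quoted in the post; the third is an invented answered flow for contrast.
SAMPLE_STATES = """\
udp 8.8.8.8:53 <- 192.168.2.250:36837 NO_TRAFFIC:SINGLE
udp 192.168.2.250:36837 -> 8.8.8.8:53 SINGLE:NO_TRAFFIC
udp 192.168.2.10:51000 -> 8.8.8.8:53 MULTIPLE:SINGLE
"""

# proto, left endpoint, optional "(translated address)", arrow, right endpoint, states
STATE_RE = re.compile(
    r"\b(?P<proto>udp|tcp)\s+(?P<left>\S+:\d+)\s+(?:\(\S+\)\s+)?"
    r"(?P<dir><-|->)\s+(?P<right>\S+:\d+)\s+"
    r"(?P<lstate>[A-Z_0-9]+):(?P<rstate>[A-Z_0-9]+)"
)


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4 form only) into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def unanswered_flows(text, server_port=53):
    """Return sorted (client, server) pairs where no server packet was seen."""
    found = set()
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if not m:
            continue
        # Assumption: left state belongs to the left endpoint, right to the right.
        sides = [(split_endpoint(m["left"]), m["lstate"]),
                 (split_endpoint(m["right"]), m["rstate"])]
        # Try both orientations, since "<-" and "->" lines swap the endpoints.
        for (srv, srv_state), (cli, cli_state) in (sides, sides[::-1]):
            if (srv[1] == server_port and cli[1] != server_port
                    and srv_state == "NO_TRAFFIC" and cli_state != "NO_TRAFFIC"):
                found.add((f"{cli[0]}:{cli[1]}", f"{srv[0]}:{srv[1]}"))
    return sorted(found)


if __name__ == "__main__":
    for client, server in unanswered_flows(SAMPLE_STATES):
        print(f"no reply seen: {client} -> {server}")
```

Both the LAN-side (`<-`) and WAN-side (`->`) entries for one query collapse to a single client/server pair, so the output lists each unanswered query once.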
-
Are you double NATed?
-
And on another note: are you really using 8.8.8.8 as your DNS? Or is your ISP blocking all DNS servers but their own?
-
I shouldn't be double-NATed - my network topology is:
Cable modem --- pfSense box --- unmanaged switch --- Ethernet devices (including Obihai)
I'll check what DNS server the ISP gives out and try that as well, but I've never had a problem using other nameservers on my other computers.
-
Is there a way to assign the Obihai the external IP address via DHCP, similar to how Linksys routers' DMZ function works? (It's a little different than everyone else's concept of DMZ, which makes things a little confusing.) I'm wondering if it's having a problem with NAT, and that's the only way I can think of testing it.
-
My obihai is not on any DMZ and is not getting any special treatment. Matter of fact it's getting very un-special treatment. It's just plugged into a switch and NATed same as everything else.
That's not the problem. Why don't you connect it straight to the modem, upgrade the firmware, then put it behind the pfsense again.
This isn't supposed to be so hard.
Which version of pfsense are you running?
-
OK - I updated the firmware yesterday through the web interface.
SoftwareVersion 3.0.1 (Build: 4041)
I'm running pfSense 2.1 beta -
2.1-RC1 (i386)
built on Thu Aug 22 23:23:56 EDT 2013
FreeBSD 8.3-RELEASE-p10
I was looking for the Ramdisk support that was introduced in 2.1, which is why I'm running the beta instead of 2.0.3.
Can you do me a favor? What does your Obi list in the web interface for the Obitalk status? Specifically, what does it say under the ex-addr?
-
Lost me.
I can access obitalk online and look at the status of things there on the web or I can type in the IP address of my local device and see some statuses there.
Please tell me exactly which you want me to look at and exactly describe the menu in question.
-
Sorry - when you first log into the web interface of the Obi, I'm looking at the status page that comes up. The sublistings on that page are WAN status, product info, ObiBT dongle 1 and 2 status, SP1-4 status, OBITalk status, and OBiPlus service status. I'm interested in what it says for the OBiTalk status.
-
OBiTALK Service Status
Parameter Name Value
Status Normal (User Mode)
CallState 0 Active Calls
I'm not sure how that would help you to know.
(Mine is an OBi100)
-
Sorry - mine has an additional field listing "ex-addr", which I'm taking to be what the Obi thinks its address is. I was hoping yours would tell me if it was using the address from DHCP or if it actually found the address on the other side of the NAT.
-
And now, without changing anything, it's working on OPT1 but not on the main LAN subnet. I'm more confused than ever, but I'll take it! Thanks for all the help everyone!
-
You have probably inadvertently broken something on the LAN firewall or NAT that you haven't broken on OPT1. Glad it's working.