VoIP b/t subnets - audio problems
-
Hey folks,
Recent convert from a Linux-based system and I'm having some issues with a VoIP setup. My VoIP server, Asterisk, is on my LAN, along with my hard-wired VoIP phones.
I have opt2 set up as a WLAN with an open AP (no security) for some WiFi phones that don't support WPA.
I created a virtual IP (10.1.2.40) on opt2 and a 1:1 NAT to the VoIP server (10.1.1.40). There are, for the sake of testing, two rules that allow both WiFi phones to pass any proto on any port to the Asterisk server (10.1.1.40).
Nevertheless I'm still having issues. If I call from the LAN (hardwired voip phone) to the wifi phone on opt2 I get 2 way audio. If I call from the WiFi phones I get no audio.
Audio, fyi, travels on UDP b/t ports 10,000 - 20,000.
Anyone have any suggestions?
-
Search the forum for the static port option. It fixes the problem 99% of the time.
-
Thanks for the tip!
I've been reading up and I guess I'm still missing something. I've tried creating two outbound NAT rules:
WAN 10.1.2.70/32 any port, any destination, any nat
static port =YES
LAN 10.1.4.70/32 any port, any destination, any nat
static port =YES
where 10.1.2.70 is the WiFi phone on opt2
and 10.1.1.40 is the Asterisk PBX on LAN.
Still only getting audio in one direction.
-
NAT is making problems with a lot of VoIP implementations as long as you don't have any kind of proxy or STUN server. I would suggest setting this up without NAT and simply route between OPT and LAN. If you want to add some security to your unsecured access point, enable captive portal at the AP interface and add the MAC addresses of your VoIP phones as passthrough MACs.
-
Thanks for the suggestions!
Unfortunately captive portal just isn't secure enough; it would be trivial to spoof the MAC and gain access.
I'll keep playing and see what I can come up with. I still think there might be a solution with static ports, just need to figure out how that works.