BlueBox/NAT

NOTE: This wiki for getting shorewall NAT traversal for SIP working applies equally to Asterisk/FreePBX -- however, Asterisk/FreePBX does not use multiple domains and only listens for SIP connections on a single port (by default 5060) so just delete/comment out the rules referencing ports 5070, 5080, etc.

I use net-firewall/iptables and also use NAT and need to forward the following udp ports from my router to my FreeSWITCH server: as well as the port range for RTP (10000 to 20000).
 * 5060 (standard SIP -- Authenticated SIP)
 * 5070 (alternate SIP -- Authenticated SIP -- NAT)
 * 5080 (alternate SIP -- UnAuthenticated SIP)

In addition I use net-firewall/shorewall for the firewall on my FreeSWITCH server, so I need the following in my : ACCEPT         loc             $FW     tcp     5038 # AMP -- Asterisk Manager Protocol ACCEPT         all             $FW     udp     5036 # iax ACCEPT         all             $FW     udp     4569 # iax2 ACCEPT         all             $FW     udp     5060 # sip ACCEPT         all             $FW     tcp     5060 # sip Some SIP servers need tcp as well ACCEPT         all             $FW     udp     5061 # sips ACCEPT         all             $FW     tcp     5061 # sips ACCEPT         all             $FW     udp     5070 # FreeSWITCH sip udp ACCEPT         all             $FW     tcp     5070 # FreeSWITCH sip tcp ACCEPT         all             $FW     udp     5080 # FreeSWITCH sip udp ACCEPT         all             $FW     tcp     5080 # FreeSWITCH sip tcp ACCEPT         all             $FW     udp     10000:20000     # rtp
 * 1) ASTERISK and FreeSWITCH
 * 1) SIP
 * 1) ACCEPT        all             $FW     udp     2727 # MGCP media gateway control protocol
 * 2) H323 tcp 522, 1503, 1720, 1731 and 8080

Following the Forum Thread [http://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg03965.html How do I configure shorewall to work with VoIP SIP? (FIXED!)] I first tried disabling kernel connection tracking for sip in : modprobe -r nf_nat_sip       &> /dev/null

modprobe -r nf_conntrack_sip &> /dev/null

#

modprobe -r nf_nat_h323      &> /dev/null

modprobe -r nf_conntrack_h323 &> /dev/null

And I also added the above ports to : NOTRACK         loc             192.168.1.0/24     udp     5060 # sip

NOTRACK         loc             192.168.1.0/24     tcp     5060 # sip

NOTRACK         $FW             192.168.1.0/24     udp     5060 # sip

NOTRACK         $FW             192.168.1.0/24     tcp     5060 # sip

and so on for ports 5061, 5070, 5080, 10000:20000

But (not unexpectedly) after calling the DID and picking up my extension, there was no audio on either my cell phone or sip phone. So next I edited the "Unauthenticated SIP" interface and changed the "Default Interface" to "Authenticated SIP -- NAT" and checked the following: Now I had audio on my cell phone but still no audio on my sip phone.
 * Server is behind NAT?: ON
 * NAT detection mechanism: "Detect IP via uPnP"
 * SIP Ping Registered Devices: ON
 * Aggressive NAT Detection: ON
 * Use Network IP & Port for RTP: OFF

After reading the FreeSwitch Firewall WIKI I solved the one-way audio problem by instead using the kernel's conntrack modules for sip. So I removed the above ports from and removed the entries for conntrack modules for nat, sip, h323 in

Because BlueBox/FreeSwitch uses multiple ports {5060, 5070, 5080} to distinguish multiple interfaces for multiple domains, it is necessary to compile the kernel with connection tracking as modules so that the module can be loaded specifying which ports to track instead of the default 5060.

Then I enabled module loading for these modules in

loadmodule nf_nat_sip loadmodule nf_conntrack_sip   ports=5060,5070,5080

And now we have proper SIP NAT traversal with two-way audio!