O2+Asterisk 2011 -- half working

terpstra

I was hit recently by the change O2 put through that broke my asterisk. I've found settings that work after these changes. I can both place and receive calls, and the sound quality is good. However, after about an hour of having connected the router, out-going calls start failing with:
Code:
 chan_sip.c:9813 handle_response_invite: Forbidden - wrong password on authentication for INVITE to '"49xxx" <sip:[email protected]>;tag=as3d772309'
Restarting my router fixes the problem.

I'll post my asterisk config below. First some quick information about my setup. I disconnected the O2 router+modem and instead put in a D-Link DSL-321B modem which is in bridge mode connected to my Asus WL-500G which runs PPPoE. The WL-500g is running openwrt and I've installed asterisk (1.2.14) on it. Thus, my asterisk is talking directly from the NAT which runs PPPoE; it is not behind a firewall or NAT. I then have SIP phones inside my LAN which are registered with the asterisk server on the router (wl-500g).

Here's what works for me:

Code:
[general]
srvlookup=yes
bindport=5060
bindaddr=0.0.0.0

disallow=all
allow=alaw

insecure=very
qualify=4000

register => 49xxx:password:[email protected]@sip.o2online.de/anyone


[o2out]                     
host=sip.o2online.de
canreinvite=yes
type=peer                   
[email protected]
fromdomain=sip.o2online.de  
secret=password

... I had a few other options in general, but they probably are not relevant to others. The key fix for me was to add the '@[email protected]'. The doubled @hostname seemed to be the trick that others had missed.

Like I said, the registration works 100% reliably. I get incoming calls no problem. It's only for outgoing calls where I need to restart the PPPoE connection. Restarting asterisk alone does not help.

Here's hoping someone else can take this information and get us asterisk users the last step of the way to a working fix post O2 breakage.

PS. I can understand german replies.
 
Hi OpenWrt comrade,

sorry I cannot tell you anything about the cause of your problem. I don't spot anything weird in your sip.conf.

Things which come to my mind:
  • Do you use the new DNS servers offered by O2 during ppp connection establishment? The old O2 servers which I had configured statically don't do it any longer.
  • Some people in this forum suspect that O2 uses some kind of protection system which for some period (30-60 min) locks out a user who is considered to be abusive.

Besides using NAT, my setup is similar to yours. As a modem I use an original O2 router (Zyxel) in bridge mode. Maybe O2 recognizes my modem's MAC address as being O2 hardware, so I am privileged regarding an assumed protection system. Other people reported they have fewer problems with O2 hardware, and also that O2 had asked them for their MAC address.

Or maybe you try some Asterisk settings which I use. This is my sip.conf:
Code:
[general]
realm = HorstBox
useragent = HorstBox
callerid = HorstBox

bindport = 5060
qualify = no			; qualify=yes to keep NAT sessions open?

context = default
allowguest = yes
disallow = all
allow = alaw
allow = ulaw
allow = gsm
allow = slinear

srvlookup = yes	
canreinvite = no

dtmfmode = rfc2833

tos_sip = cs3			; Recommended (cs3==0x60=96)
tos_audio = ef			; Recommended (ef=Expedited Forwarding=0xB8=184)
tos_video = af41			; Recommended (af41==0x88=136)

t38udptlsupport = yes
language = de

registerattempts=0
registertimeout=30

;nat = yes		; Always ignore info and assume NAT
nat=no			; Use NAT mode only according to RFC3581 (;rport)
;nat=never		; Never attempt NAT mode or RFC3581 support


register => 4971198765430:secretsecret:[email protected]@sip.o2online.de/4971198765430
register => 4971198765431:secretsecret:[email protected]@sip.o2online.de/4971198765431
register => 4971198765432:secretsecret:[email protected]@sip.o2online.de/4971198765432
register => 4971198765433:secretsecret:[email protected]@sip.o2online.de/4971198765433


[o2-out](!)
type=peer
host=sip.o2online.de
[email protected]
secret=secretsecret
fromdomain=sip.o2online.de
usereqphone=yes
disallow=all
allow=alaw
allow=g729
insecure=port,invite

[o2-out-0](o2-out)
fromuser=4971198765430

[o2-out-1](o2-out)
fromuser=4971198765431

[o2-out-2](o2-out)
fromuser=4971198765432

[o2-out-3](o2-out)
fromuser=4971198765433
 
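A small linter for the two sip.conf files posted above, as an added example (not code from either poster): it resolves `(!)` templates and reports the settings that matter when Asterisk is bound directly to the WAN address, namely `allowguest=yes`, any `insecure=` value other than `no`, and `allow=` lines with no preceding `disallow=all`. The function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample modelled on the sip.conf files in this thread (no
# credentials). "disable = all" is a deliberate misspelling of "disallow = all".
SAMPLE = """\
[general]
allowguest = yes
disable = all
allow = alaw

[o2-out](!)
disallow=all
allow=alaw
insecure=port,invite

[o2-out-0](o2-out)
fromuser=4971198765430
"""
SECTION = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?")

def parse(text):
    """Return {section: [(key, value), ...]}, template options inherited first."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if m := SECTION.match(line):
            current = sections.setdefault(m.group(1), [])
            for parent in (m.group(2) or "").split(","):
                current.extend(sections.get(parent.strip(), []))  # "!" matches nothing
        elif current is not None and "=" in line and "=>" not in line:
            key, value = line.split("=", 1)          # register => lines are skipped
            current.append((key.strip().lower(), value.strip().lower()))
    return sections

def audit(text):
    """List (section, finding) pairs for settings worth a second look."""
    findings = []
    for name, opts in parse(text).items():
        codecs_reset = False
        for key, value in opts:
            if key == "disallow" and value == "all":
                codecs_reset = True
            elif key == "allow" and not codecs_reset:
                findings.append((name, "allow without disallow=all"))
            elif key == "allowguest" and value == "yes":
                findings.append((name, "allowguest=yes"))
            elif key == "insecure" and value != "no":
                findings.append((name, "insecure=" + value))
    return list(dict.fromkeys(findings))             # one report per section
```

Sections that inherit from a template are reported with the template's findings, since that is their effective configuration.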
Some people in this forum suspect that O2 uses some kind of protection system which for some period (30-60 min) locks out a user who is considered to be abusive.
Other people reported they have less problems with O2 hardware, and also that O2 had asked them for their MAC address.

Well, after more testing, I am fairly certain that it is NOT my asterisk configuration. Things work 100% perfectly for some time after setting up the PPPoE channel. Then I get the 'password wrong' messages on outgoing calls. Reset the PPPoE link and all will work again... for some yet-to-be-accurately-measured time.

Things I am considering trying:
* Figure out exactly what causes the disconnect
* Reverse engineer and customize the O2 router firmware to install a packet sniffer to see what they do to keep the link alive
* MAC spoofing on my router to match the O2 router
* Cancelling O2 and moving to live in a cave

As a modem I use an original O2 router (Zyxel) in bridge mode.
I tried to get this to work, but I couldn't make it happen. I have an "O2 Router Classic" that I poked via the 'WAN.html' webpage and telnet. I managed to get it to the point where I could see the PPPoE access concentrators on devices connected to the LAN ports. However, when I established a PPPoE connection to one of them, I could get no traffic to flow, despite pppd having successfully negotiated and brought up the connection.

This disgusting anti-compatibility mess is extremely frustrating. My family constantly complains about the phone not working, but I am powerless to fix it. I can't use the O2 router, because it's missing several features that we need (tun6to4, vpn bridging to the office, SIP routing to different providers based on destination telephone #, notification of missed incoming calls via prowl to the woman's iphone...). None of these things are possible if I have to chain the openwrt device behind an uncooperative NAT that blocks non-UDP/TCP traffic and steals the VoIP connection for itself.
 
Hi terpstra,

Spoofing the MAC address is easy, as there is this possible OpenWrt "option macaddr yy:yy:yy:yy:yy:yy" in /etc/config/network. But: today I temporarily reactivated and used my Horstbox ADSL modem (MAC assigned by D-Link Corporation) instead of the one from the O2 router (MAC assigned by Zyxel), and O2 voip still ran OK for a couple of hours. As I will be away from home, I restored the old setup just to be on the safe side.

Customizing the O2 firmware would be ambitious. Good luck.

Some people in this forum seem to be quite successful with a Fritzbox. I have never heard negative opinions about Fritzbox' masquerading/natting, so this might be an option.

PPP connection established but no traffic flow possible: might be caused by settings VPI/VCI=1/35 (WAN.html page), which is reserved for O2 voip traffic only. Last time I checked O2 blocked routing to other destinations via this virtual ATM channel. For normal internet VPI/VCI=1/32 must be used. And O2 voip works with 1/32 too - yet.

I understand your frustration. To get the maximum from O2 dsl requires endless hours of trying and testing and forum reading. Once in a while O2 changes some parameters and the setup adventure restarts. Good as challenging hobby, but incompatible with family and real life.
 
today I temporarily reactivated and used my Horstbox ADSL modem (MAC assigned by D-Link Corporation) instead of the one from the O2 router (MAC assigned by Zyxel), and O2 voip still ran OK for a couple of hours. For normal internet VPI/VCI=1/32 must be used. And O2 voip works with 1/32 too - yet.
So, as I understand it, you had working:
Horstbox ADSL modem connected to O2 (VPI/VCI=1/32)
Openwrt router connected to Horstbox (using PPPoE)
Linux box running Asterisk connected to Openwrt

... and the complete setup worked stable for you.

You are only using a single PPPoE channel and single VPI/VCI? As I no longer believe that my asterisk server itself is the problem, and you put a non-O2 modem in the same place as I have, our setups must be more-or-less the same. Yet yours works. That gives me hope!

What version of openwrt are you using? I am still running white russian 0.9 from years and years ago. I was using [email protected] for login, but based on a post for Fritzboxes in another thread I've switched to [email protected]. Still too early to say if that fixed it, though.
 
Within Horstbox Professional there are two systems called 'Horst' and 'Herta'. Here both run OpenWrt.

Herta has a TI AR7 processor (MIPS) with ADSL 2+ modem and WLAN. So I installed atm driver/software, masquerading iptables firewall, pppd with pppoe, all built from OpenWrt development svn from July 2010. Horst has an Intel ixp4xx processor (ARM) and I installed Asterisk 1.6.0.11-rc1, all built from svn (I think) in Aug 2009.

Usually Herta's modem connection stalls after 1-3 days. The WLAN driver is shitty (not in official kernel). That's why I use the O2 router as modem and WLAN AP. Also flaky is the isdn software part on horst, which hangs about once a month.

But the voip connections to O2 are stable with the O2 modem. Unless O2 changes something. With the Herta modem, I tried it for 4-5h now. Yes, I use the 1/32 atm channel with ppp login [email protected]/freeway.

Using Herta's modem, I could establish a second ppp connection via 1/35 for O2 voip. Tried and it works. But then setting up routing is tricky, because it is not just a single O2 server involved. RTP might be handled by a different server than SIP. Incoming O2 calls might come from an address different from _sip._udp.sip.o2online.de. I had to find out all O2 servers involved and set up static routes via the 1/35 ppp interface. Or route all traffic from Horst via the 1/35 - but then there would be no voip to Sipgate. Maybe clever iptables/netfilter connection tracking could be used. Or running two Asterisks on different machines. Anyway, it would be complicated.
 