1

I want to connect two SIP phones from different locations over ZeroTier. I have no problem configuring Asterisk; however, I am lost as to how to connect the remote (LAN 2) phone using forwarding.

The situation can be pictured like this:

--------------------------+---------------------------------     
LAN 1                     I           LAN 2
192.168.2.0/24            I           192.168.3.0/24
--------------------------+---------------------------------
                          I                          
  ASTERISK +              I           
ZeroTier node 1           I           ZeroTier node 2
192.168.192.117  <================>   192.168.192.128                               
192.168.2.117             I           192.168.3.105
      ^                   I                 ^
      |                   I                 |
      v                   I                 v                                   
SIP phone 1               I           SIP phone 2                                        
192.168.2.101             I           192.168.3.101

I have an Asterisk server running on 192.168.2.117. There is no problem seeing the phone on LAN 1. The problem is how to see the phone on LAN 2.

I read some explanations of iptables and have had partial success: it seems that I can see packets from the remote phone on the ZeroTier node on LAN 1 because of these rules:

iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i eth0 -j DNAT --to 192.168.192.117

The idea is to forward all incoming UDP from LAN 2 and forward it to ZeroTier on LAN 1. I must admit I don't fully understand what is written here... and also it may be completely wrong :(

However, that's all. There is no way for the response to go back.

ZeroTier natively supports some bridging, but I must admit networking is "high math" for me.

Can anybody help please?

Tom HANAX

1 Answer

1

With great help from my colleague I managed to make it work. The idea was to make Asterisk see phone 2's packets as coming from ZeroTier node 2, that is, to make 192.168.3.101 appear as 192.168.192.128. So:

  • for every UDP packet from phone 2 (192.168.3.101) change source IP to 192.168.192.128 and destination to 192.168.192.117
  • for response packets coming from Asterisk (192.168.192.117) - change source IP to 192.168.192.128 and destination IP to 192.168.3.101

iptables -t nat -A PREROUTING  -p udp -s 192.168.3.101   -j DNAT --to 192.168.192.117
iptables -t nat -A POSTROUTING -p udp -s 192.168.3.101   -j SNAT --to 192.168.192.128
iptables -t nat -A PREROUTING  -p udp -s 192.168.192.117 -j DNAT --to 192.168.3.101
iptables -t nat -A POSTROUTING -p udp -s 192.168.192.117 -j SNAT --to 192.168.192.128

Now, with some super-basic Asterisk configuration, I can call the remote SIP phone over ZeroTier without any additional configuration of the ZeroTier nodes or altering the LAN 2 configuration in any way.

Tom HANAX
  • Could you please elaborate a bit on your answer? On which machines do the iptables rules have to be set? How do you set the connection between 192.168.192.117 and 192.168.192.128? I have a similar problem and would greatly benefit from more details. – F. Tusell Mar 12 '23 at 13:17
  • Sorry, I do not use ZeroTier for this purpose anymore. I use WireGuard now. However, my guess would be that all these iptables commands should be issued on the device with the Asterisk server. – Tom HANAX Mar 16 '23 at 19:19
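
Added example, not part of the original answer or its comments: the answer's four rules match every UDP packet from the phone or from Asterisk, so this sketch narrows them to VoIP ports and appends each rule only if it is not already present. The port list (SIP on UDP 5060, RTP on UDP 10000-20000) and all function and variable names are assumptions; it is meant for whichever machine holds the answer's rules.

```shell
#!/bin/sh
# Added example, not from the original answer: the answer's four NAT rules,
# limited to VoIP ports and applied idempotently.
# Assumptions (not on the page): SIP on UDP 5060, RTP on UDP 10000-20000.
PHONE=192.168.3.101       # SIP phone 2
ZT_NODE2=192.168.192.128  # ZeroTier node 2
ZT_PBX=192.168.192.117    # Asterisk / ZeroTier node 1
VOIP_PORTS=${VOIP_PORTS:-5060,10000:20000}

# Accept only dotted-quad IPv4, since these values end up in root commands.
valid_ipv4() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Print one rule spec per line (the part after "iptables -t nat -A").
# Arguments: phone IP, local ZeroTier IP, Asterisk ZeroTier IP, port list.
nat_rules() {
  for ip in "$1" "$2" "$3"; do
    valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
  done
  to_pbx="-p udp -s $1 -m multiport --dports $4"    # phone -> Asterisk
  to_phone="-p udp -s $3 -m multiport --sports $4"  # Asterisk -> phone
  printf '%s\n' \
    "PREROUTING $to_pbx -j DNAT --to-destination $3" \
    "POSTROUTING $to_pbx -j SNAT --to-source $2" \
    "PREROUTING $to_phone -j DNAT --to-destination $1" \
    "POSTROUTING $to_phone -j SNAT --to-source $2"
}

# Append each rule unless it already exists; DRY_RUN=1 only prints commands.
apply_rules() {
  specs=$(nat_rules "$PHONE" "$ZT_NODE2" "$ZT_PBX" "$VOIP_PORTS") || return 1
  printf '%s\n' "$specs" | while read -r spec; do
    if [ -n "${DRY_RUN:-}" ]; then
      echo "iptables -t nat -A $spec"
    else
      iptables -t nat -C $spec 2>/dev/null || iptables -t nat -A $spec
    fi
  done
}

case ${1:-} in apply) apply_rules ;; esac
```

Run with `DRY_RUN=1 sh script.sh apply` to review the generated commands before applying them as root.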